OrangeHRM Service Privacy Policy

(Revision July 2025)

This Service Privacy Policy covers the privacy practices employed by OrangeHRM when OrangeHRM customers (“Customer”, “You”) use our Cloud-Based Enterprise Applications (the “Cloud Service”) or On-Premise Enterprise applications (the “On-Premise Service”) or both (“Cloud Service and On-Premise Service”, “Service”). This Privacy Policy does not apply to any information or data obtained by OrangeHRM for any other purpose, such as marketing purposes. Please refer to the OrangeHRM Privacy Policy

Who We are

When we use the terms “OrangeHRM”, or “us” or “we” in this policy, we are referring toexte OrangeHRM Inc.

Data Protection Officer

Our Data Protection Officer oversees how we collect, use, distribute and secure your information to ensure your rights are respected. Our Data Protection Officer can be contacted at dpo@orangehrm.com

How we collect information

In the normal course of using the OrangeHRM Cloud or On-Premise Service, Customers will enter electronic data into the OrangeHRM systems (“Customer Data”).

Customers may input Customer Data into data templates and submit these to OrangeHRM through secure channels. OrangeHRM Implementation consultants will assist with the import of such data into the OrangeHRM Cloud or On-Premise Service

What Information Do We Collect

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the categories of Personal Data listed below based on the OrangeHRM modules purchased;

  • Employee Management: Personal contact details, including name, title, addresses, telephone numbers, and personal email addresses. Date of birth, Gender, Marital status and dependants, emergency contact information, National Insurance/Social Security number, Bank account details, payroll records and tax status information, Salary, annual leave, pension and benefits information, Location of employment or workplace, driving license, Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process), Employment records (including job titles, work history, working hours, training records and professional memberships), Photographs, Qualifications(Work Experience - Former employement details, Educational, Qualifications, Skills, Languages, Professional & Social license details), Passport & Visa details, Memberships (Membership details & subscriptions), Assets ( Assest details tracking with assignment).
  • Performance:Employee performance information, such as performance reviews and ratings. Employee trackers with their feedback.
  • Goals:Employee goals, objectives, and their progress & feedback tracking.
  • Leave:Employee leave information, including the type of leave and any relevant medical reports, should be attached as necessary.
  • Time and Attendance: Employee attendance information (Punch In/Out, Attendance reports, working hours)
  • Career development: Individual career development plan details with desired goals & their progress tracking.
  • Training:Course info, enrollments, attendance, results, certificates.
  • Request Desk:Requester info, request details, attachments, workflow status.
  • On/offboarding:Personal details that are required for the employee management, reference details, employment info, relevant document uploads such as educational & professional qualifications, proof-of-address, photo ID, onboarding checklists & tasks, acknowledgments, exit checklists & tasks.
  • Recruitment:Candidates' resumes and their personal information, such as name, address, telephone number, mobile number, and email address, as well as interviewer notes on the candidate and results of tests that may have been performed.
  • Disciplinary:Employee disciplinary information, such as warning letters.
  • Surveys:employee responses to corporate surveys.
  • Rosters:work patterns, including punctuality data
  • Any other information applicable to candidates, workers, contractors, and employees.

How we keep your information safe

We have a comprehensive, written information security program in place that includes industry-standard, administrative, technical, and physical safeguards to protect Customer Data from unauthorized access.

Our infrastructure service providers are Rackspace Inc and Amazon Web Services, Inc. They maintain various certifications that help us validate our security policies and processes as well as comply with applicable legislation such as GDPR, Jamaican Data Protection Act, Singapore Personal Data Protection Act, and international standards. If you want to know more about OrangeHRM GDPR Compliant please refer to this. The following compliance frameworks have been examined and validated :

OrangeHRM Advanced Cloud Service

Our infrastructure service provider is Rackspace Inc.

  • ISO 27001 - Rackspace Information Security Management System (ISMS) with ISO 27001 is an iterative management system that ensures security policies and processes are effective in mitigating identified risks. Rackspace’s ISMS validates the management of information security in its data center operations.
  • SSAE 18 and ISAE 3402 - Rackspace SOC (1,2,3) reports can be used to satisfy requirements under both the SSAE 18 and ISAE 3402 standards. This report includes a description of the controls in place as well as the auditor's informed assessment of their effectiveness throughout the audit period.
  • PCI DSS - Rackspace’s status as a PCI DSS Level 1 service provider has been verified by a qualified security assessor (QSA). It covers;
    • Physical security for data centers.
    • Network infrastructure
    • Rackspace employee access to network devices.

OrangeHRM Open Source Cloud Service

Our infrastructure service provider is Amazon Web Services, Inc.

  • ISO 27001 - AWS ISO/IEC 27001:2022 is a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) outlining how AWS consistently oversees security comprehensively and holistically.
  • SSAE 18 and ISAE 3402AWS offers a SOC 1 Type 2 report, which aligns with SSAE 18 and ISAE 3402 standards. This report is valuable for various audit requirements, both within the United States and internationally. It confirms that AWS has appropriately designed control objectives and that the specific measures in place to protect customer data are functioning effectively.
  • PCI DSSAWS has obtained validation through AWS Security Assurance Services LLC, a team of Qualified Security Assessors (QSAs) certified to provide guidance and assessments for PCI DSS compliance. AWS successfully completed a Level 1 assessment as a Service Provider in line with PCI DSS requirements.

For the On-Premise Service and the cloud service, we may temporarily retain customer-submitted data templates containing customer data in the OrangeHRM secure facility, until Customer data is successfully imported into the on-premise and cloud Services. OrangeHRM Vault is a secure file transfer platform where customers can submit password-protected data files directly. Only authorized consultants will have access to these files through OrangeHRM Vault. OrangeHRM Vault will automatically validate these files for security and remove them from storage regularly.

All OrangeHRM AI (Artificial Intelligence) features are designed in compliance with “Privacy by Design” principles and undergo continuous security validation.

Your personal information rights

We process customer data at the request of our customers and do not have direct control or ownership of the personal data processed by the system. Prior to sending data to OrangeHRM for processing purposes, you are responsible for complying with any regulations or laws that require you to provide notice, disclosure, and/or obtain consent.

We offer a comprehensive set of data protection capabilities ranging from role-based access control to data encryption; from corporate policy publishing tools to data management with extensive audit logs. It enables Customers to gain access to, correct, and limit the processing of their personal data.

New capabilities in OrangeHRM software version 6.4 upwards allow you to purge terminated employees and candidates from the entire system including audit trails. This is to help you to practice data subject requests such as the right to be forgotten.

If you are using the Recruitment module, you can now obtain job application consent by laying out your data policy and requiring a check in the checkbox before allowing a candidate to apply for a vacancy.

Any data subject request that is directed to us will be forwarded to the customer and we will assist the customer in meeting any obligation to respond to such data subject requests. If the customer requests help from OrangeHRM to comply with data protection regulations, OrangeHRM will respond to their request within 30 business days.

Data retention period

In the OrangeHRM Cloud Service, if you have a valid SAAS agreement with OrangeHRM, your data will be retained in our servers. Should you purge any specific employee or candidate records, this data will be immediately purged from the system. Such information will then be completely removed from OrangeHRM backups after 4 weeks.

Between 10 and 30 days after the agreement between OrangeHRM and the Customer is terminated, OrangeHRM will remove the customer's personal data from the OrangeHRM servers, and all customer personal data will be fully purged from OrangeHRM backups after a further 4 weeks.

For On-Premise service, we will ensure that any temporary data such as customer data templates, is purged between 10 and 30 days after the termination of the agreement between OrangeHRM and the Customer.

Note:
Under OrangeHRM standard agreements, the aforementioned data retention periods will be valid. Customers who have subscribed to OrangeHRM extended services will have their data retained for longer than the above mentioned periods (can go up to 12 weeks).

Meeting our legal and regulatory obligations

OrangeHRM may, where it concludes that it is legally obligated to do so, disclose personal data to law enforcement or other government authorities. OrangeHRM will notify customers of such requests unless prohibited by law.

Consent

Prior to using sensitive personal information about you for any service improvements, we will first request your consent. Before you give your consent, we will tell you what information we collect and how we use it. You have the right to withdraw your consent at any time by contacting us. Clients retain the flexibility to enable or disable each AI feature.

How we use your information

Per the relevant agreement between the Customer and OrangeHRM, we may access customer data within OrangeHRM to provide the service, prevent or address service or technical problems, respond to support issues, respond to the customer’s instructions, or as may be required by law.

We may process anonymized data to troubleshoot customer-specific issues and for quality control purposes.

We may process anonymized data to track how the Service’s various components are used. This information is used to drive feature development and service enhancements as well as to provide recommendations on how our products and services can add value for you. OrangeHRM does not sell your information to any party under any circumstances and OrangeHRM is not responsible for any PII data sold by the data controller.

All customer data is anonymized before it is provided to any third-party AI models (such as those provided by OpenAI via API). This data is not used for training any machine learning models. No AI output is finalized without human validation by the Customer or their authorized users.

Artificial Intelligence Features and Data Usage

OrangeHRM has introduced a set of AI-powered features to enhance HR functionality and user experience. Customers can choose which AI capabilities to enable. When enabled, the AI features may process certain types of Customer Data already stored in the OrangeHRM system.

  • Personally Identifiable Information (PII) is anonymized before being processed by any AI model.
  • AI outputs are always subject to human review and override. Final decisions remain with the Customer.
  • OrangeHRM does not retain AI-generated content, and all content generated by the Citra AI feature is auto-deleted after 30 days.

How you access the OrangeHRM Service

Customers and their authorized users may access the Service directly via a URL that is unique to their tenant or may elect to use internal launch pages for single sign-on or other purposes. As they utilize the service, customers provide information for processing and storage. Customers may also configure the Service to allow end users to input information directly into the Service

Your information and third parties (Sub-processors)

To comply with applicable law, regulation or authorized requests, we may share your information with third parties. We will notify you of such incidents unless prohibited by law.

Sub-processors processing personal data as part of the Services See the complete Sub-Processor list here.

International Transfer of data

In Cloud Service, we store customer data in the nearest data center used by OrangeHRM to provide your specific service, Eg: European client data is stored in European centers.

In Cloud Service and On-Premises Service, we may transfer anonymized data from European region Data Centers to North American Rackspace Data Centers and Asian technical support centers for the purposes of providing the Service, preventing or addressing service or technical problems, responding to support issues, and responding to the Customer’s instructions.

Right to fair treatment

OrangeHRM will not discriminate against you for exercising your privacy rights. Regardless of your privacy preferences, OrangeHRM will provide the products and services you require.

Making a Complaint

If you have a complaint about the use of your personal information, please contact your application admin within the organization. If you have a complaint about the OrangeHRM service privacy policy or security, please contact our DPO at dpo@orangehrm.com.

Updates to this notice

We may update this privacy statement to reflect changes in our information practices. If we make any material changes, we will notify you by means of a notice on this site prior to the change taking effect. We encourage you to periodically review this page for the latest information on our privacy standards.