
Privacy Policy

Effective: March 30, 2026 · Version 1.0
Uzbek Law · GDPR (EU) · UK GDPR · CCPA

1 Introduction and Scope

1.1 KadrHR (“we,” “us,” or “our”) operates the KadrHR Management Platform accessible at kadrhr.com and app.kadrhr.com (the “Platform”). We are committed to safeguarding the privacy of all individuals whose personal data we process. We never sell personal data, and we carry out all processing operations in strict compliance with all applicable laws and regulations.

1.2 This Privacy Policy applies where we are acting as a Data Controller with respect to the personal data of our website visitors, Platform users, and prospective customers; in other words, where we determine the purposes and means of processing that personal data.

1.3 When KadrHR processes employee data on behalf of its Clients (company Administrators and HR Managers), KadrHR acts as a Data Processor and the Client acts as the Data Controller. In such cases, the Client's own privacy policies govern the relationship between the Client and its employees.

1.4 This Policy applies to: (a) Company Administrators and HR Managers who access the Platform on behalf of their organization; (b) employees and individuals whose data is managed within the Platform by our Clients; (c) job applicants who submit applications via public vacancy pages at app.kadrhr.com; and (d) visitors to kadrhr.com.

1.5 Our website and Platform incorporate privacy controls that affect how we process your personal data. You may use these controls to specify marketing preferences and limit publication of your information.

1.6 Where your personal data is processed on the basis of our legitimate interests, you may object to such processing at any time by contacting us at info@kadrhr.com.

2 Who We Are

2.1 “We”, “us” and “our” refer to KadrHR Platform, registered in the Republic of Uzbekistan, operating at kadrhr.com and app.kadrhr.com.

2.2 For questions about this policy or our data practices, contact our Data Protection team at info@kadrhr.com.

3 Data We Collect

3.1 In this Section 3, we set out: (a) the categories of personal data we may process; (b) the source of such data; and (c) the purposes for which we process it.

3.12 Please do not supply any other person's personal data to us unless we specifically prompt you to do so, and only where you have the legal right to share that data.

3.2 Usage Data

We may process data about your use of our website and Platform (“usage data”). This includes your IP address, geographic location, browser type and version, operating system, referral source, session duration, pages viewed, and navigation paths, as well as information about the timing, frequency, and pattern of your Platform use. The source of usage data is our analytics and logging systems. Usage data is processed for the purposes of analyzing and improving the Platform. The legal basis is our legitimate interests in monitoring and improving our services.

3.3 Account Data

We process account data including company name, Administrator name, email address, industry, office and mobile numbers, company website, and timezone settings. The source is the Customer or their employer. Account data is processed to operate the Platform, provide services, maintain security, create backups, and communicate with the Customer. The legal basis is performance of our contract and our legitimate interests in proper business administration.

3.4 Profile Data

We process profile data including full name, job title, email address, profile photo, Telegram handle (where provided), and profile completion status. This data is processed to enable and monitor Platform use and to display employee information within the Company module. The legal basis is our legitimate interests in proper Platform administration.

3.5 Employee and HR Data (Service Data)

Clients use the Platform to manage their employees' data. We process this data on behalf of Clients as Data Processor. This includes:

  • Personal identifiers: full name, date of birth, national identification number, contact information
  • Employment data: job title, department, position, employment start date, contract type, and contract documents
  • Compensation data: salary, payment category, payroll group, expense claims, cash advances, and payslip history (Payroll module)
  • Attendance data: check-in/check-out records, days worked, hours worked, late arrival records, absences, and work schedule assignments (Attendance module)
  • Leave data: leave type, leave balance, leave applications, and team leave calendar (Workspace and Company modules)
  • Project and task data: project assignments, task lists, timesheet entries, and completion records (Projects module)
  • Recruitment data: job applications, CV/resume files, interview notes, hiring decisions, and candidate profiles (Recruitment module)
  • Documents: uploaded files including contracts, identity documents, passports, and HR records stored in the Dataroom

The source of service data is the Customer or its Users. Service data is processed to operate the relevant Platform modules and provide the contracted services. The legal basis is the performance of our contract with the Customer.

3.6 Biometric Data

If the Customer activates physical attendance device integrations within the Attendance module, biometric data (such as fingerprint templates or facial recognition records) may be processed through integrated hardware. Biometric data is a special category of personal data under GDPR Article 9. The Customer is solely responsible for: (a) obtaining the explicit, informed consent of each employee before any biometric data is collected; (b) compliance with all applicable biometric and data protection laws; and (c) configuring the Platform settings appropriately. KadrHR processes biometric data only after it has been submitted by the Customer and solely to provide the attendance tracking function.

3.7 Customer Relationship Data

We process data relating to our customer relationships including contact names, company details, job titles, and communications history. The source is the Customer. This data is processed to manage our customer relationships and promote our services. The legal basis is our legitimate interests in proper customer relationship management.

3.8 Transaction Data

We process transaction data including contact details and transaction amounts relating to Subscription purchases. Payment card data is processed solely by our authorized payment providers (Payme, Click, Visa, Mastercard, UnionPay and others); KadrHR does not store raw payment card data. Transaction data is processed to supply services and maintain proper records. The legal basis is performance of contract.

3.9 Notification Data

We process data you provide when subscribing to email updates or newsletters (“notification data”). This is processed to send relevant communications. The legal basis is performance of contract or consent, as applicable.

3.10 Correspondence Data

We process content and metadata from communications you send us via email, support tickets, or Platform contact forms (“correspondence data”). This is processed for the purposes of communicating with you and record-keeping. The legal basis is our legitimate interests in proper business communication.

3.11 Aggregated and Anonymized Data

We may collect and process usage and performance information that does not personally identify any individual, or that we have aggregated or de-identified. This data is used to improve the Platform and is not subject to this Privacy Policy.

4 How We Use Personal Data

4.1 We use the personal data described in Section 3 for the following purposes:

  • Service Delivery: to provide, operate, maintain, and improve all Platform modules (Workspace, Company, Projects, Attendance, Payroll, Recruitment, Reporting, and Settings)
  • Payroll Processing: to perform payroll calculations, manage expense claims and cash advances, and generate payslips on behalf of Clients
  • Attendance Management: to record, process, and display attendance data including check-in/out times, late arrivals, and absences
  • Recruitment Operations: to manage vacancies, receive candidate applications via public links at app.kadrhr.com, support interview scheduling, and manage hiring pipelines
  • HR Analytics and Reporting: to generate reports across all modules including Project Reports, Employee Reports, Vacancy Reports, and Candidate Reports
  • Account Management: to manage Accounts, process Subscription payments, and send billing communications
  • Customer Support: to respond to support requests, investigate and resolve Platform issues
  • Security: to detect, prevent, and respond to unauthorized access, fraud, and security threats
  • Legal Compliance: to comply with applicable laws, regulatory requirements, and lawful government requests
  • Service Communications: to send service notifications, security alerts, and Platform updates
  • Marketing Communications: to send promotional content and product updates — only where the Customer has given consent and may withdraw at any time

4.2 We may also process personal data where necessary: (a) for the establishment, exercise, or defense of legal claims; (b) to obtain or maintain insurance or professional advice; or (c) where required by applicable law or to protect vital interests.

6 Profiling and Automated Decision-Making

6.1 The Platform's analytics features (Company Dashboard, Reporting module) process employee and HR data to generate statistical outputs such as age distribution, gender distribution, department distribution, attendance trends, and KPI metrics. These analytics are presented to the Customer's Administrators as informational dashboards to support management decisions.

6.2 KadrHR does not make any automated decisions that produce legal effects or significantly affect individuals without human review. All Platform analytics are tools to assist human decision-makers; final HR decisions remain the responsibility of the Customer.

6.3 Customers who use the Platform's analytics to inform decisions about employees must ensure they comply with applicable laws on automated decision-making and profiling in their jurisdiction.

7 Data Sharing and Disclosure

7.1 We do not sell, rent, or trade personal data to any third party under any circumstances.

7.2 Service Providers (Sub-Processors)

We engage vetted third-party service providers who process data on our behalf, including cloud hosting providers, email delivery services, payment processors, analytics services, and security monitoring tools. All sub-processors are bound by data processing agreements and are prohibited from using Customer Personal Data for any purpose other than providing services to KadrHR. We will notify Customers at least 14 days before adding or replacing any sub-processor.

7.3 Payment Processors

Payment transactions are processed by authorized third-party providers including Payme and Click (for Uzbekistan-based Clients) and international payment processors for foreign Clients. These providers are independent Data Controllers for payment transaction data, governed by their own privacy policies.

7.4 Legal Disclosures

We may disclose personal data if required to do so by applicable law, court order, or governmental or regulatory authority. Where legally permitted, we will notify affected Customers before making such disclosures. We will always verify the legal validity of any governmental request before compliance.

7.5 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of KadrHR's assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. Affected Customers will be notified in advance of any such transfer.

7.6 Public Vacancy Portal

When a Customer publishes a vacancy with public visibility enabled, the vacancy details (job title, position, description, salary where included, deadline, and application link) become publicly accessible via app.kadrhr.com. Candidate applications submitted through these links are processed on behalf of the Customer. The Customer is responsible for the legality and accuracy of all public vacancy content.

7.7 Customer-Authorized Integrations

Customers may configure integrations with third-party applications through the Settings module. Any data sharing resulting from Customer-enabled integrations is the Customer's responsibility. KadrHR is not responsible for the data practices of third-party services enabled by the Customer.

8 International Data Transfers

8.1 The Platform's primary servers are located in the Republic of Uzbekistan. Personal data may be transferred internationally in connection with sub-processor services (such as cloud infrastructure or email delivery) or when providing services to international Clients.

8.2 For transfers of personal data from the European Economic Area (EEA) or United Kingdom, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent legally recognized transfer mechanisms. Customers may request a copy of applicable transfer safeguards by contacting info@kadrhr.com.

8.3 For transfers involving other jurisdictions, we apply protections equivalent to those in this Policy and comply with applicable local data transfer laws.

9 Data Retention

9.1 We retain personal data only as long as necessary for the purposes described in this Policy, in accordance with the following retention periods:

  • Active Account Data: retained for the duration of the active Subscription
  • Post-Termination: Client Data is retained for 30 days following account termination to allow data export, after which it is permanently and securely deleted
  • Financial and Payroll Records: retained for 5 years to comply with Uzbek tax and accounting legislation (or equivalent periods for international Clients as required by local law)
  • Recruitment Candidate Data: retained for a maximum of 2 years after the conclusion of a recruitment process, unless a longer retention period is required by local employment law or agreed with the Customer
  • Security and Access Logs: retained for up to 12 months for security investigation and fraud prevention purposes
  • Legal Hold: data subject to active legal proceedings or regulatory investigation is retained until the matter is fully resolved

9.2 Where it is not possible to specify a fixed retention period in advance, we determine the appropriate retention period based on the purpose of processing and applicable legal requirements.

9.3 Customers may request earlier deletion of specific data by contacting info@kadrhr.com. We will honour deletion requests subject to any applicable legal retention obligations.

10 Your Rights

10.1 Depending on your location and applicable law, you or your employees may have the following rights regarding personal data:

  • Right of Access (GDPR Art. 15): request a copy of personal data held about you, including information on how it is being used
  • Right to Rectification (GDPR Art. 16): request correction of inaccurate or incomplete personal data
  • Right to Erasure (GDPR Art. 17): request deletion of personal data where no legal basis for retention exists ('right to be forgotten')
  • Right to Restriction (GDPR Art. 18): request that we limit our processing of your data in certain circumstances
  • Right to Data Portability (GDPR Art. 20): receive your personal data in a structured, machine-readable format (JSON or CSV) where processing is based on consent or contract
  • Right to Object (GDPR Art. 21): object to processing based on legitimate interests, including profiling for analytics purposes
  • Right to Withdraw Consent: withdraw consent at any time for consent-based processing (e.g., marketing communications), without affecting prior lawful processing
  • Right Not to be Subject to Automated Decisions: where applicable, object to decisions made solely by automated processing that produce legal or significant effects on you
  • Right to Lodge a Complaint: lodge a complaint with your national Data Protection Authority — e.g., ICO (UK), CNIL (France), DPC (Ireland), or the relevant authority in your country

10.2 Clients wishing to exercise rights on behalf of themselves should contact info@kadrhr.com. Employees seeking to exercise their rights should contact their employer (the Client) in the first instance, as the Client is the Data Controller for employee data. KadrHR will provide technical assistance to Clients to fulfil such requests.

10.3 We will respond to all verifiable rights requests within 30 calendar days. We may extend this to 60 days for complex requests, in which case we will notify you of the extension and reason within the initial 30-day period.

10.4 For California residents: the CCPA grants the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.

11 Cookies and Tracking Technologies

11.1 Our website at kadrhr.com and the Platform use cookies and similar tracking technologies. We use cookies for the following purposes:

  • Strictly Necessary Cookies: essential for Platform authentication, session management, CSRF protection, and security. These cannot be disabled and do not require consent
  • Functional Cookies: used to remember user preferences, language settings, and Workspace configurations across sessions
  • Analytics Cookies: used to analyze website and Platform usage patterns and improve performance. Applied only with your prior consent

11.2 When you first visit our website or Platform, you will be asked to consent to non-essential cookies. You may update your cookie preferences at any time through the cookie consent settings on the Platform.

11.3 You may also control cookies through your browser settings. Note that disabling certain cookies may impair Platform functionality. For further information on managing cookies, refer to your browser's help documentation.

12 Data Security

12.1 We implement robust technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: AES-256 encryption of all data at rest; TLS 1.2+ encryption of all data in transit
  • Access Controls: strict role-based access controls through the Platform's Role Management module; access limited to authorized personnel on a need-to-know basis
  • Authentication: multi-factor authentication (MFA) support available for all User accounts
  • Backups: automated daily encrypted backups retained for at least 30 days with tested restoration procedures
  • Security Testing: regular penetration testing, vulnerability assessments, and security audits
  • Incident Response: a documented data breach response plan with notification procedures meeting GDPR's 72-hour DPA notification requirement and 24-hour Customer notification commitment

12.2 Despite these measures, no internet-based service can guarantee absolute security. In the event of a personal data breach likely to result in risk to individuals' rights and freedoms, we will notify affected Customers within 24 hours and, where required, relevant Data Protection Authorities within 72 hours.

13 Children's Privacy

13.1 The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors.

13.2 If a Customer uploads data relating to a minor employee (for example, a minor employed in compliance with applicable child labor laws in their jurisdiction), the Customer bears full responsibility for ensuring the lawfulness of such processing. If KadrHR becomes aware that data of a minor has been uploaded without lawful basis, we will investigate and may delete such data.

14 Changes to this Privacy Policy

14.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal requirements, or business operations. We will communicate material changes via email notification to the Customer's registered Administrator and/or a prominent notice within the Platform at least 14 days before the changes take effect.

14.2 The revised Policy will display the updated effective date. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

14.3 If you disagree with any changes to this Policy, you should stop using the Platform and contact us to discuss your options, including data deletion.

15 Contact and Data Protection Inquiries

15.1 For questions, rights requests, or concerns about this Privacy Policy or our data processing practices, please contact:

15.2 We are committed to resolving privacy concerns promptly. If you are not satisfied with our response, you have the right to escalate to your national Data Protection Authority. EU/UK Clients may contact their local DPA directly.

KadrHR Platform — Data Protection Team

Website: kadrhr.com | app.kadrhr.com

Address: Tashkent, Republic of Uzbekistan

Last Updated: March 30, 2026 · Version 1.0 · KadrHR Platform · kadrhr.com