GDPR & Data Protection

PeopleHQ is built with privacy by design. Here's how we handle personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR.

Our role under GDPR

When your organisation uses PeopleHQ to manage HR data, PeopleHQ acts as a data processor and your organisation acts as the data controller. We process employee personal data only on your documented instructions and in accordance with our Data Processing Agreement (DPA).

All customers on paid plans can request a signed DPA from legal@peoplehq.com.

Technical and organisational measures

We implement appropriate safeguards including:

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Role-based access controls with full audit logging
  • ISO 27001-certified infrastructure
  • Regular penetration testing by independent third parties
  • Data residency options (EU and UK regions)
  • Sub-processor agreements with all third-party vendors

Your rights as a data subject

Under GDPR, individuals whose data we process have the following rights:

Right of access

Request a copy of the personal data we hold about you.

Right to rectification

Ask us to correct inaccurate or incomplete data.

Right to erasure

Request deletion of your data (the “right to be forgotten”).

Right to restrict processing

Ask us to limit how we use your data in certain circumstances.

Right to data portability

Receive your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests or for direct marketing.

To exercise your rights, contact your employer (the data controller) or email us at legal@peoplehq.com. We respond to all verified requests within 30 days.

International transfers

Data is stored in EU data centres by default. Where transfers outside the EEA are necessary (for example, to sub-processors in the US), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

Data breach notification

In the event of a personal data breach, we will notify affected controllers within 72 hours of becoming aware, in accordance with Article 33 of GDPR. We maintain an incident response plan and conduct regular drills.

Further information

For detailed information see our Privacy Policy or contact our Data Protection Officer at legal@peoplehq.com.