Data Privacy
PeopleHQ is built with privacy by design. Here's how we handle personal data in accordance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and international best practices.
Our role under RA 10173
When your organisation uses PeopleHQ to manage HR data, PeopleHQ acts as a personal information processor and your organisation acts as the personal information controller. We process employee personal data only on your documented instructions and in accordance with our Data Processing Agreement (DPA).
All customers on paid plans can request a signed DPA from legal@peoplehq.site.
Technical and organisational measures
We implement appropriate safeguards including:
- AES-256 encryption at rest; TLS 1.3 in transit
- Role-based access controls with full audit logging
- Enterprise-grade cloud infrastructure (AWS ap-northeast-2)
- Regular security testing and vulnerability reviews
- Sub-processor agreements with all third-party vendors
Your rights as a data subject
Under the Philippine Data Privacy Act, individuals whose data we process have the following rights:
- Right to be informed: Be notified about how and why your personal data is collected and used.
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure: Request deletion of your data (“right to be forgotten”).
- Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
To exercise your rights, contact your employer (the personal information controller) or email us at legal@peoplehq.site. We respond to all verified requests within 30 days.
Data storage and transfers
Data is stored on AWS ap-northeast-2 (Seoul) via Supabase. Where transfers to sub-processors are necessary, we ensure appropriate contractual safeguards are in place to protect your personal data in accordance with RA 10173.
Data breach notification
In the event of a personal data breach, we will notify affected controllers within 72 hours of becoming aware, in accordance with the National Privacy Commission (NPC) guidelines. We maintain an incident response plan and conduct regular security reviews.
Further information
For detailed information, see our Privacy Policy or contact our Data Protection Officer at legal@peoplehq.site.