Privacy Policy
Last Updated: October 29, 2025
Introduction
FrancesHR ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our HR services platform.
This policy complies with the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable data protection laws in the United States and Puerto Rico.
Data Controller
FrancesHR acts as the data controller for the personal information we process. For inquiries regarding your data, please contact us at: privacy@franceshr.com
Information We Collect
1. Personal Information (Unencrypted)
- Google Email Address: Used for authentication and communication
- Full Name: Used for personalization and service delivery
2. Encrypted Information
All other personal and sensitive information is encrypted at rest and in transit, including:
- Resume/CV documents
- Professional history and qualifications
- Contact information (phone numbers, addresses)
- Employment preferences and career goals
- Payment information (processed via Stripe - we do not store card details)
3. Automatically Collected Information
- IP address and device information
- Browser type and version
- Usage data and analytics
- Cookies and similar tracking technologies
How We Use Your Information
We process your personal information for the following purposes:
- Service Delivery: To provide HR services, resume optimization, and career guidance
- Authentication: To verify your identity and manage your account
- Communication: To send service updates, notifications, and respond to inquiries
- Payment Processing: To process transactions via Stripe (PCI-DSS compliant)
- Legal Compliance: To comply with legal obligations and protect our rights
- Service Improvement: To analyze usage patterns and improve our platform
Legal Basis for Processing (GDPR/UK GDPR)
- Contract Performance: Processing necessary to fulfill our service agreement with you
- Legitimate Interests: To improve our services and prevent fraud
- Legal Obligation: To comply with applicable laws and regulations
- Consent: Where you have provided explicit consent for specific processing activities
Data Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: AES-256 encryption at rest and TLS 1.3 in transit
- Access Controls: Role-based access with multi-factor authentication
- Secure Infrastructure: Hosted on Supabase with SOC 2 Type II compliance
- Regular Audits: Periodic security assessments and vulnerability scanning
- Data Minimization: We only collect data necessary for service delivery
- Secure File Storage: Resume files stored with signed URLs and time-limited access
Data Sharing and Third Parties
We share your information only with trusted third-party service providers:
- Supabase: Database and authentication services (GDPR compliant)
- Stripe: Payment processing (PCI-DSS Level 1 certified)
- Resend: Transactional email delivery (GDPR compliant)
- Google OAuth: Authentication services (subject to Google's Privacy Policy)
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
Your Privacy Rights
GDPR/UK GDPR Rights (EU/UK Residents)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit how we process your data
- Right to Data Portability: Receive your data in a structured format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with your data protection authority
CCPA Rights (California Residents)
- Right to Know: Request disclosure of data collection and sharing practices
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices
Puerto Rico Residents
Puerto Rico residents have rights under both US federal law and local regulations. You may exercise the same rights as California residents under CCPA.
To exercise your rights: Contact us at privacy@franceshr.com with your request. We will respond within 30 days (GDPR) or 45 days (CCPA).
Data Retention
We retain your personal information only as long as necessary:
- Active Accounts: Data retained while your account is active
- Account Deletion: Data deleted within 30 days of account closure request
- Legal Requirements: Some data may be retained longer to comply with legal obligations (e.g., tax records for 7 years)
- Backup Systems: Deleted data removed from backups within 90 days
International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all third-party processors
- Adequacy decisions where applicable
- Encryption and security measures during transfer
Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately.
Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or prominent notice on our platform. Continued use of our services after changes constitutes acceptance of the updated policy.
Contact Us
For privacy-related inquiries, data subject requests, or concerns:
Email: privacy@franceshr.com
Data Protection Officer: dpo@franceshr.com
Response Time: Within 30 days (GDPR) or 45 days (CCPA)
Supervisory Authorities
If you are located in the EU/UK, you have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO) - ico.org.uk
- EU: Your national data protection authority