Privacy Notice

1. Introduction

1.1 Grace Pariser HR ("we", "us", "our") is a registered Data Controller with the Information Commissioner's Office (ICO).

1.2 This Privacy Notice sets out how we collect, store and use personal information through The HR Vault in accordance with the UK General Data Protection Regulations (UK GDPR) and Data Protection Act of 2018.

1.3 It applies to all users of The HR Vault website and platform.

1.4 We reserve the right to amend this Privacy Notice at any time. It does not form part of any contract with us.

1.5 By using our platform, you agree to the collection and use of information in accordance with this policy.

2. Data Controller Information

3. The Information We Store

3.1 We collect, store and use the following categories of personal information through The HR Vault:

Account Information:

• First name and surname
• Email address
• Company name (optional)
• Professional role (HR Consultant or In-House HR)
• Account preferences and settings

Subscription and Payment Data:

• Stripe customer ID and payment method information
• Subscription plan type (monthly/annual, HR Consultant/In-House HR)
• Payment history and transaction records
• Billing dates and subscription status

Usage and Activity Data:

• Documents downloaded and access history
• Login times and session information
• Download count and remaining allowances
• Platform usage patterns and preferences

Technical and Security Data:

• IP addresses and device information
• Browser type and operating system
• Session tokens and authentication data
• Security logs and access records

Communication Data:

• Support enquiries and correspondence
• Feedback and service requests
• Email communication preferences

AI Document Generation Data (Premium Subscribers):

• Conversation history with the AI document generation tool
• Documents and files uploaded for AI processing
• Generated document content and revisions
• AI usage metrics (tokens used, sessions created)

4. Data Collection Process

4.1 Account Registration: When you create an account on The HR Vault, we collect your name, email address, company details, and professional role.

4.2 Subscription Process: When you subscribe to premium services, we collect payment information through Stripe and link it to your account.

4.3 Platform Usage: When you use our platform, we automatically record your document downloads, access patterns, and usage statistics.

4.4 Communications: When you contact our support team or provide feedback, we store your communications for service improvement.

4.5 AI Document Generation: When you use the AI document generation feature, we collect your conversation messages, any files you upload, and the documents generated. This data is encrypted and stored on HR On Call Ltd's servers. Conversation content is sent to Anthropic via their enterprise API for processing; Anthropic does not store your data beyond the immediate request. Where personal data about employees or third parties is entered, the relevant data controller (typically the client organisation for HR consultants, or your own organisation for in-house HR) retains responsibility for that data. HR On Call Ltd acts as the data processor and Anthropic acts as a sub-processor.

5. Information Automatically Collected

5.1 When you use The HR Vault, we may automatically collect:

• Technical Data: IP address, browser type, operating system, device information
• Usage Data: Pages visited, documents accessed, time spent on platform, download patterns
• Session Data: Login/logout times, session duration, authentication tokens
• Performance Data: Page load times, error logs, system performance metrics

5.2 Our platform may contain links to other websites. Once you leave our platform, this privacy policy no longer applies.

6. How We Use Personal Information

6.1 We process personal information for The HR Vault under the following legal bases:

Contract Performance:

• Providing access to HR documents and templates
• Managing your subscription and billing
• Delivering premium features and services
• Processing downloads and tracking usage limits
• Providing customer support and technical assistance

Legitimate Interests:

• Improving platform functionality and user experience
• Analyzing usage patterns to develop new features
• Maintaining platform security and preventing fraud
• Conducting business operations and administration
• Communicating important service updates

Legal Obligations:

• Compliance with financial and tax regulations
• Data protection and privacy law compliance
• Responding to legal requests and investigations
• Meeting regulatory reporting requirements

Consent (where applicable):

• Sending marketing communications (HR updates and industry insights)
• Analytics and performance tracking (via cookies)
• Optional premium features requiring additional consent

7. Sharing Data with Third Parties

7.1 We share your data with trusted service providers who help us operate The HR Vault:

Essential Service Providers:

• Stripe: Payment processing and subscription management
• Brevo (formerly Sendinblue): Email communications and newsletters
• Anthropic (Sub-Processor): AI document generation is powered by Anthropic's enterprise API (Claude). Anthropic processes conversation content and uploaded files solely to generate your requested documents. Anthropic acts as a sub-processor under our instruction and does not use your data to train its AI models, does not store your data beyond the immediate processing request, and does not share your data with any third parties. This is a commercial enterprise API integration, not a consumer AI product.
• Web Hosting Provider: Platform hosting and technical infrastructure
• Backup Services: Data backup and disaster recovery

Analytics (with your consent):

• Google Analytics: Website usage analytics and performance monitoring

7.2 We do not sell, trade, or rent your personal information to third parties.

7.3 All data processing agreements with third parties include appropriate privacy and security safeguards.

7.4 We will not transfer personal data outside the UK unless adequate protections are in place.

7.5 AI document generation data is processed by Anthropic in the United States via their enterprise API. Where personal data about employees or third parties is entered, the relevant data controller (typically the client organisation for HR consultants, or your own organisation for in-house HR) retains responsibility for that data. HR On Call Ltd is the data processor, and Anthropic is a sub-processor acting solely on our documented instructions. This transfer is made under appropriate safeguards including standard contractual clauses. Anthropic does not retain, train on, or share your data. Your conversations are not visible to other users or used for any purpose other than generating your requested document.

8. Data Storage and Retention

8.1 We retain your data for different periods depending on its purpose:

8.2 We conduct annual data reviews to ensure we only retain necessary information.

8.3 When data is no longer needed, it is securely deleted or anonymized.

9. Data Security

9.1 We implement comprehensive security measures to protect your data:

Technical Safeguards:

• SSL/TLS encryption for all data transmission
• Encrypted database storage
• Secure authentication and session management
• Regular security updates and patches
• Firewall protection and intrusion detection

Organizational Measures:

• Access controls limiting data access to authorized personnel
• Staff training on data protection and security
• Regular security assessments and audits
• Incident response and breach notification procedures
• Data processing agreements with all service providers

9.2 However, no internet-based system is 100% secure, and we cannot guarantee absolute security.

10. Your Rights

10.1 Under UK GDPR, you have the following rights regarding your personal data:

10.2 To exercise any of these rights, please contact us at grace@gp-hr.co.uk.

10.3 You can also update your account information and privacy preferences through your account settings.

11. Marketing Communications

11.1 We may send you marketing communications about HR industry updates, new documents, and platform improvements if you have:

• Given us your consent, or
• Subscribed to our services and not opted out

11.2 You can unsubscribe from marketing emails at any time by:

• Clicking the unsubscribe link in any marketing email
• Emailing us at grace@gp-hr.co.uk
• Updating your preferences in your account settings

12. Children's Privacy

12.1 The HR Vault is designed for business and professional use and is not intended for individuals under 18 years of age.

12.2 We do not knowingly collect personal information from children under 18.

12.3 If we become aware we have collected data from a child, we will take steps to delete that information promptly.

13. Changes to This Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

13.2 We will notify you of significant changes by:

• Posting the updated policy on our platform
• Updating the "Last updated" date
• Sending email notifications for material changes
• Displaying a notification on the platform

13.3 We encourage you to review this Privacy Policy periodically.

14. Contact and Complaints

14.1 Grace Pariser is responsible for data protection matters. For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

14.2 We aim to respond to all data protection enquiries within 30 days.

14.3 If you remain unhappy with our response, you can raise your concerns with the Information Commissioner's Office (ICO):