Privacy Policy

Last Updated: 07/01/2025

This Privacy Policy defines the legal entities, responsibilities, and mechanisms that demonstrate the continuous compliance of Newployee OÜ ("we," "our," or "Newployee") with the fundamental principles of data protection, including the Accountability principle under the EU General Data Protection Regulation (GDPR).

1. Our Role, Identity, and Accountability

1.1 Who We Are and Our Contact Details
Newployee OÜ is a fully registered legal entity specializing in HR automation solutions and acts as the legal data controller for all self-processed data.
Our official registered address for all legal and administrative correspondence is: Harju maakond, Tallinn, Kesklinna linnaosa, Viru väljak 2, 10111, Estonia.
The designated legal representative for Newployee OÜ, responsible for regulatory liaison, is the Legal Director or General Manager.

1.1.1 Dedicated Privacy Contact
Our mandatory, verified contact point for all data subject rights requests, inquiries, and regulatory communications is privacy@newployee.com. This channel is specifically dedicated to handling privacy matters and is managed by our Privacy Team to ensure timely response and documented compliance. Our primary regulatory body for GDPR compliance is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

1.2 Defining Our Responsibilities: Data Controller vs. Data Processor
Our legal responsibilities are strictly differentiated based on the context of the data.

A. When Newployee Acts as the Data Controller
We are the Controller for data collected during direct interactions, where we exclusively determine the purpose and the means of processing.

  • Scope of Control: This includes all data necessary to run our business and our platform's front-end, specifically: website visitor data, platform user authentication data, subscription data, billing records, internal systems usage data, and direct marketing subscription lists.
  • Our Obligations: As Controller, we are directly liable for full compliance with all data protection principles, ensuring lawful basis, security, and fulfilling data subject rights related to this data.
  • Documentation: This processing is logged and maintained in our internal Records of Processing Activities (RoPA).

B. When Newployee Acts as the Data Processor
We act strictly as a Processor when handling data about our Clients' employees ("Employee Data").

  • Scope of Processing: This data is used solely for executing the automated onboarding, offboarding, and related HR workflows defined and configured by the Client (the Employer).
  • The Client's Role: The Client remains the Controller and is fully responsible for establishing the legal basis (e.g., employment contract necessity, legitimate interest, or explicit consent) for collecting and transferring their employees' data to us.
  • Our Mandate and Prohibitions: We process this data only on the documented, written instructions of the Client. We are contractually and legally prohibited from using Employee Data for any secondary purpose outside of the direct service provision, including our own internal product development, analytics, or marketing, unless such use is explicitly mandated by the Client in writing and incorporated into the DPA.
  • Governing Document: This non-use and processing mandate is codified in the legally binding Data Processing Addendum (DPA), which is executed with every Client.

1.3 Our Commitment to Accountability
Newployee maintains continuous accountability through stringent documentation and risk assessment protocols:

  • We conduct and maintain detailed Records of Processing Activities (RoPA) detailing all data flows, processing purposes, and legal bases.
  • We perform mandatory Data Protection Impact Assessments (DPIAs) for high-risk processing activities (e.g., new data integrations or large-scale processing) to proactively identify, assess, and mitigate privacy risks before deployment.
  • We are committed to providing full cooperation and demonstrable evidence of compliance to our Supervisory Authority upon request.

2. Categories of Personal Data We Collect

We adhere strictly to the principle of data minimization, ensuring that we collect Personal Data that is adequate, relevant, and strictly limited to what is necessary for our specified processing purposes.

a) Client & User Data (Data We Control)
This data is provided by the Client administrator or end-user during account setup, billing, or support interactions.

  • Identifiers & Authentication: This includes the user's Full name, Professional work email address (primary identifier for login), Job title, and Company name. It also includes the platform Username and the securely hashed password (never stored in plain text). For enterprise clients, we may also collect the Client's internal Organizational Identifier (or Vendor ID) if such data is required for billing reconciliation or centralized account management.
  • Financial Data: We collect the necessary Billing address and Invoice history to fulfill contractual and legal obligations. We must emphasize: We do not store, process, or transmit Payment Card Industry (PCI) sensitive data (e.g., full credit card numbers). All payment processing is delegated to compliant, external third-party processors. You can review Stripe's Privacy Policy.
  • Communication Logs: This comprises the Metadata (e.g., time, date, source channel) and the Content of all written support tickets and sales inquiries. Furthermore, Sales or Support Calls may be recorded for quality assurance or training purposes, but only with explicit, upfront notification and affirmative consent from the participant.

b) Employee Data (Data We Process on Behalf of Our Clients)
This data is input by the Client (Employer) for the express purpose of automating their HR workflows. This data is owned and controlled exclusively by the Client.

  • Organizational Data (Core Identifiers): Employee ID (Client's internal identifier), Full name, Work email, Department, Cost center information, Manager’s name/ID, Employment status, and Start/end dates.
  • Workflow Interaction Data (Metrics): This includes dynamic data generated as part of the Client's process configuration:
    • Task/Process Status: Mandatory task completion status, percentage of workflow completion.
    • Performance Inputs: Goal attainment scores, or input fields designated for structured peer feedback (e.g., check-ins, mentoring notes) as defined by the Client.
    • Binding Actions: Records of digital signatures or formal acknowledgments required within the workflow steps.
  • Data Minimization Commitment: We process only the minimum necessary fields required to execute the specific workflow logic defined by the Client and do not extrapolate or infer characteristics from this data for our own purposes.

c) Automatically Collected Technical and Usage Data
This technical data is collected passively to ensure system security, availability, and usability.

  • Network & Device Data: This includes the IP address (used strictly for security monitoring, throttling, and approximate geographic location, not precise GPS tracking), browser type and version, operating system version, and persistent application identifiers (for troubleshooting).
  • Usage Metrics (Pseudonymized Analytics): We collect metrics such as pseudonymized user identifiers, feature usage logs, detailed platform navigation paths, time stamps, clickstream data, and session duration. This data is primarily used for proactive technical troubleshooting, diagnosing system stability, and identifying feature performance bottlenecks. This data is handled in an aggregated and/or pseudonymized format whenever technically feasible.

d) Our Protocol on Sensitive Personal Data
We enforce a rigorous protocol concerning Special Categories of Personal Data.

  • Explicit Prohibition: We strictly do not solicit or intentionally process data related to health, genetic information, religious or philosophical beliefs, political opinions, trade union membership, or biometric data for the purpose of unique identification.
  • Accidental Upload Handling: We maintain robust internal protocols designed to identify and quarantine any Special Categories of Personal Data if accidentally uploaded by a Client. We promptly notify the Client (Controller) if such data is detected.
  • Required Client Guarantee: If a Client determines that such data must be included in Employee Data for a necessary, lawful purpose, we require the Client to guarantee that its processing is lawful and that the necessary legal exception is met, and we apply the highest level of technical security controls to isolate it.

3. Purposes and Legal Bases for Processing Your Data

We explicitly justify every processing activity with a valid legal basis. This ensures transparency and guarantees that your data is processed only when absolutely necessary and lawful.

3.1 Processing Necessary for Our Contract with You
Processing under this basis is mandatory for us to fulfill our contractual obligations to you or to take steps at your request before entering a contract.

  • Purpose: Account Provisioning and Service Delivery: This involves using your professional contact details (name, email) to register your user account, manage authentication, grant access to the Newployee platform, and ensure technical service continuity (uptime guarantees).
  • Purpose: Payment Collection and Billing: Utilizing necessary financial identifiers and billing addresses to process subscription fees, issue invoices, and manage license compliance according to the agreed-upon Terms of Service.
  • Necessity Statement: Without processing this data, we would be unable to enter into or maintain the contractual relationship, rendering the provision of the Newployee service impossible.

3.2 Processing to Comply with Our Legal Obligations
We process data when we are under a strict legal duty to do so, independent of your consent or our contractual relationship.

  • Purpose: Statutory Record Keeping: Maintaining financial transaction records, contract logs, and sales tax documentation for the mandatory duration specified by Estonian and European Union fiscal and corporate law.
  • Purpose: Regulatory Response: Responding fully and accurately to verified and lawfully issued judicial subpoenas, court orders, or mandatory inquiries from regulatory or government authorities.
  • Necessity Statement: This processing overrides other interests as it is required to comply with binding laws and is not optional.

3.3 Processing Based on Our Legitimate Interests
We process data under our Legitimate Interest where the purpose is justified and necessary, provided your interests or fundamental rights do not override our own. We maintain detailed internal documentation of our Balancing Test for each activity:

  • Purpose: Platform Security and Integrity:
    • Activity: Proactive monitoring of access logs, network traffic, and pseudonymized usage patterns (IP addresses, timestamps) to detect, investigate, and prevent unauthorized access, malware, brute-force attacks, and systemic fraud.
    • Justification: We deem this necessary for the security of our entire user base and the integrity of the data stored on our platform. The processing is strictly limited to network defense and forensic analysis, using data minimization techniques, ensuring the protective measure is proportionate to the risk and does not override your right to privacy.
  • Purpose: Service Optimization and Quality Assurance:
    • Activity: Analyzing aggregated and pseudonymized usage statistics, feature adoption rates, diagnosing platform bottlenecks, and conducting A/B testing to drive product roadmap decisions and improve overall user experience (UI/UX).
    • Justification: This processing is essential for continuous product improvement and market competitiveness. By minimizing data identification and focusing on statistical trends, we ensure the processing benefits the users collectively while having a minimal impact on individual privacy.
  • Purpose: Internal Administrative Operations:
    • Activity: Using data for internal reporting, managing licensing compliance (to prevent unauthorized use), corporate risk management, and insurance purposes.
    • Justification: Processing is necessary for the effective and responsible management of the business and its financial risks, which is a widely accepted and expected administrative function.

3.4 Processing Based on Your Consent
We process data based on your freely given, specific, informed, and unambiguous consent.

  • Purpose: Marketing Communications: Sending non-transactional newsletters, promotional offers, and product updates where we do not rely on Legitimate Interest.
  • Purpose: Optional Cookies and Tracking: Utilizing non-essential cookies (e.g., performance, advertising) for tracking and personalization.
  • Mechanism and Control: Consent is always obtained via an explicit, unbundled opt-in checkbox or via our Cookie Consent Banner. You retain the right to withdraw consent at any time by utilizing the "unsubscribe" link in our emails or by adjusting settings in the Cookie Preference Center. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4. How We Share Your Personal Data

We operate under a "need-to-know" principle, meaning Personal Data is only shared with specified third-party recipients who require it to perform essential services and who provide comprehensive data protection assurances. We guarantee that we do not sell, rent, or trade your Personal Data for monetary consideration.

4.1 Our Trusted Service Providers
All third-party processors are strictly bound by a legally enforceable Data Processing Addendum (DPA) with Newployee, explicitly incorporating the latest Standard Contractual Clauses (SCCs) where necessary.

  • Infrastructure & Hosting:
    • Recipients: Large-scale, accredited cloud providers (e.g., Google Cloud, AWS).
    • Guarantees: We rely exclusively on providers that maintain industry-leading security certifications and practices. Data is stored in highly secure, physically protected data centers, and access is controlled solely by Newployee's configuration.
  • Analytics & Performance Monitoring:
    • Recipients: Analytics platforms (e.g., Google Analytics).
    • Guarantees: Data sharing is restricted to pseudonymized or aggregated identifiers. We implement IP anonymization and data minimization techniques before transmission to these providers, ensuring that individual users cannot be directly identified from the usage metrics.
  • Financial & Payment Processing:
    • Recipients: PCI-DSS compliant payment vendors (e.g., Stripe).
    • Guarantees: We use vendors certified as compliant with the Payment Card Industry Data Security Standard (PCI-DSS). As noted, we never handle or store sensitive payment card details ourselves.
  • Technology Partners (AI/ML and Feature Enhancement):
    • Recipients: Specialized technology firms providing advanced services like smart suggestions or internal tool efficiencies.
    • Guarantees (Crucial): Processing is performed within strictly isolated, non-production environments or via secure APIs. We require contractual clauses that explicitly prohibit the partner from using Newployee's or our Clients' Personal Data to train or improve their general models, ensuring data is used only for the defined enhancement purpose and is immediately deleted after the processing task is completed.
  • Communication & CRM:
    • Recipients: Email delivery services, support ticket platforms, and Customer Relationship Management (CRM) software.
    • Guarantees: Data sharing is limited to necessary contact details and interaction history for the purpose of communicating service changes, support replies, or license management.

4.2 Sharing Within the Newployee Corporate Group
Personal Data may be shared internally within the Newployee corporate group.

  • Purpose: Sharing is strictly limited to the necessary execution of centralized functions, such as global IT management, internal finance consolidation, and dedicated centralized customer support (follow-the-sun model).
  • Guarantee: All affiliated entities are subject to this Privacy Policy and the same stringent internal data protection standards and access controls.

4.3 Disclosures to Professional Advisers and Public Authorities

  • Professional Advisers: We disclose data on a limited, strictly necessary basis to our external lawyers, auditors, and insurers. These parties are bound by strict professional confidentiality and, where applicable, the relevant professional secrecy laws.
  • Public Authorities: Disclosure occurs only when legally compelled—that is, in response to a verified judicial order, subpoena, or mandatory regulatory compliance demand. We will always attempt to challenge broad, non-specific requests where possible to protect your privacy.

4.4 Corporate Transactions

  • Disclosure: Data may be disclosed to a buyer or successor entity in the event of a merger, acquisition, divestiture, or sale of assets.
  • Guarantee: This transfer is subject to a legally binding confidentiality agreement requiring the successor entity to adhere to privacy standards equal to or exceeding those set forth in this Policy. You will be notified of any such change via individual email notification and a prominent banner or notice on our website homepage, preserving your right to object and request deletion of your data prior to the transfer. This notification will be issued at least 30 calendar days in advance of the data transfer taking effect.

5. International Transfers of Your Data

We process and store data within the European Economic Area (EEA) by default. However, as a global service, data may be transferred to, and processed in, jurisdictions outside the EEA (e.g., the United States or Singapore) that have not received an adequacy decision from the European Commission.
We guarantee that all such transfers are lawful and maintain an equivalent level of protection to that afforded under the GDPR.

Newployee’s regional entities in the United States and Singapore are planned for future establishment. Until such entities are operational, all data processing is managed exclusively by Newployee OÜ in Estonia.

5.1 Our Transfer Safeguards
We ensure compliance by implementing the following robust mechanisms:

  • Standard Contractual Clauses (SCCs): We execute the latest European Commission-approved SCCs (and the equivalent UK International Data Transfer Addendum) with every third-party processor receiving data from the EEA. These SCCs are directly incorporated into our Data Processing Addendum (DPA), making them legally binding.

5.2 Assessing and Mitigating Transfer Risks
In accordance with relevant legal rulings, the implementation of SCCs must be validated by a risk assessment:

  • Mandatory Transfer Impact Assessments (TIAs): We commit to performing mandatory and documented Transfer Impact Assessments (TIAs) for all non-EEA transfers. This comprehensive assessment evaluates the legal framework of the recipient country, particularly focusing on the existence and enforcement of governmental surveillance laws and local authority access to data.
  • Mitigation and Supplementary Measures: If a TIA identifies a legal risk (e.g., access by foreign public authorities), we implement supplementary technical and organizational measures to mitigate that risk, ensuring the protection offered by the SCCs is upheld. These measures include:
    • Enhanced Encryption: Utilizing state-of-the-art end-to-end encryption or cryptographic pseudonymization even while the data is held by the processor.
    • Transparency Obligations: Contractually requiring the processor to immediately notify Newployee of any legally binding requests for data access by governmental authorities, enabling us to challenge the request legally.

5.3 Transparency Regarding Transfer Documentation
Our DPA, which includes the SCCs and outlines the scope of the transfer, is readily available upon request by contacting our Privacy Contact, ensuring full compliance with the principle of transparency.

6. Data Retention and Erasure

We strictly adhere to the principle of storage limitation, meaning we only retain Personal Data for the minimum period necessary to fulfill the original purpose of collection or to meet mandatory legal and financial obligations.

6.1 Our Data Retention Schedule
We apply different retention schedules based on the nature and legal necessity of the data:

  • Client & User Data (Controller Scope):
    • Duration: Retained for the entire contractual term (duration of active service subscription).
    • Post-Termination: Data is retained for an additional maximum of three (3) years after the contract termination date.
    • Justification: This post-termination period is strictly limited to the necessity of defending legal claims (e.g., potential claims under commercial law), resolving disputes, enforcing agreements, and complying with mandatory auditing and financial reporting requirements. This period covers the typical statute of limitations for commercial disputes in many European jurisdictions.
  • Marketing Data (Controller Scope):
    • Duration: Retained until consent is explicitly withdrawn (e.g., via unsubscribe link).
    • Passive Retention Limit: If consent is not withdrawn, the data is subject to automatic deletion after twelve (12) months following the last recorded engagement (e.g., last email open, click, or login). This ensures we only market to genuinely engaged prospects and minimize risk associated with stale data.
  • Employee Data (Processor Scope):
    • Duration and Control: As the Processor, we do not determine the retention period. This data is retained as long as required by the Client (Controller).
    • Action Upon Termination: We commit to the immediate deletion or secure return of all Employee Data upon the Client’s written instruction or upon the termination of the service agreement, as explicitly defined in the Data Processing Addendum (DPA). We do not retain copies unless legally mandated by a separate, overriding legal obligation.

6.2 Our Secure Deletion Protocol
We ensure that all data deletion is irreversible and follows industry best practices to prevent unauthorized recovery.

  • Methodology: Upon expiry of the applicable retention period, Personal Data is actively and permanently destroyed using certified irreversible methods, which may include:
    • Cryptographic Erasure: Deleting the encryption key used to scramble the data.
    • Secure File Shredding: Using software protocols to overwrite the storage space multiple times.
    • Irreversible Anonymization: Where necessary for statistical analysis or product testing, data is processed using techniques that prevent re-identification, ensuring the data is no longer considered "Personal Data."
  • Timeframe Commitment: We commit to completing the permanent deletion cycle from all primary systems and backups within 90 days of the retention period expiring or the verified deletion request.

7. Your Data Subject Rights

As a data subject under the GDPR, you possess strong, comprehensive rights regarding your Personal Data. We are committed to honoring these rights in full.

How to Exercise Your Rights
You may exercise any of the following rights by submitting a verified request to our dedicated contact channel: privacy@newployee.com.
We are obligated to respond to your verified request without undue delay and in any event within one (1) calendar month of receipt. We may extend this period by two further months where necessary, taking into account the complexity and number of requests.

Detailed Breakdown of Your Rights

  1. Right of Access
    • What it means: You have the right to obtain confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to the Personal Data and related supplementary information (e.g., the purposes of the processing, the categories of data concerned, and the recipients to whom the data has been disclosed).
    • Our commitment: We will provide a detailed copy of the Personal Data we process, free of charge for the first request.
  2. Right to Rectification
    • What it means: You have the right to request the correction of inaccurate Personal Data and to have incomplete Personal Data completed, including by means of providing a supplementary statement.
    • Your responsibility: We rely on the accuracy of the data you or your employer provide. Please notify us immediately if your details change or are incorrect.
  3. Right to Erasure ("Right to be Forgotten")
    • What it means: You have the right to request that we delete your Personal Data where the data is no longer necessary for the original purposes for which it was collected, or where you have successfully withdrawn consent or objected to processing.
    • Exceptions: This right is not absolute. We are legally required to refuse erasure if the processing is necessary for compliance with a legal obligation (e.g., tax law) or for the establishment, exercise, or defense of legal claims.
  4. Right to Restriction of Processing
    • What it means: You have the right to obtain a temporary restriction of processing under specific conditions. This means we may store your data but cannot actively process it further (e.g., while the accuracy of the data is being verified, or if the processing is unlawful but you oppose erasure).
  5. Right to Data Portability
    • What it means: You have the right to receive the Personal Data that you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV). This right applies only to data processed based on consent or contractual necessity, and where processing is carried out by automated means.
    • Our commitment: We will ensure the data is provided in a format that is technically feasible for you to transmit to another controller without hindrance.
  6. Right to Object
    • What it means: You have the right to object to processing based on our legitimate interests. We must cease processing unless we demonstrate compelling legitimate grounds that override your interests.
    • Direct Marketing: Your right to object to the processing of Personal Data for Direct Marketing purposes is absolute and unconditional. We will cease processing for marketing immediately upon receipt of this objection.
  7. Right to Withdraw Consent
    • What it means: Where processing is based on your consent, you have the right to withdraw your consent at any time.
    • Effect: Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. After withdrawal, we will cease the specific processing activity for which consent was required.

8. Our Security and Data Breach Procedures

We prioritize the confidentiality, integrity, and availability of your Personal Data. Our security framework is built on industry best practices and robust, established controls.

8.1 Our Technical and Organizational Security Measures
Our security controls are applied consistently across all data processing environments and are designed to meet high industry standards:

  • Encryption Guarantees:
    • Data At Rest: All sensitive data stored on our servers is protected using AES-256 encryption, ensuring that even if physical storage were compromised, the data remains unreadable.
    • Data In Transit: All communication between your device and our platform, and internally between our services, is secured via TLS 1.2+ encryption (Transport Layer Security), preventing eavesdropping and man-in-the-middle attacks.
  • Access Control and Minimization:
    • Strict Access Control: We enforce Role-Based Access Control (RBAC) across all internal systems, ensuring personnel can only access the minimum data strictly necessary for their defined job function (principle of least privilege).
    • Just-in-Time (JIT) Provisioning: Employee access to production environments is temporary, time-limited, and logged, meaning access must be explicitly approved for each specific instance, significantly reducing internal exposure risk.
    • Multi-Factor Authentication (MFA): We enforce MFA for all administrative access to our core systems and infrastructure.
  • Vulnerability and Risk Management:
    • Proactive Vulnerability Management: We maintain a rigorous program for the ongoing identification, assessment, and remediation of security vulnerabilities in our systems and software.
    • External Security Assessments: We engage in regular external security reviews to validate our defenses and identify potential areas for improvement.
    • Internal Security Policies: We maintain and enforce comprehensive internal information security policies that are regularly reviewed and updated.
  • Physical and Environmental Security:
    • Our infrastructure is hosted with leading, accredited cloud providers that maintain industry-leading physical security controls at their data centers, including 24/7 monitoring, biometric access, and environmental safeguards.
  • Business Continuity and Disaster Recovery:
    • We have implemented robust business continuity and disaster recovery plans to ensure the availability of our service and the protection of your data in the event of a significant incident.

8.2 Our Data Breach Response Protocol
We maintain a detailed Incident Response Plan (IRP) to ensure rapid containment and transparent communication in the event of a security breach:

  • Notification Commitment: We commit to notifying the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach.
  • Data Subject Communication: If the breach is likely to result in a high risk to your rights and freedoms, we will notify the affected data subjects directly without undue delay. This notification will provide specific, actionable information, including the nature of the breach and measures taken to mitigate its adverse effects.

For a comprehensive, technical overview of our entire security architecture, operational processes, and compliance certificates, please review our Information Security Policy (link).

9. Use of Cookies and Tracking Technologies

We utilize cookies, pixels, web beacons, and similar tracking technologies to ensure the necessary functionality of our website and services, analyze performance, and, where consented, for marketing purposes.

9.1 Your Control and Consent
We strictly adhere to the requirement of obtaining granular, informed, and explicit consent for all tracking technologies that are not strictly necessary for the operation of the service.

  • Consent Mandate: Consent is never bundled; you have the right to consent to one purpose (e.g., performance) while rejecting another (e.g., marketing). We obtain clear, explicit, and separate Consent for all non-essential cookies via our Consent Management Platform (CMP).
  • Opt-in Default: All non-essential categories of cookies (Performance, Functional, Advertising) are set to "Off" by default until you provide affirmative consent.

9.2 Types of Cookies We Use
We categorize the cookies we use to facilitate your control:

  • Strictly Necessary Cookies: Essential for enabling core website functions, security, and authentication. These cookies are used under our Legitimate Interest to provide the service you request and do not require consent.
  • Performance & Analytics Cookies: Used to count visits, analyze traffic sources, track platform feature usage, and monitor site performance. This data is primarily aggregated or pseudonymized. Consent is required.
  • Functional Cookies: Used to remember your site preferences (e.g., language selection, remembered login status) to provide enhanced and personalized features. Consent is required.
  • Advertising & Targeting Cookies: Used to track browsing habits across websites to build a profile of your interests and show you relevant advertising on external third-party sites. Explicit Consent is mandatory.

9.3 Managing Your Preferences
You retain the absolute right to manage your preferences and withdraw consent at any time.

  • Detailed Policy: A comprehensive list of all specific cookies used, their purpose, duration, and whether they are first-party or third-party, is maintained in our dedicated Cookie Policy.
  • Control Center: You can manage and withdraw your consent for any non-necessary category of cookie at any time by accessing our Cookie Preference Center (link).
  • Withdrawal Effect: Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Any withdrawal is effective immediately upon updating your preferences.

For detailed information about the specific cookies used, please refer to our full Cookie Policy at https://www.newployee.com/cookie-policy.

10. Third-Party Websites

Our Policy applies strictly and solely to data processing activities carried out by Newployee OÜ via the Newployee platform and associated websites.

  • Scope and Disclaimer: This Privacy Policy does not apply to, and we are not responsible for, the content, security, or data collection practices of any external websites, applications, or platforms linked from our service (including social media platforms, partner sites, or client external resources).
  • User Guidance and Responsibility: We strongly advise and encourage all users to carefully review the privacy policy and terms of service of any third-party website or application before providing any Personal Data or engaging in any transaction.

11. Changes to This Policy

We reserve the right to modify this Privacy Policy to reflect changes in our legal obligations, service offerings, data processing practices, or technological advancements. Our commitment to transparency dictates a clear protocol for notifying you of these changes.

11.1 Updates and Revisions
We will always indicate the revision by updating the "Last Updated" date displayed at the very beginning of this Policy. Minor changes, such as typographical corrections, clarification of existing language, or adding external links, will take effect immediately upon posting the revised policy.

11.2 Notification of Material Changes
For Material Changes, defined as any changes that significantly affect your rights as a data subject, the core nature of our processing (e.g., changing the legal basis for a key process), or the introduction of new processing activities, we commit to a mandatory advance notice period:

  • Advance Notice Period: We will provide notice at least thirty (30) calendar days before the material changes take effect.
  • Notification Methods: We will ensure effective communication via a combination of methods:
      • Direct Individual Communication: Sending a dedicated email notification to the primary email address associated with your user account.
      • Public Notice: Displaying a prominent banner or notice on the homepage of our website and/or within the platform's user interface.
  • Your Right to Action: This advance notification period allows you time to review the changes. If you disagree with the new terms, you retain the right to exercise your data subject rights (e.g., the right to object or request erasure of your data) before the revised policy becomes binding.

12. Contact Us and Your Right to Complain

Dedicated Privacy Contact: privacy@newployee.com

Right to Lodge a Complaint
You have the right to lodge a complaint with our lead supervisory authority, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), if you believe we have processed your Personal Data unlawfully.
