Privacy Policy

Learn how we treat personal data across the websites we operate and services we provide.

1. Overview

Welcome to Employment Hero! We value the trust you place in us when providing us with your Personal Data, and we aim to protect your data to the highest of standards as we provide our products and services to you. This Privacy Policy is effective from 1 June 2026.

View the archived versions here

2. Scope of this policy

This Privacy Policy explains how we collect, use, and share your Personal Data, and the data protection rights that apply to you. It applies to our customers, end-users, website visitors, vendors, partners, and anyone who participates in our promotions or events (referred to as ‘you‘ or ‘your‘).

Our Services

Services	Features + Description
EH Platform	The Employment Operating System that includes the HR and payroll services with Hero Passport, Perks, workforce management and insights, and talent recruitments features.
EH Services	Our subscription services like Managed Payroll, HR Advisory, HR Partner, Payroll Partner, Benefits (+). The availability of these services vary based on region.
Humi by Employment Hero Classic Platform	The legacy HR, payroll and benefits platform that is available to customers in Canada.
EH Work app	The Employment Hero app, including the HR features of the EH Platform under its Work feature, along with financial products and services under the Money feature, and special offers, discounts and cashbacks under the Perks feature.
EH Jobs	Employment Hero Job board (EH Jobs board), the Employment Hero Jobs app (EH Jobs app). These are services that can only be accessed if you separately sign up for them.
HeroForce	Our Employer of Record (EOR) services.
HR Advisory	HR advice and support services.

This Privacy Policy also covers Personal Data processed through AI-powered features in our platform and through AI-assisted tools used by our team in the course of delivering those Services. For details on how AI is incorporated into our Services, you can view our AI Services Statement.

Depending on how you interact with our Services, we may process your Personal Data as a data controller or a data processor. For example, where you access our Services through your employer, your employer is typically the data controller and we process your Personal Data on their behalf. Where you have a direct relationship with us, such as a personal account independent of an employer, then we act as the data controller. This Privacy Policy applies to our processing as a data controller. For details on our role as a data processor, refer to our Data Processing Addendum.

When does this Privacy Policy apply?

This Privacy Policy applies to you when you do any of the following:

create or administer your account with us;
use our Services to the extent where we are a data controller;
use the EH Jobs services as a candidate;
participate in a benefits program through your employer where your employer is using our benefits brokerage services;
participate in our Hero Foundation program (in which case Annex 2 of this Privacy Policy also applies to you);
register to, or participate in our marketing, webinars, or events;
provide services to us; and
receive communications from, or otherwise interact or communicate with us, including via email, phone, or social media channels.

This Privacy Policy does not apply to the following:

Personal Data processed on behalf of business customers – where we process Personal Data under the instruction of a business customer as a data processor, including payroll data and employment details. That processing is governed by our Data Processing Addendum.
Our role as an employer – any Personal Data we process as a prospective, current, or former employer. If you are applying for a role with us or our affiliates, please refer to our Applicant Privacy Policy.
Third-party data – any products, services, websites or content that are offered by third parties through integrations with our Services, which are governed by their own privacy practices.
HeroForce Workers – if you are engaged as a HeroForce Worker, Personal Data we process about you in our capacity as your employer of record is covered by our HeroForce Worker Privacy Policy. This Privacy Policy applies to your use of our platform and Services as a user.

3. Who are we

When we say ‘Employment Hero’, ‘us’, ‘our’, or ‘we’ in this Privacy Policy, we’re referring to Employment Hero Pty Ltd and its affiliates.

4. Personal Data

Data classification	Description
Personal Data	Personal Data (also known as “Personal Information”) is any information relating to an identified or identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Special Categories of Personal Data	Special Categories of Personal Data (also known as “Sensitive Information”) include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data classification

Description

Personal Data

Personal Data (also known as “Personal Information”) is any information relating to an identified or identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Special Categories of Personal Data

Special Categories of Personal Data (also known as “Sensitive Information”) include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

If you cannot be identified, then this notice does not apply to you. An example of this is when your Personal Data has been aggregated and/or anonymised.

5. Information that we collect and how we collect it

The Personal Data we collect will vary depending on how you interact with us and the Services we provide to you. We collect Personal Data in three main ways: directly from you, automatically when you use our Services, and from third parties.

We may also collect and process Special Categories of Personal Data with your explicit consent where necessary to provide our Services to you.

Personal Data you provide to us

We collect Personal Data that you provide when you fill in a form on our website, create an account, use our Services, or engage with us directly in other ways. This varies depending on how you interact with us, and includes the following:

Personal Data you give us directly	Relevant Services
Individual account information including name, username, date of birth and age, details regarding gender, sex, marital status, profile photo, and login credentials	• EH Platform • EH Services • EH Work app • EH Jobs • HeroForce
Individual contact information including residential and/or postal address, email address, telephone number, emergency contact information, and social media handles	• EH Platform • EH Services • EH Work app • EH Jobs • HeroForce
Business contact information including administrator and account owner names, signatures, business address, and the name and contact details of any personnel involved in the recruitment process	• EH Platform • EH Services • EH Work app • HeroForce
Employment related information including occupation or job title, information relating to your current employer, information relating to your former employer and role, key dates relating to your current role and/or past roles, superannuation information, salary and/or pension details including documents such as payslips and payment summaries, citizenship and visa status for work eligibility purposes, and tax information	• EH Platform – Hero Passport • EH Services • EH Work app – Work feature – Hero Passport • EH Jobs
Recruitment information including CV, cover letter, profile photo, videos you upload, work preferences, salary expectations, education history, work history, qualifications, languages, references (if you are applying for a role with Employment Hero or our affiliates, please refer to our Applicant Privacy Policy)	• EH Jobs
ID verification and credit report information including government-issued identification documents such as passport and driver’s licence to comply with global anti-money laundering (AML), know your customer (KYC) and know your business (KYB) obligations	• EH Platform • EH Services • EH Work app – Money feature • EH Jobs
General engagement data including company/employer information, reason for contacting us, survey and research responses, social media information, video and call recordings, and general correspondence	• EH Platform • EH Services • EH Work app • EH Jobs • HeroForce
Billing information including payment details such as banking, or debit/credit card details	• EH Platform • EH Services • EH Work app – Money and Perks feature • HeroForce
Special Categories of Personal Data including health or disability information, biometric information, immigration information, criminal history and background checks, and certain diversity related information	• EH Platform • EH Services • EH Work app – Money feature • EH Jobs • HeroForce Only as necessary and with consent.

Personal Data we collect automatically

We collect certain information automatically when you use our Services, including through cookies, web beacons, and similar tracking technologies that operate on your device or in our emails. This includes the following:

Personal Data we collect automatically	Relevant Services
Usage and interaction data including clickstream data showing how you navigate to, through, and from our website and Services which may also include dates and times, content you viewed or searched for, page load and response times, download errors, time spent on pages, and page interaction data such as scrolling, clicks, and mouse movements	• EH Platform • EH Work app • EH Jobs
Device and technical identifiers including device data derived from its hardware configuration, browser type and version, operating system, time zone, IP addresses, network identifiers, behavioural signals and other device attributes collected when you access or use our Services	• EH Platform • EH Work app • EH Jobs
Location information including specific location information you provide us via your device using GPS, wireless, or Bluetooth technology, including IP addresses and information about your internet service provider, computer and device information like device, application, or browser type and version, and location information you manually input (you can control access to precise location information through your device settings)	• EH Platform • EH Work app • EH Jobs
Information contained in cookies and similar tracking technologies including those described in our Cookie Policy	• EH Platform • EH Work app • EH Jobs
Marketing and consent preferences including records of any consent you have given us, your marketing preferences, and opt-in or opt-out signals collected through our Services or via third-party platforms such as social media sites	• EH Platform • EH Work app • EH Jobs • HeroForce

Personal Data we receive from third parties

We may also collect your Personal Data from third parties where you have provided consent or where we have another lawful basis for doing so.

Source	What we collect	Relevant Services
Your employer or organisation	Personal Data provided by an employer about their employees through our platform or apps, including name, contact details, employment details, job title, payroll information, demographic information, and other HR data your employer enters into the platform on your behalf	• EH Platform • EH Services • EH Work app
Identity verification and fraud prevention providers	Name, address, date of birth, government-issued ID details, and credit or risk-related information received from identity verification and fraud prevention services to support KYC, AML, and security obligations	• EH Platform • EH Services • EH Work app
Financial partners	Banking details, transaction history, and account verification data received from banks, payment processors, card networks, and money transmitters to support the delivery of financial products and services	• EH Platform • EH Work app
Third-party service providers and APIs	We may receive your Personal Data from partners and service providers who support the delivery of our Services. This includes referral and reseller partners who distribute our Services to businesses, and Benefits+ partners (including insurers, brokers, and their appointed agents) where your employer uses our benefits brokerage service (Benefits +). Personal Data received may include your name, contact details, company information, employment details, and benefits enrolment and claims information. We may also receive Personal Data via third-party APIs who support the delivery of our Services.	• EH Platform • EH Work app • EH Jobs
Social media platforms	Personal Data from social media sites where permitted by their terms and where you have consented or another lawful basis applies	• EH Platform • EH Work app • EH Jobs
Applicant Tracking Systems (ATS)	If you apply for a role through a third-party platform integrated with our ATS, we may collect Personal Data provided via that platform like CV, work history, qualifications, contact details, and other recruitment information you have submitted via third-party platforms integrated with our ATS	• EH Platform • EH Jobs
Superannuation funds (Australia)	Fund membership number and membership status, received where you have consented to verification of your superannuation membership in connection with our Super Services	• EH Platform • EH Work app
Public and commercial sources for marketing	Name, email address, job title, company, and professional profile information collected from publicly available sources (such as LinkedIn) and commercial data providers to support sales and marketing activities	All Services
Google services	We may receive Personal Data like account credentials and profile data via Google APIs, including Limited Use requirements. Our use of Personal Data received from Google APIs will adhere to the Google API Services User Data Policy. We also use Google Analytics You may opt-out from the Google Analytics service using your information by installing the Google Analytics Opt-out Browser tool. and Google reCAPTCHA Enterprise. Your use of reCAPTCHA Enterprise is subject to Google’s Privacy Policy and Terms of Use.	All Services
HR Advisory partners	We may receive information from third parties who support the delivery of HR Advisory services, to the extent that no legal privilege is breached	HR Advisory
Our affiliates	Contact details, account information, and other Personal Data may be shared between members of the Employment Hero group in connection with the delivery of our Services	All Services

Information we collect from you about third parties

From time to time, you may provide us, and we may collect from you, Personal Data of or about a third party (for example, information you put into our systems as an employer on behalf of your employees). When you provide the Personal Data of a third party, it is your responsibility to ensure that the necessary consent has been acquired or other lawful basis is relied on, and that those individuals are aware of this Privacy Policy, and that they understand it and agree to accept it.

6. Children’s Privacy

Our Services are not directed at children. We do not knowingly collect Personal Data from anyone under the age of 16 (or the applicable minimum age in your jurisdiction) without verifiable parental or guardian consent.

If you are a parent or guardian and believe your child has provided us with Personal Data, or if you become aware that a minor has accessed our Services, please contact us at privacy@employmenthero.com. We will take prompt steps to delete that information from our records.

7. Why we process your information

The legal basis we may rely on when processing Personal Data

We must have a legal basis to process your Personal Data and we explain these legal bases below.

Contractual performance – we have obligations under our contract with you. To fulfil those obligations, we will have to use your data.
Consent – in certain cases, we ask for your consent to use your data. Whenever we ask for your consent, we will explain the situations where we use your data, and the purposes for which the data will be used.
Legitimate interest – we can process your data when this is necessary for us to achieve a business purpose, or where this is necessary for someone else to achieve their purpose. We explain below what interests we, or others, are trying to achieve when we process your data. Where we process Personal Data on the basis of a legitimate interest, then to the extent required by data protection law, we carry out a balancing test to document our interests, to consider what the impact of the processing will be on individuals, and to determine whether individuals’ interests outweigh our interests in the processing activity taking place.
Legal obligation – as an organisation, we are obliged to comply with applicable legal and regulatory requirements. In certain cases, we will have to use your Personal Data to meet these obligations.

Purposes for processing Personal Data

In the table below, we have explained the reasons for which we process your Personal Data, the processing activity that we carry out, the legal basis that applies in each instance, and the categories of data that we use for such activities.

What We Do And Why	Legal Basis	Personal Data
Fulfilling our contract, or taking steps linked to our contractual obligations	Contractual performance, consent	Any types of data identified as is necessary for this purpose
Providing implementations services (including AI-powered implementation) to implement our products and services for you, and onboard you on to our platform	Contractual performance, consent	Individual account information, Individual contact information, Employment related information
Providing our Services, including ancillary Services such as customer support implementation, and operations directly linked to Service delivery	Contractual performance, consent, legitimate interest	Any types of data identified as is necessary for this purpose
Using approved tools and platforms, including AI-assisted tools, when our staff perform tasks directly connected to delivering and supporting your contracted Services	Contractual performance, legitimate interest	Any Personal Data necessary for the relevant Service, including Special Categories of Personal Data where strictly necessary to deliver the contracted Service
Processing payments for our Services	Contractual performance	Billing information
Storing payment history information	Legal obligation	Billing information
Sending direct marketing and sales reach outs	Consent, legitimate interest	Individual account information, Individual contact information, Business contact information, Employment related information
Reporting on marketing campaign activities and understanding effectiveness of the campaigns	Legitimate interest, consent	Individual account information, Individual contact information, Business contact information, Employment related information
Conducting surveys and other market research to ensure our Services are relevant to your needs	Consent, legitimate interest	Individual account information, Individual contact information, Business contact information, Employment related information
Managing our use of tracking technologies such as cookies and analysing collected data to learn about our Services	Consent	Device data and data relating to the usage of Services
Sending service, technical and other administrative messages relating to our Services	Contractual performance, legitimate interest	Individual account information, Individual contact information, Employment related information
Ensuring Services are working as intended, and tracking outages or troubleshooting issues	Contractual performance	Data relating to the usage of Services
Personalising your experience with the Services, and tailoring our communications and marketing to you	Legitimate interest, consent, contractual performance	Individual account information, Employment related information, Location information, Search function inputs
Anonymising, pseudonymising, and aggregating personal data to enable us to analyse and improve our Services and platform while protecting individual privacy	Legitimate interest	Any types of data identified as is necessary for this purpose
Aggregating anonymised salary data for the purpose of salary benchmarking in various industries and geographies	Legitimate interest	Employment related information (aggregated and anonymised salary data)
Investigating any complaints by or about you	Legitimate interest	Any types of data identified as is necessary for this purpose
Investigating, raising or defending ourselves from legal claims	Legitimate interest, legal obligation	Any types of data identified as is necessary for this purpose
Investigating any suspected breach of any of our terms and conditions or unlawful activity engaged in by you	Legal obligation	Any types of data identified as is necessary for this purpose
Responding to legal matters, including court orders, subpoenas, or other legal processes	Legal obligation	Any types of data identified as is necessary for this purpose
Complying with our compliance, regulatory, auditing, and investigative obligations (including disclosure of such information in connection with legal process or litigation)	Legal obligation	Any types of data identified as is necessary for this purpose
Verifying your identity and/or carrying out credit report checks, and enabling us to monitor suspicious or fraudulent activity	Consent, legal obligation	ID verification and credit report information, Special Categories of Personal Data
Assessing data to protect the security of our premises, assets, systems, and intellectual property, and to enforce company policies, including monitoring communications as permitted by law	Legal obligation, legitimate interest	Any types of data identified as is necessary for this purpose
Processing data when undertaking mergers, acquisitions, reorganisations, or disposals, as permitted/required in accordance with applicable law	Legitimate interest, legal obligations	Any types of data identified as is necessary for this purpose

Use of non-personal data to improve and develop products and models

We do not use your Personal Data to train any AI models or for machine learning. We may analyse data relating to your activity and engagement on our Services to improve and develop our products, services, algorithms and models using machine learning. We may also analyse the performance of our Services to do things like optimise the product design, and develop and improve our products and services (including in relation to our engineering prompts used for our AI features).

Automated processing relating to EH Jobs candidates

Where you apply for a role through EH Jobs or an employer’s recruitment process powered by our platform, the employer may use AI-powered tools provided by us to screen, match, and assess your application, including by evaluating your responses to screening questions and, where applicable, conducting an AI voice interview. These tools analyse information you provide against employer-defined criteria to generate scores, rankings, or recommendations. They do not make final decisions.

Depending on how the employer has configured the process, this may include automated messaging, automatically progressing your application to the next stage where your application meets the employer’s set criteria, scheduling interviews, and conducting AI-powered screening interviews. The employer is responsible for how these features are configured and used in their recruitment process.

You can request human review of any assessment or an explanation of how AI was used in your evaluation.

Direct marketing and other communications

When we send you direct marketing based on our legitimate interests or where you have provided us with consent, these communications may be sent in various forms, including email, SMS, or social media.

You have a right to opt out of direct marketing at any time. You can do this by following the instructions in the communication within the electronic message we send to you, or by contacting us via email at privacy@employmenthero.com. Outside of such direct marketing, you may receive push notifications on your device, which can be controlled by your device settings.

We may also send you system trigger notifications about your use of the Services that you may be able to turn off using the preference settings within the platform.

We will still send you important notices relating to your account, operational activities, and technical updates, even after you have opted out of receiving direct marketing communications.

Phone numbers, emails, and opt-in consents will not be shared to third parties for their marketing purposes without your consent.

Cookies and tracking technologies

The Services we provide use cookies and similar technologies on our platform, app and websites. Cookies are small text files containing a string of alphanumeric characters which are sent to your computer that uniquely identifies your browser and lets us enhance your experience when using our Services. Cookies also convey information to us about how you use our Services.

When you use our Services, we may use cookies and similar technologies for the purpose of authenticating your use, remembering your preferences and settings, determining the popularity of content, and analysing and understanding your interactions with our Services.

The information that may be recorded includes information regarding your:

server address;
domain name;
date and time of visit;
previous websites visited;
use of our sites; and
browser type.

You can also read our Cookie Policy to further understand how cookies and similar technologies may be used to collect and use your Personal Data.

8. How we share your Personal Data

We may share your Personal Data with our affiliates and with third parties from time to time for the purposes described in this Privacy Policy. We will only share your Personal Data where we have a lawful basis to do so. We may disclose your information to:

Who we share with	Why we share it
Employment Hero group members and personnel	We may share your information between our affiliates and business functions, including with our employees, contractors, and representatives for the purposes of delivering and operating our Services.
Sub-Processors and vendors	We may disclose your Personal Data (including via APIs) to specific third-party service providers who facilitate the delivery of our Services. These providers may do things like support the functionality of some features, support our operations, and perform verification checks. For the purpose of ID verification and fraud prevention, we may disclose your Personal Data to telecommunication providers, mobile network operators, credit reporting agencies, and other third parties that run checks. These parties may only use your data to perform tasks on our behalf and are not permitted to use it for their own purposes.
Third-party service providers	We may disclose your Personal Data to third parties who provide services, software, and content made available for use on or through our Services (including add-ons and integrated services). In some cases, our Services simply provide a link to the third-party services, and you engage with the third party directly.
AI technology partners	We use approved AI tools in our operations. Providers of those tools may process your Personal Data as sub-processors, subject to strict data protection obligations and prohibitions on model training. See our approved sub-processor list
Your organisation	Where you access our Services as an employee of one of our customers, we may share relevant information with your employer and other authorised personnel where necessary to deliver the Services.
Recruitment parties — EH Jobs	If you are an EH Jobs candidate, we share candidate profile and application data with businesses advertising roles on EH Jobs. If you have a public profile, it may be viewable by business customers. See our EH Jobs Product Statement for more information.
HeroForce parties	To deliver our HeroForce employer of record services, we may share Personal Data between the HeroForce worker, our customer, and any partners who support us in providing the service.
Benefits and financial partners	Where you or your employer uses our Benefits or Perks products and services, we may share relevant Personal Data with the partners who support the delivery of these services, including insurers, brokers, superannuation funds, banks, card networks, and payment processors to facilitate those services.
Super Services	In connection with providing our Super Services, we may share your relevant Personal Data with our partner superannuation funds to check your membership with them (provided that you have given us consent to disclose your Personal Data to the superannuation funds). Once we verify you as a member of a superannuation fund, we will continue sharing your Personal Data with your chosen superannuation fund (including changes to your personal details, employment changes, life event information and other matters) only in connection with providing you access to their services and delivering our Super Services to you.
Referral and reseller partners	Where your organisation was referred or onboarded to our Services by a referral or reseller partner, we may share relevant account and contact information with that partner.
HR Advisory	We may share your Personal Data with partners, including affiliate entities, that directly support the provision of the HR Advisory services strictly for the purpose of providing the service. When doing so, we will make sure you are aware of the other parties involved and the role they play in providing the HR Advisory service
Legal and regulatory authorities	We may share your information with courts, law enforcement, regulators, or government authorities where required by law or to protect our legal rights. We will notify you of such disclosure to the extent permitted by law.
Business transaction parties	In the event of a merger, acquisition, restructure, or sale of assets, your information may be disclosed to advisers and the other entity as needed to complete the transaction.
Business Partners	We may share your data with our existing or potential agents, business partners, or joint venture entities to enable us to perform our business activities in relation to our services.
Event and promotion partners	We may share your data with partners if you participate in events or promotions we co-host or sponsor.

Where we share data with third parties, we take steps to ensure appropriate contractual protections are in place, including data processing agreements and restrictions on further use where required.

9. International data transfers

We may disclose Personal Data outside of the country in which our customers and users are based in connection with the purposes identified in this Privacy Policy, and the Services described. International data transfers may occur when we share Personal Data with Employment Hero’s team members and affiliates based globally, including in Australia, United Kingdom, New Zealand, Singapore, Malaysia, Vietnam, and the Philippines and other locations from which the team members may work remotely. International data transfers may also occur when we share Personal Data with third party service providers located globally where it is deemed reasonably necessary for us to make such transfers.

We take measures to ensure that international data transfers take place in compliance with applicable laws relating to international data transfers and in accordance with at least the standards that apply in the country whose privacy or data protection laws apply to that Personal Data. If you are a EEA or UK customer or user of our Services, your Personal Data is transferred outside the EEA or the UK in compliance with the relevant requirements under the GDPR.

Adequacy decisions

Where the European Commission or the UK government has determined that certain countries outside of the EEA or the UK have an adequate level of Personal Data protection, e.g., New Zealand, Personal Data can be transferred to such a country from the EEA or UK without any further safeguards being necessary. A full list of such adequate countries is available here (for the EEA) and here (for the UK).

Where information is transferred outside the UK, or the EEA to a location that is not subject to an adequacy decision by the European Commission or the UK government, we ensure data is adequately protected. We may transfer your Personal Data (as described in section 5 above) for the purposes described in section 7 above to another country by relying on the EU Standard Contractual Clauses for the transfers from the EU, or the International Data Transfer Agreement or International Data Transfer Addendum to the EU Standard Contractual Clauses for the transfers from the UK, or relying on such other data transfer mechanisms as available under applicable data protection laws.

A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

10. Third-party links

The Services may contain links to other websites operated by third parties. We make no representations or warranties in relation to the privacy practices of any third-party website. Third-party websites are responsible for informing you about their own privacy practices and policies and you are encouraged to review the privacy notices.

11. Storage and security of Personal Data

Personal Data held by us will be stored and managed on secure data centres in Australia, Ireland and Canada by our third-party storage provider. Further details on our third-party storage provider’s location and security can be found here.

Please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Data we have collected from you.

You can also play an important role in keeping your Personal Data secure by maintaining the confidentiality of any password and accounts used on the Services. Please notify us immediately if there is any unauthorised use of your account by any other internet user, or any other breach of security relating to your account via email at privacy@employmenthero.com.

You can learn more about how we keep your Personal Data secure by visiting our Security Portal.

12. Data retention

We retain data for as long as necessary to provide our Services and in accordance with our internal Data Retention Policy. This is a case-by-case determination that depends on things such as the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. We may delete (or anonymise) your Personal Data once this data is no longer needed for us to provide our Services to you, and this data will not be retrievable in the future once deleted.

You can delete some data whenever you like, some data is deleted automatically, and some data we retain for longer periods of time.

For example:

We keep account information for as long as your subscription or agreement continues or for as long as it is necessary to deliver our Services.
We will keep a record of the fact that you have asked us not to send you direct marketing, so that we can respect your request in future. If you unsubscribe from receiving direct marketing, then we will remove your details from our direct marketing mailing list.
We will keep the usage information and analytics data relating to your use of the Services to understand how people use our Services. We will do this through the use of cookies and tracking technologies to provide us with user analytics data to improve our Services and enhance your user experience. More information about the retention period of cookies can be found in our Cookie Policy.

Sometimes business and legal requirements oblige us to retain certain information, for specific purposes, and for an extended period of time. Reasons we might retain some data for longer periods of time include security, fraud prevention, financial record-keeping, complying with legal or regulatory requirements, ensuring the continuity of our Services, and when you have had direct communications with us.

13. Your rights and choices

You have the right to access your Personal Data, or to correct, delete or restrict processing of your Personal Data (to the extent practicable). You can also obtain the Personal Data you provide to us on a contractual basis or with your consent, in a structured, machine-readable format. To exercise your data deletion rights (or “your right to be forgotten”) and request full deletion of your data from our Services, you must reach out to us directly by emailing us at privacy@employmenthero.com. You can also correct and delete some Personal Data through your account provided by our Services. Our ability to delete your Personal Data may be limited to the extent we act as a data controller. Where your Personal Data has been provided to us by a third party acting in the capacity of a data controller (such as your employer), you must ask that third party to correct or delete your Personal Data on your behalf. This third party will then request us to correct or delete the Personal Data from our systems.
You can also object to the processing of your Personal Data in some circumstances where it is practicable to do so, i.e., when we are using the data for direct marketing.
You also have the right to request information about whether automated decision-making applies to you in a way that produces legal or similarly significant effects, and where applicable to request human review of that decision and an explanation of the logic involved.
You also have a right to complain, which you can do by following the process set out in section 15.
These rights may be limited, for example, if fulfilling your request would reveal Personal Data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, you can get in touch with us using the details set out below. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or where you believe a breach may have occurred.

For the provision of information marked as mandatory when you register to use our Service, if such information is not provided, then you will not be able to use our Services. All other provisions of your information are optional. If you do not provide such information, our provision of certain Services to you may be detracted from.

Where we rely on your consent, such as in relation to direct marketing communications, you will always be able to withdraw that consent at any time.

If you withdraw your consent to our processing of your data, this will not affect any processing which has already taken place.

14. How to get in touch with us

If you have any questions or concerns about how we process your data, please contact us via email at privacy@employmenthero.com.

We have appointed a Data Protection Officer (DPO) in the UK and Singapore, and a representative in the EU. If you wish to contact them about our privacy practices in these jurisdictions, you may do so using the contact details provided below.

Appointment	Details
Data Protection Officer	• Name: Bird & Bird DPO Service SRL • Email: dpo.employmenthero@twobirds.com • Address: Avenue Louise 235 b 1, 1050 Brussels, Belgium
EU Representative	• Name: Bird & Bird GDPR Representative Services Ireland • Email: eurepresentative.employmenthero@twobirds.com • Address: Deloitte House, 29 Earlsfort Terrace, Dublin 2, D02 AY28

Appointment

Details

Data Protection Officer

• Name: Bird & Bird DPO Service SRL

• Email: dpo.employmenthero@twobirds.com

• Address: Avenue Louise 235 b 1, 1050 Brussels, Belgium

EU Representative

• Name: Bird & Bird GDPR Representative Services Ireland

• Email: eurepresentative.employmenthero@twobirds.com

• Address: Deloitte House, 29 Earlsfort Terrace, Dublin 2, D02 AY28

15. Enforcement and complaints

If you have a complaint regarding this Privacy Policy or any breach of applicable data protections laws, please contact us in accordance with section 14 above. Once we receive a complaint, we will commence an investigation as soon as practicable. We may contact you during the process to seek any further clarification if necessary. We may also contact you to inform you of the outcome of the investigation.

We will aim to ensure that all questions and concerns are resolved in a timely and appropriate manner. If you are not satisfied with the outcome of your complaint, or require further information on privacy, you are entitled to contact your local data protection supervisory authority.

16. Changes to our Privacy Policy

We reserve the right to make changes to this Privacy Policy from time to time to reflect changes in the laws or regulations, our practices, our Services, or our operational requirements. You may periodically review this Privacy Policy to stay up to date with the latest changes. In the event that we make any significant changes in terms of data processing operations or any other change that may be relevant to you or impact you, we may additionally notify you via email or in-platform notifications on our Services.

Annex 1: Additional information for California residents

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

This Annex applies to California residents whose Personal Data we process and supplements the rest of this Privacy Policy. It sets out our practices under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2022 (together, the CCPA).

Categories of Personal Data we collect

The Personal Data we collect is described in Section 4 of this policy. Under the CCPA, those categories map to the following:

CCPA Category	Examples
Identifiers	Name, email address, IP address, account credentials, device identifiers
Personal information under Cal. Civil Code § 1798.80	Name, address, telephone number, financial information
Characteristics of protected classifications	Gender, age, citizenship or visa status, disability status
Commercial information	Billing and payment information, transaction history
Internet or electronic network activity	Usage data, clickstream data, page interactions, device information
Geolocation data	Precise and approximate location information
Professional or employment-related information	Job title, employer, employment history, payroll data, performance information
Education information	Qualifications, education history
Sensitive Personal Information	Government-issued ID, health or disability data, biometric data, precise geolocation, racial or ethnic origin
Inferences	Derived insights used to personalise your experience with our Services

Do we sell or share your Personal Data?

We do not sell your Personal Data. We may share certain data such as device identifiers and usage data with advertising and analytics partners in ways that may constitute ‘sharing’ under the CCPA for cross-context behavioural advertising. You have the right to opt out of this, as set out below.

Your rights under the CCPA

If you are a California resident, you have the following rights:

Right to know: you can request information about the categories and specific pieces of Personal Data we have collected about you, the sources it came from, why we collected it, and who we share it with.
Right to delete: you can request deletion of your Personal Data, subject to certain exceptions.
Right to correct: you can request correction of inaccurate Personal Data we hold about you.
Right to limit use of Sensitive Personal Information: you can direct us to limit our use of your Sensitive Personal Information to what is necessary to provide our Services.
Right to opt out of sale or sharing: you can opt out of the sale or sharing of your Personal Data for cross-context behavioural advertising.
Right to information about automated decision-making: consistent with regulations effective 1 January 2026, you can request information about whether automated decision-making technology (including AI-powered systems) is used in ways that significantly affect you, and opt out of such use in certain circumstances.
Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.

How to exercise your rights

To submit a request, contact us at privacy@employmenthero.com. We will respond within 45 days. We may need to verify your identity before processing your request. You may also designate an authorised agent to make a request on your behalf.

Shine the Light

California Civil Code § 1798.83 permits California residents to request information about our disclosure of Personal Data to third parties for their direct marketing purposes. We do not disclose Personal Data to third parties for their own direct marketing purposes without your consent.

Annex 2: Information for Hero Foundation Candidates

Privacy information for Hero Foundation candidates

Hero Foundation is the charitable arm of Employment Hero. We work with people who are unemployed, underemployed, or facing barriers to the workforce, and we offer personalised support that goes beyond a standard job board.

This Annex explains how we handle your Personal Data when you engage with Hero Foundation as a candidate. It supplements the main Employment Hero Privacy Policy, especially anything regarding EH Jobs, which also applies to you.

What Hero Foundation does

Through Hero Foundation, eligible candidates get access to EH Jobs and a higher level of personalised placement support. When you apply for a role through Hero Foundation:

Our team follows up with employers on your behalf;
Your profile is actively promoted to our network of businesses; and
You get access to interview preparation and job search resources.

We partner with community organisations, charities, and not-for-profit partners who refer individuals to Hero Foundation and may provide additional wraparound support services.

Personal Data we collect

We collect Personal Data to assess your eligibility for Hero Foundation support and to facilitate your job search. This includes:

Name, contact details, and profile information;
CV, work history, qualifications, job preferences, and salary expectations;
Eligibility information gathered through qualification questions at the time of registration; and
Any additional information provided by you or a referring partner organisation to help us support your placement.

Where relevant and with your explicit consent, we may also collect sensitive information, for example, health or disability information relevant to workplace adjustments. We handle this information with particular care, and only collect it with your consent.

How we use your Personal Data

We use your Personal Data to match you with suitable roles, promote your profile to relevant employers, provide placement support, and deliver interview preparation and job search resources. We process your Personal Data on the basis of your consent and, where applicable, our legitimate interests in delivering the Hero Foundation program.

Who we share your Personal Data with

To support your job search and placement, we may share your Personal Data with:

Employers in our network who may be a match for your skills and experience, which may include identifying you as a Hero Foundation candidate;
Partner organisations that referred you or provide wraparound support services for the purpose of facilitating your placement and support; and
Employment Hero personnel and systems used to operate and administer the platform and Hero Foundation program.

We will not share your Personal Data with partner organisations for their own marketing or unrelated purposes.

Your rights and how to contact us

Your rights in respect of Personal Data collected through Hero Foundation are the same as those set out in Section 13 of this Privacy Policy. If you have questions specifically about how your data is handled through Hero Foundation, please contact us at privacy@employmenthero.com.