Privacy Policy

This Privacy Policy describes how CreativeNook HR ("we", "us", or "our") collects, uses, stores, and protects personal information when you use the CreativeNook HR HR Management and Payroll System (the "System").

We are committed to protecting your personal information and being transparent about how it is used. This policy applies to all users of the System, including administrators, employees, and clients.

We collect information that is necessary to provide HR and payroll services. The types of data we process include:

We use your personal data only for the purposes described below. We do not use your data for advertising or sell it to third parties.

We do not sell, trade, or rent your personal information to third parties. We may share data only in the following limited circumstances:

• With your organization's authorized administrators, as necessary for HR operations
• With service providers who process data on our behalf (e.g., cloud hosting, email delivery) under strict data processing agreements
• When required by law, court order, or regulatory authority
• In the event of a business transfer, with appropriate notice to users

We implement a range of technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

• Encryption of sensitive data at rest and in transit (TLS/SSL)
• Encrypted storage of compensation and rate information
• Role-based access controls limiting data visibility by user role
• Account lockout after repeated failed login attempts
• Audit logging of sensitive operations and data changes
• Regular security reviews and dependency updates

We retain your personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Payroll and financial records may be retained for extended periods to comply with accounting and tax regulations. When data is no longer needed, we securely delete or anonymize it.

You may request deletion of your personal data by contacting your administrator or our support team. Please note that some data may be retained where required by law or legitimate business purposes.

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact your administrator or our support team.

We use a limited number of third-party services to operate the System. These providers are contractually required to handle your data securely and only for the purposes we specify.

Google OAuth 2.0

When you choose to sign in with Google, the following applies:

• We use Google's OAuth 2.0 service for secure, passwordless authentication
• We request only the minimum required scopes: email, name, and profile picture
• Your Google password is never transmitted to or stored by us
• You can revoke our access via your Google Account → Security → Third-party access
• Google's Privacy Policy governs the data Google collects during the authentication flow

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the effective date at the top of this page
• Notify users via email or in-app notification for significant changes
• Provide a summary of what has changed where possible

Continued use of the System after any policy update constitutes your acceptance of the revised terms.

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy-related concern, please contact us.