Privacy Policy

Effective Date: October 21, 2025

Last Updated: October 21, 2025

This Privacy Policy describes how AchillesHR, Inc. (“AchillesHR,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects information when you use our website located at achilleshr.com, our mobile applications, and the services we provide (collectively, the “AchillesHR Service”). This Privacy Policy applies to all users of the AchillesHR Service, including employees, agents, and independent contractors authorized by our customers (“Users”).

By accessing or using the AchillesHR Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the AchillesHR Service.

1. Information We Collect

We collect information in the following categories:

1.1 Information You Provide

When you register for an account or use the AchillesHR Service, you or your organization may provide us with information including your name, email address, company name, job title, and other details necessary to set up and manage your account.

1.2 Customer Content

Our customers and their authorized Users may upload or transmit content to the AchillesHR Service, including employee data, HR records, and other business information (“Customer Content”). Customers are responsible for the accuracy and legality of all Customer Content they submit.

1.3 Google User Data

When a customer chooses to connect their Google account to the AchillesHR Service, we may access the following Google user data:

Google Calendar Data: Calendar event details, including event titles, descriptions, dates, times, attendees, and associated metadata. We access Google Calendar data only when a customer or authorized User explicitly enables the Google Calendar integration within the AchillesHR Service. We request only the minimum scopes necessary to provide the functionality described in this policy.

1.4 Microsoft User Data

When a customer chooses to connect their Microsoft 365 account to the AchillesHR Service, we may access the following Microsoft user data via the Microsoft Graph API:

Microsoft Calendar Data: Calendar event details, including event titles, descriptions, dates, times, attendees, locations, and associated metadata from Microsoft Outlook/Exchange calendars.

Microsoft Teams Data: Teams presence and availability status, Teams chat messages and channel messages sent or received in the context of HR workflows, and user profile information (such as display name and email address) as made available through Microsoft Teams.

We access Microsoft user data only when a customer or authorized User explicitly enables the Microsoft 365 integration within the AchillesHR Service. We request only the minimum permissions (scopes) necessary to provide the functionality described in this policy, consistent with the principle of least privilege.

1.5 Performance and Usage Data

We automatically collect general performance and usage data related to how the AchillesHR Service is accessed and used, such as technical logs, feature usage patterns, and system performance metrics (“Performance Data”). Performance Data does not include Customer Content, Google user data, or Microsoft user data.

1.6 Cookies and Similar Technologies

We may use cookies, web beacons, and similar technologies to collect information about your interactions with the AchillesHR Service. Please refer to our Cookie Policy for more details.

2. How We Use Your Information

2.1 Providing and Improving the AchillesHR Service

We use the information we collect to operate, maintain, and improve the AchillesHR Service, including to provide customer support and to develop new features.

2.2 Use of Google Calendar Data

We use Google Calendar data accessed through the integration to:

•  Display and synchronize calendar events within the AchillesHR Service so that Users can view scheduling information alongside their HR workflows.

•  Schedule and manage meetings such as interviews, performance reviews, and other HR-related events.

•  Generate AI-powered messages and content for Users. Specifically, we may send calendar event data (such as event details and attendee information) to third-party large language models (“LLMs”) to generate contextual messages, summaries, or recommendations for Users within the AchillesHR Service.

2.3 Use of Microsoft User Data

We use Microsoft user data accessed through the integration to:

•  Display and synchronize calendar events within the AchillesHR Service so that Users can view Microsoft Calendar scheduling information alongside their HR workflows.

•  Schedule and manage meetings such as interviews, performance reviews, and other HR-related events directly through Microsoft Calendar.

•  Facilitate team communication by integrating with Microsoft Teams to enable HR-related notifications, meeting coordination, and workflow updates within the Teams environment.

•  Generate AI-powered messages and content for Users. Specifically, we may send Microsoft Calendar event data and relevant Teams context (such as event details and attendee information) to third-party large language models (“LLMs”) to generate contextual messages, summaries, or recommendations for Users within the AchillesHR Service.

We do not use Microsoft user data to monitor employee communications beyond what is necessary to deliver the specific HR features enabled by the customer.

2.4 Use of AI Tools

The AchillesHR Service incorporates third-party artificial intelligence and machine learning tools (“AI Tools”), including third-party LLMs. We may process Customer Content, including Google Calendar data and Microsoft user data, through these AI Tools to generate outputs such as messages, summaries, and recommendations. Users should review any AI-generated outputs for accuracy before relying on them.

2.5 Aggregated and De-Identified Data

We may use Customer Content on an aggregated and de-identified basis to analyze trends, improve the AchillesHR Service, and for other lawful business purposes. Aggregated and de-identified data cannot be used to identify any individual user or customer.

2.6 Compliance and Legal Obligations

We may use information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests.

3. How We Share Your Information

3.1 No Sale of Personal Data

We do not sell personal data, Google user data, or Microsoft user data to third parties.

3.2 Google User Data Sharing

We do not share Google user data with any third parties except as described below:

AI Tool Providers: Google Calendar data may be transmitted to third-party LLM providers solely for the purpose of generating AI-powered messages and content for Users within the AchillesHR Service, as described in Section 2.2. These providers process data only as instructed by AchillesHR and are contractually obligated to maintain the confidentiality and security of the data.

We do not share Google user data with third parties for their own advertising, marketing, or independent use.

3.3 Microsoft User Data Sharing

We do not share Microsoft user data with any third parties except as described below:

AI Tool Providers: Microsoft Calendar event data and relevant Teams context may be transmitted to third-party LLM providers solely for the purpose of generating AI-powered messages and content for Users within the AchillesHR Service, as described in Section 2.3. These providers process data only as instructed by AchillesHR and are contractually obligated to maintain the confidentiality and security of the data.

We do not share Microsoft user data with third parties for their own advertising, marketing, or independent use. We do not use Microsoft user data for purposes unrelated to the functionality of the AchillesHR Service.

3.4 Service Providers

We may engage trusted third-party service providers to assist in operating the AchillesHR Service (such as cloud hosting and infrastructure providers). These service providers have access to information only as necessary to perform their functions and are bound by contractual obligations to protect the confidentiality and security of the data.

3.5 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

3.6 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, information may be transferred as part of that transaction. We will notify affected customers of any such transfer.

4. Data Storage and Security

4.1 Storage

All data, including Google user data and Microsoft user data, is stored on Amazon Web Services (AWS) infrastructure located in the United States. AWS data centers maintain industry-standard physical and environmental security controls.

4.2 Security Measures

We implement and maintain appropriate administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, alteration, or disclosure. These measures include:

•  Encryption of data in transit using TLS 1.2 or higher, and encryption of data at rest.

•  Access controls that limit data access to authorized personnel on a need-to-know basis.

•  Regular security assessments and monitoring.

•  Secure authentication mechanisms for all user accounts, including support for multi-factor authentication.

•  Secure storage of API credentials and tokens used to access third-party services such as Google and Microsoft APIs.

4.3 Account Security

Customers and Users are responsible for maintaining the confidentiality of their account credentials. Each User account is protected by unique credentials that may not be shared. Customers must promptly notify AchillesHR of any actual or suspected unauthorized access to their accounts.

5. Data Retention and Deletion

5.1 Retention

We retain Customer Content, including Google Calendar data and Microsoft user data, for as long as a customer’s account is active or as needed to provide the AchillesHR Service. After a customer disconnects a third-party integration (such as Google Calendar or Microsoft 365) or cancels their account, the associated third-party data is retained until the customer requests its deletion.

Performance Data may be retained in aggregated and de-identified form indefinitely for analytics and service improvement purposes.

5.2 Deletion Requests

Customers and Users may request the deletion of their data, including Google Calendar data and Microsoft user data, at any time by contacting us at:

privacy@achilleshr.com

Upon receiving a valid deletion request, we will delete or de-identify the requested data within thirty (30) days, except where retention is required by applicable law or legitimate business purposes (such as resolving disputes or enforcing our agreements). We will confirm completion of the deletion to the requester.

5.3 Effect of Account Termination

Upon expiration or termination of a customer’s agreement with AchillesHR, we will retain Customer Content (including any Google user data and Microsoft user data) in accordance with this Section 5 until a deletion request is received.

5.4 Disconnecting Integrations

Customers may disconnect any third-party integration (Google Calendar, Microsoft Calendar, Microsoft Teams) at any time through the AchillesHR Service settings. Once disconnected, we will no longer access new data from that integration. Previously accessed data will be retained in accordance with this Section 5 until a deletion request is received.

6. Your Rights and Choices

6.1 Access and Correction

You may access and update your account information through the AchillesHR Service or by contacting us at privacy@achilleshr.com.

6.2 Data Portability

Where required by applicable law, you may request a copy of your data in a structured, commonly used, and machine-readable format.

6.3 Withdrawal of Consent and Integration Controls

You may disconnect any third-party integration (including Google Calendar, Microsoft Calendar, and Microsoft Teams) at any time through the AchillesHR Service. Once disconnected, we will no longer access new data from that integration. Previously accessed data will be retained in accordance with Section 5.

For Microsoft 365 integrations, Users and tenant administrators may also revoke the AchillesHR application’s permissions through the Microsoft Entra admin center or the Microsoft 365 admin center at any time.

For Google integrations, Users may revoke access through their Google Account security settings at any time.

6.4 Rights Under Applicable Privacy Laws

Depending on your jurisdiction, you may have additional rights under applicable privacy laws, including the right to know what personal data we collect, the right to request deletion, the right to correct inaccurate data, and the right to opt out of certain processing activities. To exercise any such rights, please contact us at privacy@achilleshr.com. We will respond to valid requests within the timeframes required by applicable law.

7. Google API Services Compliance

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

•  We only access Google user data that is necessary to provide and improve the AchillesHR Service’s features for the user.

•  We do not use Google user data for serving advertisements.

•  We do not allow humans to read Google user data unless we have obtained the user’s affirmative consent, it is necessary for security purposes or to comply with applicable law, or the data has been aggregated and de-identified for internal operations.

•  All transfers of Google user data to third parties (including AI Tool providers) are only for purposes necessary to provide the AchillesHR Service and are subject to appropriate confidentiality and security obligations.

8. Microsoft 365 and Microsoft Graph Compliance

Our use of information received from Microsoft APIs adheres to the Microsoft APIs Terms of Use and the Microsoft Store Policies (where applicable). Specifically:

•  We only request and access Microsoft user data using the minimum permissions (scopes) necessary to provide the AchillesHR Service’s features, consistent with the principle of least privilege.

•  We do not use Microsoft user data for serving advertisements or for any purpose unrelated to the functionality of the AchillesHR Service.

•  We do not sell, license, or share Microsoft user data except as expressly described in this Privacy Policy.

•  We collect, store, and transmit Microsoft user data securely using modern cryptographic methods, including TLS 1.2 or higher for data in transit and encryption at rest.

•  We provide Users and administrators with clear controls to disconnect the Microsoft 365 integration and to request the deletion of their Microsoft user data at any time.

•  We do not use Microsoft user data to build user profiles for purposes unrelated to the AchillesHR Service.

9. AI Tools and Automated Processing Disclosure

The AchillesHR Service uses third-party AI Tools, including large language models, to provide features such as automated message generation, scheduling recommendations, and content summaries. When these features are used:

•  Calendar event data and relevant context from Google Calendar, Microsoft Calendar, or Microsoft Teams may be transmitted to third-party AI Tool providers for processing.

•  AI Tool providers process data solely as instructed by AchillesHR and are contractually prohibited from using this data for their own purposes, including training their models on your data, unless separately disclosed.

•  AI-generated outputs may not always be accurate. Users are solely responsible for reviewing and verifying any AI-generated content before relying on it or sharing it with others.

•  Customers may contact us at privacy@achilleshr.com to inquire about which AI Tool providers are currently in use.

10. Children’s Privacy

The AchillesHR Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such information promptly.

11. International Data Transfers

If you are accessing the AchillesHR Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States where our servers are located. By using the AchillesHR Service, you consent to such transfers. We take appropriate measures to ensure that your data receives an adequate level of protection in accordance with applicable privacy laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify customers by email or through the AchillesHR Service prior to the changes taking effect. Your continued use of the AchillesHR Service after any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

AchillesHR, Inc.

Email: privacy@achilleshr.com