Skip to main content
FeaturesComparePricingGuidesSecurity
Sign inJoin the list →
FeaturesComparePricingGuidesSecuritySign inJoin the list →

Privacy Policy

Last updated: 14 July 2026

Pre-launch reference: HollyHR is not yet open for unrestricted self-service accounts. The contracting legal entity and registered-office disclosure are being verified; an approved privacy notice is provided before any customer workspace is activated.

1. Who we are

HollyHR provides HR software for small and medium-sized UK businesses: a people directory, employee records, time-off tracking, and related tools. This pre-launch reference explains how personal data is handled when you visit our website or use the HollyHR application, and the rights you have under UK data protection law (the UK GDPR and the Data Protection Act 2018).

2. Our roles: controller and processor

The provider of HollyHR acts in two distinct roles, and your rights run differently in each:

  • Employee data — HollyHR is a processor.When your employer uses HollyHR to manage your employment records, your employer is the data controller and decides what data is held and for how long. We process that data only on your employer's instructions. If you are an employee and want to access, correct, or erase your data, please contact your employer (usually your HR administrator) — we will assist them in responding.
  • Account, billing, and website data — HollyHR is a controller. For the data we collect to run the service itself — customer account details, billing records, support correspondence, waitlist sign-ups, and website usage — we decide how and why it is processed, and you can contact us directly about it.

3. The data we process

As processor (for your employer):

  • Identity and contact details (name, work and personal email, phone, home address)
  • Employment details (role, department, start date, working pattern, employment history)
  • Time-off requests, approvals, and absence records
  • Compensation and compensation history
  • Bank account details (for payroll administration)
  • Emergency contacts
  • Documents your employer stores about you (contracts, reviews, right-to-work)
  • Profile photo, if provided

Bank account details, tax and government identifiers, and compensation values are encrypted at the field level in our database, in addition to encryption in transit and at rest.

As controller:

  • Account and sign-in data (email address, authentication events)
  • Billing details and subscription status (payment cards are handled by Stripe; we never see full card numbers)
  • Support requests and correspondence
  • Contact and walkthrough requests (name, email, organisation where supplied, selected topic and the message or product context you choose to provide)
  • Waitlist and marketing sign-ups
  • Service logs, server-side product analytics, and consent-based browser analytics for signed-in users (we do not run third-party advertising trackers)

4. Lawful bases for processing

Where we act as controller, we rely on the following lawful bases under Article 6 UK GDPR:

  • Contract — providing the service to your organisation, managing accounts, and billing.
  • Legitimate interests — securing the service, preventing fraud and abuse, responding to general, security and partnership enquiries, improving the product, and limited service analytics.
  • Steps requested before a contract — responding to product, pricing, migration and walkthrough enquiries where you are considering HollyHR for your organisation.
  • Legal obligation — tax, accounting, and regulatory record-keeping.
  • Consent — marketing communications and the pre-launch waitlist; you can withdraw consent at any time.

Where we act as processor, the lawful basis is your employer's to establish — typically performance of the employment contract, legal obligations as an employer, and their legitimate interests in administering staff.

5. Sub-processors

We use a small number of service providers (sub-processors) to run HollyHR. Each is bound by contractual data protection terms, and transfers outside the UK rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or UK adequacy regulations. The standalone sub-processor page is the linkable inventory for customer legal materials. Last reviewed: 18 July 2026.

ProviderPurposeData categoriesHosting / transfers
VercelApplication hosting, serverless runtime, deployment, CDN, runtime logs, and cookieless aggregate website analytics (Web Analytics and Speed Insights).Customer account data, application metadata, request metadata, limited service logs, and aggregate page-view and performance data points that carry no persistent visitor identifier.

EU/USA

Provider data processing terms and applicable UK transfer safeguards for non-UK processing.

NeonManaged PostgreSQL database hosting, branching, and point-in-time recovery.Customer organisation data, employee HR records, authentication/session metadata, and audit data.

EU (AWS eu-central-1)

Provider data processing terms; production branch hosted in the intended region.

StripeSubscription billing, checkout, billing portal, invoices, and payment records.Customer billing contact, subscription state, invoices, and payment metadata.

EU/USA

Provider data processing terms and UK transfer safeguards for payment processing.

ResendTransactional email delivery for authentication, invitations, service messages, and consent-gated product-update or launch Broadcasts.Recipient email addresses, opted-in waitlist or customer-admin contact metadata, message metadata, and email body content.

USA

Provider data processing terms and UK transfer safeguards.

UpstashRedis-backed rate limiting and abuse prevention for authentication and sensitive routes.Pseudonymous rate-limit keys and request counters.

UK primary region (eu-west-2)

Provider data processing terms and region controls where configured.

Amazon Web Services (S3)Private uploaded HR document storage, encrypted Neon database backup storage, and Terraform remote state.Uploaded employee documents, object metadata, encrypted database backup archives, and infrastructure state metadata.

UK (eu-west-2)

AWS data processing terms and configured bucket-region controls.

PostHogProduct analytics for signed-in tenant users, including manual pageview capture and organisation-level usage grouping.Account identifiers, product usage events, and pageview metadata.

EU (PostHog Cloud EU, AWS eu-central-1)

Provider data processing terms; EU project host and IP anonymisation verified by API on 16 June 2026.

MigaduHuman mailbox hosting for HollyHR team mailboxes.Mailbox content, sender/recipient metadata, and mailbox account metadata.

EU/Switzerland/other provider locations subject to Migadu terms

Provider data processing terms and applicable UK transfer safeguards for non-UK processing.

SentryError tracking, CSP violation reporting, source maps, and operational alerting.Sanitised error metadata, stack traces, release/environment metadata, and CSP report metadata.

EU (Sentry Germany region)

Provider data processing terms; production DSN is hosted on the provider's EU ingest region.

Freshdesk / FreshworksCustomer support portal and SSO-assisted support access.Customer contact details, support requests, and support correspondence.

EU/USA

Provider data processing terms; support-data handling still requires legal/operator confirmation.

We will update this list before adding or replacing a sub-processor that handles customer personal data.

6. Data retention

  • Employee data is retained for as long as your employer instructs us to hold it. Employers typically retain employment records for statutory periods after employment ends (for example, HMRC payroll record-keeping and limitation periods for employment claims).
  • Deleted data is removed from live systems immediately when deleted in the application. Isolated encrypted backup copies use a 35-day recovery window and are then scheduled for deletion through provider lifecycle processing.
  • Account and billing records are retained for up to 6 years after the end of the customer relationship, to meet tax and accounting obligations.
  • Audit logsof security-relevant actions are retained as compliance evidence; where a person's data is erased, identifying details in audit records are anonymised rather than the event history being destroyed.
  • Contact and walkthrough correspondence is held in our transactional email logs and human mailbox systems rather than the HollyHR waitlist database. We retain it only for as long as needed to handle the enquiry and any related legal or security obligations, and handle access or deletion requests across those providers.

7. Your rights

Under UK GDPR you have the right to access your personal data, to have inaccurate data corrected, to erasure, to restrict or object to processing, and to data portability. Controllers must respond to these requests within one month.

  • For employee data, send your request to your employer — they are the controller and we will assist them.
  • For account, billing, or website data, contact us directly using the details below.

You also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO): ico.org.uk or 0303 123 1113.

8. Security

We protect personal data with encryption in transit (TLS) and at rest, additional field-level encryption for banking, identifier, and compensation data, role-based access controls within each organisation, organisation-level data isolation, audit logging of sensitive actions, and encrypted backups.

9. Cookies and analytics

HollyHR uses cookies that are necessary to operate the service: session authentication, your organisation selection, and theme preference. Browser product analytics through PostHog Cloud EU is limited to signed-in tenant users and only runs after you allow analytics; this can use browser storage or cookies to remember analytics identifiers. We do not use third-party advertising cookies, sell personal data, or send HR record contents, free-text fields, employee names, or email addresses to PostHog.

On our public website we measure page views and page performance with Vercel Web Analytics and Vercel Speed Insights. These set no cookies and store nothing in your browser: visitors are counted using a hash derived from the incoming request, which is discarded within 24 hours, your IP address is not stored, and the resulting data points are aggregate only. Because nothing is stored on or read from your device, no consent is required for them. Full detail is in our cookie policy.

10. International transfers

Some sub-processors listed above store data outside the UK. Where that happens, we rely on UK adequacy regulations or appropriate safeguards (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses), together with the providers' own security commitments.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified to customer organisations and reflected in the "Last updated" date above.

12. Contact us

For privacy questions, data subject requests relating to data we control, or to reach our data protection contact:

Email: info@hollyhr.com

The contracting legal name and registered office will appear here after verification and are supplied in the approved customer documents before activation.

← Back to Home
Holly

Simple, modern HR for small UK teams. Free to start, fair as you grow, easy to leave.

Product

Time offWho's awayPeople recordsDocumentsOnboardingPricingAI & API

Compare

vs Breathevs CharlieHRvs Sense HRvs Sage HRvs BambooHRBest HR software UK

Choose a route

Compare HR softwareFrom spreadsheetsSee who's awayOnboarding checklistAnnual leave guideRequest a walkthrough

Resources

GuidesSpreadsheet migrationData freedomSecurity & trustHelp & contact

Company

Why HollyHRSecurityNo lock-inContactRequest a walkthroughEarly access
© 2026 HollyHR · Built for small UK teamsPrivacyTermsDPASub-processorsCookies