GDPR Compliance

Last updated: 7/28/2025

1. Introduction

CitoHR is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR). This page outlines how we collect, use, store, and protect your personal data in accordance with GDPR requirements.

2. Data Controller Information

For the purposes of GDPR, CitoSoft is the data controller of your personal data:

  • Company: CitoSoft
  • Address: Ipswich, Suffolk, UK
  • Email: contact@citosoft.co.uk
  • Data Protection Officer: contact@citosoft.co.uk

3. Personal Data We Collect

We collect the following types of personal data:

Account Information

  • Name and contact details
  • Email address and phone number
  • Company information
  • Job title and role

Usage Data

  • Login and session information
  • Feature usage and preferences
  • Device and browser information
  • IP address and location data

Employee Data (HR Platform)

  • Employee records and profiles
  • Time tracking and attendance data
  • Performance and review information
  • Leave and absence records

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our HR services and fulfill our contractual obligations
  • Legitimate Interest: To improve our services, provide support, and ensure security
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with applicable laws and regulations

5. How We Use Your Data

We use your personal data for the following purposes:

  • Providing and maintaining our HR platform services
  • Processing payments and managing subscriptions
  • Providing customer support and technical assistance
  • Sending important service updates and notifications
  • Improving our services and developing new features
  • Ensuring security and preventing fraud
  • Complying with legal and regulatory requirements

6. Data Sharing and Transfers

We may share your data with:

  • Service Providers: Cloud hosting, payment processing, and analytics services
  • Business Partners: Integration partners and third-party tools
  • Legal Authorities: When required by law or to protect our rights

All data transfers outside the EEA are conducted with appropriate safeguards, including Standard Contractual Clauses and adequacy decisions.

7. Your GDPR Rights

Under GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restriction: Limit how we process your data
  • Right to Portability: Receive your data in a structured format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for consent-based processing

8. Data Retention

We retain your personal data for as long as necessary to:

  • Provide our services and fulfill contractual obligations
  • Comply with legal and regulatory requirements
  • Resolve disputes and enforce agreements
  • Maintain security and prevent fraud

Data is securely deleted or anonymized when no longer needed for these purposes.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication measures
  • Employee training on data protection
  • Incident response and breach notification procedures

10. Data Breach Procedures

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, as required by GDPR.

11. Exercising Your Rights

To exercise your GDPR rights, please contact us:

  • Email: contact@citosoft.co.uk
  • Subject Line: "GDPR Rights Request"
  • Response Time: We will respond within 30 days

We may request additional information to verify your identity before processing your request.

12. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not addressed your concerns adequately. In the UK, this is the Information Commissioner's Office (ICO).

13. Updates to This Policy

We may update this GDPR compliance page to reflect changes in our practices or legal requirements. We will notify you of any material changes and update the "Last updated" date.

14. Contact Us

If you have any questions about our GDPR compliance or data protection practices, please contact us at contact@citosoft.co.uk.