Privacy Policy
Last updated: February 15, 2026
At PayPilot, Inc. ("PayPilot," "we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our cloud-based human resources and payroll management platform (the "Service"), visit our website at paypilot.com (the "Website"), or interact with us in other ways.
By accessing or using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service. This Privacy Policy may change from time to time, and your continued use of the Service after we make changes is deemed acceptance of those changes.
1. Introduction
1.1 Scope of This Policy
This Privacy Policy applies to all information collected through our Service, Website, mobile applications, and any related services, sales, marketing, or events (collectively, the "Services"). It also applies to information we collect offline or through any other means, including on any other website operated by us or any third party, that links to this Privacy Policy.
1.2 Data Controller Information
PayPilot, Inc. is the data controller responsible for your personal information. We are headquartered at 548 Market Street, Suite 35000, San Francisco, CA 94104, United States. For questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at privacy@paypilot.com.
1.3 Definitions
- "Personal Information" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
- "Customer Data" means personal information that our customers upload, submit, or otherwise provide to the Service regarding their employees, contractors, or other individuals.
- "Usage Data" means information collected automatically when using the Service, such as IP addresses, browser type, pages visited, and time spent on pages.
- "Processing" means any operation performed on personal information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
2. Information We Collect
2.1 Information You Provide to Us
We collect information you provide directly to us, including:
Account Information
- Name, email address, phone number, and postal address
- Company name, job title, and department
- Username, password, and account preferences
- Profile photo and biographical information
- Payment and billing information (credit card numbers, billing address)
Customer Data (Employee Information)
When you use our Service to manage your workforce, you may provide us with information about your employees, including:
- Full legal name, date of birth, and Social Security Number or tax identification number
- Home address, phone number, and personal email address
- Employment information (hire date, job title, department, salary, employment status)
- Banking information for direct deposit (bank name, routing number, account number)
- Tax withholding information (W-4 elections, state tax forms)
- Benefits enrollment information (health insurance selections, 401(k) contributions)
- Time and attendance records (clock-in/out times, PTO requests, leave balances)
- Emergency contact information
- Immigration and work authorization status (I-9 information)
- Performance review and compensation history
Communications
- Information you provide when you contact us for support
- Survey responses and feedback
- Content of messages sent through the Service
2.2 Information We Collect Automatically
When you access or use our Service, we automatically collect certain information, including:
Device and Connection Information
- IP address, browser type and version, and operating system
- Device identifiers and hardware information
- Mobile network information and device settings
- Time zone setting and geographic location (country, region, city)
Usage Information
- Pages viewed, features used, and actions taken within the Service
- Date and time of access, session duration, and navigation paths
- Search queries and filters applied
- Error logs and performance data
- Referring website addresses and exit pages
Cookies and Similar Technologies
- Session cookies, persistent cookies, and Flash cookies
- Pixel tags, web beacons, and clear GIFs
- Local storage and similar technologies
2.3 Information from Third Parties
We may receive information about you from third parties, including:
- Identity verification services to confirm your identity
- Background check providers (with your consent)
- Credit reporting agencies for business verification
- Social media platforms if you choose to link your account
- Business partners and integration providers
- Publicly available sources such as public records and directories
3. How We Use Your Information
3.1 Providing and Improving Our Service
We use the information we collect to:
- Create and manage your account
- Process payroll, calculate taxes, and generate pay stubs
- Administer employee benefits and manage enrollments
- Track time and attendance and manage PTO
- Generate reports and analytics for your organization
- Provide customer support and respond to inquiries
- Improve, personalize, and expand our Service
- Develop new products, services, and features
- Monitor and analyze usage patterns and trends
3.2 Communications
We may use your information to:
- Send transactional messages (payroll confirmations, password resets, account notifications)
- Provide customer support and respond to your requests
- Send marketing communications (with your consent where required)
- Notify you about changes to our Service or policies
- Send product updates, tips, and best practices
3.3 Legal and Compliance
We may use your information to:
- Comply with applicable laws, regulations, and legal processes
- File required tax forms and reports with government agencies
- Respond to lawful requests from public authorities
- Enforce our Terms of Service and other agreements
- Protect our rights, privacy, safety, or property
- Detect, prevent, or address fraud, security, or technical issues
3.4 Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, our legal basis for collecting and using personal information depends on the specific information and context:
- Contract Performance: Processing necessary to provide the Service you requested
- Legitimate Interests: Processing for our legitimate business interests, such as improving our Service, marketing, and fraud prevention
- Legal Obligation: Processing necessary to comply with applicable laws
- Consent: Processing based on your explicit consent, which you may withdraw at any time
4. Information Sharing and Disclosure
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf, such as payment processing, data hosting, customer support, email delivery, analytics, and marketing. These providers are contractually obligated to protect your information and may only use it for the purposes we specify.
4.2 Business Transfers
If PayPilot is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:
- Compliance with a legal obligation, court order, or governmental request
- Protection and defense of our rights or property
- Prevention or investigation of possible wrongdoing
- Protection of the personal safety of users or the public
- Protection against legal liability
4.4 Government Agencies
As part of payroll processing, we transmit required information to government agencies, including the Internal Revenue Service (IRS), Social Security Administration (SSA), state tax agencies, and other regulatory bodies as required by law.
4.5 Third-Party Integrations
If you choose to connect third-party services to PayPilot (such as accounting software, benefits providers, or time tracking systems), we may share information with those services as necessary to enable the integration. Your use of third-party services is subject to their privacy policies.
4.6 With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
4.7 Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, benchmarking, or other purposes.
5. Data Retention
5.1 Retention Periods
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The retention period may vary depending on the context of our relationship with you and the type of information:
- Account Information: Retained for the duration of your account plus 7 years
- Payroll Records: Retained for 7 years after the end of employment, as required by tax laws
- Tax Documents: Retained for 7 years or longer as required by applicable tax regulations
- Employment Records: Retained for 7 years after termination of employment
- Benefits Records: Retained for 6 years after the plan year ends
- Usage Data: Retained for 3 years
- Marketing Data: Retained until you unsubscribe or request deletion
5.2 Deletion
When personal information is no longer needed for the purposes for which it was collected, we will securely delete or anonymize it. If deletion is not possible (for example, because the information has been stored in backup archives), we will securely store the information and isolate it from further processing until deletion is possible.
6. Data Security
6.1 Security Measures
We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
- Access Controls: Role-based access controls and multi-factor authentication
- Network Security: Firewalls, intrusion detection systems, and regular security monitoring
- Physical Security: Data centers with 24/7 security, biometric access controls, and environmental protections
- Employee Training: Regular security awareness training for all employees
- Vendor Management: Security assessments of all third-party service providers
- Incident Response: Documented procedures for responding to security incidents
- Regular Audits: Annual SOC 2 Type II audits and penetration testing
6.2 Your Responsibilities
While we take extensive measures to protect your information, you also play a role in maintaining security. We encourage you to use strong, unique passwords, enable multi-factor authentication, keep your login credentials confidential, and promptly report any suspected unauthorized access to your account.
6.3 Breach Notification
In the event of a security breach that affects your personal information, we will notify you and relevant authorities as required by applicable law. We will provide information about the breach, the information affected, steps we are taking to address the breach, and recommendations for protecting yourself.
7. Cookies and Tracking Technologies
7.1 Types of Cookies We Use
Strictly Necessary Cookies
These cookies are essential for the operation of our Service. They enable core functionality such as security, network management, and account access. You cannot opt out of these cookies.
Functionality Cookies
These cookies allow us to remember choices you make and provide enhanced, personalized features. They may be set by us or by third-party providers whose services we have added to our pages.
Analytics Cookies
These cookies collect information about how visitors use our Service, including which pages are visited most often and whether users receive error messages. We use this information to improve our Service and user experience.
Marketing Cookies
These cookies are used to track visitors across websites to display relevant advertisements. They may be set by us or by advertising partners.
7.2 Managing Cookies
Most web browsers are set to accept cookies by default. You can usually modify your browser settings to decline cookies if you prefer. However, if you choose to decline cookies, some features of our Service may not function properly. You can also manage your cookie preferences through our cookie consent banner.
7.3 Do Not Track
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Because there is no uniform standard for DNT signals, our Service does not currently respond to DNT browser signals.
8. Your Rights and Choices
8.1 Access and Portability
You have the right to request access to the personal information we hold about you and to receive a copy of that information in a structured, commonly used, and machine-readable format.
8.2 Correction
You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update much of your information directly through your account settings.
8.3 Deletion
You have the right to request deletion of your personal information, subject to certain exceptions. We may retain information as required by law or for legitimate business purposes, such as compliance with legal obligations, resolving disputes, or enforcing our agreements.
8.4 Restriction and Objection
You have the right to request restriction of processing of your personal information or to object to processing in certain circumstances. If you object to processing, we will stop processing your information unless we have compelling legitimate grounds to continue.
8.5 Withdrawal of Consent
Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
8.6 Marketing Communications
You can opt out of receiving marketing communications from us by clicking the "unsubscribe" link in any marketing email, updating your communication preferences in your account settings, or contacting us directly. Even if you opt out of marketing communications, we may still send you transactional messages related to your account.
8.7 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@paypilot.com or use the contact information provided below. We will respond to your request within the timeframe required by applicable law, typically within 30 days. We may need to verify your identity before processing your request.
9. International Data Transfers
9.1 Data Location
Our Service is operated in the United States, and information we collect is stored and processed in data centers located in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.
9.2 Transfer Mechanisms
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission, to ensure that your information receives adequate protection.
9.3 Data Processing Agreement
If you are a customer subject to GDPR or other data protection laws, we will enter into a Data Processing Agreement that includes Standard Contractual Clauses and outlines our respective responsibilities for protecting personal information.
10. Children's Privacy
Our Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe that we may have collected information from a child under 16, please contact us at privacy@paypilot.com.
11. Third-Party Links and Services
Our Service may contain links to third-party websites, applications, or services that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
12. California Privacy Rights (CCPA/CPRA)
12.1 Your Rights Under California Law
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: You can opt out of the sale or sharing of your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: You can limit our use and disclosure of sensitive personal information to purposes necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
12.2 Categories of Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, phone number, IP address)
- Personal information categories listed in Cal. Civ. Code Section 1798.80(e)
- Protected classification characteristics (age, gender, for equal employment purposes)
- Commercial information (transaction history, products/services purchased)
- Internet or network activity information (browsing history, search history)
- Geolocation data (city, region, country)
- Professional or employment-related information
- Inferences drawn from the above to create a profile
12.3 How to Submit a Request
To exercise your rights, submit a request to privacy@paypilot.com or call us at 1-800-XXX-XXXX. You may also designate an authorized agent to make a request on your behalf. We will verify your identity before processing your request.
13. European Privacy Rights (GDPR)
13.1 Your Rights Under GDPR
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of processing
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
13.2 Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at dpo@paypilot.com for any questions or concerns regarding our data processing practices.
13.3 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this policy. For material changes, we will provide more prominent notice, such as by sending you an email notification or displaying a prominent notice within the Service.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised policy.
15. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
PayPilot, Inc.
Privacy Team
Email: privacy@paypilot.com
Phone: 1-800-XXX-XXXX
Address: 548 Market Street, Suite 35000
San Francisco, CA 94104
United States
Data Protection Officer
Email: dpo@paypilot.com
EU Representative
For users in the European Economic Area:
Email: eu-representative@paypilot.com
By using PayPilot, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of your information as described herein.