Privacy Policy
Last updated: 4 July 2026
This Privacy Policy explains how Hexense Tech OÜ, registry code 17371031, registered address Gonsiori tn 29, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia (“Hexense”, “we”, “us”) processes personal data in connection with the Hexense HR platform (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and Estonian data protection law.
1. Our two roles: controller and processor
Hexense HR is used by organizations (“Customers”) to manage their HR processes. This creates two distinct roles:
- Hexense as processor. HR data that a Customer and its members enter into the Service — employee profiles, leave records, documents, payroll records, expenses, survey responses, and similar (“Customer Data”) — is controlled by the Customer (typically your employer). We process it only on the Customer’s instructions under our Data Processing Agreement. If you are an employee of a Customer and want to exercise your data protection rights over this data, please contact your employer’s HR administrators first; we support Customers in responding to such requests.
- Hexense as controller. We are the controller for the data described in the rest of this policy: your user account, billing relationships with Customers, security and audit logs we keep for our own purposes, and communications with us.
2. Personal data we process as controller
- Account data — name, email address, hashed authentication credentials, multi-factor authentication settings, and single sign-on identifiers, when you create and use an account.
- Billing data — subscription plan, invoicing details, and payment status for the Customer’s organization. Card details are collected and processed by Stripe; we never see full card numbers.
- Usage and security data — sign-in events, IP addresses, and technical logs needed to operate and secure the Service and to investigate abuse.
- Communications — messages you send us (for example, support or legal inquiries).
3. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service: accounts, authentication, core features | Performance of a contract (Art. 6(1)(b)) |
| Billing and invoicing; accounting records | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) — Estonian accounting law) |
| Security, abuse prevention, audit logging | Legitimate interests (Art. 6(1)(f) — keeping the Service and tenant data secure) |
| Service announcements and operational email | Contract (Art. 6(1)(b)) |
| Responding to inquiries; establishing or defending legal claims | Legitimate interests (Art. 6(1)(f)) |
We do not use personal data for third-party advertising, we do not sell personal data, and we do not use Customer Data to train machine learning models.
4. Cookies
The Service uses only strictly necessary cookies: authentication session cookies set by our auth provider (Supabase Auth) that keep you signed in. We do not use analytics, advertising, or other third-party tracking cookies. Because these cookies are essential to provide the Service you request, they do not require consent.
5. Where data is stored and international transfers
The Service’s database, authentication, and file storage run on Supabase infrastructure hosted on AWS in the European Union (eu-west-1, Ireland), and our application compute is co-located in the same region on Vercel. Some subprocessors (see our subprocessor list) may process limited personal data outside the EEA (for example, Stripe and Resend in the United States). Where that happens, transfers are protected by the EU–US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, with supplementary measures as appropriate.
6. Recipients
We share personal data only with: (a) the subprocessors listed on our subprocessor page, under data processing agreements; (b) your organization’s administrators, who can see membership and role information within their organization; (c) professional advisors and authorities where required by law. We never share one Customer’s data with another Customer — tenant isolation is enforced at the database layer with row-level security.
7. Retention
- Account data — kept while your account exists; deleted or anonymized within 90 days of account deletion.
- Customer Data — retained per the Customer’s instructions and deleted after the end of the contract per the DPA (30-day grace period, then deletion), except where law requires longer retention.
- Billing records — 7 years, as required by Estonian accounting law.
- Security logs — up to 12 months, unless needed longer for an ongoing investigation.
8. Security
We apply technical and organizational measures appropriate to HR data: encryption in transit (TLS) and at rest, per-tenant row-level security enforced in the database, role-based access control, multi-factor authentication support, audit logging of administrative actions, and the principle of least privilege for our own operational access.
9. Your rights
For data we control, you have the right to access, rectify, erase, and receive a copy of your personal data, to restrict or object to processing (including processing based on legitimate interests), and to withdraw consent where processing is based on consent. Contact us at privacy@hex-tech.xyz; we respond within one month. For Customer Data, please contact your employer (the controller); we will assist them in fulfilling your request.
You also have the right to lodge a complaint with a supervisory authority — in Estonia, the Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee), or the authority of your habitual residence.
10. Automated decision-making
We do not make automated decisions with legal or similarly significant effects. Approval workflows in the Service (leave, expenses, requests) are decided by humans in your organization.
11. Changes to this policy
We will post updates to this policy here and, for material changes, notify account holders via the Service or email before they take effect.
12. Contact
Hexense Tech OÜ · Gonsiori tn 29, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia · privacy@hex-tech.xyz