Hexense HR

Privacy Policy

Last updated: 4 July 2026

This Privacy Policy explains how Hexense Tech OÜ, registry code 17371031, registered address Gonsiori tn 29, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia (“Hexense”, “we”, “us”) processes personal data in connection with the Hexense HR platform (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and Estonian data protection law.

1. Our two roles: controller and processor

Hexense HR is used by organizations (“Customers”) to manage their HR processes. This creates two distinct roles:

2. Personal data we process as controller

3. Purposes and legal bases

PurposeLegal basis (GDPR Art. 6)
Providing the Service: accounts, authentication, core featuresPerformance of a contract (Art. 6(1)(b))
Billing and invoicing; accounting recordsContract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) — Estonian accounting law)
Security, abuse prevention, audit loggingLegitimate interests (Art. 6(1)(f) — keeping the Service and tenant data secure)
Service announcements and operational emailContract (Art. 6(1)(b))
Responding to inquiries; establishing or defending legal claimsLegitimate interests (Art. 6(1)(f))

We do not use personal data for third-party advertising, we do not sell personal data, and we do not use Customer Data to train machine learning models.

4. Cookies

The Service uses only strictly necessary cookies: authentication session cookies set by our auth provider (Supabase Auth) that keep you signed in. We do not use analytics, advertising, or other third-party tracking cookies. Because these cookies are essential to provide the Service you request, they do not require consent.

5. Where data is stored and international transfers

The Service’s database, authentication, and file storage run on Supabase infrastructure hosted on AWS in the European Union (eu-west-1, Ireland), and our application compute is co-located in the same region on Vercel. Some subprocessors (see our subprocessor list) may process limited personal data outside the EEA (for example, Stripe and Resend in the United States). Where that happens, transfers are protected by the EU–US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, with supplementary measures as appropriate.

6. Recipients

We share personal data only with: (a) the subprocessors listed on our subprocessor page, under data processing agreements; (b) your organization’s administrators, who can see membership and role information within their organization; (c) professional advisors and authorities where required by law. We never share one Customer’s data with another Customer — tenant isolation is enforced at the database layer with row-level security.

7. Retention

8. Security

We apply technical and organizational measures appropriate to HR data: encryption in transit (TLS) and at rest, per-tenant row-level security enforced in the database, role-based access control, multi-factor authentication support, audit logging of administrative actions, and the principle of least privilege for our own operational access.

9. Your rights

For data we control, you have the right to access, rectify, erase, and receive a copy of your personal data, to restrict or object to processing (including processing based on legitimate interests), and to withdraw consent where processing is based on consent. Contact us at privacy@hex-tech.xyz; we respond within one month. For Customer Data, please contact your employer (the controller); we will assist them in fulfilling your request.

You also have the right to lodge a complaint with a supervisory authority — in Estonia, the Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee), or the authority of your habitual residence.

10. Automated decision-making

We do not make automated decisions with legal or similarly significant effects. Approval workflows in the Service (leave, expenses, requests) are decided by humans in your organization.

11. Changes to this policy

We will post updates to this policy here and, for material changes, notify account holders via the Service or email before they take effect.

12. Contact

Hexense Tech OÜ · Gonsiori tn 29, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia · privacy@hex-tech.xyz