General Privacy Notice
Last Updated: November 16, 2023
Our privacy notices include this General Privacy Notice and our California Privacy Notice. To understand our privacy practices, you should refer to our General Privacy Notice (“Notice”) and if you are a California resident, please also see our California Privacy Notice. BambooHR complies with the General Data Protection Regulation (“EU GDPR”), the EU GDPR as it applies to the laws of England and Wales (the “UK GDPR”) (together with the EU GDPR the “GDPR”) Switzerland’s Federal Act on Data Protection of 1992 (“FDAP”), the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (together with the CCPA, “CPRA”), and all other applicable privacy laws.
For purposes of this Notice, “Bamboo HR” includes Bamboo HR LLC, BambooHR Payroll LLC, Front & Main, Inc. d/b/a Honey, and Glide Holdings, Inc. d/b/a Welcome (together “BambooHR,” “we,” “our,” and “us”). We collect information in connection with our products and services as well as how our website and mobile applications automatically collect information.
1. What This Privacy Notice Covers
Attention: Employees or Prospective Employees of BambooHR Customers:
If you are an individual employee or prospective employee of a BambooHR customer, this Notice does not apply to you. For more information on your privacy rights and your employer’s privacy practices, please refer to your employer’s privacy notices. Under applicable privacy laws, we are a Data Processor under the GDPR or a Service Provider under CPRA and your employer is the Data Controller under the GDPR or the Business under CPRA.
Attention: BambooHR Customers:
If you are a BambooHR customer, please see Section 12 of this Notice for information on collection, use, and sharing of Customer Data, including Personal Information.
Attention: Visitors, Users, and BambooHR’s Prospective Employees, Employees, and Independent Contractors
This Notice applies to Visitors, Users, and BambooHR’s Prospective Employees, Employees, and Independent Contractors (“individuals” or “you”). If you are a California resident, please see our California Privacy Notice.
This Notice applies to Personal Information, as defined below, we collect to provide you with certain products and services (collectively, “Services”). This Notice does not apply to anonymized, de-identified or aggregate information if it is not Personal Information.
This Notice describes the rights available to you regarding our use of your Personal Information (defined below). Use of Personal Information collected through the BambooHR Services shall be limited to the purposes of providing the Services for which the individual has engaged BambooHR, as described in this Notice, and otherwise with your consent. Some information provided to us that may, either alone or when connected with other information to which we may have access, individually identify you.
2. What Personal Information We Collect
Personal Information is information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household.
Below are the categories of information, including Personal Information that we may have collected or shared for a business purpose as permitted by law and depending on the Services you receive:
Children’s Personal Information
Our Services are not intended for or directed to children under the age of thirteen. We do not knowingly collect personal information directly from children under the age of thirteen without parental consent. If we become aware that a child under the age of thirteen has provided us with personal information, we will delete the information from our records. Please contact us if you believe we have collected Personal Information from an individual under the age of thirteen.
We collect your name, address, title, company name, employer, business phone number, and email address when you contact us to register for an event, request information, or register for a free trial. We also document the products or services you purchase from BambooHR.
We collect browsing and search history, usage of, and information regarding your use of our applications or website using cookies. For more information about cookies, please see Section 5 below. This information may be used to create anonymous data to help us better understand customer preferences and needs. We draw inferences from the information we collect when you visit our website, use our app, or interact with our tools, widgets, or plug-ins.
We collect the city and state location of your device, which may include GPS-based, Wi-Fi based, or cell-based location information. You can disable collection of location information by our app at any time in your device location settings.
We may collect information via audio recordings of calls when you call our customer service.
We collect cookies, as managed by you, as described in Section 5 of this Notice.
Every customer identifies a user (account owner, primary contact, or secondary contact) before using BambooHR. We collect your name, title, business phone number and email address. We use your information to set up the account and for service-related communications or to provide you with our newsletter when you request it.
Prospective Employees, Employees, Independent Contractors
When you apply for employment with BambooHR, we collect your resume and employment application information, including your name, postal address, telephone number, and email address so that we can communicate with you during the job application process.
When you are hired as an employee, we collect information required for us to manage your employment and comply with applicable laws. This information may include your photograph, signature, social security number, telephone number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, or any other financial information, health insurance information. We may also collect your age, marital status, gender, veteran, or military status. Where applicable, we may collect student information related to eligibility for benefits.
This information may also include ‘special categories’ of Personal Information under the GDPR where this is necessary, including racial and ethnic origin and medical information including medical conditions.
When you are retained as an independent contractor, we collect your name, business name, business address, email, and telephone number and any other information required for tax and billing purposes.
3. How Long Do We Keep Your Personal Information
We retain Personal Information about you necessary to fulfill the purpose for which that information was collected and if applicable, in accordance with your employer’s contract with us, consistent with applicable laws. For example, we generally retain information regarding our payroll services for at least ten years from the date of our last interaction/account closure/etc., in compliance with our obligations under applicable laws, or for longer if required to do so according to our regulatory obligations or where we believe necessary to establish, defend, or protect our legal rights or those of others. When we destroy your Personal Information, we do so in a way that prevents that information from being restored or reconstructed.
4. How Do We Collect Your Personal Information
Below are the sources from which we may receive your Personal Information:
- directly from you when you inquire about our Services
- from your device when you access our website, mobile app, and other online services
- from third parties that assist us in providing relevant Services
We may combine Personal Information that you provide us through our website with other information we have received from you or your employer, whether online or offline, or from other sources such as from our service providers.
You may update, change, or read more about the specific cookies we collect by reviewing your Cookie Preferences here.
BambooHR collects the following cookies via our website:
These cookies are required for proper operation of our website and use of our Services. For example, cookies enable you to access the website. A "persistent cookie" remains on your hard drive for an extended period. We use persistent cookies to determine from where you were referred to our website, as well as the last user ID that you used to log in. BambooHR may set and access BambooHR persistent cookies on your computer; persistent cookies are required to use the BambooHR® Services.
We collect only strictly necessary cookies within the BambooHR application.
Functional cookies allow us to analyze usage of our site to evaluate and improve its performance. They are used to provide a better user experience on the site, such as by measuring interactions with content or remembering settings. They are also used to recognize and count the number of visitors accessing the website and see how Visitors move around the site.
We may place tracking pixels in our Applicant Tracking System (ATS). These pixels are used for analytics purposes, including to track statistical information around when an email sent to you is opened.
Specifically, we use the following third-party services: Microsoft’s Bing Ads, Google Ads and Analytics, Quora Ads, LinkedIn Ads, Twitter Ads, Facebook Ads, Instagram Ads, and Hotjar Analytics.
To learn more about Microsoft’s privacy practices, see: privacy.microsoft.com/en-us/privacystatement; to opt-out of interest based advertising with Microsoft, see https://about.ads.microsoft.com/en-us/resources/policies/personalized-ads.
To learn more about Google’s advertising policies, see: policies.google.com/technologies/ads; your ad settings with Google, see: adssettings.google.com; and Google’s ad personalization, see: policies.google.com/technologies/partner-sites.
To learn more about Quora’s privacy practices, see quora.com/about/privacy; to opt-out of interest-based advertising with Quora, see: http://www.aboutads.info/choices and https://www.youronlinechoices.com/.
To learn more about LinkedIn’s privacy practices, see linkedin.com/legal/privacy-policy; to opt-out of interest-based advertising from LinkedIn, see www.aboutads.info/choices and www.youronlinechoices.eu and www.youradchoices.ca/choices.
To learn more about Facebook’s privacy practices, see facebook.com/policy.php; to opt-out of interest-based advertising with Facebook, see http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
To learn more about Hotjar’s analytics services and privacy practices, see the ‘about Hotjar’ section of Hotjar’s support site; to opt-out data collection by Hotjar, see https://www.hotjar.com/legal/compliance/opt-out/.
This site is being monitored by one or more third-party monitoring software(s), which may capture information about your visit that will help us improve the quality of our Service. You may control the data being collected from your visit by visiting https://smart-pixl.com through a universal consumer options page located at https://smart-pixl.com/Unsub/unsub.html.
6. How We Use and Disclose Your Personal Information for Business and Commercial Purposes
We only disclose your personal information (i) at your express request or at the direction of your employer; (ii) to our partner or co-sponsor with your consent, and (iii) to our service providers for the business purpose(s) described below.
We will only use your Personal Information when the law allows us to, for more information about the legal basis for processing which we rely on if you are located in the UK, EU, EEA, or Switzerland, please see Section 11 of this Notice. We may use or disclose the Personal Information listed in Section 2 of this Notice for the following purposes:
Business Purposes. BambooHR uses information, including Personal Information, provided by you to provide the Services and for business purposes such as:
- Processing your registration for a BambooHR event, request for information, or a free trial.
- Processing and fulfilling orders, billing, implementation, service improvement, research, marketing and for other general business purposes.
- Conducting internal research to develop and demonstrate technology.
- Keeping a record of our transactions and communications.
- Conducting audits and reporting related to transactions and interactions, including online interactions, you may have with us or others on our behalf.
- Delivering marketing communications (emails, calls, invitations, etc.) under applicable law or with your consent.
- Delivering user surveys, customized content and analytics on our websites or app.
- Operating and improving our website, performing analytics, and improving our Services.
- Helping to protect you and us from fraud or economic loss and protecting your health, safety, or welfare.
- Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity.
- Identifying, debugging, and repairing errors in our systems, websites, or app that impair existing functionality.
- Short-term, transient use of Personal Information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
Consent. BambooHR may disclose your Personal Information when you provide your consent and intentional direction. For example, when you request content or register for an event, you consent to receiving marketing communications from BambooHR and our third-party partner or co-sponsor of that content or event. For example, you may consent to participate in marketing, product, or customer service research or user surveys.
You may always opt-out of receiving marketing communications by unsubscribing or submitting a privacy rights request. Please Contact us.
Legal Proceedings. BambooHR will share your information, including Personal Information, to respond to investigations, court orders, legal process, or to investigate, prevent or act regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person, violations of BambooHR's Terms of Service, or as otherwise required by law. If BambooHR is required by law or an order of a court of competent jurisdiction to disclose your information, BambooHR will promptly notify you of this requirement, if permitted by the court or applicable law, so that you may seek a protective order or other appropriate relief.
Service Providers. BambooHR may also share Personal Information with our service providers, who help us to provide the Services, such as cloud storage, security, application communications, customer support, backup, and data analytics.
Merger, Acquisition, Sales. If BambooHR is involved in a merger, acquisition, restructuring or sale of all or a portion of its assets, equity or similar transaction, Personal Information may be transferred to the acquiring person or entity and you will be notified via email and/or a prominent notice on our website of any change in ownership or uses of Personal Information, as well as any choices you may have regarding Personal Information. We will use reasonable efforts to direct the acquiring person or entity to use your Personal Information in a manner that is consistent with our Privacy Notice.
7. How We Protect Your Information
The security of your Personal Information is important to us. When you enter information in our systems, we encrypt the transmission of that information using secure socket layer technology (SSL).
BambooHR maintains a comprehensive written information security program that complies with applicable law and generally accepted industry standards. Our program includes appropriate administrative, technical, and physical safeguards, procedures, and practices to protect Personal Information submitted to us, both during transmission and once we receive it. No method or transmission over the Internet, or method of electronic storage, however, is 100% secure. Therefore, we cannot guarantee its absolute security. If you have any questions about the security on our website, the BambooHR® web application owned and operated by BambooHR, or the Services, please see our Security page and contact us.
BambooHR and its representatives will never request your account credentials. You should never share your BambooHR account information, including your username and password, with anyone else. We recommend that you use a unique password for your BambooHR account that is not associated with other websites. You should check your BambooHR account regularly to ensure that your Personal Information has not been tampered with or altered. You should only use the Services within a secure environment.
Any suspicious activity regarding your account, including automated messages or calls from parties you cannot identify, should be reported to BambooHR using the contact information below.
8. Your Privacy Choices
You may make certain choices regarding your Personal Information as permitted under applicable privacy laws. You may make these choices free of charge except as otherwise permitted under applicable law. We may limit our response to your requests as permitted under applicable law.
Residents of the European Union, United Kingdom, or Switzerland, please see Section 11 of this Notice.
Residents of California, please see our California Privacy Notice.
Right to Rectify or Correct
You may rectify or correct Personal Information that BambooHR has collected about your directly or indirectly, including Personal Information collected by a service provider or contractor on our behalf.
If you have an online account or profile with us, you may update your Personal Information by accessing your account through the website and mobile app. Alternatively, you may submit your request using our toll-free number or via our online form. Please see our Contact Information.
Right to Request Deletion
You may request that BambooHR delete your Personal Information, subject to certain limited exceptions. For example, we may retain an archived copy of your records consistent with applicable law, to continue to provide Services, or for other legitimate business purposes. We will use commercially reasonable efforts to honor your requests.
Service-related Communications. BambooHR will send a welcome email to Users for billing purposes, and at times may send Service-related announcements. A User may not opt out of service-related emails, as this is part of the BambooHR® Services.
Marketing Communications. You may choose to stop receiving our newsletter or marketing emails or texts by following the unsubscribe instructions included in each of these emails or texts, or you can contact us.
9. Third Party Links and Applications
Our website includes links to other websites whose privacy practices may differ from those of BambooHR. Our Services include links to third party applications with privacy practices that may differ from those of BambooHR. If you submit information to any of those sites, your information is governed by the privacy policies that apply to those sites. We encourage you to carefully read the privacy notice of any website or application you visit.
10. Publicly Accessible Parts of our Website and Social Media Features
Our website offers publicly accessible blogs and community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Information from our blog or community forum, please contact us.
We display personal testimonials of satisfied customers on our website in addition to other endorsements. With your consent we may post your testimonial along with your name. If you wish to update or delete your testimonial, please contact us.
Our website includes social media features, such as the Facebook Like button and widgets, the Share this button or interactive mini programs that run on our site. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy notice of the company providing the features.
11. General Data Protection Regulation Compliance
The following tables set out how we use and share Visitor and User Personal Information and our legal basis for doing so:
Purpose of Processing
Art. 6(1)(a) - Consent
Art. 6(1)b) - Performance of a contract
Purpose of Processing
For more information about our GDPR compliance, please see our security profile.
Wherever you use our website as a Visitor or access our Services as a User, you understand and acknowledge that we may transfer, process, and store information about you in the United States and other countries, both within and outside of the UK, EU, EEA, or Switzerland. By providing us with your information, you consent to the transfer to, and to the processing and storage of your information in countries outside of your country of residence, which may have different data protection laws than those in the country in which you reside, in accordance with this section.
Whenever we transfer your personal data out of the UK, EU, EEA, or Switzerland, we ensure a similar degree of protection is afforded to it by ensuring one of the appropriate safeguards are implemented. For example:
- The transfer is to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission, UK Secretary of State, or Swiss Federal Data Protection and Information Commissioner.
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection such as the EU Standard Contractual Clauses or UK International Data Transfer Agreement.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK, EU, EEA, or Switzerland.
Individual Privacy Rights
Your privacy rights as a Visitor or User include:
- Right to be Informed: You have the right to be informed about the collection and use of your personal data.
- Right to Access: You have the right to view and request copies of your Personal Information. If you have an online account or profile with us, you may access your Personal Information via your account through the website or mobile app.
- Right to Rectify or Correct: You have the right to update the Personal Information that BambooHR has collected about your directly or indirectly, including Personal Information collected by a service provider or contractor on our behalf. If you have an online account or profile with us, you may update your Personal Information by accessing your account through the website and mobile app.
- Right to Request Erasure: You have the right to request that BambooHR erase your Personal Information, subject to certain conditions.
- Right to Data Portability: You have the right to request that BambooHR transfer data that we have collected to another organization, or directly to you under certain conditions.
- Right to Restrict Processing: You have the right to request that BambooHR restrict the processing of your personal information under certain conditions.
- Right to Withdraw Consent: You have the right to withdraw previously granted consent to process your personal information.
- Right to Object to Processing: You have the right to object to BambooHR’s processing of your personal information, under certain conditions.
- Right to Object to Automated Processing: You have the right to object to decisions being made with your information solely based on automated decision making or profiling. BambooHR does not currently engage in automated decision-making or profiling. If you have questions, please contact us.
Privacy Questions and Concerns
To speak with or file a complaint with our Data Protection Officer, please contact us. You may also lodge a complaint with your supervisory authority. If you reside in the UK, you can contact the ICO at https://ico.org.uk/make-a-complaint.
12. Data Privacy Framework
BambooHR’s participation in the Data Privacy Framework applies to all Personal Information that is subject to this Privacy Notice and is received from individuals who are residents of the European Union, European Economic Area, Switzerland, and the United Kingdom. BambooHR will comply with the Data Privacy Framework Principles in respect of such Personal Information.
BambooHR’s accountability for Personal Information that it receives under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles located at https://www.dataprivacyframework.gov/s/article/Participation-Requirements-Data-Privacy-Framework-DPF-Principles-dpf. In particular, BambooHR remains responsible and liable under the Data Privacy Framework Principles if third party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless BambooHR proves that it is not responsible for the event giving rise to the damage.
We encourage you to contact us should you have a Data Privacy Framework-related (or general privacy-related) complaint regarding our handling of your data. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
For human resources data and in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, BambooHR commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
As further explained in the Data Privacy Framework Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. BambooHR is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK, EU, EEA, or Switzerland.
13. BambooHR Customer Data
As discussed in Section 2 above, this Notice does not apply to individual employees or prospective employees of BambooHR customers. Such individuals should access the customer or employer’s privacy notice.
If you are a BambooHR customer or employer, this section describes how your customer Data is collected, used, and disclosed.
Customer Data collected by a BambooHR Customer as a Data Controller or Business
In the BambooHR Terms of Service located here: https://www.bamboohr.com/legal/terms-of-service, BambooHR customer “Data” is defined as all information provided, inputted, or uploaded to a customer database in the BambooHR® Service by a customer on their behalf.
Customer Data collected by BambooHR as a Data Processor or Service Provider
BambooHR may also collect customer Data, including Personal Information included in the Data, under the direction of its customers and has no direct relationship with the individuals whose Personal Information it processes. BambooHR may collect Personal Information that identifies, relates to, describes, references, or is reasonably capable of being associated with the customer including location data. Note that precise location will only be collected with permission and in connection with the use of our mobile app and certain BambooHR® features if enabled by the customer. Customers are not required to use such features and individuals are not required to consent to the collection of location data, but such features may not be available without location data. BambooHR may collect only strictly necessary or required cookies within the BambooHR application.
How We Use and Disclose Customer Data
BambooHR will not disclose customer Data except as compelled by applicable law or as expressly authorized by the customer in the Terms of Service or in writing and will only retain and use the Data for the purpose of providing the Customer with the Service or to comply with applicable laws, including:
BambooHR will share customer Data, including Personal Information included in the Data, to respond to investigations, court orders, legal process, or to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person, violations of BambooHR's Terms of Service, or as otherwise required by law. If BambooHR is required by law or an order of a court of competent jurisdiction to disclose customer Data, BambooHR will promptly notify the customer of this requirement, if permitted by the court or applicable law, so that the customer may seek a protective order or other appropriate relief.
BambooHR may also share customer Data, including Personal Information included in the Data, with our service providers, who help us to provide the Services, such as cloud storage, security, application communications, customer support, backup, data analytics. We will ensure that those service providers are obligated to protect customer Data under contract terms which are no less protective than those set out in this Privacy Notice.
Mergers, Acquisitions, Sales
If BambooHR is involved in a merger, acquisition, restructuring or sale of all or a portion of its assets, equity or similar transaction, your Data, including Personal Information included in the Data, may be transferred to the acquiring person or entity and the customer will be notified via email and/or a prominent notice on our website of any change in ownership or uses of customer Data, as well as any choices the customer may have regarding their Data. We will use reasonable efforts to direct the acquiring person or entity to use customer Personal Information in a manner that is consistent with our Privacy Notice.
Privacy Rights Requests
Customers are responsible for processing privacy requests from their prospective employees, employees, or independent contractors who have data in the BambooHR Service. If we receive the request, we will forward the request to the customer to process according to applicable privacy laws. Customers may access, correct, amend, or delete the Data without BambooHR’s involvement, but BambooHR will assist the customer as needed.
BambooHR collects only required cookies within the BambooHR application.
Privacy Concerns and Complaints
BambooHR will forward any concerns or complaints from your employees to you.
14. Changes to Our Privacy Notice
We reserve the right to amend this Notice at our discretion and at any time. We will do so by updating this Notice. Amended terms take effect upon being incorporated into this Notice, and your continued use of the website or association with your employer following the posting of any changes constitutes acceptance of any updated terms. If the changes will materially affect the way we use your Personal Information in connection with Services that we have already collected, we will notify you or your employer.
15. Requesting Notice in Other Languages or Formats
You may be able to request this Notice in another language where we provide such notices in the ordinary course of business or in an alternative format if you have a disability. Please contact the Privacy Office below to request an alternative format.
16. Contact Information
If you have questions or comments about this Notice, our privacy notices, the ways in which we collect and use your information, your choices, and rights regarding such use, or wish to exercise your rights under California law, please contact us at:
Bamboo HR LLC
BambooHR Payroll LLC
Front & Main, Inc. d/b/a/ Honey
Glide Holdings, Inc. d/b/a Welcome
Attn: Legal Department/Privacy
335 South 560 West
Lindon, UT 84042-1911