Privacy Policy

1. Introduction

This Privacy Policy describes how HR Cluster AS (org. no. 937 565 690) handles personal data in connection with the HR Cluster platform. We are committed to protecting the privacy of individuals whose data is processed through our service, and to operating in line with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

2. Roles and responsibilities

HR Cluster operates as a workforce management platform used by customer organizations to manage their teams. In most cases:

  • The customer organization is the data controller — they determine the purposes and means of processing personal data.
  • HR Cluster AS is the data processor — we process personal data on behalf of the customer organization to provide the service.

The specific terms of that processing are governed by our Data Processing Agreement (DPA), which is available on request. Where HR Cluster AS acts as a controller in its own right — for example for billing, account administration, and security logging of platform access — this Privacy Policy applies directly.

3. Data we process

Depending on how the customer organization configures the platform, the following categories of personal data may be processed:

  • Identity data — name, email, phone number, date of birth, employee number
  • Account and access data — login credentials, PIN hashes, roles, permissions
  • Employment data — role, position, group, department, hourly rate, contracts
  • Scheduling data — shift assignments, availability, schedules
  • Attendance data — clock-in and clock-out records, including geolocation where enabled by the customer, and session adjustments
  • Documents and credentials — certifications, qualifications, training records, ID documents uploaded by the customer
  • Operational data — incident and safety reports, messages, inventory assignments
  • Sensitive identifiers — national ID or bank details, where entered; stored encrypted at rest (AES-256-GCM)
  • Technical data — IP address, browser type, device type, and audit log timestamps

4. Spam, fraud, and abuse prevention

To protect selected public forms and security-sensitive requests from automated abuse, we use Google reCAPTCHA Enterprise, provided by Google Ireland Limited.

When you load or submit one of these forms, your browser communicates directly with Google. The data Google processes for this purpose includes:

  • IP address and approximate geolocation
  • Browser and device information (user agent, screen and time-zone information, plug-ins)
  • Mouse, touch, and keyboard interaction signals on the page
  • A reCAPTCHA-specific cookie (_GRECAPTCHA) set on Google's domain
  • The action label associated with the form

The processing is limited to producing a risk score that we use to decide whether to accept the submission. We do not receive Google's analytical data and we do not use reCAPTCHA for advertising, profiling, or analytics.

Lawful basis. Article 6(1)(f) GDPR — our legitimate interest in keeping the platform free of spam, fraudulent submissions, and automated attacks against authentication endpoints. We have assessed this interest against your rights and consider it proportionate, since reCAPTCHA only runs on a limited set of public endpoints, the data set is limited, and you can complete the same actions through alternative channels (for example by contacting your administrator) if you object to this processing.

International transfer. Google may process this data on servers outside the European Economic Area, including in the United States. Transfers are covered by the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

Retention. We do not store the raw signals Google processes. We log the verification outcome (action label, accept/reject result, and aggregated context such as account ID and IP for security monitoring) for up to 90 days.

For more information see Google's Privacy Policy and Terms of Service.

5. Legal basis for processing

Where HR Cluster AS processes personal data as a controller, we rely on the following legal bases under GDPR Article 6:

  • Contract (Art. 6(1)(b)) — to provide the service to the customer organization and the individuals who access it.
  • Legitimate interests (Art. 6(1)(f)) — to maintain platform security, prevent abuse, keep audit logs, and improve the service. We balance these interests against the rights of affected individuals.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable accounting, tax, and information-security law.
  • Consent (Art. 6(1)(a)) — for optional analytics cookies, where applicable.

Where HR Cluster AS acts as a processor, the customer organization is responsible for identifying the legal basis for the underlying processing, typically contract of employment, legal obligation, or legitimate interest.

6. How data is used

Personal data processed through HR Cluster is used to:

  • Provide and operate the platform
  • Manage users, roles, and organizational structures
  • Enable scheduling, shift planning, and staffing
  • Record attendance and time tracking
  • Maintain security and prevent unauthorized access
  • Improve platform reliability and performance
  • Provide customer support
  • Generate reports, statistics, and exports as requested by the customer organization

7. Workforce and employment-related data

HR Cluster is designed for workforce management and operational staffing. As part of this purpose, the platform may process the following categories of data on behalf of the customer organization:

  • Shift assignments and schedules
  • Attendance and time tracking records
  • Clock-in and clock-out records
  • Certifications, qualifications, and training records
  • Incident and safety reports
  • Equipment and inventory assignments
  • Role, department, and group information
  • Availability and scheduling preferences
  • Notes and comments added by administrators

This data is processed on behalf of the customer organization in accordance with their instructions and applicable law.

8. Audit logging

HR Cluster may log actions performed within the platform for security and operational purposes. Logged events may include:

  • Login and access events
  • Clock-in and clock-out events
  • Shift assignments and changes
  • User profile updates
  • Permission and role changes
  • Incident creation and status updates
  • Data exports
  • Administrative actions

Audit logs are used for security monitoring, dispute resolution, operational troubleshooting, and compliance and accountability purposes. Audit logs may be retained for a longer period than other operational data.

9. Time tracking disclaimer

Time tracking and attendance functionality within HR Cluster is provided for administrative and operational purposes only. Customer organizations are solely responsible for payroll calculations, compliance with applicable labor laws, overtime calculations, break and rest period compliance, and employment classification. HR Cluster AS does not guarantee that time tracking data recorded through the platform complies with the requirements of any specific jurisdiction or labor regulation framework.

10. Hosting and data residency

HR Cluster is hosted on dedicated infrastructure provided by Hetzner Online GmbH, primarily in Helsinki, Finland, within the European Union. Application servers, databases, backups, and file storage are all operated within this EU environment.

Our primary application infrastructure is hosted within the European Union. Some ancillary services — in particular transactional email delivery and privacy-friendly analytics — are provided by subprocessors that may process limited personal data outside the EEA. Where that is the case, we rely on the safeguards described in section 11 below.

11. Subprocessors

HR Cluster AS does not sell personal data. To operate the service we use a small number of subprocessors, each bound by a written data-processing agreement:

  • Hetzner Online GmbH (Germany) — hosting, compute, storage, backups. Data processed in the EU.
  • Postmark (ActiveCampaign, LLC), United States — delivery of transactional emails such as account, security, and operational messages. Recipient name, email address, and message content are processed in the United States under Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
  • Google Analytics (Google Ireland Limited) — privacy-friendly usage analytics on our marketing pages, loaded only with user consent. IP anonymisation is applied where supported.
  • Google reCAPTCHA Enterprise (Google Ireland Limited) — anti-spam and abuse protection on selected public forms and security-sensitive requests. Loaded as a strictly necessary security measure; not used for analytics or advertising. Data processed under SCCs and the EU–US Data Privacy Framework where applicable.

An up-to-date list of subprocessors is maintained as part of our DPA. Customers are notified of material changes.

Within the customer organization, personal data may also be visible to authorized administrators and managers in accordance with the roles and permissions configured by the customer.

12. International transfers

Our primary application infrastructure is hosted within the European Union, and the majority of customer data is stored and processed there. A limited number of subprocessors — for example our transactional email provider and our analytics provider — may process personal data outside the EEA. Where such transfers occur, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. We transfer only the personal data that is necessary for the specific service — for example, a recipient's name and email address in order to deliver a transactional email.

13. Data retention

Personal data is retained for as long as it is needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, or as instructed by the customer organization.

As a general guideline:

  • Active account data is retained for the duration of the customer agreement.
  • Session, shift, and scheduling records are retained at the platform default of 90 days in the active store before being moved to an encrypted archive; customers may set a longer retention period.
  • Audit logs are retained for a longer period for security and accountability purposes.
  • Encrypted backups are retained for a limited rolling window before being overwritten.

When a customer agreement ends, customer data is deleted or returned within a reasonable period, as described in the DPA.

14. Your rights

Under the GDPR you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data held about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Deletion — request erasure of your personal data.
  • Restriction — request limitation of processing.
  • Objection — object to certain types of processing based on legitimate interests.
  • Portability — request transfer of your data in a structured, machine-readable format.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

Since the customer organization is typically the data controller, requests regarding workforce personal data should in most cases be directed to the customer organization first. HR Cluster AS will support the customer organization in fulfilling such requests.

15. Security

HR Cluster AS implements technical and organizational measures appropriate to the risk, including:

  • TLS (HTTPS) for all traffic in transit
  • Sensitive fields (e.g. national ID and bank details) encrypted at rest using AES-256-GCM with a per-user salt and a server-side pepper
  • Passwords stored with bcrypt; PINs stored hashed; session tokens bound to the browser and validated against the database
  • Role- and permission-based access control, with per-account data isolation enforced at the query layer
  • CSRF protection on all state-changing actions; rate limiting on authentication
  • Audit logging of administrative actions
  • Daily automated backups to EU-based off-site storage
  • Dedicated database host with no public network exposure
  • Regular review of dependencies, access, and security practices

We will notify affected customers without undue delay of any personal data breach that is likely to result in a risk to the rights and freedoms of individuals, in line with GDPR Articles 33–34.

16. Cookies

HR Cluster uses cookies and similar technologies as described in our Cookie Policy.

17. Contact and supervisory authority

For questions or concerns about this Privacy Policy or our data practices, contact us at:

HR Cluster AS
Org. no.: 937 565 690
Email: privacy@hrcluster.com

If you are located in Norway or the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no, or with the supervisory authority in your country of residence.

Last updated: April 2026
