Legal Notice

Privacy Notice

This Privacy Notice describes how we collect, use, share and protect personal data in connection with the Hobasa platform and Services. Our Platform may contain links to third-party websites and services that are not covered by this Notice; please review their privacy statements to understand their information practices.

Scope

This Notice applies to Hobasa Subscribers (including Direct Subscribers and Partner-managed subscribers), Invited Users, Partner personnel, and End Client personnel whose personal data is processed through the Services — across both the Financial Intelligence Product and the HR Compliance Product.

It does not apply to personal data that Subscribers or their Invited Users enter about their own customers, suppliers, employees or third parties. In those cases the Subscriber is the Controller and Hobasa processes the data only as a service provider (Processor) under the Data Processing Addendum. For HR data entered via HRMS Integrated Systems, the Subscriber is the Controller. If you are an employee whose data is processed through Hobasa by your employer, contact your employer directly.

Personal Data We Collect

The categories of personal data we may collect are set out below.

Category
What it includes
Source
  • Identity & Contact Data
    Name, email, phone, job title, business name, social media handle, etc.
    Directly from you; the SSO provider.
  • Account & Subscription
    Login credentials, subscription plan, MFA settings, billing contact.
    Directly from you.
  • Payment
    Truncated card details, bank account (ACH), billing address, payment history.
    Directly from you; payment processors.
  • End Client Financial Data
    Accounting records, transaction data, financial reports and other information accessed via Integrated Systems.
    Integrated Systems.
  • HR & Employee Data
    Employee names, job titles, classifications; wages, bonuses, pay rates; hours, overtime and shift data; leave records (FMLA, sick, statutory); payroll deductions; and other HR data available in the connected HRMS.
    Integrated Systems.
  • Sensitive HR Data
    Health-related leave information for FMLA eligibility, and disability-related data for ADA reasonable accommodation analysis.
    Integrated Systems.
  • AI Interaction Data
    Deep Analysis reports, Root Cause Analysis reports, queries processed by AI Assistant, AI outputs, dashlet interactions.
    Platform usage.
  • Communications
    Support emails, chat, feedback, call recordings (with consent, where required by law).
    Directly from you.
  • Device & Usage
    IP address, browser type, session tokens, pages visited, click data.
    Collected based on your usage.
  • SSO Data
    Name, email and profile picture from Google or Microsoft.
    Third-Party SSO provider.
  • Marketing & Preferences
    Communication preferences, survey responses, promotional interactions.
    Collected based on your usage.
  • Uploaded Content
    Any personal data in photographs, videos or audio recordings uploaded to Hobasa.
    Directly from you.

Processing Your Personal Data

We may use your personal data to make available the Services, manage your subscription, respond to enquiries and manage our relationship with you. Your information may be processed:

  • To deliver our services, including sign-up, purchases, subscription management, monitoring, testing, reporting and hosting of data.
  • To communicate service updates, invoices, technical notices, security alerts and support responses across email, phone, SMS and in-platform.
  • For security management, including malware and threat detection and blocking unauthorized access.
  • To ensure compliance with our Terms of Use and related internal reporting.
  • To develop, enhance, market, sell or provide our products or services, or those of commercial partners.
  • For any specific purpose for which you have voluntarily provided personal data.
  • To provide tips or guidance on how to use the Platform and personalize your experience.
  • To collect feedback, prevent fraud, run competitions or surveys, and analyze software usage.
  • To comply with legal or regulatory requirements and preserve our legal rights.

HR data from connected HRMS Integrated Systems is processed as Controller data of the Subscriber under the DPA and is not used by Hobasa for any purpose other than delivering the HR Compliance Product. Sensitive HR data (health-related leave or disability data) is processed solely as instructed by the Subscriber for HR Compliance Outputs. Equivalent restrictions apply to LLM API sub-processors.

Basis for Processing Personal Data

We only process personal data where at least one of the following applies:

  • Contractual necessity to deliver our Services.
  • Legitimate uses or interests.
  • Legal obligations.
  • Your consent to processing for one or more specific purposes.

Contract Performance

Providing platform access, connecting Integrated Systems, generating AI outputs, processing payments, managing accounts and subscriptions, calculating Partner commissions and sending transactional communications.

Legitimate Interests

Operating, improving and securing the platform; fraud detection; de-identified analytics; service communications; and improving AI model performance using anonymised, aggregated data.

Legal Obligation

Complying with lawful regulatory requests, issuing tax documents and record-keeping for HR data processed on behalf of Subscribers.

Children’s Data

We do not knowingly collect personal data of individuals under the age of 18. Source data pulled from Integrated Systems may contain information about minors as stored by the End Client. In such cases the Subscriber is responsible for ensuring it has the necessary rights and legal basis to provide the data to Hobasa.

Cookies & Tracking Technologies

Cookies are small files stored on your browser when you visit our platform. Some are session-only, while “persistent cookies” are stored for longer. We also use pixel tags, web beacons and local storage — collectively referred to as “cookies.”

Categories of Cookies We Use

  • Strictly Necessary — session management, authentication, security and consent enforcement. Always active.
  • Functional — remember choices such as language, display and dashboard layout. Set only with consent.
  • Performance — analytics (e.g., Google Analytics with IP anonymization) about how the Platform is used. Set only with consent.
  • Targeting & Advertising — profile your interests to serve relevant advertising. Set only with consent.

Today, we use only Strictly Necessary session-management cookies for login. Some cookies may be set by third parties such as analytics providers or payment processors and are subject to their own privacy policies.

Cookie Management

Most browsers let you view, delete and block cookies. Blocking strictly necessary cookies will prevent the Platform from functioning correctly; deleting cookies will remove saved preferences and may require you to log in again.

Disclosure of Personal Data

Except as described in this Notice, we will not disclose information about you without your consent. We may disclose your personal data in the following circumstances:

  • End Client personal data is shared with the End Client’s designated Partner as necessary to provide the Services and as authorized by the Client Authorization Form.
  • To third-party sub-processors bound by data processing agreements meeting our DPA standards (cloud infrastructure, payment processors, email delivery, customer support tooling, analytics providers and LLM API providers).
  • When required by law, in response to a court order, subpoena or warrant, or to cooperate with law enforcement or government agencies.
  • In the event of a merger, acquisition, reorganization or sale of assets, with 30 days’ prior notice.
  • Within the Hobasa Group (Hobasa LLC and its subsidiaries).
  • To protect our rights, property or safety, defend against third-party claims, or safeguard the security and integrity of the Service.
  • As you may consent from time to time.

Integrated Systems

If you connect Integrated Systems (including HRMS Integrated Systems), any processing by those third-party services is governed by their own privacy policies and terms — not this Notice. Hobasa is not responsible for their data practices.

Data Security

Hobasa implements appropriate technical and organizational measures, including:

  • AES-256 encryption at rest.
  • End-to-end encryption in transit (TLS 1.2+).
  • Role-based access control limiting employee access.
  • MFA enforcement for Partner accounts.
  • Regular security audits and vulnerability assessments (at minimum annually).
  • A documented incident response plan.

In the event of a Security Incident, Hobasa will notify affected Subscribers without undue delay and within the timeframe required by applicable law. The escalation path is governed by the SLA (automatic Stage 4 escalation). Partners must report Security Incidents to Hobasa within 24 hours per our Partner Code of Conduct.

Data Retention

We store personal information for a period consistent with the purposes described in this Notice or as required by law. Retention is determined based on the purpose of collection, the volume and sensitivity of the data, potential risk of harm, whether the purpose can be achieved with less data, and applicable legal requirements. On expiry, data is securely deleted or anonymized.

Your Rights

Depending on your location and applicable law, you may have some or all of the following rights in respect of your personal data.

  • Access & correction
    Request a copy of your personal data or ask us to correct inaccuracies.
  • Deletion
    Ask us to delete personal data we have collected. Where data has been shared with sub-processors or Partners, we will notify them of your request so they can comply with their own obligations.
  • Object to continued processing
    Where we process your data on the basis of legitimate interests, you can object. We will cease processing unless we can demonstrate compelling legitimate grounds, or the processing is necessary for legal claims.
  • Not be subject to automated decisions
    You have the right not to be subject to wholly automated decisions with legal or similarly significant effects, and to request human review.
  • Portability
    Receive a copy of the personal data you provided in a structured, commonly used, machine-readable format, and transmit it to another provider where technically feasible.
  • Withdraw consent
    Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Limit use of sensitive personal information
    California residents may direct Hobasa to limit use of sensitive personal information to the delivery of the Services (see the California section below).

You may email us at partnersupport@hobasa.com with any Rights Request, and we will respond within 30 days. Partners and End Clients can also access, correct, export or update Account Information by editing their profile. We may need to verify your identity before completing your request.

Where a Rights Request is denied, residents of Virginia and Colorado may appeal by replying to the denial or submitting a Rights Request to partnersupport@hobasa.com, and we will respond within 60 days. In the EEA and UK, you also have the right to lodge a complaint with a supervisory authority.

Aggregated Anonymous Data

Hobasa may aggregate technical and other non-personally-identifiable data about your use of our website and Services (“Aggregated Anonymous Data”) and use it to improve, support and operate our products and Services and for any other lawful purpose.

Cross Border Transfers

The Services are operated in the United States. Personal data is stored and processed on servers located in the United States. Users outside the US should note that data will be transferred to and processed in the US. Prior to operations in the EU, UK or Canada, Hobasa will implement appropriate transfer mechanisms as required by applicable law.

Updates and Changes to Privacy Policy

Hobasa may update this Notice from time to time. Material changes will be communicated by email to the registered account address or by a prominent notice on the Platform before they take effect. The most recent update date is displayed at the top of this Notice.

Notice to California Residents

This section applies only to California residents. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a consumer or household as defined in the CCPA.

How We Collect, Use and Share Your Personal Information

  • Identifiers for the categories of users defined in this Notice.
  • Payment and customer records of our Partners and End Clients.
  • Protected classification characteristics voluntarily disclosed to us.
  • Commercial information such as records of services considered or obtained.
  • Professional or employment information.
  • Internet or other electronic network activity information.
  • Inferences about your interests or preferences.

Your California Privacy Rights

  • Knowledge — what personal information we have collected, its sources, purposes, third-party recipients and specific pieces.
  • Access — request a copy of your Personal Information.
  • Deletion — ask us to delete Personal Information we collected from you.
  • Correction — ask us to correct inaccurate personal information.
  • Opt-out of sales or sharing — direct us not to “sell” or “share” your Personal Information under the CCPA.
  • Non-discrimination — exercise rights free from discrimination.

Right to Opt Out of the Sale and Sharing of Your Personal Information

Hobasa does not sell your Personal Information. We may share Personal Information with third-party service providers, advertising partners, analytics providers and business partners to support the operation, improvement, marketing and security of our platform, which may be considered a “sale” or “sharing” under the CCPA. You may opt out by emailing partnersupport@hobasa.com.

Contact Information

Privacy & Rights Requests
partnersupport@hobasa.com
Security Incident Reports
partnersupport@hobasa.com
General Legal Notices
Legal@hobasa.com
Registered Office
Hobasa, Inc. — 8 The Green, Suite A, Dover, DE 19901, United States.