Privacy Policy
VonStaff (hereinafter "the application" or "we") is a SaaS software solution for managing human resources, attendance, leave, and employee management. The confidentiality and security of your personal data are a priority for us. This Privacy Policy explains how we collect, use, and protect personal data, what categories of data we process and for what purposes, as well as what your rights are under Regulation (EU) 2016/679 (GDPR) and similar legislation outside the EU, such as the California Consumer Privacy Act (CCPA). By using our application, you agree to the practices described in this personal data policy.
We collect only the personal data necessary for the operation and improvement of the VonStaff services. These data can be provided directly by users (for example, by employees or HR administrators of client companies) through the application’s forms and interfaces, or generated in the course of using the service. The categories of personal data that we may collect include:
We do not intentionally collect special categories of personal data (such as data regarding racial or ethnic origin, political opinions, sexual orientation, genetic or biometric data, health status, etc.), except in situations where this information is necessary and provided by the user or employer in the legal context of the employment relationship (for example, a medical fitness certification for employment). In such cases, we will apply additional protective measures, and processing will only be carried out on a basis permitted by law.
VonStaff processes personal data only for legitimate, specified purposes and on an appropriate legal basis in accordance with the GDPR. Below are the main purposes for which we collect and use data, along with the applicable legal grounds:
VonStaff will not use personal data in a manner incompatible with the above purposes without informing you and, if necessary, obtaining your prior consent.
We collect personal data directly from you in most cases: when you create an account, when you complete forms in the application (for example, filling out your employee profile) or when you actually use the platform’s features (time tracking, leave requests, etc.). In addition, certain data may be entered into the application by system administrators or by your employer (such as contractual or financial data required for personnel records). We also automatically collect some technical data when you interact with our application or website, such as the IP address, device type, operating system, and session information, through cookies and similar technologies (for details, see the Cookie Policy).
If we receive data about you from other sources (for example, updates provided by your employer or relevant public information regarding professional qualifications), we will ensure these data are processed in accordance with permitted purposes and with respect for your rights.
We have implemented appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the personal data we process, in accordance with Art. 32 GDPR. The data are stored on secure servers provided by our hosting partner (CyberFolks, with data centers in the European Union), which applies high security standards, including encryption of stored data and secure transmission.
The security measures implemented by VonStaff include:
Although we make considerable efforts to protect your data, you must remember that no data transmission over the internet or storage technology is 100% secure. In the unlikely event of a security incident (data breach) that could affect your confidentiality, we will follow the legal notification procedures for both the competent authorities and the affected individuals, in accordance with our obligations (Art. 33 and 34 GDPR).
In principle, we store and process personal data within the territory of the European Union. However, in certain limited situations, some data may be transferred outside the European Economic Area (EEA), for example:
In all cases of international transfer, we ensure that an adequate level of data protection is provided, in accordance with Chapter V of the GDPR. This means we will use approved legal transfer mechanisms, such as the Standard Contractual Clauses (SCC) issued by the European Commission, and will assess in advance the risks associated with these transfers. For example, for transfers to the USA, data sent to Stripe or other providers will be protected via SCC and, if applicable, additional security measures or updated international agreements. We will inform users if there are changes to the transfer mechanisms (for example, the implementation of a new EU–US privacy framework).
Important: VonStaff does not disclose or "sell" users’ personal data to third parties for commercial purposes. In the sense of the CCPA, "selling" personal data refers to providing information to a third party for financial or commercial purposes without consent – something we do not engage in. Any transfer of your data to third parties takes place exclusively for the permitted purposes mentioned in this policy, and involves providers acting either as processors who process data only on our behalf and according to our instructions, or as recipients who need the data based on a legal ground (e.g., authorities).
Your rights under GDPR (for users in the European Union):
As a data subject, you have a number of rights guaranteed by the GDPR, which VonStaff respects. These rights include, primarily:
Right to be informed – you have the right to be informed about the personal data we collect and how we process it (this privacy policy helps fulfill this right).
Right of access – you can request confirmation of whether or not we are processing your personal data and, if so, access to that data and relevant additional information (purposes, categories of data, recipients, storage period, etc.).
Right to rectification – you can request the correction of inaccurate personal data or the completion of data that are incomplete.
Right to deletion (right to be forgotten) – under the conditions provided by law, you can request the deletion of your personal data (for example, if the data are no longer necessary for the purposes of collection or you have withdrawn consent and there is no other legal basis for processing). We will delete the data at your request if the legal conditions are met (Art. 17 GDPR), while also taking into account our archiving or retention obligations required by law.
Right to restriction of processing – you can request the temporary suspension of data processing in a number of situations, for example if you contest the accuracy of the data or if the processing is unlawful, until the issue is resolved.
Right to object – you can object, on grounds relating to your particular situation, to processing based on our legitimate interest. We will comply with the objection unless we have compelling legitimate grounds that justify continuing the processing or if we process the data for mandatory legal reasons. Additionally, you have the right to object at any time to the processing of data for direct marketing purposes (if any).
Right to data portability – you have the right to receive the personal data you have provided to us, in a structured, commonly used, and machine-readable format, and the right to request the transmission of this data to another controller, where technically feasible. This right only applies to data processed by automated means, based on consent or the performance of a contract.
Right not to be subject to an automated individual decision – VonStaff does not use exclusively automated decision-making processes that produce legal or similarly significant effects for users (such as automated profiling without human intervention). In general, you have the right not to be subject to a decision based solely on automated processing if that decision produces legal effects concerning you.
To exercise any of the above rights, you can contact us at any time at the email address indicated in the Contact section of this policy. We will respond to valid requests within the legal term of 30 days (which can be extended under the GDPR by up to 60 days if the request is complex, in which case we will inform you of the need for extension). Note that for certain requests we may ask for additional information to verify your identity (for example, an ID or other contact details) before complying, especially in the case of sensitive data, to ensure we do not disclose personal data to an unauthorized person.
You also have the right to file a complaint with the national data protection supervisory authority if you believe your rights have been violated. In Romania, this authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP – www.dataprotection.ro). However, we would appreciate the chance to resolve any issue amicably – we encourage you to contact us first, and we will make every effort to assist you.
Additional rights for California residents, under the CCPA (California Consumer Privacy Act, amended by CPRA):
If you are a California resident, local law grants you certain rights regarding your personal data, largely similar to those above, but also with some specifics. In accordance with CCPA/CPRA, as a consumer you have, mainly, the following rights:
Right to be informed (Right to notice) – the right to know what categories of personal information a business collects about you and for what purposes that information is used. This includes the right to know if your data are sold or disclosed to other entities and to which categories of third parties. (This privacy policy provides you with this information.)
Right of access / Right to know – you can request that a company that holds your data inform you what personal information it has collected about you, from where it was collected, the purpose of collection, the categories of third parties with whom it was shared, and the specific personal information collected. Upon your request, we will provide a report on the personal data we have collected about you over a specific period (generally the last 12 months, according to the CCPA).
Right to deletion – similar to the right to be forgotten under the GDPR, you have the right to request the deletion of personal information that a company has collected from you, subject to the exceptions provided by law (for example, if the information is necessary to provide a requested service, to comply with a legal obligation, or for other permitted purposes). If we receive a valid deletion request, we will remove personal data from our systems, except for those data we are obliged to retain (e.g., for legal record-keeping or if the data are necessary to defend a legal right in court).
Right to opt out of the sale of personal data – you have the right to request that we do not sell your personal information to third parties. VonStaff does not engage in sales of personal data, as mentioned, but this right means that if we ever intend to share your data in a way that would be considered a "sale" under the CCPA, we will ensure you have the opportunity to opt out before such disclosure takes place. On our website, California residents can use cookie management options or tools like Global Privacy Control (GPC) to exercise this right with regard to online identifiers (GPC is a signal that the browser can send to indicate the preference not to sell data; we will honor such signals to comply with the CCPA).
Right to correction – you have the right to request that we correct any inaccurate personal information we hold about you. This right was introduced by the CPRA amendment and ensures that your data can be kept up to date and accurate upon request. If you notice that certain data in your profile or in our records are incorrect or incomplete, you can ask us to update them, and we will act accordingly.
Right to limit use of sensitive personal information – to the extent that we collect sensitive personal information about you (as defined by CCPA/CPRA, e.g., personal identification numbers or other unique identifiers, financial data, health or genetic information, racial or ethnic origin, religious beliefs, etc.), you have the right to request that we limit the use or disclosure of this information strictly to purposes permitted by law. In practice, if we process such sensitive data, they will be used only for providing the service or other essential purposes (such as security or legal compliance), and not, for example, for targeted behavioral advertising without consent.
Right not to be discriminated against – you have the right not to receive any unfavorable treatment from us for exercising any of the above rights. We will provide our services under the same conditions regardless of whether you choose to request data access or deletion, or exercise your right to object. We will not refuse services, provide a lower quality of service, or impose penalties just because you exercised your legal privacy rights.
To exercise any of the consumer rights granted by the CCPA, you can contact us at the same email address mentioned at the end of this policy (or through any available contact method). We will verify the identity of the requester (to ensure you are authorized to receive the data in question) and will respond to the request within the timeframes provided by California law. We assure you that we will not discriminate in any way against individuals who exercise their rights under the CCPA (for example, we will not deny access to the application or provide inferior services to those who make such requests).
Note: In most cases, the rights provided by GDPR and CCPA overlap in purpose and effect. Thus, we will attempt to fulfill any request in a comprehensive manner favorable to the data subject, regardless of which legislation it is made under. For example, a data access request from a user outside the EU will be handled with the same level of detail and transparency as required by the GDPR, and a deletion request from a user in the EU will be honored taking into account the exceptions provided by the CCPA (if applicable, for example for data necessary to provide the service). Our goal is to ensure all users have control over their personal data, according to the highest applicable privacy standards.
To provide the VonStaff service at high standards, we collaborate with certain trusted third-party providers. Your personal data may be transmitted to these third parties only when necessary for operating and maintaining the service, and only under conditions of safety and contractual confidentiality. The main recipients and processors who might have access to certain data are:
Hosting provider – CyberFolks (or another equivalent EU partner) provides the cloud infrastructure on which the application is hosted. Consequently, data stored on our servers may be accessible to this provider strictly for technical purposes (hardware/software maintenance). CyberFolks is a company with data centers in the EU and is contractually obliged to comply with GDPR and to implement strong security measures to protect data.
Payment processor – Stripe, Inc. (USA) processes online payments made by users (for example, payment of VonStaff subscriptions or services). To process a payment, certain data may be necessary, such as the cardholder’s name, billing address, or payment details. Stripe is certified regarding industry data security standards (PCI DSS), and we have also signed Standard Contractual Clauses with Stripe for the protection of data transferred outside the EU. Stripe is committed to using personal data only for payment processing and as required by law.
Web analytics services – Google Analytics (provided by Google Ireland and Google LLC) may collect information about how you visit the public VonStaff website (e.g., pages visited, session duration, device type). These data are generally aggregated and anonymized (they do not directly identify an individual) and help us understand traffic and improve the website. Google acts as a processor for these analytics data. We have configured Google Analytics so that your IP address is anonymized (truncating the last octets) and we do not allow Google to use or share this data except to provide us the analytics service. You can always refuse analytics cookies (see the Cookie Policy) and, in that case, Google Analytics will not collect data about your visit.
Other service providers – Occasionally, we may use other companies or contractors for ancillary services: for example, software maintenance, email services (for sending notifications or communications to users), customer support services (helpdesk), or IT consulting. In all such cases, if these entities require access to personal data, they will act either as processors (processing data solely on our behalf and according to our instructions) or as joint controllers (if they have their own legal obligations, e.g., an external auditor). We will sign specific data processing agreements with each provider, ensuring that they respect the confidentiality and security of your data.
All our partners and providers are carefully selected to ensure they adhere to high data protection standards. We conclude data processing agreements with each provider acting as a processor, in accordance with Art. 28 GDPR, which legally obliges them to keep your data confidential, to use it exclusively for the purpose of providing the service to us, and to implement appropriate technical and organizational security measures. We also do not allow these third parties to use your data for their own purposes (e.g., their own marketing) and we forbid them from disclosing the data further without authorization.
Aside from the providers mentioned, we do not disclose your data to anyone else, except in situations where we have a legal obligation to do so (for example, at the legitimate request of a public authority or in the context of legal proceedings).
VonStaff (operated by Von Consulting) has adopted rigorous internal policies to ensure compliance with data protection legislation (GDPR) and to maintain the confidentiality of information:
Through these internal measures, we aim to ensure that personal data is processed in a responsible and transparent manner, in accordance with legal requirements and the expectations of our users.
To independently oversee the compliance of our operations with data protection rules, we have appointed a Data Protection Officer (DPO). The DPO’s role is to advise and inform the company and employees about GDPR obligations, to monitor compliance with the rules, and to be the contact point for data subjects and the supervisory authority.
If you have any questions, concerns, or requests related to your personal data or how VonStaff processes it, you can address our DPO using the contact details below (see the Contact section). The DPO’s involvement ensures that any such communication will be handled seriously and confidentially, and you will receive a response as soon as possible.
We retain personal data only for the duration necessary to fulfill the purposes for which it was collected, except when there are legal archiving obligations or legitimate interests that justify retention for a longer period. Specifically:
Upon the expiration of the relevant retention period, or if we receive a legitimate deletion request and have no legal ground to continue processing, we will securely remove personal data from our systems, through automated or manual mechanisms (ensuring the deletion is irreversible). If certain data are stored in backup copies that cannot be immediately deleted, we will continue to protect them until their removal (for example, by restricting any access or use).
This Privacy Policy may be updated periodically to reflect changes in our data processing practices or legal and technological developments. When we update the policy, we will publish the new version on our website (and in the application, if applicable) and will modify the "Last update" date at the end. In the event of substantial changes that could affect your rights or freedoms, we will attempt to inform you proactively (for example, through an in-app notification or email, if we have your email address). We recommend that you check this page periodically to stay informed of any updates. Continued use of the VonStaff application after any updates take effect will constitute acceptance of the revised Privacy Policy.
For any questions, concerns, or requests related to this Privacy Policy or how VonStaff processes personal data, you can contact us using the following:
We will respond to all requests as soon as possible, but no later than the applicable legal deadlines. We are committed to resolving any privacy-related complaint or issue diligently and transparently.
Last update of this Privacy Policy: March 29, 2025