Privacy Policy

Effective date: April 21, 2026 · Last updated: April 21, 2026

What this policy covers: This Privacy Policy explains what personal data StriderTeam collects, how we use it, who we share it with, and what rights you have over your data. It applies to all users of the StriderTeam platform — including Organization Administrators, employees, and visitors.

1. Who We Are

StriderTeam ("we," "us," or "our") operates a cloud-based multi-tenant HR and workforce management platform ("Service"). We act as a data processor with respect to employee personal data that your organization submits to the platform, and as a data controller with respect to account, billing, and security/audit log data that we collect directly.

Data controller contact: privacy@striderteam.com

2. Who This Policy Applies To

This policy applies to:

  • Organization Administrators: Individuals who register and manage an organization account on StriderTeam.
  • Employee Users: Individuals whose accounts are provisioned by an Organization Administrator.
  • Visitors: Anyone who visits our public-facing website or landing pages.

For employee data processed on behalf of organizations, the employing organization is the data controller and StriderTeam is the data processor. Employees should also review their employer's internal privacy notice.

3. Information We Collect

3.1 Account and Organization Information

When an organization registers or an administrator configures the platform, we collect:

  • Organization name, domain name(s), and industry.
  • Administrator name, email address, and profile picture (from Google OAuth).
  • Billing contact information and payment method details (processed by our payment provider — we do not store raw card numbers).
  • Subscription plan, seat count, and billing history.

3.2 Employee Profile Data

Organization Administrators enter the following personal data into the platform on behalf of their employees:

  • Full name, email address, and profile photograph.
  • Job title, department, employment start date, and employment status.
  • Compensation records and salary history.
  • Leave requests, leave balances, and leave history.
  • Reporting structure (manager relationships for org chart).
  • Documents uploaded to employee profiles (e.g., contracts, ID copies).
  • Access roles and permissions within the organization.

3.3 Authentication and Session Data (Login Tracking)

Transparency Notice: Every time a user signs into StriderTeam, the platform automatically records technical metadata about that login event. This is done to protect accounts, detect unauthorized access, and provide Organization Administrators with an audit trail.

On each authenticated sign-in, we automatically collect and permanently store:

  • IP Address — the public internet address of the device used to sign in. This may be a shared IP (e.g., a corporate NAT) or a VPN exit IP.
  • Geographic Location (IP-derived) — city, country, and approximate latitude/longitude coordinates estimated from the IP address using a third-party geolocation database (MaxMind GeoLite2). This is an approximation and is typically accurate to the city level. It is not based on GPS or browser geolocation APIs. VPN or proxy users will show the VPN server's location, not their physical location.
  • Browser Name and Version — e.g., "Chrome 124.0.6367.208", parsed from the HTTP User-Agent header.
  • Operating System and Version — e.g., "Windows 11 23H2", parsed from the HTTP User-Agent header.
  • Device Type and Model — desktop, mobile, or tablet; and where available, manufacturer and model (e.g., Samsung Galaxy S24), parsed from the HTTP User-Agent header.
  • Authentication Event Type — successful login, failed authentication attempt, logout, or session expiry.
  • Timestamp — date and time in UTC.

This data is visible to Organization Administrators within their organization's security/audit section, and to StriderTeam System Portal administrators for platform-wide security monitoring.

3.4 Usage and Analytics Data

We collect non-identifying usage data to improve the Service, including:

  • Pages visited and features used within the platform.
  • Session duration and navigation patterns.
  • Errors encountered during use.

3.5 Communications

If you contact us via email or a support channel, we retain the contents of that communication and your contact details to respond to you and improve our support processes.

4. How We Collect Information

We collect information through the following methods:

  • Directly from you or your organization — when registering, configuring, or entering employee data into the platform.
  • Automatically on authentication — IP address, browser, OS, device, location, and timestamp are recorded at every sign-in event via server-side header inspection. No browser JavaScript is required for this collection.
  • Via Google OAuth — when you use "Sign in with Google," we receive your name, email address, and profile picture from Google's API, scoped to the permissions you grant.
  • From cookies and local storage — we use a session cookie to maintain your authenticated state. See Section 12 for details.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar laws, we process personal data under the following legal bases:

Contract Performance (Art. 6(1)(b) GDPR)

Processing account information, subscription data, and service delivery.

Legitimate Interests (Art. 6(1)(f) GDPR)

Session security logging, authentication audit trails, IP/browser/device tracking for fraud prevention and account protection. Our legitimate interest in preventing unauthorized access outweighs the limited privacy impact of collecting technical metadata at sign-in. Employees have a reasonable expectation that enterprise SaaS platforms log authentication events.

Consent (Art. 6(1)(a) GDPR)

Analytics and non-essential cookies, where applicable.

Legal Obligation (Art. 6(1)(c) GDPR)

Maintaining audit logs and records as required by applicable regulations.

Data Processing Agreement (Art. 28 GDPR)

For employee personal data submitted by organizations, StriderTeam acts as a data processor under a Data Processing Agreement (DPA). Organizations may request our standard DPA by emailing privacy@striderteam.com.

6. How We Use Your Information

We use collected data for the following purposes:

  • Service Delivery: To create and maintain accounts, authenticate users, enable HR management workflows, and fulfill subscription obligations.
  • Security and Fraud Prevention: To detect unauthorized account access, investigate suspicious login patterns, and alert administrators to anomalous activity (e.g., logins from new countries or devices).
  • Audit Trails: To maintain records of who accessed the platform, from where, and when — which are made available to Organization Administrators and retained for compliance purposes.
  • Product Improvement: Aggregate, anonymized usage analytics help us prioritize features and fix usability issues.
  • Customer Support: To diagnose issues and respond to support requests.
  • Billing and Subscription Management: To process payments, send invoices, and notify of subscription changes.
  • Legal Compliance: To respond to lawful requests from authorities, comply with applicable regulations, and enforce these Terms.
  • Communications: Product updates, security alerts, and (where opted in) marketing communications. You can unsubscribe from marketing emails at any time.

7. Data Sharing and Disclosure

We do not sell your personal data. We do not share personal data with advertisers or data brokers. We may share data in the following limited circumstances:

Service Providers (Sub-processors)

We engage vetted third-party service providers who process data on our behalf, under contractual safeguards, to operate the Service. This includes cloud infrastructure (hosting, databases), email delivery services, and payment processors. We maintain a current list of sub-processors, available upon request at privacy@striderteam.com.

Organization Administrators

Login tracking data (IP, location, browser, device, timestamps) for employees within an organization is visible to that organization's designated administrators through the security dashboard.

Legal Requirements

We may disclose personal data if required to do so by a valid court order, subpoena, or government authority, or to protect the rights, property, or safety of StriderTeam, our users, or the public. We will notify you before disclosing where legally permitted.

Business Transfers

If StriderTeam is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. You will be notified via email or prominent notice on our website at least 30 days before such a transfer, and the acquiring entity will be bound by obligations consistent with this Privacy Policy.

With Your Consent

We share data with third parties in any other circumstances only with your explicit consent.

8. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, subject to the following:

| Data Type | Retention Period |
| --- | --- |
| Active account & employee data | Until account is deleted or organization subscription ends |
| Authentication / login event logs (IP, location, device) | Minimum 12 months; up to 36 months for security review |
| Audit logs (actions taken in platform) | Minimum 24 months |
| Billing and transaction records | 7 years (tax / accounting legal requirement) |
| Support communications | 2 years after resolution |
| Deleted organization data | Purged within 90 days of account deletion |
| Analytics (aggregated) | Indefinitely in anonymized form |

When data is no longer needed, we securely delete or anonymize it. You may request early deletion of your personal data subject to legal retention obligations (see Section 9).

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, email privacy@striderteam.com. We will respond within 30 days (or within the timeframe required by applicable law).

9.1 Rights Under GDPR (EEA and UK Users)

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): You may request deletion of your data where no overriding legal basis requires retention (e.g., legal holds, billing records).
  • Right to Restriction of Processing (Art. 18): You may request that we limit how we use your data in certain circumstances.
  • Right to Data Portability (Art. 20): You may request your data in a structured, machine-readable format.
  • Right to Object (Art. 21): You may object to processing based on legitimate interests, including to the authentication session logging described in Section 3.3. Note: objecting to security logging may prevent you from using the Service.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France).

9.2 Rights Under CCPA (California Residents)

California residents have the right to: (a) know what personal information we collect; (b) delete personal information; (c) opt out of the sale of personal information (we do not sell personal information); and (d) non-discrimination for exercising their rights. To submit a request, email privacy@striderteam.com with "CCPA Request" in the subject line.

9.3 Employee Users

If you are an employee user and wish to access, correct, or delete your profile data, we recommend contacting your Organization Administrator first, as they are the data controller for your employment data. You may also contact us directly and we will facilitate the request with the appropriate party.

10. International Data Transfers

StriderTeam may store and process personal data on servers located in the United States and other countries. If you are located in the EEA, UK, Switzerland, or another jurisdiction with data transfer restrictions, we ensure appropriate safeguards are in place:

  • Transfers to processors in the US are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • We assess and document the transfer impact for all cross-border data flows involving EEA personal data.

To obtain a copy of our data transfer safeguards or our DPA, contact privacy@striderteam.com.

11. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • TLS encryption for all data in transit.
  • Encrypted storage for sensitive data at rest.
  • Session tokens signed with industry-standard cryptographic algorithms (HS256 JWT); tokens are never stored in URLs.
  • Role-based access controls (RBAC) ensuring users can access only data relevant to their role and organization.
  • Multi-tenant data isolation ensuring organizations cannot access each other's data.
  • Immutable audit logs for all significant platform actions.
  • Regular security reviews and dependency updates.
  • Strict input validation and parameterized database queries to prevent injection attacks.

Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@striderteam.com.

12. Cookies and Tracking Technologies

StriderTeam uses a minimal set of cookies and strictly necessary browser storage:

| Name / Type | Purpose | Duration |
| --- | --- | --- |
| app-session / sys-session | HTTP-only, secure cookie containing a signed JWT for authentication and session management. Essential for the Service to function. | Session / rolling expiry |
| theme | Local storage value to remember your light/dark mode preference. | Persistent |
| Analytics session (first party) | Anonymous session ID used to aggregate usage analytics. Does not uniquely identify you across devices. | Session |

We do not use third-party advertising or tracking cookies. We do not participate in cross-site tracking networks. The session cookie is marked HttpOnly, Secure, and SameSite=Lax.

13. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 16 (or under the applicable age of digital consent in your jurisdiction). If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@striderteam.com and we will delete it promptly.

14. Third-Party Services

The Service integrates with or relies on the following third-party services whose own privacy policies apply:

Google OAuth / Google Workspace

Authentication. Governed by Google's Privacy Policy (policies.google.com).

MaxMind GeoLite2

IP-address-to-location database used for login event geographic enrichment. Queries are performed server-side using a locally cached database — no IP address is sent to MaxMind servers.

Payment Processor (e.g., Stripe)

Billing and subscription management. Card data is handled entirely by the payment processor and never stored on StriderTeam servers.

Cloud Infrastructure Provider

Database, file storage, and compute hosting. Data is stored in encrypted form. Provider-specific terms and DPAs are in place.

Email Delivery Service

Transactional email delivery (e.g., password resets, notifications). Email addresses and content are transmitted to this service under contractual safeguards.

StriderTeam is not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will:

  • Update the "Effective date" and "Last updated" dates at the top of this page.
  • Display a prominent notice within the platform for 30 days.
  • Send an email notification to Organization Administrators.

Continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.

16. Contact Us and Data Protection

For any questions, concerns, requests, or complaints related to this Privacy Policy or our handling of your personal data:

StriderTeam — Privacy & Data Protection

If you are in the EEA and your concern is not addressed by contacting us, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.

© 2026 StriderTeam. All rights reserved.