GDPR Compliance

Last updated: April 2026

Peoplifi is committed to GDPR compliance for our EU and UK customers and the employees they manage on the platform. This page explains, in plain language, how we handle personal data under the EU General Data Protection Regulation (Regulation 2016/679) and the UK GDPR — including the lawful bases we rely on, the rights you have as a data subject, and the safeguards we apply to international transfers.

1. Roles: who is the controller, who is the processor?

Peoplifi takes one of two roles depending on whose personal data is involved:

  • Peoplifi as data processor. When a customer organization uses Peoplifi to manage HR, payroll, and time tracking for its own workforce, the customer is the data controller for those employee records. Peoplifi processes the records on documented instructions from the customer and only for the purposes set out in our Master Subscription Agreement and Data Processing Addendum.
  • Peoplifi as data controller. When an individual signs up for an account, contacts our sales or support team, downloads a free tool, or visits the marketing site, Peoplifi acts as the controller of that personal data.

2. What personal data we collect

We collect and process the following categories of personal data:

Account data: Name, work email, company name, role, and password hash for account holders and administrators.
Employee records: Employee names, employer-issued IDs, national ID numbers (where required for tax filing or benefits), salary, and employment history — uploaded by the customer (data controller).
Attendance data: Clock-in and clock-out timestamps, device identifiers, and (when geo-fencing is enabled) location data.
Payroll data: Salary, allowances, deductions, tax calculations, and bank-account details for payroll disbursement.
Productivity data: Active-window titles, activity rates, and configurable-interval screenshots, where the customer has enabled the Peoplifi Desktop Agent and met its own legal obligations to inform employees.
Usage data: Pages visited, features used, session duration, and browser/device information for analytics and support.

3. Lawful bases under Article 6

We process personal data under the following lawful bases:

  • Contract performance (Art. 6(1)(b)): To deliver the Peoplifi service to you, including payroll processing, attendance tracking, and leave management.
  • Legitimate interests (Art. 6(1)(f)): To improve our product, prevent fraud, ensure platform security, and provide customer support — balanced against the rights and freedoms of the data subjects involved.
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws, including tax and employment regulations in the jurisdictions where we (or our customers) operate.
  • Consent (Art. 6(1)(a)): For marketing communications and optional analytics. Special-category data (Art. 9) is processed only with your explicit consent (Art. 9(2)(a)) or under another Article 9(2) condition, in addition to an Article 6 basis. You can withdraw consent at any time.

4. Data retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:

  • Account data is retained for the duration of the subscription plus 90 days after cancellation.
  • Payroll and employee records may be retained for up to 7 years for tax and audit compliance.
  • Screenshots and detailed activity logs default to a 30-day retention window, configurable by the customer.
  • Usage analytics data is retained for up to 24 months in aggregated form.
  • You may request earlier deletion subject to our legal obligations.

5. Your rights under the GDPR

As a data subject, you have the following rights:

Right of Access

Request a copy of the personal data we hold about you (Art. 15).

Right to Erasure

Request deletion of your personal data — the "right to be forgotten" (Art. 17).

Right to Data Portability

Receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and have it transmitted to another controller where technically feasible (Art. 20).

Right to Object

Object to processing based on legitimate interests or for direct marketing (Art. 21).

Right to Rectification

Request correction of inaccurate or incomplete personal data (Art. 16).

Right to Restrict Processing

Request that we limit how we use your data in certain circumstances (Art. 18).

Rights re: Automated Decisions

Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22). Peoplifi does not make solely-automated decisions of this kind about employees.

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting the lawfulness of past processing.

If you are an employee of a Peoplifi customer, please raise data-subject requests with your employer first — they are the controller of your HR record. Peoplifi will assist its customers in responding within the one-month GDPR statutory deadline (extendable by two months for complex requests). For all other requests, email our DPO at contact@peoplifi.com.

6. International data transfers

Peoplifi's production environment is hosted in the United States. When personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the US (or to any other jurisdiction not recognized as adequate by the European Commission), we rely on:

  • The European Commission's 2021 Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor, as applicable).
  • The UK International Data Transfer Addendum where the transfer is from the United Kingdom.
  • Supplementary measures including encryption at rest and in transit, role-based access control, multi-tenant isolation, and audit logging — assessed against the Schrems II guidance issued by the EDPB.

EU and UK customers may execute our Data Processing Addendum, which incorporates these clauses by reference, as part of the onboarding process or at any time on request.

7. Data Processing Addendum

Peoplifi acts as a data processor when processing employee data on behalf of our customers (who are the data controllers). We offer a Data Processing Addendum (DPA) to the Master Subscription Agreement for customers subject to the EU or UK GDPR. Our DPA covers the matters required by Article 28(3):

  • Scope, nature, and purpose of data processing
  • Categories of data subjects and personal data
  • Sub-processor list and obligations, with prior-notice rights
  • Security measures (Annex II) and breach-notification procedures (Art. 33)
  • Cross-border data-transfer mechanisms (Standard Contractual Clauses)
  • Audit rights and assistance with data-subject requests

To request a DPA, contact us at contact@peoplifi.com.

8. Breach notification

Where Peoplifi acts as processor, we will notify the affected customer organization of a personal-data breach without undue delay after becoming aware of it, and in any event within 72 hours where feasible, so that the customer, as controller, can meet its own obligation to notify its supervisory authority within 72 hours (Art. 33(1) and 33(2)). Where Peoplifi is the controller (see Section 1), we notify the competent supervisory authority within 72 hours of becoming aware of the breach where feasible, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34). Notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact for further information.

9. Contact our Data Protection Officer

For all GDPR-related queries, data-subject requests, or to report a concern about our data practices, contact our Data Protection Officer:

Email: contact@peoplifi.com
Postal: Data Protection Officer, Peoplifi, 225 Main St, South Bound Brook, NJ 08880, United States
Phone: +1 302-217-3058

If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (for example, the ICO in the United Kingdom, the CNIL in France, the Garante in Italy, or the relevant data protection authority in the EU/EEA member state where you live or work).