Privacy Policy

1. Overview

Sira HRM ("we", "us", "our") is committed to protecting the privacy of your data. This Privacy Policy explains how we collect, use, store, and protect information when you use our human resource management platform. By using Sira HRM, you agree to the practices described in this policy.

2. Information We Collect

We collect the following categories of information:

Account Information

• Name, email address, and password for account holders
• Organization name and team details
• SMTP configuration (stored securely, used only to send your transactional emails)

Employee Data

• Personal details: name, date of birth, address, contact information
• Employment information: hire date, discipline, employment status
• Documents: licenses, certifications, and identification documents uploaded by your organization
• Sensitive identifiers: Social Security Numbers (SSN), stored encrypted at rest
• Work history, education background, and skills

Usage Data

• IP addresses logged when sensitive data (e.g. SSN) is accessed
• Actions performed within the platform (audit logs)
• Contact form submissions from our website

3. How We Use Your Information

• To provide and operate the Sira HRM platform
• To send transactional emails (onboarding invitations, orientation documents, reference questionnaires) on your behalf
• To respond to contact inquiries submitted through our website
• To maintain audit logs of sensitive data access for compliance purposes
• To improve and maintain the security and reliability of the Service
• To comply with applicable legal obligations

4. Sensitive Data Handling

Sira HRM handles highly sensitive employee data including Social Security Numbers and identity documents. We apply the following protections:

• Encryption at rest: SSNs are encrypted using AES-256-CBC before storage. Plain-text values are never stored in the database.
• Access control: Sensitive fields are hidden from API responses by default. Only users with the FullControl role can reveal sensitive data, and only after password verification.
• Audit logging: Every reveal of an SSN or sensitive document is logged with the user's identity, IP address, and timestamp.
• Rate limiting: Access to sensitive reveal endpoints is rate-limited to prevent abuse.

5. Data Sharing

We do not sell your data. We may share data only in the following circumstances:

• Service providers: We use Resend (email delivery) to send transactional emails. These providers access only the data necessary to perform their function.
• Legal requirements: We may disclose data if required by law, court order, or government authority.
• Business transfer: In the event of a merger or acquisition, data may be transferred to the successor entity, with notice provided to users.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Employee records, documents, and audit logs are retained in accordance with your organization's requirements. If you request deletion of your account, we will remove your data within 30 days, except where retention is required by law.

7. Security

We implement industry-standard security measures including encrypted data storage, HTTPS-only access, role-based access controls, and audit logging. However, no system is completely secure. We encourage you to use strong passwords and to report any suspected security issues immediately.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to or restrict certain processing of your data
• Data portability (receive your data in a structured format)

To exercise any of these rights, contact us at info@siratms.com.

9. Cookies

Sira HRM uses session cookies to maintain your authenticated state within the application. We do not use tracking cookies or third-party advertising cookies. You can disable cookies in your browser settings, but this may prevent you from accessing authenticated areas of the platform.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify users of material changes via email or a notice within the platform. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

11. Contact Us

For any privacy-related questions or requests, please contact: