Privacy Policy

OnboardSwift is an employee onboarding and HR workflow platform operated by two affiliated entities depending on your region:

Each entity acts as a data controller for account and billing data you provide directly, and as a data processor for personal data about your employees and candidates that you upload or generate through the platform.

For privacy questions, contact us at: privacy@onboardswift.com.

2.1 Information you provide directly

• Account information: name, work email address, job title, organisation name, and password when you register.
• Billing information: payment card details (processed securely by Stripe — we never store full card numbers), billing address, and company registration number if applicable.
• Employee & candidate data: names, email addresses, phone numbers, gender, date of birth, start dates, departments, roles, identity documents (passport, national ID, work permits), e-signatures, and any other fields you configure within the platform for your hires.
• Communications: support tickets, chat messages, and emails you send us.

2.2 Information collected automatically

• Usage data: pages visited, features used, timestamps, and click events.
• Device & technical data: IP address, browser type and version, operating system, and time zone.
• Cookies and tracking technologies: see our Cookie Policy for details.

2.3 Information from third-party integrations

When you connect integrations (Microsoft 365, Slack, Google Workspace, Zoho People), we receive data from those platforms consistent with the scopes you authorise, such as user directory information or calendar data. We use this data solely to deliver the integration features you have enabled.

• To provide, operate, and improve the OnboardSwift platform.
• To process transactions and send billing receipts.
• To send service-related notifications (onboarding reminders, task assignments, meeting invites).
• To respond to your support requests.
• To monitor platform health, security, and prevent fraud or abuse.
• To comply with our legal obligations under applicable data protection law.
• To send product updates and marketing communications where you have given consent or where we have a legitimate interest (you can unsubscribe at any time).

We will never sell your personal data or your employees' personal data to third parties.

UK & EU users (UK GDPR / EU GDPR)

• Contract performance: processing necessary to deliver the service you have subscribed to.
• Legitimate interests: platform security, fraud prevention, improving our services, and direct marketing to existing customers.
• Legal obligation: compliance with applicable laws and regulations.
• Consent: marketing to prospects, cookies requiring consent, and any processing where we have specifically asked for your consent.

Nigerian & African users (Nigeria Data Protection Act 2023)

• Contract performance: processing necessary to deliver the onboarding platform service.
• Legitimate interests: platform security, fraud prevention, and service improvement.
• Legal obligation: compliance with the NDPA 2023 and any other applicable Nigerian law.
• Consent: where we have specifically requested consent for a processing activity.

We share personal data only with:

• Service providers (sub-processors): Supabase (database & authentication), Stripe (payments), Resend (transactional email), Vercel (hosting), and Google Gemini (AI features). All sub-processors are bound by data processing agreements.
• Third-party integrations you connect: Microsoft, Google, Slack, Zoho — only within the scope you authorise.
• Legal or regulatory authorities: where required by applicable law, court order, or to protect the rights or safety of OnboardSwift or others.
• Business transfers: in connection with a merger, acquisition, or sale of all or part of our assets, subject to standard confidentiality obligations.

We retain personal data in accordance with our Data Retention Policy. The key retention periods are:

You may request earlier deletion by contacting privacy@onboardswift.com or using the GDPR/privacy settings within the platform.

Our platform infrastructure is hosted by Supabase and Vercel, which are based in the United States. Personal data submitted through the platform is therefore transferred outside your home country. We ensure appropriate safeguards are in place depending on your region:

• UK & EU users: transfers are protected by UK International Data Transfer Agreements (IDTA) or EU Standard Contractual Clauses (SCCs).
• Nigerian & African users: transfers are made in accordance with NDPA 2023 Section 43, relying on Standard Contractual Clauses with our sub-processors as the applicable transfer mechanism.

Depending on your location, you may have the following rights:

UK & EU users (UK GDPR / EU GDPR)

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erasure ("right to be forgotten") of your personal data.
• Restrict or object to certain processing.
• Data portability — receive your data in a machine-readable format.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Nigerian & African users (NDPA 2023)

• Access personal data held about you.
• Rectification of inaccurate or incomplete data.
• Deletion of your personal data where there is no lawful basis for continued processing.
• Object to processing based on legitimate interests.
• Data portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time.
• Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

To exercise any of these rights, email us at privacy@onboardswift.com. We will respond within 30 days (UK/EU) or 21 days (Nigeria, per NDPA).

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, JWT-based authentication, audit logging, and automated database backups. In the event of a personal data breach, we will notify affected controllers within 72 hours. However, no system is completely secure — please also take steps to protect your account credentials.

OnboardSwift is not directed at children under the age of 16 and we do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the platform at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

For any privacy-related questions or to exercise your rights, contact us at: