Completely FREE & open-source HR software.
Comprehensive solution to manage all HR challenges in one single place.
(Revision July 2023)
OrangeHRM customers (“Customer”, “You”) use our Cloud-Based Enterprise Applications (the
“Cloud Service”) or On-Premise Enterprise applications (the “On-Premise Service”) or both
any information or data obtained by OrangeHRM for any other purpose, such as marketing
When we use the terms “OrangeHRM”, or “us” or “we” in this policy, we are referring to
Our Data Protection Officer oversees how we collect, use, distribute and secure your
information to ensure your rights are respected. Our Data Protection Officer can be contacted at
In the normal course of using the OrangeHRM Cloud or On-Premise Service, Customers will
enter electronic data into the OrangeHRM systems (“Customer Data”).
Customers may input Customer Data into data templates and submit these to OrangeHRM
through secure channels. OrangeHRM Implementation consultants will assist with the import of
such data into the OrangeHRM Cloud or On-Premise Service
Customer may submit Personal Data to the Services, the extent of which is determined and
controlled by Customer in its sole discretion, and which may include, but is not limited to
the categories of Personal Data listed below based on the OrangeHRM modules purchased:
We have a comprehensive, written information security program in place that includes
industry-standard, administrative, technical, and physical safeguards to protect Customer Data
from unauthorized access
For OrangeHRM Cloud Service, Our infrastructure service provider is Rackspace Inc. They
maintain various certifications that help us validate our security policies and processes as well as
comply with applicable legislation such as GDPR and international standards. If you want to
know more about OrangeHRM GDPR Compliant please refer to this. the The following
compliance frameworks have been examined and validated by Rackspace:
For an On-Premise Service, we may temporarily retain customer submitted data templates
containing customer data in the OrangeHRM secure facility, until Customer data is successfully
imported into the On-Premise Service. OrangeHRM Vault is a secure file transfer platform where customers can submit password-protected data files directly. Only authorized consultants
will have access to these files through OrangeHRM Vault. OrangeHRM Vault will automatically
validate these files for security and remove them from storage on a regular basis.
We process customer data at the request of our customers and do not have direct control or
ownership of the personal data processed by the system. Prior to sending data to OrangeHRM for
processing purposes, you are responsible for complying with any regulations or laws that require
you to provide notice, disclosure and/or obtain consent.
We offer a comprehensive set of data protection capabilities ranging from role-based access
control to data encryption; from corporate policy publishing tools to data management with
extensive audit logs. It enables Customers to gain access to, correct and limit the processing of
their personal data.
New capabilities in OrangeHRM software version 6.4 upwards allow you to purge terminated
employees and candidates from the entire system including audit trails. This is to help you to
practice data subject requests such as the right to be forgotten.
If you are using the Recruitment module, you can now obtain job application consent by laying
out your data policy and requiring a check in the checkbox before allowing a candidate to apply
for a vacancy.
Any data subject request that is directed to us will be forwarded to the customer and we will
assist the customer in meeting any obligation to respond to such data subject requests. If the
customer requests help from OrangeHRM to comply with data protection regulations,
OrangeHRM will respond to their request within 30 business days.
In the OrangeHRM Cloud Service, if you have a valid SAAS agreement with OrangeHRM, your
data will be retained in our servers. Should you purge any specific employee or candidate
records, this data will be immediately purged from the system . Such information will then be
completely removed from OrangeHRM backups after 4 weeks
Between 10 and 30 days after the agreement between OrangeHRM and the Customer is
terminated, OrangeHRM will remove the customer personal data from the OrangeHRM servers
and all customer personal data will be fully purged from OrangeHRM backups after a further 4
For On-Premise service, we will ensure that any temporary data such as customer data
templates, is purged between 10 and 30 days after the termination of the agreement between
OrangeHRM and the Customer
Under OrangeHRM standard agreements, the aforementioned data retention periods will be
valid. Customers who have subscribed to OrangeHRM extended services will have their data
retained for longer than the above mentioned periods (can go up to 12 weeks).
OrangeHRM may, where it concludes that it is legally obligated to do so, disclose personal data
to law enforcement or other government authorities. OrangeHRM will notify customers of such
requests unless prohibited by law.
Prior to using sensitive personal information about you for any service improvements, we will
first request your consent. Before you give your consent, we tell you what information we collect
and how we use it. You have the right to withdraw your consent at any time by contacting us.
In accordance with the relevant agreement between the Customer and OrangeHRM, we may
access customer data within OrangeHRM for the purposes of providing the service, preventing or
addressing service or technical problems, responding to support issues, responding to the
customer’s instructions or as may be required by law.
We may process anonymized data to troubleshoot customer specific issues and for quality control
We may process anonymized data to track how the Service’s various components are used . This
information is used to drive feature development and service enhancements as well as to provide
recommendations on how our products and services can add value for you. OrangeHRM does
not sell your information to any party under any circumstances and OrangeHRM is not
responsible for any PII data sold by the data controller.
Customers and their authorized users may access the Service directly via a URL that is unique to
their tenant or may elect to use internal launch pages for single sign-on or other purposes. As
they utilize the service, customers provide information for processing and storage. Customers
may also configure the Service to allow end users to input information directly into the Service
To comply with applicable law, regulation or authorized requests, we may share your information
with third parties. We will notify you of such incidents unless prohibited by law.
Sub-processors processing personal data as part of the Services
In Cloud Service, we store customer data within the same business region, Eg: European clients
data is stored in European Economic Area data centers. This will ensure your rights are
In Cloud Service and On-Premises Service, we may transfer anonymized data from European
region Data Centers to North American Rackspace Data Centers and Asian technical support
centers for the purposes of providing the Service, preventing or addressing service or technical
problems, responding to support issues, and responding to the Customer’s instructions.
OrangeHRM will not discriminate against you for exercising your privacy rights. Regardless of
your privacy preferences, OrangeHRM will provide the product and services you require.
If you have a complaint about the use of your personal information, please contact your
application admin within the organization. If you have a complaint about the OrangeHRM
We may update this privacy statement to reflect changes in our information practices. If we
make any material changes, we will notify you by means of a notice on this site prior to the
change taking effect . We encourage you to periodically review this page for the latest
information on our privacy standards .