Hibiscus HR

Privacy Policy

Last updated: April 2026

Hibiscus HR (“we”, “our”, “us”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Information We Collect

We collect information you provide directly to us, including business contact information, employee records entered into the platform, and usage data. We do not sell your personal information to third parties.

Data Residency

All customer and employee data is stored in Canadian data centres (Microsoft Azure, Canada Central region). Sensitive fields such as Social Insurance Numbers and banking details are encrypted at rest using AES-256-GCM within these Canadian-hosted databases.

Transactional emails (such as onboarding invites, leave approvals, and password resets) are delivered through Resend, a US-based email delivery service. These emails may contain employee names and work email addresses but do not contain SINs, banking details, salary information, or health data. See the Sub-Processors section below for details.

Data Retention

We retain data according to the following schedule:

  • Active tenants: All data retained for the duration of the subscription.
  • After cancellation: Data is accessible for 90 days. Non-regulated data is permanently deleted within 30 days after the retention period (120 days total).
  • Regulated data: Certain records are retained beyond cancellation to comply with Canadian legal requirements:
    • Payroll records and T4 filings, 7 years (CRA Income Tax Act s.230)
    • ROE filings, 6 years (Service Canada)
    • Benefits enrollment records, 7 years (CRA taxable benefit reporting)
    • Workplace incident reports, 7 years (OHSA/WSIB)
    • Employee records, leave records, and timesheets, 3 years after termination (ESA)
  • Regulatory archive: Regulated data is stored in immutable (WORM, Write Once Read Many) storage that cannot be modified or deleted until the retention period expires. This storage is encrypted at rest and hosted in Canada.
  • Backups: Azure automated database backups are retained for 7 days. After certified deletion, data may persist in backups for up to 30 additional days.

Customers can request a Deletion Certificate after their non-regulated data has been purged, documenting what was deleted and what was archived for regulatory compliance.

Payment Processing

Payment processing is handled by Helcim Inc., a PCI-DSS Level 1 certified payment processor. When you enter payment card information, it is collected and tokenized directly by Helcim using HelcimPay.js. Card data is processed by Helcim and is never stored on or transmitted through Hibiscus HR servers. Helcim acts as a sub-processor for payment data only. For Helcim's privacy practices, see helcim.com/privacy.

How We Use Your Information

We use the information we collect to provide and improve our services, communicate with you, and comply with legal obligations. We do not use your employee data for advertising or marketing purposes.

Cookies & Tracking Technologies

On this marketing site (hibiscushr.ca) we use a small number of cookies. Strictly necessary cookies, including the one that remembers your cookie preferences, are always on. Analytics (Google Analytics) and marketing (Leadfeeder) cookies are off by default and only load if you actively opt in through our cookie consent banner. This applies to visitors from Quebec under Law 25 and all other Canadian visitors under PIPEDA's meaningful-consent standard.

The Hibiscus HR application at app.hibiscushr.ca uses only essential cookies (session, CSRF) and does not run third-party analytics or marketing trackers on any authenticated page.

You can change your preferences at any time by clicking Cookie Preferences in the footer of any page. For a complete list of the cookies we set, what they do, and how long they last, see our Cookie Policy.

PCI Compliance

Hibiscus HR is PCI compliant. We achieve this by never storing, processing, or transmitting cardholder data on our infrastructure. All payment card operations are handled by Helcim's PCI-DSS Level 1 certified systems. Card numbers are tokenized at the point of entry and only secure tokens are stored on our platform for recurring billing.

Sub-Processors

We use the following third-party sub-processors to operate the platform:

  • Microsoft Azure (Canada Central region), cloud hosting, database, and document storage. All platform data resides in Canada.
  • Helcim Inc. (Canada), payment processing and card tokenization. Card data is processed by Helcim and never touches Hibiscus HR servers.
  • Resend (United States), transactional email delivery. Resend processes employee names and work email addresses solely for the purpose of delivering platform notifications (onboarding invites, leave approvals, payroll alerts, password resets). No SINs, banking details, salary data, or health information is transmitted through this service.

If third-party integrations are introduced in the future, data shared with those services will be governed by the customer's own agreements with those providers. Any such integrations would be customer-initiated and can be disconnected at any time.

Your Rights Under PIPEDA

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Access personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information (subject to legal retention obligations)
  • Withdraw consent for non-essential data processing
  • Understand how your information is being used and disclosed

To exercise any of these rights, contact our Privacy Officer (see below). We will respond to your request within 30 days.

Privacy Officer

Our designated Privacy Officer is responsible for ensuring compliance with PIPEDA, responding to privacy-related inquiries and complaints, conducting Privacy Impact Assessments before new data-processing systems go live, and coordinating breach notifications to affected individuals and regulators.

Stephen Humphrey
Privacy Officer, Hibiscus HR Inc.
Email: privacy@hibiscushr.ca (monitored daily; stephen@hibiscushr.ca direct)

Privacy inquiries, access requests, correction requests, and complaints all reach the same address. We acknowledge receipt within 5 business days and respond substantively within 30 days as required by PIPEDA.

Complaints

If you have a complaint about how we handle your personal information, please contact our Privacy Officer. We will investigate and respond within 30 days.

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

Contact

General questions about this policy: support@hibiscushr.ca

Privacy-specific inquiries: privacy@hibiscushr.ca

This policy is effective as of April 2026. We may update it periodically; changes will be posted on this page with an updated date.