Privacy Policy

Last updated: April 20, 2026

Effective Date: April 20, 2026

Headquarters for Simple, Inc. dba HQ Simple ("HQ Simple," "Engage," "we," "us," or "our") operates the Engage platform and is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use our workforce management platform, websites, mobile applications, and related services (collectively, the "Services").

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

1. Scope and Application

This Privacy Policy applies to all users of the Services, including:

  • Customers: Organizations that license the platform to manage their contingent workforce
  • Workers: W-2 employees, 1099 contractors, and other individuals managed through the platform on behalf of a Customer
  • Client Users: Authorized administrators, hiring managers, and approvers who act on behalf of a Customer
  • Visitors: Individuals browsing our website or marketing materials
  • Partners: Staffing suppliers, EOR vendors, and integration partners

Controller vs. Processor Roles. When we provide the platform to a Customer, the Customer is generally the "controller" (or "business") of personal data about its workers and users, and we act as a "processor" (or "service provider") under applicable law. When we operate our website, handle account registration, process beta applications, or conduct marketing, we act as a controller of the relevant personal data. If you are a Worker, you should also consult the Customer's own privacy notice for information about how the Customer processes your data.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration:

  • Full name, email address, phone number
  • Company name, size, industry, and business details
  • Job title, department, and role
  • Username, password, and authentication factors

Workforce Management Data:

  • Worker profiles (contact information, work history, skills, certifications)
  • Employment or engagement contracts, offer letters, and statements of work
  • Time entries, timesheets, and punch-clock records
  • Expense reports, receipts, and mileage data
  • Performance evaluations, reviews, and feedback
  • Assignment, project, and department information
  • Compensation, pay rates, markups, and benefits elections

Compliance and Identity Documentation:

  • Tax forms (W-9, W-4, I-9, 1099, and foreign equivalents)
  • Government-issued identification and work-authorization documents
  • Background-check information submitted by you or received from screening providers
  • Professional licenses, certifications, and insurance documentation
  • 1099 contractor classification questionnaires and supporting evidence

Payment and Financial Information:

  • Banking details for direct deposit and ACH
  • Billing address and payment-method information (processed by our payment processors)
  • Invoices, purchase orders, and payment history
  • Tax identification numbers (SSN, EIN, ITIN, and foreign equivalents)

Support and Communications:

  • Messages you send through our chat, ticket, or support channels
  • Content you submit through surveys, feedback forms, or forums
  • Recordings or transcripts of support calls (where permitted and disclosed)

2.2 Information Collected Automatically

Usage Information:

  • Features accessed, actions taken, and workflows completed
  • Frequency, duration, and timing of platform use
  • Click paths, page views, and navigation patterns
  • Search queries and filter preferences
  • Error logs, crash reports, and performance telemetry

Device and Technical Information:

  • IP address and approximate (city/region) location derived from it
  • Browser type, version, and language settings
  • Operating system, device type, and unique device identifiers
  • Screen resolution and accessibility settings
  • Referring URLs and pages visited before or after ours

Location Data (Punch Clock):

Where a Customer configures its timekeeping rules to require geolocation at clock-in or clock-out, we collect approximate or precise location data at those moments. Location capture is disclosed to the worker in-product and is controllable through the device's operating system.

2.3 Information from Third Parties

  • Background-check and identity-verification providers
  • Payment processors and financial institutions
  • Integration partners you or your Customer connect (HRIS, payroll, accounting, VMS, ATS, e-signature)
  • Staffing suppliers that submit candidates through our VMS module
  • EOR vendors that deliver employment services in their jurisdictions
  • Public sources and data-enrichment services used for Customer onboarding (e.g., company registration look-ups, professional profiles)
  • Analytics, advertising, and fraud-prevention partners

2.4 Sensitive Personal Information

Because we support workforce management, we necessarily process categories that U.S. state laws and the GDPR treat as "sensitive" or "special category" data, including:

  • Government identifiers (SSN, ITIN, passport or driver's license numbers)
  • Financial account and routing numbers used for payroll
  • Precise geolocation, where punch-clock geofencing is enabled by the Customer
  • Information about immigration or work-authorization status (via I-9 or equivalent)
  • Racial, ethnic, disability, or veteran status where the Customer uses the platform for EEO-1, diversity, or accommodation reporting
  • Health-related information limited to leave, workers' compensation, or accommodation requests where the Customer elects to process such data

We process this information only for the specific purposes for which it was provided and apply enhanced safeguards, including encryption, restricted access, and tokenization where feasible. We do not use sensitive personal information to infer characteristics about individuals for advertising or profiling.

2.5 Biometric Information

Engage does not currently collect facial, fingerprint, or other biometric identifiers. If we enable a biometric feature (for example, a future biometric punch-clock option) in a jurisdiction with specific biometric-privacy laws (such as Illinois BIPA, Texas CUBI, or Washington H.B. 1493), we will provide separate written disclosures and obtain any required consent before collection begins.

3. Cookies and Tracking Technologies

We and our service providers use cookies, pixels, SDKs, local storage, and similar technologies to operate the Services and understand how they are used.

Strictly Necessary.

Required for authentication, security, load balancing, and core platform functionality. These cannot be turned off.

Functional.

Remember preferences such as language, selected client filter, and layout choices.

Analytics.

Help us measure feature usage, diagnose errors, and improve the Services.

Marketing.

On our public website only, we may use cookies to measure advertising effectiveness and deliver relevant content. Marketing cookies are not used inside the authenticated platform.

You can manage cookies through your browser settings or our cookie preference controls where presented. We honor recognized universal opt-out signals, including the Global Privacy Control (GPC), for residents of jurisdictions that require us to do so.

4. How We Use Your Information

4.1 Service Delivery

  • Create and administer user accounts and Customer tenants
  • Process worker onboarding, offboarding, and offer-letter generation
  • Facilitate 1099 classification checks, I-9 verification, and background screening
  • Process time entries, expenses, approvals, payroll exports, and invoicing
  • Generate dashboards, reports, and analytics for authorized users
  • Provide customer support and respond to inquiries

4.2 Legal and Compliance

  • Comply with employment, tax, and immigration laws
  • Detect and prevent fraud, abuse, and security incidents
  • Respond to lawful requests and enforce our terms and policies
  • Defend legal claims and exercise legal rights
  • Maintain records required by applicable law

4.3 Platform Improvement

  • Analyze usage patterns and diagnose issues
  • Develop, test, and improve features and workflows
  • Train, tune, and evaluate AI models in aggregate or de-identified form, subject to Section 5
  • Measure the performance and reliability of the Services

4.4 Communications

  • Send transactional emails, in-app messages, and notifications
  • Provide product updates, security alerts, and policy changes
  • Share educational content, best practices, and webinars
  • Send marketing communications where permitted and with opt-out options
  • Conduct surveys and collect feedback

5. Automated Decision-Making and AI

The Services include artificial-intelligence features such as AI-assisted candidate screening, resume matching, 1099 classification review, receipt OCR, timecard anomaly detection, AI chat support, and other analytic tools (collectively, "AI Features"). These features produce suggestions, scores, or draft outputs intended to assist human decision-makers; they are not a substitute for human judgment, legal advice, or authoritative classification determinations.

  • Human oversight. Customers and their authorized users review AI-generated output and make the final hiring, classification, payment, and approval decisions.
  • Accuracy limits. AI outputs may contain errors or omissions. We recommend independent verification before acting on them.
  • No solely-automated decisions with legal effects. We do not use AI to make solely-automated decisions that produce legal or similarly significant effects concerning individuals without meaningful human review, except where expressly authorized by the Customer and permitted by law.
  • Model training. We do not use Customer-identified personal data to train third-party foundation models. Where we fine-tune or evaluate our own models, we use aggregated or de-identified data and apply access controls.
  • Your rights. Where required by law, you may request information about the logic of a significant automated decision, object to processing, or request human review. See Section 11.

6. Legal Basis for Processing (EEA, UK, Switzerland)

Where the GDPR or UK GDPR applies, we process personal data on these legal bases:

  • Contract Performance: To provide the Services to you or to the Customer that engages us on your behalf.
  • Legal Obligations: To comply with applicable laws, regulatory requirements, and court orders.
  • Legitimate Interests: To secure the platform, prevent fraud, improve the Services, and conduct direct marketing to business contacts where such interests are not overridden by your rights.
  • Consent: Where you have given consent for a specific processing activity, such as marketing email or optional data collection. You may withdraw consent at any time.
  • Vital Interests: In rare cases, to protect someone's life or physical safety.

7. Data Sharing and Disclosure

We do not sell personal information as "sale" is defined under U.S. state privacy laws, and we do not "share" personal information for cross-context behavioral advertising as defined under California law. We disclose information only as described below.

7.1 Service Providers and Sub-processors

We share data under written contracts with vetted service providers who help us deliver the Services, including:

  • Cloud hosting, storage, and content delivery
  • Payment processing and banking partners
  • Background-check and identity-verification providers
  • Email delivery, SMS, and in-app communication tools
  • Analytics, product-telemetry, and customer-support platforms
  • Security, monitoring, and fraud-prevention services
  • AI inference providers engaged under zero-retention or limited-retention terms

A current list of key sub-processors is available on request at privacy@engageapp.ai. Customers may also request our Data Processing Addendum.

7.2 Employer of Record (EOR) and Staffing Partners

Where a Customer uses our EOR, international EOR, or VMS services, we share the information necessary to engage workers, deliver payroll and benefits, and obtain candidate submissions with the relevant EOR vendor, staffing supplier, or partner. Those parties are independent controllers of the data they receive for their own lawful purposes.

7.3 Customer-Directed Disclosures

Customers configure which of their authorized users can see what data within the platform. Disclosures between a Customer's administrators, managers, and approvers occur under the Customer's own access controls and policies. Workers should direct questions about those practices to the Customer.

7.4 Legal and Protective Disclosures

We may disclose information when we reasonably believe it is necessary to:

  • Comply with subpoenas, court orders, or other legal process
  • Respond to government, law-enforcement, or regulatory requests
  • Protect the rights, property, or safety of HQ Simple, our users, or the public
  • Investigate, prevent, or respond to fraud, abuse, or security incidents
  • Enforce our agreements and policies

7.5 Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal information may be transferred to the successor or acquiring entity subject to commitments consistent with this Privacy Policy. We will notify affected users of material changes.

8. International Data Transfers

We are headquartered in the United States, and personal data may be transferred to, stored in, or processed in the United States or other jurisdictions where we or our service providers operate. Where required by law, we implement appropriate safeguards for international transfers, including:

  • European Commission and UK Standard Contractual Clauses (SCCs / UK Addendum)
  • Adequacy decisions where applicable
  • Supplementary technical and organizational measures (encryption, access controls, pseudonymization)
  • The EU-U.S. Data Privacy Framework, Swiss-U.S. DPF, and UK Extension where we self-certify
  • Your explicit consent where required for a specific transfer

9. Data Security

We maintain an information-security program appropriate to the sensitivity of the data we process. Our controls include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Tokenization of highly sensitive fields (such as SSNs and bank accounts) before transmission to payroll providers
  • Role-based access control, least-privilege provisioning, and tenant isolation (including row-level security in the database)
  • Multi-factor authentication for administrative access
  • Continuous monitoring, vulnerability scanning, and periodic third-party penetration testing
  • Secure software-development lifecycle, code review, and dependency management
  • Personnel background checks, confidentiality agreements, and security training
  • Documented incident-response and business-continuity plans

Your responsibilities. You must safeguard your login credentials, use strong unique passwords, enable multi-factor authentication where available, and promptly report suspected compromises to security@engageapp.ai.

Breach notification. If we discover a personal-data breach that affects your information, we will notify you and, where we are the processor, the affected Customer without undue delay and within timelines required by applicable law.

No method of electronic transmission or storage is completely secure. While we work hard to protect your information, we cannot guarantee absolute security.

10. Data Retention

We retain personal information only as long as needed for the purpose for which it was collected, subject to longer retention required by law or for the establishment or defense of legal claims. Typical retention periods include:

  • Active accounts: For the duration of the subscription and any post-termination export window set forth in your agreement.
  • Financial and tax records: Generally seven (7) years from the end of the relevant tax year, consistent with IRS and state requirements.
  • Employment and immigration records: Retained for the periods required by the Fair Labor Standards Act, IRCA, and applicable state laws.
  • Security logs and audit trails: Typically 12–24 months, longer if required for investigation.
  • Marketing data: Until you unsubscribe or request deletion, and then retained only to honor your suppression request.

When retention is no longer required, we delete or de-identify data using industry-standard methods. Back-up copies are purged on regular cycles.

11. Your Privacy Rights

Subject to applicable law and verification of your identity, you may have the following rights with respect to your personal information:

Access and Portability

Request a copy of the personal data we hold about you, in a structured, commonly used format.

Correction

Ask us to correct inaccurate or incomplete information.

Deletion

Request deletion of your personal data, subject to legal and contractual obligations that require us to retain it.

Restriction or Objection

Restrict or object to certain processing activities, including direct marketing and certain legitimate-interests processing.

Consent Withdrawal

Withdraw consent at any time where processing is based on consent.

Automated Decision-Making

Request human review of, or object to, significant decisions made solely by automated means where applicable.

Non-Discrimination

Exercise your rights without retaliation, service denial, or discriminatory treatment.

How to exercise your rights. Submit a request to privacy@engageapp.ai. We will respond within the time required by law (generally within 30–45 days, extendable with notice). We may need to verify your identity before responding. If you are a Worker whose data is processed by Engage on behalf of a Customer, we will generally refer your request to the Customer and assist them in responding.

12. United States State Privacy Rights

12.1 California (CCPA/CPRA)

California residents have the rights set out in Section 11, plus the following additional rights:

  • Right to know the categories and specific pieces of personal information collected, the sources, the business or commercial purposes, and the categories of third parties to whom it is disclosed
  • Right to delete personal information, subject to statutory exceptions
  • Right to correct inaccurate personal information
  • Right to limit the use and disclosure of sensitive personal information to purposes specified in Civil Code § 1798.121
  • Right to opt out of the sale or sharing of personal information (we do not sell or share, as defined)
  • Right to non-discrimination for exercising your rights
  • Right to designate an authorized agent to make requests on your behalf

Shine the Light (Cal. Civ. Code § 1798.83). California residents may request information about our disclosure of personal information to third parties for their direct-marketing purposes by emailing privacy@engageapp.ai.

Notice at collection. The categories of personal information we collect and our purposes are described in Sections 2 and 4. We retain that information as described in Section 10. We do not use sensitive personal information to infer characteristics about individuals.

12.2 Other U.S. States

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, and other states with comprehensive privacy laws have rights that may include:

  • The right to access, correct, delete, and obtain a portable copy of personal data
  • The right to opt out of targeted advertising, sale of personal data, and certain profiling
  • The right to appeal a denial of your request

To exercise state privacy rights, email privacy@engageapp.ai. We honor recognized universal opt-out signals such as Global Privacy Control. If we decline a request, you may appeal by replying to our response; we will respond to the appeal within the time required by your state's law.

13. European, UK, and Swiss Privacy Rights

If you are in the EEA, UK, or Switzerland, you have the rights described in Sections 11 and 6, including the right to lodge a complaint with your local supervisory authority. If you believe we have not resolved your concern, you may contact:

  • Your national data-protection authority (for EEA residents: list of EU DPAs)
  • The UK Information Commissioner's Office (ICO) at ico.org.uk
  • The Swiss Federal Data Protection and Information Commissioner (FDPIC)

EU/UK Representative inquiries may be directed to privacy@engageapp.ai. We will appoint and publish a formal Article 27 Representative if and when required by the volume or nature of our EU/UK-directed processing.

14. Workforce and Employment Data

When we process data about a Customer's workers (W-2 employees, 1099 contractors, staffing-supplier candidates, or foreign EOR workers), the Customer is generally the controller of that data and is responsible for:

  • Providing workers with a privacy notice describing the Customer's own processing
  • Establishing a lawful basis for processing (including employment or contract performance)
  • Collecting any required consents for biometric, location, or sensitive data
  • Determining worker classification, work eligibility, and pay rates
  • Responding to worker privacy rights requests in the first instance

Engage processes workforce data only on documented instructions from the Customer, except where we are required by law to do otherwise, and in accordance with our Data Processing Addendum.

15. SMS, Calls, and Electronic Communications

By providing us your mobile number, you consent to receive service-related SMS messages and calls from us and our providers (for example, verification codes, shift reminders, approval notifications, and account-security alerts). Message and data rates may apply. Message frequency varies based on your configuration.

You can opt out of non-essential SMS at any time by replying STOP to any SMS or by adjusting your notification settings. Essential security and transactional messages may continue. For help, reply HELP or email support@engageapp.ai.

We do not share mobile opt-in data or consent with third parties or affiliates for their marketing purposes.

16. Marketing Communications

We may send marketing communications about our products, services, and events when:

  • You have opted in to receive them, or
  • You are a business contact of an existing customer or prospect in a jurisdiction that permits legitimate-interests marketing, and you have not opted out.

You may opt out at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Updating your communication preferences in your account
  • Emailing privacy@engageapp.ai

17. Children's Privacy

The Services are designed for business use and are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions that apply the higher threshold). If we learn that we have inadvertently collected such information, we will delete it promptly. Parents or guardians who believe a child has provided us personal information may contact privacy@engageapp.ai.

18. Third-Party Links and Integrations

The Services may link to or integrate with third-party websites, applications, or services. We are not responsible for the privacy practices of those third parties. If you connect a third-party integration, you are authorizing the exchange of data described in the integration's configuration and subject to that third party's privacy policy.

19. Accessibility

We strive to make the Services accessible to users with disabilities consistent with the Web Content Accessibility Guidelines (WCAG) 2.1 AA. If you experience difficulty accessing any part of the Services, or need this Privacy Policy in an alternative format, please contact accessibility@engageapp.ai.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. We will notify you of material changes by:

  • Posting the updated policy with a new effective date
  • Sending an email notification to registered users, where practicable
  • Displaying a prominent notice inside the platform for a reasonable period

Non-material changes take effect when posted. Your continued use of the Services after an update constitutes acceptance of the revised policy, to the extent permitted by law.

21. Contact Us

Privacy Office

Headquarters for Simple, Inc. dba HQ Simple

11622 El Camino Real, Suite 100

San Diego, CA 92130, United States

Privacy requests: privacy@engageapp.ai
Security reports: security@engageapp.ai
Accessibility: accessibility@engageapp.ai
General inquiries: hello@engageapp.ai
Phone: 858-333-4473

See also our Terms of Service.