
Privacy Policy

Last updated: May 18, 2026

WalnutsHR Inc. ("WalnutsHR," "Company," "we," "us," or "our") is a Canadian-operated provider of HR software, committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your information when you visit our website (www.walnutshr.com), use our application (app.walnutshr.com), or interact with any of our services (collectively, the "Service").

Our approach is shaped by Canadian privacy law — in particular, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy statutes (including Quebec's Act respecting the protection of personal information in the private sector as modernized by Law 25, Alberta's PIPA, and British Columbia's PIPA). We honour the ten fair information principles set out in PIPEDA Schedule 1: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

This Privacy Policy applies to all users of our Service, including website visitors, account holders, administrators, managers, employees, and any other individuals who interact with the Service. By using the Service, you acknowledge that you have read, understood, and agree to the practices described in this policy.

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, PLEASE DO NOT ACCESS OR USE THE SERVICE.


Cross-Border Data Processing — Important Notice

WalnutsHR Inc. is a Canadian corporation operating the Service for customers in both Canada and the United States.

Primary application database. Your primary application database — operated by Supabase and containing employee records, documents, and time-off data — is provisioned in a Canadian region for organizations registered in Canada and a United States region for organizations registered in the United States, based on your country of registration at signup. We do not move the primary database between regions after signup without your instruction. This regional placement applies only to the primary database; other operational services we rely on are described in the paragraph that follows and in Section 4.2.

Other processing (all customers, regardless of region). Several services we rely on to operate WalnutsHR — authentication (Clerk), payment processing (Stripe), application hosting and edge delivery (Vercel), product analytics (PostHog), transactional email (Resend), AI features (Anthropic, only when explicitly invoked), and error tracking (Sentry) — are headquartered in the United States and process limited Personal Data (such as email addresses, IP addresses, payment details, session tokens, pseudonymous usage events, transactional email content, AI prompts, and scrubbed error reports) on US-based infrastructure. This applies to both Canadian and US customers.

By creating an account or using the Service, you acknowledge that some of your Personal Data will be processed outside of your country of residence and may become subject to the laws of those jurisdictions, including the United States CLOUD Act, which can compel US-based providers to disclose data to US government authorities under defined legal process.

A complete list of sub-processors and their default regions appears in Section 4.2. Cross-border transfer safeguards are described in Section 9.


1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when you:

  • Create an account or register for the Service
  • Complete your profile or update account settings
  • Enter employee data into the platform
  • Upload documents, files, or other content
  • Subscribe to a paid plan or enter payment information
  • Contact us through email, forms, or support channels
  • Subscribe to our newsletter or marketing communications
  • Participate in surveys, promotions, or feedback requests

This information may include:

  • Identity data: Full name, job title, company name, profile photo
  • Contact data: Email address, phone number, mailing address
  • Account data: Username, password (hashed), account preferences, role/permissions
  • Financial data: Billing address, payment card details (processed and stored by Stripe, not by us directly)
  • Employee/HR data: Employee names, contact information, job titles, departments, hire dates, salary information, time-off balances, documents, and any other HR data you choose to enter into the platform
  • Communication data: Content of emails, support requests, and other correspondence with us

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain technical and usage information:

  • Device data: Device type, operating system, browser type and version, screen resolution, device identifiers
  • Network data: IP address, internet service provider, approximate geographic location (city/region level)
  • Usage data: Pages viewed, features used, clicks, time spent on pages, navigation paths, search queries within the Service
  • Log data: Access timestamps, error logs, referral URLs, exit pages
  • Cookie data: Information collected through cookies, pixels, web beacons, and similar tracking technologies (see Section 8 and our Cookie Policy)

1.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Authentication providers (Clerk): Identity verification data, SSO tokens, session data, OAuth profile information
  • Payment processors (Stripe): Transaction confirmations, payment status, billing details
  • Analytics services: Aggregated usage patterns and demographic data

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery and Operations

  • Provide, operate, and maintain the Service
  • Create and manage your Account
  • Process and fulfill Subscription orders and transactions
  • Authenticate users and manage sessions
  • Enforce our Terms of Service and Acceptable Use Policy

2.2 Communication

  • Send transactional emails (account confirmations, password resets, billing receipts)
  • Send service-related notifications (security alerts, maintenance notices, feature updates)
  • Respond to your inquiries, support requests, and feedback
  • Send marketing and promotional communications (only with your consent; you may opt out at any time)

2.3 Improvement and Analytics

  • Analyze usage patterns to improve the Service, user experience, and performance
  • Conduct research and development for new features
  • Monitor and analyze trends, usage, and activities
  • Debug and fix technical issues

2.4 Security and Compliance

  • Detect, prevent, and address fraud, abuse, security incidents, and technical issues
  • Enforce our Terms of Service and protect our rights, property, and safety
  • Comply with legal obligations, court orders, and government requests
  • Maintain audit logs for compliance and security purposes

3. Legal Bases for Processing

3.1 Under Canadian Law (PIPEDA and provincial statutes)

PIPEDA requires organizations to obtain meaningful consent for the collection, use, or disclosure of personal information, with limited statutory exceptions. We rely on:

  • Express consent: Obtained at signup for the information required to create and operate your Account, and for any marketing communications you opt into.
  • Implied consent: Reasonable to infer for processing that is obviously necessary to deliver a Service you have actively requested (for example, loading a page you have navigated to).
  • Statutory permissions under PIPEDA s. 7: Including situations where collection is clearly in your interests and consent cannot be obtained in a timely way, or where use or disclosure is required by Canadian law.
  • Provincial laws: In Quebec, Alberta, and British Columbia, provincial private-sector privacy statutes apply in place of PIPEDA for activities within those provinces. We comply with the stricter of the applicable standards.

You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may mean we can no longer provide all or part of the Service to you.

3.2 Under EU / UK / Swiss Law (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your Personal Data based on the following GDPR legal grounds:

  • Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, manage your Account, and fulfill our contractual obligations.
  • Legitimate interests (Art. 6(1)(f) GDPR): Improving the Service, fraud prevention, security, and direct marketing to existing customers, balanced against your rights and freedoms.
  • Consent (Art. 6(1)(a) GDPR): For marketing communications and optional analytics cookies. Consent can be withdrawn at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): Tax reporting, anti-money laundering, and lawful authority requests.

3.3 Under U.S. State Privacy Laws (CCPA/CPRA and successor statutes)

For California residents (and residents of other U.S. states with comprehensive consumer-privacy laws — Virginia, Colorado, Connecticut, Utah, and Texas), we process Personal Data for the following enumerated business and commercial purposes:

  • Performing services on your behalf: Providing, maintaining, and supporting the Service; processing Subscriptions; authenticating users; honoring your requests.
  • Auditing related to current interactions: Counting impressions, verifying placement, and auditing compliance with this Privacy Policy and our Terms.
  • Detecting security incidents and protecting against malicious or fraudulent activity: Including responsibility for prosecuting those responsible.
  • Debugging: Identifying and repairing errors that impair existing intended functionality.
  • Short-term, transient use: For example, displaying contextual advertising solely from your current interaction with us.
  • Internal research for technological development and demonstration.
  • Quality and safety verification, maintenance, and improvement of the Service we own or control.
  • Compliance with legal obligations: Including responding to lawful requests, court orders, and subpoenas.

We do not sell or share Personal Data as those terms are defined under CCPA/CPRA (i.e., we do not exchange Personal Data for monetary or other valuable consideration, and we do not share Personal Data for cross-context behavioural advertising). We do not use or disclose Sensitive Personal Information beyond the purposes permitted under CPRA s. 1798.121.

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

We do not sell, rent, or trade your Personal Data to third parties for their marketing purposes. We have never sold Personal Data and do not intend to.

4.2 Sub-Processors and Service Providers

We share data with trusted third-party service providers ("Sub-Processors") who assist us in operating the Service. Each Sub-Processor is contractually obligated to protect your data and process it only for the purposes we specify. Our data-residency posture is described on our Security page. Where a sub-processor offers regional placement, we store customer data in the region matching the customer's country of registration (Canadian organizations in Canadian regions; United States organizations in United States regions). Where a sub-processor does not offer regional placement, we rely on contractual safeguards (see Section 9).

| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, file storage, row-level security | All Customer Data including employee records, documents, time-off data | Canadian region for Canadian organizations; United States region for US organizations |
| Clerk | Authentication, user management, SSO, sessions | User identity data, email, session tokens, authentication logs | United States |
| Stripe | Payment processing, subscription billing | Billing name, email, payment card details, transaction history | Payments are processed by third-party payment providers including Stripe. These providers may process, store, or access payment and transaction information in jurisdictions outside Canada, including the United States, where data may be subject to foreign laws. |
| Upstash | Rate limiting on public forms and atomic counter for the public waitlist total | Visitor IP addresses used as rate-limit keys (auto-expire within one hour); anonymous waitlist count | Canada (primary region, ca-central-1); read replicas globally distributed for low-latency lookups |
| Vercel | Application hosting, CDN, serverless functions | IP addresses, request logs, performance metrics | Edge network globally distributed for caching; origin compute on US infrastructure |
| Cloudflare | Bot challenge (Turnstile) on signup and sign-in forms; protects against automated account-creation abuse | Visitor IP address, browser fingerprint, challenge response token — held only for the duration of the challenge | United States; edge-distributed globally |
| PostHog | Product analytics, feature flags, session data | Pseudonymous event data, page views, clicks, device/browser metadata (only with your cookie consent) | United States |
| Resend | Transactional email delivery (welcome, invite, offer letter, time-off, onboarding reminder) | Recipient email address, sender name, subject, message body (employee names, dates, task titles); delivery status logs | United States (AWS us-east-1). Resend retains message content for up to 30 days for delivery troubleshooting and then deletes it; delivery metadata (timestamp, recipient, status) may be retained longer per Resend's standard retention policy. |
| Anthropic | AI assistant features (policy drafting, candidate screening, draft review) | Prompt content submitted by an admin or manager when invoking an AI feature (may include role descriptions, applicant resumes, draft text); responses are returned to the user. Anthropic retains prompt and response content for up to 30 days for safety and abuse monitoring under its standard API policy, then deletes it. We do not currently have a Zero Data Retention agreement in place. | United States. Only fires when an admin or manager actively triggers an AI feature; never on routine reads. |
| Sentry | Error tracking and performance monitoring | Error events including stack traces, request paths, user ID (no email), session ID, breadcrumbs, browser/device metadata. Sensitive field values (password, SSN, bank, salary, tokens, authorization headers) are scrubbed before transmission. | United States |
| Prisma | Database ORM (runs within our application) | Database queries (no data stored externally by Prisma) | N/A (in-application) |

4.3 Other Disclosures

We may also disclose your information:

  • Legal requirements: When required by law, subpoena, court order, or other legal process
  • Rights protection: To protect the rights, property, or safety of WalnutsHR Inc., our users, or the public
  • Business transfers: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, in which case your data may be transferred to the acquiring entity
  • With your consent: In any other circumstances where you provide explicit consent
  • Aggregated or de-identified data: We may share aggregated or de-identified information that cannot reasonably be used to identify you

5. Data Retention

5.1 Account Lifecycle

When you close or stop paying for your Account, it moves through the staged lifecycle defined in our Terms of Service (§ 6.5):

  • Paused (60 days): You can still sign in and export your Customer Data. The Service is otherwise inaccessible.
  • Archived (270 days): Sign-in is disabled; the Account can be reactivated by contacting support. Customer Data remains stored in your region's primary database.
  • Final notice (30 days): We send a final deletion notice to the Account's admin email. This is the "90 days post-deletion" window referenced elsewhere in this section when read alongside the prior Archived stage.
  • Permanent deletion: Customer Data is deleted from active systems. Encrypted backups are purged on our rotation schedule, typically within 30 additional days.

You may request immediate deletion at any point in the lifecycle by contacting privacy@walnutshr.com; we will action the request within 30 days subject to applicable legal-hold obligations.

5.2 Retention by data category

Within the lifecycle above, we retain information for the following periods:

  • Account data: Retained while your Account is active, then through the lifecycle stages above (up to 360 days total before permanent deletion)
  • Customer Data (employee records, documents, etc.): Retained while your Account is active, then through the lifecycle stages above. Backup copies may persist for up to 30 additional days after permanent deletion
  • Billing and transaction records: Retained for 7 years for tax and accounting compliance
  • Audit logs: Retained for a minimum of 2 years for security and compliance purposes
  • Communication records (support tickets, emails): Retained for 3 years after resolution
  • Analytics data: Aggregated and anonymized after 26 months
  • Cookie data: Varies by cookie type (see our Cookie Policy)

When data is no longer needed, we securely delete or anonymize it. Deletion from active systems occurs within 30 days of the retention period expiring. Residual copies in encrypted backups are purged in accordance with our backup rotation schedule.

6. Data Security

We rely on well-established cloud providers for the underlying security controls and add product-level controls on top. See our Security page for the current posture and roadmap.

  • Encryption in transit: Traffic between your browser and WalnutsHR Inc. is encrypted using TLS, as configured by our hosting provider (Vercel).
  • Encryption at rest: Databases and object storage are encrypted at rest by our cloud-storage providers (Supabase / Postgres). Key management is handled by the provider.
  • Multi-tenant data isolation: Each organization's data is isolated using Postgres row-level security (RLS) policies, enforced at the database layer.
  • Role-based access control: Permissions ensure users only access data appropriate to their role (Admin, Manager, Employee). Salary and other sensitive fields are restricted by default.
  • Authentication: Authentication is delegated to Clerk, which supports multi-factor authentication, SSO/SAML (on supported plans), and session management. Passwords are never stored in plain text by WalnutsHR Inc.
  • Audit logging: Significant actions (logins, record changes, exports, role changes) are logged and visible to administrators within the product.
  • Provider certifications: We rely on infrastructure providers that hold SOC 2 Type II (including Vercel, Supabase, and Clerk). These certifications cover those providers, not WalnutsHR Inc. directly; our own SOC 2 posture is described on the Security page.
  • Access controls: Internal access to production systems is restricted to authorized personnel and logged.
  • Vulnerability management: We triage vulnerability reports received through responsible disclosure (security@walnutshr.com) and patch on a severity-weighted timeline.

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your Account credentials and for promptly reporting any suspected unauthorized access.

7. Data Breach Notification

In the event of a breach of security safeguards involving Personal Data under our control, we will:

  • PIPEDA: Where there is a real risk of significant harm, notify the affected individual(s), the Office of the Privacy Commissioner of Canada, and any organization or government institution that may be able to reduce or mitigate the harm, in accordance with the Breach of Security Safeguards Regulations.
  • Quebec Law 25: Where the incident presents a serious risk of harm, notify the Commission d'accès à l'information du Québec and the affected individuals.
  • Alberta PIPA and BC PIPA: Notify the applicable Commissioner when required by the province's breach-reporting regime.
  • GDPR: Notify the competent supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and notify affected individuals where the risk is high.
  • U.S. state breach-notification laws: Notify affected residents and, where required, the applicable state Attorney General, consumer reporting agencies, and other regulators in accordance with each state's breach-notification statute (including but not limited to California Civil Code §§ 1798.29 and 1798.82, New York's SHIELD Act, the Texas Identity Theft Enforcement and Protection Act, and the Massachusetts Data Breach Notification Law). Where the statute prescribes a specific timeline (typically "without unreasonable delay," with outside limits ranging from 30 to 60 days), we will meet the shorter applicable deadline.
  • All frameworks: Provide a description of the nature of the breach, the categories of data affected, the approximate number of individuals concerned, measures taken or proposed, and contact information for further inquiries. Keep internal records of all breaches regardless of notification threshold, as PIPEDA requires.

8. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, web beacons, local storage) to collect information about your interaction with the Service. For complete details about the types of cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

Categories of cookies we use include:

  • Strictly necessary cookies: Required for the Service to function (authentication, security, load balancing)
  • Functional cookies: Remember your preferences and settings (theme, language)
  • Analytics cookies: Help us understand how users interact with the Service

9. Cross-Border Data Transfers

Some of our sub-processors are headquartered in the United States. Where your Personal Data is transferred to or accessed from outside your country or province of residence, we take the following steps so the level of protection continues to meet Canadian, European, and other applicable standards:

  • Canadian customers (PIPEDA / provincial): We prefer Canadian regions for customer-data storage where sub-processors offer them. When US processing is unavoidable, we rely on contractual clauses requiring comparable protection and we disclose the transfer here in the spirit of the accountability principle.
  • Quebec customers (Law 25): Quebec residents' Personal Data may be transferred outside Quebec to the US-based sub-processors listed in Section 4.2. Law 25 requires us to assess the level of protection in the receiving jurisdiction before such transfers; we are completing that privacy impact assessment as part of our launch readiness and will publish a summary on our Security page once finalized. Quebec customers with questions about the assessment may contact privacy@walnutshr.com before signing up.
  • EU / UK / Swiss customers (GDPR): Where Personal Data of EEA, UK, or Swiss residents is transferred to the United States, we rely on the EU Standard Contractual Clauses incorporated into the data processing agreements offered by our sub-processors (including Supabase, Clerk, Stripe, Vercel, PostHog, Resend, Anthropic, and Sentry), together with the UK International Data Transfer Addendum and the Swiss revised SCCs where applicable. Supplementary technical measures include encryption in transit and at rest and role-based access controls enforced within the application. EU/UK/Swiss customers may request a copy of our Data Processing Agreement at privacy@walnutshr.com.
  • US CLOUD Act exposure: US-headquartered cloud providers may be compelled to disclose data under US law, including the CLOUD Act. We select sub-processors whose terms contractually require them to challenge unlawful requests and notify us of lawful ones where legally permitted.

10. Your Privacy Rights

If you are a Canadian resident, the rights most relevant to you are described in §10.1 below. Sections 10.2 through 10.5 cover EU/UK/Swiss and U.S. residents respectively and are included for transparency since we serve customers in those regions.

10.1 Canadian Rights (PIPEDA and provincial laws)

Under PIPEDA and applicable provincial privacy laws, Canadian individuals have the following rights with respect to their Personal Data:

  • Right to access: Request a copy of the Personal Data we hold about you and information about how it has been used and disclosed.
  • Right to correction: Request correction of inaccurate or incomplete Personal Data.
  • Right to withdraw consent: Withdraw consent to the collection, use, or disclosure of your Personal Data at any time, subject to legal or contractual restrictions. Withdrawal may affect our ability to provide the Service.
  • Right to challenge compliance: Challenge our compliance with PIPEDA through our Privacy Officer (below), and, if unresolved, with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
  • Quebec (Law 25): Right to data portability, right to be informed when automated decision-making affects you, and right to lodge complaints with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).
  • Alberta (PIPA) / British Columbia (PIPA): Right to lodge complaints with the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca) or British Columbia (oipc.bc.ca).

10.2 GDPR Rights (EEA, UK, and Switzerland Residents)

If you are a resident of the EEA, UK, or Switzerland, you have the following rights under applicable data protection laws:

  • Right of access (Art. 15 GDPR): Request a copy of the Personal Data we hold about you
  • Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete Personal Data
  • Right to erasure (Art. 17 GDPR): Request deletion of your Personal Data ("right to be forgotten"), subject to legal retention requirements
  • Right to restriction of processing (Art. 18 GDPR): Request that we limit the processing of your Personal Data in certain circumstances
  • Right to data portability (Art. 20 GDPR): Receive your Personal Data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21 GDPR): Object to processing based on legitimate interests, including profiling and direct marketing
  • Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority

10.3 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: Request disclosure of the categories and specific pieces of Personal Data we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share data
  • Right to delete: Request deletion of your Personal Data, subject to certain exceptions
  • Right to correct: Request correction of inaccurate Personal Data
  • Right to opt out of sale/sharing: We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising
  • Right to limit use of sensitive Personal Data: You may request that we limit the use and disclosure of Sensitive Personal Information to purposes authorized by the CPRA
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

Categories of Personal Information collected in the past 12 months: Identifiers; commercial information; internet/electronic network activity; geolocation data; professional/employment-related information; inferences drawn from the above categories.

10.4 Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with consumer privacy laws may have similar rights to access, delete, correct, and opt out of certain processing activities. Please contact us to exercise your rights under applicable state law.

10.5 Nevada Residents

Under Nevada law (SB 220), Nevada consumers have the right to opt out of the sale of certain covered information. We do not sell your covered information as defined under Nevada law. If you have questions, contact us at privacy@walnutshr.com.

10.6 How to Exercise Your Rights

To exercise any of your privacy rights, contact us at privacy@walnutshr.com. We will verify your identity before processing your request. We will respond to verified access or correction requests within 30 days (PIPEDA and GDPR) or 45 days (CCPA/CPRA), with extensions as permitted by law. You may also designate an authorized agent or representative to submit requests on your behalf.

11. Children's Privacy

The Service is not directed to children under 16 years of age (or the applicable age of consent in your jurisdiction). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child under the applicable age, we will take steps to promptly delete such information. If you believe a child has provided us with Personal Data, please contact us at privacy@walnutshr.com.

12. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. As there is no industry-wide standard for DNT signals, the Service does not currently respond to DNT signals. We will update this policy if a uniform standard is established.

13. Data Processing Agreement

For customers who require a formal Data Processing Agreement (DPA) pursuant to the GDPR or other applicable data protection laws, we offer a standard DPA upon request. Enterprise customers may negotiate custom DPA terms. Contact us at privacy@walnutshr.com to request a DPA.

14. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policies of every site you visit.

15. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. The Service may use automated processing for features such as analytics and reporting, but these do not involve decisions that have legal or similarly significant impacts on data subjects.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last updated" date at the top of this page; (b) notify you via email to the address associated with your Account; and (c) where required by law, seek your consent to the changes. We encourage you to review this Privacy Policy periodically.

17. Privacy Officer and Complaints

PIPEDA requires every organization to designate a Privacy Officer accountable for its compliance. If you have questions or concerns about our data-processing practices, or if you wish to exercise your privacy rights, contact our Privacy Officer at:

WalnutsHR Inc. — Privacy Officer
Email: privacy@walnutshr.com
Written correspondence: send to support@walnutshr.com with “Attn: Privacy Officer” in the subject line; we will reply with our registered mailing address on request.
Website: https://www.walnutshr.com

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (federal), or with your provincial commissioner if you live in Quebec, Alberta, or British Columbia. If you are located in the EEA, UK, or Switzerland, you may lodge a complaint with your local supervisory authority. Residents of California and other US states with consumer privacy laws may contact the applicable state Attorney General's office.

18. Contact Us

For any questions or concerns about this Privacy Policy, contact us at:

WalnutsHR Inc.
Privacy: privacy@walnutshr.com
Security: security@walnutshr.com (vulnerability reports)
General inquiries: support@walnutshr.com
Website: https://www.walnutshr.com
