Privacy Policy
Last Updated: December 2025
INTRODUCTION
Welcome to Emformance. We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how Emformance, Inc. ("Emformance," "we," "us," or "our") collects, uses, discloses, and safeguards your information when you use our platform and services.
By using Emformance, you agree to the collection and use of information in accordance with this privacy policy.
If you do not agree to these Terms, you may not access or use the Services.
1. INFORMATION WE COLLECT
We collect several types of information from and about users of our services, including:
1.1 Information You Provide to Us
Account Registration Information:
Full name (first and last name)
Email address
Phone number
Job title and department
Company/organization name
Business address
Password (encrypted and never stored in plain text)
Organization Setup Information:
Organization name, type, and industry
Number of employees
Business registration details
Tax identification numbers (EIN)
Business address and contact information
Website URL
Employee Information (HR Module):
Employee personal details (name, date of birth, SSN/SIN)
Contact information (address, phone, emergency contacts)
Employment information (job title, department, manager, start date, employment type)
Compensation details (salary, hourly rate, bonus structure)
Benefits enrollment information
Performance review data and feedback
Time-off requests and attendance records
Training and certification records
Disciplinary actions and notes
Payroll and Financial Information:
Bank account numbers and routing numbers (for direct deposit)
Tax withholding information (W-4, T4)
Pay stubs and payroll history
Expense reports and reimbursement requests
Invoices and payment records
Credit card information (processed through Stripe, not stored by Emformance)
Project and Task Information:
Project details and descriptions
Task assignments and completion status
Time tracking and timesheet entries
File attachments and documents
Comments and collaboration notes
Communications:
Support ticket submissions and correspondence
Survey responses and feedback
Chat messages and emails sent through our platform
1.2 Information Collected Automatically
Usage Data:
IP address and geolocation data
Browser type and version
Device information (type, operating system, unique device identifiers)
Pages viewed and features used
Time spent on pages
Referring website URLs
Access times and dates
Cookies and Similar Technologies:
We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. See Section 10 for detailed information about our cookie practices.
Log Data:
Authentication attempts and login history
API requests and responses
Error logs and system diagnostics
Security events and incident logs
1.3 Information from Third-Party Sources
Banking Information (via Plaid):
Bank account verification data
Account and routing numbers
Bank name and account holder information
Account balance information (for verification purposes only)
Payment Information (via Stripe):
Payment method details
Transaction history
Payment status and receipts
Single Sign-On (SSO) Providers:
If you authenticate using Google, Microsoft, or other SSO providers, we receive basic profile information (name, email, profile picture) as permitted by your SSO provider settings.
2. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes:
2.1 Platform Overview
Emformance provides a cloud-based enterprise resource planning (ERP) platform that enables organizations to manage:
2.1 Service Delivery and Operations
Account Management:
Create and manage your user account and organization profile
Payroll Processing:
Calculate and process employee payroll, including direct deposit payments and tax withholdings
Project Management:
Enable task assignment, project tracking, team collaboration, and time tracking
Financial Management:
Process invoices, expenses, and payments; generate financial reports
Communication:
Send transactional emails and in-app notifications related to your account and service usage
2.2 Service Availability
Analyze usage patterns to improve our platform features and user experience
Develop new features and services based on user needs and feedback
Conduct research and analytics to understand how users interact with our platform
Test new features and functionality with user consent
2.3 Security and Fraud Prevention
Detect, prevent, and investigate fraudulent activity, unauthorized access, and security incidents
Monitor and analyze security threats and vulnerabilities
Enforce our Terms of Service and other policies
Verify user identity and prevent account abuse
2.4 Legal Compliance
Comply with applicable laws, regulations, and legal processes
Respond to law enforcement requests and court orders
Protect our legal rights and interests
Maintain records for tax, accounting, and regulatory purposes
2.5 Marketing and Communications (With Your Consent)
Send promotional emails about new features, updates, and special offers (you can opt out anytime)
Conduct customer satisfaction surveys and request feedback
Provide customer support and respond to inquiries
Invite you to webinars, events, and training sessions
3. HOW WE SHARE YOUR INFORMATION
We do not sell your personal information to third parties. We share your information only in the following circumstances:
3.1 Service Providers and Business Partners
We engage trusted third-party service providers to perform functions on our behalf, including:
Payment Processing:
Stripe:
Credit card payment processing and subscription management
Plaid:
Bank account verification and connectivity for payroll direct deposit
Cloud Infrastructure:
Amazon Web Services (AWS):
Cloud hosting, data storage, and computing services
Communication Services:
Email delivery service providers for transactional and marketing emails
SMS providers for two-factor authentication and notifications
Analytics and Monitoring:
Usage analytics platforms to understand how users interact with our services
Error monitoring and performance tracking tools
Customer Support:
Help desk and ticketing systems to manage support inquiries
All service providers are contractually obligated to use your information only for the purposes of providing services to us and to implement appropriate security measures.
3.2 Within Your Organization
If you are using Emformance as part of an organization:
Administrators
Administrators can access and manage organization-wide settings, user accounts, and data
HR Managers
HR Managers can access employee records, payroll information, and performance data
Department Managers
Department Managers can access information about their direct reports and team members
Team Members
Team Members can access shared project information, task assignments, and collaboration tools
Your organization's administrator controls what information is shared within the organization and with whom.
3.3 Legal Requirements and Protection of Rights
We may disclose your information if required to do so by law or if we believe such action is necessary to:
Comply with legal obligations, court orders, or government requests
Enforce our Terms of Service and other agreements
Protect the rights, property, or safety of Emformance, our users, or the public
Detect, prevent, or investigate security incidents, fraud, or illegal activity
3.4 Business Transfers
If Emformance is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred to the acquiring entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
3.5 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
4. DATA RETENTION
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
4.1 Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Active Account Data | Duration of subscription + 90 days | Contractual necessity |
| Employee Records | 7 years after termination | Legal compliance (IRS, DOL, state laws) |
| Payroll Records | 7 years | IRS and state tax regulations |
| Financial Transactions | 7 years | Accounting standards, tax regulations |
| Audit Logs | 1-3 years | Security and compliance |
| Support Tickets | 3 years | Customer service improvement |
| Marketing Data | Until opt-out or 2 years of inactivity | Legitimate interest (with consent) |
| Backup Data | 90 days | Business continuity |
4.2 Data Deletion
When personal information is no longer needed, we securely delete or anonymize it. You can request deletion of your personal information at any time (see Section 6 for details on your rights).
Deleted data is permanently removed from our active systems within 30 days, and from backup systems within 90 days.
5. DATA SECURITY
We implement appropriate technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.
5.1 Security Measures
Encryption:
All data in transit is encrypted using TLS 1.2 or higher
All data at rest is encrypted using AES-256 encryption
Database encryption is enabled on all production databases
Access Controls:
Role-based access control (RBAC) limits data access to authorized personnel only
Multi-factor authentication (MFA) is required for administrative access
User accounts are locked after 3 failed login attempts
Sessions automatically time out after 30 minutes of inactivity
Network Security:
Firewalls and security groups restrict network access
Intrusion detection and prevention systems monitor for threats
Regular security patches and updates are applied
Monitoring and Logging:
All authentication attempts and administrative actions are logged
Security logs are retained for at least 1 year and reviewed monthly
Automated alerts notify our security team of suspicious activity
Third-Party Security:
All third-party service providers must maintain SOC 2 or equivalent certifications
Data Processing Agreements (DPAs) are in place with all vendors handling personal data
For more information about our security practices, please refer to our Information Security Policy available upon request.
5.2 Security Limitations
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
You are responsible for:
Maintaining the confidentiality of your password
Restricting access to your computer and devices
Logging out after using shared devices
Promptly notifying us of any unauthorized access to your account
6. YOUR PRIVACY RIGHTS
Depending on your location, you may have certain rights regarding your personal information:
6.1 Rights for All Users
Access and Portability:
You have the right to access your personal information and request a copy in a portable format (CSV, JSON, or PDF).
Correction:
You have the right to request correction of inaccurate or incomplete personal information.
Deletion:
You have the right to request deletion of your personal information, subject to legal retention requirements.
Opt-Out of Marketing:
You have the right to opt out of marketing communications at any time by clicking "Unsubscribe" in our emails or contacting us.
6.2 Additional Rights for EU/EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):
Right to Restriction:
You can request that we restrict processing of your personal information in certain circumstances.
Right to Object:
You can object to processing of your personal information based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent:
Where we process your information based on consent, you can withdraw consent at any time.
Right to Lodge a Complaint:
You have the right to lodge a complaint with your local data protection authority.
Legal Basis for Processing
We process your personal information based on:
Contractual Necessity:
To provide our services as outlined in our Terms of Service
Legal Obligation:
To comply with applicable laws and regulations
Legitimate Interests:
To improve our services, prevent fraud, and ensure security
Consent:
For marketing communications and optional features (you can withdraw consent anytime)
Data Protection Officer:
For GDPR-related inquiries, contact our Data Protection Officer at: [email protected]
6.3 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know:
You can request information about the categories and specific pieces of personal information we've collected, the sources, purposes, and third parties with whom we share it.
Right to Delete:
You can request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out of Sale:
You have the right to opt out of the "sale" of your personal information. We do not sell your personal information.
Right to Non-Discrimination:
We will not discriminate against you for exercising your privacy rights.
Right to Correct:
You can request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information:
You can request that we limit use of your sensitive personal information (we only use it for permitted business purposes).
Authorized Agent:
You may designate an authorized agent to make requests on your behalf. We may require proof of authorization.
Shine the Light:
Under California's "Shine the Light" law, you can request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information for third-party direct marketing.
6.4 Additional Rights for Canadian Residents (PIPEDA)
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
Right to Access:
You can request access to your personal information and information about how it's used.
Right to Correct:
You can request correction of inaccurate personal information.
Right to Withdraw Consent:
You can withdraw consent for processing at any time (subject to legal or contractual restrictions).
Right to File a Complaint:
You can file a complaint with the Office of the Privacy Commissioner of Canada.
6.5 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email:
[email protected]
Phone:
+1 469-843-0206
Mail:
Emformance, Inc., 4012 Williamsburg Court Fairfax, VA 22032
We will respond to your request within 30 days (45 days for CCPA requests). We may require identity verification to process your request.
7. INTERNATIONAL DATA TRANSFERS
Emformance is based in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
7.1 EU-U.S. Data Transfers
For transfers of personal data from the EU/EEA to the United States, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Your explicit consent where applicable
We implement appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy and applicable data protection laws.
7.2 Data Processing Agreements
We enter into Data Processing Agreements (DPAs) with our customers that act as data controllers, outlining our obligations as a data processor. Contact us at [email protected] to request a DPA.
8. CHILDREN'S PRIVACY
Emformance is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will promptly delete such information from our systems.
9. THIRD-PARTY LINKS AND SERVICES
Our platform may contain links to third-party websites, applications, or services that are not owned or controlled by Emformance. This Privacy Policy does not apply to third-party websites or services.
We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal information.
Third-party integrations we use:
Stripe:
https://stripe.com/privacy
Amazon Web Services (AWS):
https://aws.amazon.com/privacy/
10. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies to collect information about your browsing activities and to provide, maintain, and improve our services.
10.1 Types of Cookies We Use
Strictly Necessary Cookies:
These cookies are essential for the operation of our website and services. They enable core functionality such as authentication, security, and session management. You cannot opt out of these cookies.
Functional Cookies:
These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings. You can control these cookies through your browser settings.
Analytics Cookies:
These cookies help us understand how users interact with our services by collecting and reporting usage information. We use this data to improve our platform.
Marketing Cookies:
These cookies are used to deliver relevant advertisements and track campaign effectiveness. You can opt out of marketing cookies through your browser settings or our cookie preference center.
10.2 Cookie Management
Browser Controls:
Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies or alert you when cookies are being sent. Please note that disabling cookies may affect the functionality of our services.
Cookie Preference Center:
You can manage your cookie preferences through our Cookie Preference Center available at the bottom of our website.
Do Not Track (DNT):
We do not currently respond to Do Not Track (DNT) signals because there is no industry standard for how to interpret them.
10.3 Similar Technologies
In addition to cookies, we may use:
Web Beacons (Pixels):
Small graphic images embedded in emails or web pages to track user activity and email open rates
Local Storage:
Browser storage mechanisms to save data locally on your device
Session Storage:
Temporary storage that is deleted when you close your browser
11. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notice of Changes:
We will post the updated Privacy Policy on this page with a new "Last Updated" date
For material changes, we will provide prominent notice (such as an email notification or in-app banner) at least 30 days before the changes take effect
Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy
Review Regularly:
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Version History:
Previous versions of this Privacy Policy are available upon request by contacting [email protected].
12. CONTACT US
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Emformance Privacy Team
Email:
[email protected]
Phone:
+1 469-843-0206
Data Protection Officer (for GDPR inquiries):
[email protected]
Response Time:
We will respond to your inquiry within 30 days (45 days for CCPA requests).
13. SPECIFIC DISCLOSURES
13.1 California Privacy Disclosures
Categories of Personal Information Collected (Last 12 Months):
Identifiers (name, email, phone, IP address)
Commercial information (purchase history, transaction records)
Financial information (bank account numbers, payment card details)
Employment information (job title, salary, performance reviews)
Biometric information (none collected)
Internet activity (browsing history, usage data)
Geolocation data (approximate location from IP address)
Sensory information (none collected)
Professional information (job title, employer)
Education information (training certifications)
Inferences (preferences, characteristics, behavior)
Business Purposes for Collection:
Service delivery and fulfillment
Security and fraud prevention
Service improvement and development
Legal compliance
Marketing and communications (with consent)
Categories of Third Parties with Whom We Share Information:
Service providers (payment processors, cloud infrastructure, analytics)
Within your organization (administrators, HR managers, team members)
Legal and regulatory authorities (when required by law)
Business transaction parties (in case of merger or acquisition)
Sensitive Personal Information:
We collect and use sensitive personal information (SSN, financial account information) only for the following permitted purposes:
Performing services requested by you (payroll processing, direct deposit)
Security and integrity of systems
Fraud prevention
Legal compliance
We do not sell or share personal information for cross-context behavioral advertising.
13.2 Nevada Privacy Disclosures
Nevada residents have the right to opt out of the sale of personal information. We do not sell your personal information. If you have questions, contact [email protected].
14. ADDITIONAL INFORMATION
14.1 Automated Decision-Making
We may use automated systems to analyze usage patterns and detect fraudulent activity. These automated processes do not make decisions that produce legal or similarly significant effects without human oversight.
If you are subject to automated decision-making and wish to request human review, contact [email protected].
14.2 Data Minimization
We collect only the personal information necessary to provide our services and fulfill the purposes outlined in this Privacy Policy. We do not collect excessive or irrelevant information.
14.3 Transparency Reports
We may publish transparency reports disclosing the number and nature of government requests for user information we receive. These reports are available upon request.
APPENDIX: COOKIE LIST
Below is a list of cookies we use on our platform:
| Cookie Name | Purpose | Type | Duration |
|---|---|---|---|
| session_id | Maintains user session and authentication | Strictly Necessary | Session |
| carton | Prevents cross-site request forgery attacks | Strictly Necessary | Session |
| user_preferences | Stores user interface preferences | Functional | 1 year |
| _ga | Google Analytics tracking | Analytics | 2 years |
| _gid | Google Analytics session tracking | Analytics | 24 hours |
| remember me | Remembers login credentials (if opted in) | Functional | 30 days |