Privacy Notice

1. Introduction

Isurdan ("we", "us", "our") is committed to protecting your privacy. This Privacy Notice explains how we collect, use, store, and share personal data when you use the Isurdan platform (including People Experience, Goals, Trust, Transformation, and RevOps products) and visit our website.

We act as a data processor on behalf of our customers (your employer), who act as the data controller. This notice also covers data we collect as a data controller when you interact with our website or contact us directly.

2. Data We Collect

Depending on how you interact with Isurdan, we may collect:

• Account & profile data: name, email address, job title, department, employee ID, profile photo.
• Employment data: compensation details, equity grants, time-off balances, employment history, performance data.
• Equipment data: assigned hardware, software licenses, IT inventory information.
• Usage data: log-in times, pages visited within the platform, feature interactions, browser type, IP address.
• Website analytics data: pages visited on isurdan.com, scroll depth, CTA interactions, traffic source, anonymous visitor identifier (with consent only).
• Communication data: messages sent through the platform, support requests, feedback.
• Website visitor data: name, email, and message content submitted through contact forms.

3. How We Use Your Data

We process personal data for the following purposes:

• Providing and operating the Isurdan people experience platform on behalf of your employer.
• Managing employee profiles, compensation, time off, equipment, and recruitment workflows.
• Generating AI-powered insights such as career recommendations and performance analytics.
• Providing an AI chat assistant that allows employees and managers to query HR data conversationally. Queries and relevant platform data (excluding compensation and personal identification details) are processed by our AI sub-processor (see Section 6). A consent notice is displayed before first use.
• Ensuring platform security, preventing fraud, and enforcing our terms of service.
• Responding to support requests and communications.
• Improving our services through anonymized, aggregated analytics.

4. Legal Basis for Processing

Under the GDPR, we process personal data on the following legal bases:

• Contract performance: processing necessary to provide our services to customers.
• Legitimate interest: improving our platform, ensuring security, and conducting analytics.
• Legal obligation: compliance with applicable laws and regulations.
• Consent: where required, such as for marketing communications.

5. Data Storage, Security & International Transfers

Personal data is stored on secure cloud infrastructure within the European Economic Area (EEA), specifically Google Cloud Platform (europe-west2, London). We implement industry-standard technical and organizational measures to protect your data, including encryption at rest and in transit, access controls, and regular security audits.

International transfers: Certain data is transferred outside the EEA when processed by our sub-processors. Specifically, AI chat queries are processed by Anthropic (based in the United States). Payment data is processed by Stripe (United States). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, supplementary technical measures such as encryption in transit. Anthropic's API data policy states that API inputs are not used for model training.

6. Data Sharing & Sub-Processors

We do not sell personal data. We may share data with:

• Your employer: as the data controller, your employer has access to employee data within the platform.
• Sub-processors: trusted third parties bound by data processing agreements. Our current sub-processors are listed below.
• Legal authorities: when required by law, regulation, or legal process.

Sub-processor list:

We notify customers of changes to our sub-processor list at least 30 days in advance. All sub-processors are bound by data processing agreements that include Standard Contractual Clauses where data is transferred outside the EEA.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this notice, or as required by law. When a customer's contract ends, we delete or anonymize all associated data within 90 days, unless a longer retention period is required by law.

8. Your Rights

Under the GDPR, you have the right to:

• Access your personal data and receive a copy.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten") in certain circumstances.
• Restrict processing of your data.
• Port your data to another service in a machine-readable format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time where processing is based on consent.

To exercise these rights, contact your employer (the data controller) or reach out to us directly. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies, Analytics & AI Consent

Platform cookies: The Isurdan application platform uses the following strictly necessary storage:

• Authentication token (localStorage) — JWT token for session authentication. Cleared on logout.
• Cookie consent preference (localStorage) — Records your cookie choice. Persists until cleared.
• AI chat consent (localStorage) — Records your acknowledgment of AI data processing. Persists until cleared.
• Theme preference (localStorage) — Light/dark mode setting.

AI chat consent: Before using the AI chat assistant, users are presented with a consent notice explaining that queries and relevant HR data are processed by Anthropic. Users must acknowledge this before the feature becomes available. Organizations can disable the AI chat feature entirely via their admin settings.

Marketing website analytics: With your consent, we collect anonymous usage data on our marketing website to understand how visitors interact with our pages and to improve the experience. This includes:

• Pages visited and time spent on each page
• Scroll depth and interactions with calls to action
• Traffic source and campaign attribution (UTM parameters)
• Anonymous visitor identifier (stored in your browser's local storage)

This data is collected only after you accept the analytics consent banner. You may decline analytics tracking without any impact on your ability to use the website. No personal data is collected until you voluntarily provide it (e.g., by signing up for a trial).

Trial signup linking: If you accept analytics tracking and subsequently sign up for a trial, your anonymous browsing history on isurdan.com is linked to your email address. This helps us understand the visitor-to-trial journey and improve our onboarding experience. This data is retained for 90 days after trial signup and then deleted.

In-app product analytics: Within the Isurdan platform, we collect aggregated usage data (page views, feature usage, interaction patterns) to improve product quality and identify usability issues. This data is processed as part of the service under your employer's data processing agreement. Individual analytics data is retained for 12 months.

We also use Plausible Analytics, a privacy-friendly, cookie-free analytics service that does not require consent under GDPR.

10. Changes to This Notice

We may update this Privacy Notice from time to time. We will notify customers of material changes via email or in-platform notification. The "Last updated" date at the top of this page indicates when this notice was last revised.

11. Contact Us

If you have questions about this Privacy Notice or our data practices, please contact us at:

[email protected]