1. Who we are
AnooreHR ("we", "us", "our") is an HR, payroll, and accounting platform operated by Executive Talents Group Ltd., a company registered in Nigeria (RC No. on request). For the purposes of the Nigeria Data Protection Act 2023 ("NDPA"), we act as a data processor for the employee, payroll, and financial records you upload, and as a data controller for your account and billing information.
Data Protection contact: privacy@anoorehr.com. General contact: hello@anoorehr.com.
2. Scope and legal framework
This policy is written to meet the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Commission (NDPC) implementation framework, and to align with comparable laws across Africa and internationally — including the EU GDPR, UK GDPR, South Africa's POPIA, Kenya's Data Protection Act 2019, and Ghana's Data Protection Act 2012.
Where you operate in multiple jurisdictions, the strictest applicable standard governs our handling of your data.
3. What we collect
Account data you provide: name, work email, phone, company name, role, and billing details.
HR and payroll records you upload or generate: employee identifiers (including National Identification Number, Bank Verification Number, tax IDs, pension PIN, NHF and NSITF numbers), employment terms, compensation, attendance, leave, performance, training, and disciplinary records.
Financial and accounting records: chart of accounts, journals, invoices, expenses, vendor and customer details, bank statements you import, and tax filings (PAYE, VAT, WHT, ITF, pension, NHF, NSITF).
Usage and device data: IP address, browser and device type, pages visited, feature interactions, and security logs.
Cookies and similar technologies — strictly limited to what is needed to keep you signed in and to measure aggregate product usage.
4. Lawful bases for processing
Performance of a contract — to deliver the service you have subscribed to.
Legal obligation — to help you comply with Nigerian tax and labour law (FIRS, PenCom, NHF, NSITF, ITF, Federal and State IRS) and equivalent obligations in other African jurisdictions you operate in.
Legitimate interests — to secure the service, prevent fraud, and improve the product, balanced against your rights.
Consent — for optional features such as marketing communications, which you can withdraw at any time.
5. How we protect your data
Tenant isolation: PostgreSQL row-level security enforces customer-level segregation on every query, in addition to application-layer checks.
Encryption: sensitive PII (NIN, BVN, bank account numbers, pension PINs) is encrypted at rest using authenticated symmetric encryption. All traffic is protected by TLS 1.2 or higher.
Access control: production access is least-privilege, multi-factor, time-bound, and fully audit-logged.
Resilience: encrypted daily backups with 14-day retention and tested restore procedures.
Our security program is designed around the principles of ISO/IEC 27001 and SOC 2, and payment data is handled exclusively through PCI-DSS-compliant providers — we do not store full card numbers.
6. Data residency and international transfers
Your data is hosted in secure data centres with redundancy and disaster-recovery zones. Where data is transferred outside its country of origin, we rely on adequacy decisions, standard contractual clauses, or your explicit consent, as required by the NDPA, GDPR, POPIA, and equivalent laws.
On request, customers on our Business and Enterprise plans can specify a preferred hosting region (West Africa, East Africa, EU, or US).
7. Retention
Account data is retained while your subscription is active and for 90 days after termination, after which it is deleted or anonymised.
Financial and tax records are retained for at least 6 years to satisfy the Companies and Allied Matters Act (CAMA), FIRS, and equivalent record-keeping rules across Africa.
Payroll and employee records are retained for the period required by local labour law (commonly 6 years in Nigeria, longer in some jurisdictions for pension and tax).
Backups expire on a rolling 14-day schedule.
8. Your rights
Under the NDPA — and equivalent rights under GDPR, POPIA, and other African data-protection laws — you have the right to access, correct, port, restrict, or delete your personal information, to object to processing, and to lodge a complaint with the NDPC or your national supervisory authority.
Employees and other data subjects whose information sits in a customer's tenant should contact their employer first; we will support the employer in fulfilling the request.
To exercise rights against AnooreHR directly, email privacy@anoorehr.com from the address on file. We respond within 30 days, in line with the NDPA.
Account deletion anonymises personal identifiers while preserving financial records we are legally required to retain.
9. Sharing and sub-processors
We do not sell personal data and we do not use it for advertising.
We share data only with vetted sub-processors strictly necessary to operate the service — hosting, transactional email, payment processing, error monitoring, and customer support tooling. The current sub-processor list is available on request from privacy@anoorehr.com and is updated when changes occur.
We disclose data to authorities only when compelled by valid legal process under Nigerian law or the law of the relevant jurisdiction, and we will notify you unless legally prohibited.
10. AI features
Where you use AI-assisted features (for example job description generation, candidate scoring, or accounting insights), prompts and the relevant context are sent to our AI providers under contractual terms that prohibit training on your data.
AI outputs are decision-support only — final HR, payroll, and financial decisions remain with you.
11. Cookies
We use strictly-necessary cookies to keep you signed in and to remember your workspace.
We use limited first-party analytics to understand product usage in aggregate. We do not use advertising or third-party tracking cookies.
12. Breach notification
In the event of a personal data breach likely to result in risk to data subjects, we will notify affected customers without undue delay and, where required, the NDPC within 72 hours, in line with the NDPA and comparable laws in your jurisdiction.
13. Children
AnooreHR is a workplace product not intended for individuals under 18. We do not knowingly collect data from children.
14. Changes to this policy
We may update this policy as the product and the law evolve. Material changes will be notified to account owners by email at least 30 days before they take effect. The effective date at the top of this page reflects the most recent update.
15. Contact
Privacy and data-protection enquiries: privacy@anoorehr.com. General enquiries: hello@anoorehr.com. Postal address available on request.