Privacy Policy

This Privacy Policy covers how Apext Inc. collects, uses, discloses, and protects Personal Data when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information," "personal information," or "sensitive personal information" under applicable data privacy laws, rules, or regulations, including but not limited to the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws ("Personal Data").

This Privacy Policy does not cover the practices of companies we do not own or control, or people we do not manage. This Privacy Policy applies to our Services and does not apply to third-party websites, applications, or services that may link to or be accessible from our Services.

Important: Apext is a business-to-business (B2B) service. If you are a workforce member (employee, contractor) whose data is processed through our Services, your employer is the data controller and determines how your data is used. Please see Section 3 for more information about data controller and processor roles.

• "Services" means Apext's human resources information system (HRIS), performance management platform, feedback tools, workforce analytics, and all related services, software, applications, and websites.

• "Customer" means the business entity (employer, organization) that has entered into a written agreement with Apext to use the Services for its workforce management needs.

• "Customer Data" means personal information about workforce members (employees, contractors, applicants) that Customers upload to, input into, or generate through the Services, including but not limited to HR records, performance data, feedback, goals, and employment information.

• "Workforce Members" means employees, contractors, consultants, applicants, and other individuals whose personal data is processed through the Services on behalf of a Customer.

• "Sensitive Data" or "Special Categories of Personal Data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, health data, data concerning sex life or sexual orientation, Social Security numbers, financial account information, precise geolocation, and other categories defined as sensitive under applicable law.

• "Subprocessor" means third-party service providers engaged by Apext to process personal data on our behalf in connection with providing the Services.

• "Data Controller" means the entity that determines the purposes and means of processing personal data.

• "Data Processor" or "Service Provider" means an entity that processes personal data on behalf of a Data Controller.

Apext as Data Processor for Customer Data:

• For Customer Data (workforce member information processed through the Services), the Customer is the data controller, and Apext acts as the data processor or service provider.

• Customers determine what personal data is collected, how it is used, how long it is retained, and who has access to it within the Services.

• Apext processes Customer Data solely in accordance with the Customer's documented instructions, our written agreement with the Customer (including any Data Processing Agreement or DPA), and applicable law.

• Workforce members should direct privacy rights requests, questions, or concerns about their employment data to their employer's HR department or designated privacy contact, not directly to Apext.

Apext as Data Controller:

• For data collected through our website, demo requests, contact forms, marketing activities, and operational data (account administration, billing, support), Apext is the data controller.

• This includes information about Customer administrators, billing contacts, and individuals who interact with our website or request information about our Services.

Scope of Services:

• Our Services are intended for workforce management by businesses and organizations, not for consumer use or direct use by children.

• The Services are designed to help organizations manage HR processes, performance reviews, feedback, goals, compensation, and workforce analytics.

We collect and process the following categories of personal data. The specific data collected depends on how our Services are used and configured by Customers.

We collect personal data from the following sources:

Directly from You:

From Your Employer (Customer):

Automatically from Your Use of the Services:

From Third-Party Service Providers:

From Social Networks:

We use personal data for the following purposes. For each purpose, we identify the applicable legal basis under GDPR and other privacy laws.

Important Limitations:

Important for Workforce Members: As a B2B service, your employer (the Customer) determines the purposes and means of processing your workforce data. Individual workforce members cannot opt out of data processing that is necessary for the employment relationship, HR operations, performance management, payroll, benefits administration, or legal compliance. If you have concerns about how your employer processes your data, contact your employer's HR department or Data Protection Officer.

For Customer Data (Workforce Members):

• Your employer (the Customer) provides instructions to Apext on how to process your data. Apext acts as a data processor on behalf of your employer.

• Individual workforce members cannot opt out of data processing that is necessary for employment, HR operations, performance management, or legal compliance.

• If you have concerns about how your employer processes your data, contact your employer's HR department or Data Protection Officer.

• For optional data processing (e.g., voluntary surveys, optional benefits enrollment), your employer may seek your consent. Contact your employer's HR department to manage such consents.

For Website/Demo Users:

• Where we process personal data based on consent (particularly for marketing or non-essential cookies), you have the right to withdraw consent at any time.

• Website/demo users may withdraw consent by contacting privacy@apext.co or adjusting cookie preferences in their browser.

• Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.

• Note that withdrawal of consent may affect our ability to provide certain Services or features.

We disclose personal data to the categories of recipients listed below. Depending on applicable state laws, some of these disclosures may constitute a "sale" or "sharing" of personal data, though we do not sell personal data for monetary consideration and do not share personal data for cross-context behavioral advertising.

Service Providers and Subprocessors:

• We disclose personal data to third-party service providers who perform services on our behalf, such as cloud hosting, data storage, email delivery, analytics, customer support, payment processing, and security monitoring. These service providers are contractually obligated to protect personal data and use it only for the purposes we specify. See Section 9 for our subprocessor list.

Within Customer Organizations:

• Customer Data is accessible to authorized users within the Customer's organization based on roles and permissions configured by the Customer (e.g., HR administrators, managers, employees).

Legal and Regulatory Authorities:

• We may disclose personal data to law enforcement, regulatory agencies, courts, or other governmental authorities when required by law, legal process, or to comply with legal obligations.

Protection of Rights and Safety:

• We may disclose personal data when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Apext, our Customers, workforce members, or the public, or to detect, prevent, or address fraud, security, or technical issues.

Business Transfers:

• In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal data may be transferred to the acquiring or successor entity, subject to this Privacy Policy and applicable law.

With Your Consent:

• We may disclose personal data for other purposes with your consent or at your direction (e.g., when you authorize integrations with third-party services).

• We may engage subprocessors (such as cloud hosting, email delivery, analytics, SSO) under written contracts that require them to protect your data.

• We disclose information only to service providers, for legal/safety reasons, or in connection with business transfers (mergers, acquisitions).

• Subprocessor list: A current, versioned list of subprocessors is available at apext.co/subprocessors or upon request to privacy@apext.co.

• This list is maintained and versioned, and new processors are updated periodically.

• We do not sell or rent personal information to third parties.

• We may process data in the United States, European Union member states, and other countries where our subprocessors operate.

• Transfer mechanisms: When transferring personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we use:

• Regional hosting options are available for Customers with data residency requirements (EU, UK, US regions).

• Copies of our data transfer agreements are available upon request to privacy@apext.co.

• Customer Data is retained per the Customer agreement, typically for the duration of the service relationship plus any legally required retention period.

• Upon termination of a Customer agreement, data is deleted or returned within 30 days unless otherwise specified or legally required to retain.

• Backups are retained no longer than 90 days before rolling off.

• Website/ops data is retained only as long as necessary for the purposes in this Policy, typically no longer than 2 years.

• Audit logs are retained for 7 years to comply with legal and regulatory requirements (e.g., SOX, employment law).

• Jurisdictional variations: Retention periods may be shorter where required by local law (e.g., GDPR's data minimization principle). Customers may specify shorter retention periods in their agreements, subject to our legal obligations.

• We maintain a data retention schedule that documents retention periods for each category of personal data.

• Org‑scoped isolation (row‑level security).

• Least‑privilege access and field‑level masking.

• Insert‑only audit trails for data changes and access.

• Encryption in transit (TLS 1.3) and at rest (AES-256), with rotating tenant-based keys for sensitive data.

• No support impersonation: all admin actions are explicit and logged.

• Multi-factor authentication (MFA) available and encouraged for all users.

• Regular security assessments, penetration testing, and vulnerability scanning (quarterly).

• Compliance & Audits: We are actively pursuing SOC 2 Type II certification. We conduct annual third-party security audits and maintain an information security management system aligned with ISO 27001 standards.

• Incident response procedures with 24/7 security monitoring and alerting.

• Employee security training and background checks for personnel with access to Customer Data.

• In the event of a data breach that affects personal information, we will notify affected Customers without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR and other applicable laws.

• Additional requirements: We also comply with breach notification requirements under U.S. state laws (California, New York, etc.), and sectoral regulations where applicable.

• We will provide information about the nature of the breach, the categories and approximate number of data subjects affected, the data affected, and steps being taken to address it.

• Customers are responsible for notifying their workforce members (data subjects) as required by applicable law. We will provide reasonable assistance to Customers in fulfilling this obligation.

• We maintain an incident response plan and conduct regular security drills to ensure rapid, effective response to potential breaches.

• Our Services may include features that assist with performance calibration, rating distributions, and talent analytics.

• These are decision-support tools only. They analyze performance data, suggest rating distributions, and provide insights to help managers make informed decisions.

• Human oversight is required. Final employment decisions (promotions, terminations, compensation, performance ratings) are always made by human managers and HR personnel, not by automated systems alone.

• Data used: Performance reviews, goals, feedback, tenure, role information, and historical performance data.

• Safeguards: Managers can override any system suggestions, and all final decisions are subject to HR review and approval processes.

• If you have concerns about how automated tools are used in your employment decisions, contact your employer's HR department or exercise your right to human review under applicable law.

Your privacy rights depend on your relationship with Apext and the applicable laws in your jurisdiction. This section explains the rights available to different categories of individuals.

For Website/Demo Users and Customer Contacts:

If you are a website visitor, demo requester, or Customer contact (not a workforce member whose data is processed through the Services), you may exercise the following rights by contacting privacy@apext.co:

California Residents (CCPA/CPRA Rights):

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Limitations & Exceptions:

We may deny, limit, or delay requests where permitted or required by law, including to:

If we deny a request, we will explain the reason and inform you of your right to appeal (where applicable) or lodge a complaint with a supervisory authority.

How to Exercise Your Rights:

We comply with GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws to the extent they apply to our processing activities. This Privacy Policy does not limit any rights you may have under applicable law.

• Our Services are not directed to children under 16 (or under 13 in the United States under COPPA, or the applicable age in your jurisdiction).

• We do not knowingly collect children's personal information.

• Age verification: Customers are responsible for ensuring that workforce members using the Services meet minimum age requirements. We rely on Customers to verify ages during onboarding.

• If we learn we have collected information from a child without proper authorization, we will delete it promptly (within 30 days).

• Parents or guardians who believe we have collected information from a child may contact us at privacy@apext.co to request deletion.

• Strictly necessary cookies: Required for platform operation, authentication, and security. These cookies persist for the duration of your session or up to 30 days for "remember me" functionality.

• Analytics cookies: We use privacy-respecting analytics tools (Plausible Analytics or similar) that do not use cross-site tracking or collect personally identifiable information. We collect:

• Analytics cookies persist for up to 24 months.

• We do not use advertising cookies or cross-site tracking cookies.

• Your choices: You can control cookies through your browser settings (Chrome, Firefox, Safari, Edge all provide cookie management). You may also opt out of analytics by enabling "Do Not Track" in your browser or contacting privacy@apext.co.

• Note that disabling necessary cookies may affect platform functionality (e.g., you may need to log in repeatedly).

• We may use de-identified or aggregated data to test, improve, and ensure reliability of our Services.

• De-identified data cannot be reverse engineered or re-identified.

• We may update this Policy from time to time to reflect changes in our practices, legal requirements, or new features.

• Material changes include: new purposes for data processing, new categories of data collected, changes to data retention periods, new subprocessors with access to Customer Data, or changes that reduce your rights.

• Material updates will be posted on this page with an updated effective date and highlighted in a change summary at the top of the policy.

• For material changes affecting Customer Data processing, we will notify Customers via email at least 30 days in advance and through the platform.

• Active website/demo users will be notified of material changes via email to the address on file.

• Version history: Previous versions of this Policy are available upon request to privacy@apext.co.

• Continued use of our Services after updates constitutes acceptance of the revised Policy.

• This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions.

• For Customers and users in the European Economic Area, UK, or Switzerland, nothing in this section affects your rights under applicable data protection laws, including the right to lodge a complaint with your local supervisory authority.

• Any disputes arising from this Privacy Policy will be resolved in accordance with the dispute resolution provisions in your Customer agreement, or for website/demo users, through binding arbitration in Delaware or your local jurisdiction as required by law.

• You retain the right to bring claims in your local jurisdiction where required by applicable consumer protection or data protection laws.

For privacy questions, to exercise your rights, or to raise concerns about how we handle personal information, please contact us at:

Data Protection Officer:

For GDPR-related inquiries or to contact our Data Protection Officer, email privacy@apext.co with "Attn: DPO" in the subject line.

EU and UK Representatives:

If required under GDPR Article 27 or UK GDPR Article 27, we will appoint representatives in the EU and UK. Contact information will be provided here when applicable.

Supervisory Authorities:

You have the right to lodge a complaint with a data protection supervisory authority if you believe we have violated your privacy rights:

We are committed to working with you to resolve any privacy concerns. We will investigate and attempt to resolve complaints and disputes in accordance with this Privacy Policy and applicable law.