Privacy Policy

Grove Ltd ("Grove", "we", "us", or "our") is committed to protecting your privacy and handling your data in an open and transparent manner.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our HR platform and services. It also explains your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Grove Ltd is the data controller for the personal data we process. For employee data processed on behalf of our customers, we act as a data processor, and our customers remain the data controllers.

Account Information

When you create an account or subscribe to Grove, we collect:

• Company name and registration details
• Contact name, email address, and phone number
• Billing information (processed securely by our payment provider)
• Account preferences and settings

Employee Data

On behalf of our customers (as data processor), we may process employee information including:

• Personal details (name, date of birth, contact information)
• Employment information (job title, department, start date)
• Leave and absence records
• Performance and appraisal data
• Payroll-related information
• Documents uploaded to the platform

Technical Data

When you use our platform, we automatically collect:

• IP address and device information
• Browser type and version
• Usage patterns and feature interactions
• Error logs and diagnostic data

We process your personal data for the following purposes and legal bases:

Contract Performance

• Providing and maintaining the Grove platform
• Processing your subscription and payments
• Sending service-related communications
• Providing customer support

Legitimate Interests

• Improving and developing our services
• Analysing usage to enhance user experience
• Protecting against fraud and security threats
• Sending relevant product updates (you may opt out)

Legal Obligations

• Complying with tax and accounting requirements
• Responding to legal requests from authorities
• Maintaining records as required by law

Your Consent

• Sending marketing communications (where consent is given)
• Processing special category data (with explicit consent)
• Using cookies for analytics and personalisation

Security Measures

We implement comprehensive security measures including:

• Encryption at rest: AES-256 encryption for all stored data
• Encryption in transit: TLS 1.3 for all data transmission
• Access controls: Role-based access with multi-factor authentication
• Regular audits: Annual penetration testing and security assessments
• Incident response: 24/7 security monitoring and incident response
• Employee training: Regular security awareness training for all staff

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations.

When data is no longer required, we securely delete or anonymise it in accordance with our data retention procedures.

Under UK GDPR, you have the following rights regarding your personal data:

To exercise any of these rights, please contact us at privacy@grove.hr. We will respond to your request within one month.

If you are an employee whose data is processed through Grove on behalf of your employer, please contact your employer directly to exercise your rights, as they are the data controller for your information.

We use cookies and similar technologies to provide and improve our services. Our cookies fall into the following categories:

• Essential cookies: Required for the platform to function (e.g., authentication, security)
• Analytics cookies: Help us understand how users interact with our service
• Preference cookies: Remember your settings and preferences

You can manage your cookie preferences through your browser settings or our cookie consent banner. Note that disabling essential cookies may affect the functionality of the service.

We may share your personal data with:

• Service providers: Third parties who provide services on our behalf (e.g., hosting, payment processing), bound by data processing agreements
• Professional advisers: Lawyers, accountants, and insurers where necessary
• Legal authorities: When required by law or to protect our rights
• Business transfers: In connection with a merger, acquisition, or sale of assets

We do not sell your personal data to third parties for marketing purposes.