Last updated: 23 May 2025

 

1. Who We Are

Armano, Inc. (“Armano,” “we,” “us,” or “our”) provides an all-in-one HR and workplace-productivity platform available at armano.io and through our mobile and desktop applications (collectively, the “Service”).

2. Scope

This Policy explains what personal data we collect, why, how we process it, who we share it with, and what rights you have. It covers:

Covered | Not Covered
Visitors to armano.io | Third-party sites you reach via links
Customers and their Authorized Users | Partner sites with their own policies
Job applicants | Offline activities not related to the Service

If any local law conflicts with this Policy, that law governs—but only to the extent of the conflict.

3. Data We Collect

Category | Examples | Purpose (see §4)
Account Data | Name, email, company, role | A, B
HRIS & Payroll Data | Compensation, bank details, national ID, dependents | B, C
Workplace Content | Chat messages, uploaded files, org charts, goals, reviews | B
Usage & Device Data | IP address, browser type, time-tracking logs, crash logs | D
Sensitive Data (EU “special categories”) | Health leave reasons, diversity metrics (optional) | B, C
Third-Party Integrations | Google Workspace, Microsoft 365, calendar events, meeting recordings | B
Cookies & Similar Tech | UUID, session tokens, analytics beacons | D

We do not intentionally collect data from children under 16 and will delete it if discovered.

4. Why We Use Your Data

Code | Lawful Basis* | Why
A | Contract | Provide, secure, and troubleshoot the Service you or your employer requested.
B | Legitimate Interests | Collaborate, communicate, and improve core features. We’ve balanced these interests against your rights.
C | Legal Obligation | Payroll, tax, employment, and financial-record retention.
D | Consent | Optional analytics cookies, marketing e-mails, or any processing you explicitly enable.

*As defined by the EU GDPR. If you’re in a jurisdiction that recognizes different legal bases (e.g., Brazil’s LGPD or California’s CCPA/CPRA “business purposes”), we rely on analogous grounds.

5. How We Process & Retain Data

  • Data are encrypted in transit (TLS 1.3) and at rest (AES-256).

  • Production runs on Kubernetes with per-tenant logical isolation; files live on AWS S3 with bucket-level encryption.

  • Zero-trust access model: every microservice uses mTLS and short-lived tokens issued by Keycloak.

  • Retention: We delete or anonymize customer content 30 days after contract termination, unless law or a legitimate dispute requires longer. System logs roll after 180 days.

6. Sub-Processors

We vet each vendor for security, privacy, and GDPR Article 28 obligations.

Vendor | Purpose | Location | Safeguard
Amazon Web Services | Hosting, storage | USA/EU | DPF SCCs
Google Cloud | Optional calendar sync | Global | SCCs
OpenAI, LLC | On-demand text generation (Job descriptions, OKR suggestions) | USA | API data not used to train OpenAI models*
LiveKit | Video meetings | USA/EU | Encryption in transit
Stripe, Inc. | Billing | USA | PCI-DSS

*We have a no-data-sharing contract addendum with OpenAI; data are retained <30 days solely for abuse monitoring.

7. Disclosures & Transfers

International transfers outside the EEA/UK use (i) EU-US Data Privacy Framework certifications, (ii) UK Extension, and (iii) Standard Contractual Clauses with supplementary measures. We do not sell personal data. Period.

8. Google Workspace Limited Use Disclosure

Armano’s optional Google Workspace integration uses OAuth-scoped access (Calendars, Drive, Meet recordings) only to provide in-product functionality you enable. We do not use data obtained from Google Workspace APIs to develop, improve, or train generalized AI or ML models—ever. This complies with the Google API Services User Data Policy, including the Limited Use requirements.


9. AI & Machine Learning Transparency

  • Our built-in AI features (e.g., job-description generator, quiz creator) use stateless, per-request prompts.

  • Customer data are never fed back into model training or fine-tuning for any generalized system.

10. Your Rights

Region | Rights & How to Exercise
EU/EEA & UK (GDPR) | Access, rectification, erasure, restriction, portability, objection, automated-decision opt-out. Email privacy@armano.io. You may lodge a complaint with your local DPA.
California (CPRA) | Right to know, delete, correct, limit use of sensitive data, opt-out of “sharing,” non-discrimination. Use our Self-Service Privacy Center or email privacy@armano.io.
Brazil (LGPD) | Confirm existence, access, correct, anonymize, delete, port, revoke consent. Use privacy@armano.io.

We will respond within 30 days (and within 15 days for CPRA verify-delete requests).

11. Cookies & Tracking

We use only:

  • Essential cookies (auth, load balancing) – always on.

  • Analytics (Matomo, self-hosted) – opt-in for EU; opt-out anytime.

  • No third-party ads, no cross-site cookies.

Browser Do-Not-Track is honored.


12. Security Incidents

If we discover a breach involving your data, we will notify Customer admins within 72 hours (GDPR) or without unreasonable delay (other regimes), including scope, impact, and remediation.


13. Changes to This Policy

We’ll post any material change here and email Customer admins 30 days before it takes effect. Continued use after the effective date means you accept the update.

14. Contact & Complaints

Data Protection Officer

DPO, Armano, Inc.
dpo@armano.io

If you are in the EEA, you may also contact our EU representative under Article 27 GDPR:

GDPR-Rep.eu GmbH
Kaiserplatz 2, 53113 Bonn, Germany
eu-rep@armano.io

Plain-English Summary (no legalese):

  • We collect exactly what we need to run an HR platform—no more.

  • We encrypt everything and let you delete anything.

  • We never sell or train big-brain models on your data.

  • Using Google Workspace? Relax; your docs and calendar data stay inside your account and don’t feed any AI.

  • You’re in control: download it, fix it, nuke it—just tell us.