NewBIR TRAIN Law brackets are now live in WORKSPHR. Learn more
Legal

Privacy Policy

Effective: April 1, 2026Last updated: April 29, 2026

1. Introduction

CRUD.IT Solutions Inc. (“WORKSPHR,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR).

This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use our HRIS & Payroll Software-as-a-Service (“Service”) and our website at worksphr.com.

By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller / Personal Information Controller

The data controller responsible for your personal information is:

  • Company: CRUD.IT Solutions Inc.
  • Address: Berthaphil III, Clark Center 45, Clark Freeport Zone, Pampanga 2023, Philippines
  • Data Protection Officer (DPO): Available at dpo@worksphr.com
  • NPC Registration: Pending submission per NPC Circular 17-01

3. Personal Data We Collect

3.1 Account Information

When you register, we collect: name, email, phone number, company name, designation, and authentication credentials.

3.2 Employee Data (Processed on Behalf of Customers)

When you upload employee records to WORKSPHR for HR/payroll processing, we process: full names, employee IDs, dates of birth, gender, marital status, addresses, contact information, salary, statutory numbers (SSS, PhilHealth, Pag-IBIG, TIN), bank account details, dependents, employment history, performance records, leave records, and time/attendance data.

3.3 Usage Data

Information about how you use our Service: IP address, browser, device, pages visited, actions performed, timestamps, error logs.

3.4 Cookies and Tracking

We use cookies for authentication, preferences, and analytics. See our Cookie Policy.

We process personal data only when we have a lawful basis under the Data Privacy Act:

  • Consent: When you sign up or provide explicit consent for specific uses.
  • Contract: To deliver the Service you requested.
  • Legal Obligation: To comply with Philippine tax, labor, and statutory laws.
  • Legitimate Interest: For security monitoring, fraud prevention, and Service improvements.

5. How We Use Your Data

We use personal data to:

  • Provide, maintain, and improve the Service
  • Process HR and payroll transactions on your behalf
  • Generate compliance reports for SSS, PhilHealth, Pag-IBIG, BIR, DOLE
  • Authenticate users and prevent unauthorized access
  • Communicate with you about Service updates, billing, and support
  • Detect and prevent security incidents
  • Comply with legal obligations

6. Data Sharing and Disclosure

We do NOT sell your personal data. We share it only:

  • With your authorization: To third-party services you connect (e.g. banks, accounting software).
  • With service providers: Cloud hosting (AWS Asia Pacific), email services, support tools, all bound by data processing agreements.
  • With government agencies: When required to file SSS, PhilHealth, Pag-IBIG, BIR returns on your behalf.
  • For legal compliance: When compelled by court order, NPC inquiry, or law enforcement.
  • In business transfers: If WORKSPHR is acquired, your data may transfer to the acquirer (with notice and continued protection).

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy and to comply with legal requirements:

  • Active customer data: Retained throughout your subscription
  • Payroll records: Retained for 10 years (per BIR / NIRC requirements)
  • 201 files (employment records): Retained for 5 years post-termination (per Labor Code)
  • SSS / PhilHealth / Pag-IBIG remittance records: Retained for 10 years
  • Account closure: Anonymization within 90 days unless legal holds apply

8. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access control: Role-based access, MFA required for admin actions
  • Audit logs: All data access and modifications logged
  • Penetration testing: Annual third-party security audits
  • SOC 2 Type II: In progress (target: Q4 2026)
  • NPC compliance: Privacy Impact Assessment (PIA) on file

9. Your Rights Under the Data Privacy Act

You have the following rights regarding your personal data:

  • Right to be informed: About collection and use
  • Right to access: Request a copy of your data
  • Right to rectification: Correct inaccuracies
  • Right to erasure: Request deletion (subject to legal retention)
  • Right to data portability: Export in machine-readable format
  • Right to object: To processing for direct marketing
  • Right to lodge a complaint: With the National Privacy Commission

To exercise these rights, email privacy@worksphr.com. We respond within 15 working days per NPC guidelines.

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the National Privacy Commission within 72 hours per NPC Circular 16-03
  • Notify affected data subjects without undue delay
  • Take immediate corrective and remedial actions
  • Document the incident and response in our breach register

11. Children’s Privacy

Our Service is intended for businesses and their adult employees. We do not knowingly collect personal data from children under 18. If we discover such data, we will delete it promptly.

12. International Data Transfers

Your data is primarily stored in AWS Asia Pacific (Singapore) data centers. Any transfer outside the Philippines is subject to:

  • Cross-border data transfer safeguards per RA 10173 Section 21
  • Contractual data processing agreements with all sub-processors
  • Equivalent-level data protection assurance

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last Updated” date. Material changes will be communicated via email to active customers at least 30 days before taking effect.

14. Contact Us

For privacy questions or to exercise your rights:

  • Email: privacy@worksphr.com
  • DPO: dpo@worksphr.com
  • Mail: Data Protection Officer, CRUD.IT Solutions Inc. Berthaphil III, Clark Center 45, Clark Freeport Zone, Pampanga 2023, Philippines
  • NPC: To file a complaint with the National Privacy Commission, visit privacy.gov.ph