Privacy Policy

This Privacy Policy explains how Produktų inžinerija, MB, a company registered in Lithuania (company code 305570982), with its registered office at Užupio g. 26-6, LT-01203 Vilnius, Lithuania, trading as “HR Punks” (“HR Punks”, “we”, “us”, “our”), handles personal data in connection with our website, our Slack applications — Survey Punk, Celebrate Punk, and Kudos Punk — and our web dashboard (together, the “Service”).

Questions about this policy or your personal data: [email protected].

1. Our Roles: Controller and Processor

The way we handle personal data depends on the context.

• We are the data controller for our marketing website, for account, billing, and business-contact information about our customers, and for messages you send us through our support channels.
• We are a data processor for the employee and workspace data your organisation submits into Survey Punk, Celebrate Punk, and Kudos Punk. In that context your organisation (your employer) is the controller, and we process that data only on your organisation’s documented instructions under a Data Processing Agreement (GDPR Article 28). Our Data Processing Agreement is available separately and governs that processing; where it conflicts with this Policy on processor matters, the Data Processing Agreement prevails.

If you are an employee or end user and you want to access, correct, or delete data held in our apps, please contact your employer, which is the controller of that data. We will assist your employer in responding to your request, but we cannot act on it directly.

2. Personal Data We Collect

Website visitors and prospects

• Information you submit through forms (such as name, email address, job title, and anything you write).
• Analytics and cookie data when you visit www.hrpunks.com (see Section 8).

Customers (account and billing)

• The identity of the workspace administrator who installs or manages the Service, including name, email address, and Slack workspace and channel identifiers obtained via Slack authorisation.
• Billing and contact details necessary to provide the Service.

Workspace and employee data (processed on your employer’s behalf)

Depending on which apps your organisation uses, we process:

• Slack profile data: name, display name, email address, profile photo, Slack user ID, and the workspace/channel identifiers needed to operate.
• Survey Punk: survey answers and free-text comments, collected and reported anonymously. We show survey results only in aggregate and do not attribute individual answers to a named person. A respondent may choose to reveal their identity on a specific comment — in that case we attribute only that comment to them; their survey answers and any other comments stay anonymous.
• Celebrate Punk: dates of birth, work-anniversary and hire dates, recognition/leaderboard activity, and event records (such as birthdays, anniversaries, welcomes, and departures), together with celebratory messages.
• Kudos Punk: peer-recognition messages and the identifiers of senders and recipients.
• HR system data (optional): where your organisation connects an HR information system (for example Personio) or uploads an employee file, we import fields such as name, email, supervisor, department/team, employment type, hire date, termination date, gender, and date of birth.

Some of this data may include special categories of personal data within the meaning of GDPR Article 9 — for example dates of birth and, where imported from your employer’s HR system, gender. Establishing a lawful basis for special-category data under Article 9 is the responsibility of your employer as controller.

We only process data sent to us through your use of the Service. Our apps do not read, store, or analyse your past or archived Slack messages or unrelated channel activity. The Kudos app requests the Slack permission to read public-channel messages (channels:history) in order to operate within channels; we do not use that permission to store or analyse channel message history.

3. Support Requests

When you contact us through our support page or by email, we collect your name, email address, any company name you provide, and the content of your message, so that we can respond. If you paste employee or third-party data into a support message, that data is processed on your organisation’s behalf as described in Section 1.

4. Purposes and Legal Bases

Where we act as controller, we rely on the following legal bases under GDPR Article 6:

• Performance of a contract (Art. 6(1)(b)) — to create and manage accounts, provide the Service, and bill for it.
• Legitimate interests (Art. 6(1)(f)) — to secure and improve the Service, prevent fraud and abuse, respond to support requests, and send business-to-business communications to our customers. Our interest is operating and growing a secure, reliable Service; we balance it against your rights.
• Consent (Art. 6(1)(a)) — for non-essential cookies and analytics, and for marketing emails where consent is required. You can withdraw consent at any time.

Where we act as processor, we process personal data only on the documented instructions of your employer (the controller). The lawful basis for that processing, including any special-category data, is determined by your employer, not by us.

5. Automated Decision-Making and AI

We do not carry out solely automated decision-making that produces legal or similarly significant effects, and we do not profile you in that way. We do not use artificial-intelligence or large-language-model systems to process customer or employee data.

6. Recipients and Sub-Processors

We do not sell personal data. We share it only with service providers who help us run the Service, under contracts that require appropriate safeguards. Our sub-processors are:

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting: compute, database, cache, queue	EU — Dublin, Ireland
DigitalOcean	Hosting of the marketing site and dashboard frontend	EU — Frankfurt, Germany
Sentry (Functional Software, Inc.)	Error and performance monitoring	EU — Germany

Error reports sent to Sentry may include technical context and identifiers such as your email address and Slack user ID where these are present at the time of an error.

Slack is the channel through which the apps operate, under your organisation’s own agreement with Slack Technologies (Salesforce, Inc.). Slack is not engaged by us as a sub-processor; your organisation maintains its own relationship with Slack.

Sub-processing of workspace and employee data is governed by our Data Processing Agreement, including at least 30 days’ prior notice of any change of sub-processor.

7. International Transfers

All personal data we process is stored and processed within the European Economic Area (EEA). We do not transfer personal data to countries outside the EEA. If this changes, we will update this Policy and put appropriate transfer safeguards (such as Standard Contractual Clauses) in place.

8. Cookies and Analytics

Our marketing website uses cookies. Strictly necessary cookies are used to make the site work. With your consent, we use analytics cookies (Google Analytics) to understand how the site is used and to improve it. You can refuse or withdraw consent to non-essential cookies through your browser settings or any cookie controls we provide, without affecting the lawfulness of processing before withdrawal.

9. Data Retention

• Website and analytics data: retained for the period set by our analytics configuration and then deleted or anonymised.
• Account, billing, and business-contact data: retained for the duration of the customer relationship and for as long afterwards as required by applicable Lithuanian accounting and tax law.
• Support requests: retained for as long as needed to handle the request and for a reasonable period afterwards for quality and record-keeping.
• Workspace and employee data (processed as processor): retained for the duration of the Service and deleted after termination in accordance with our Data Processing Agreement (deletion of primary copies within 90 days of termination, with routine backups rolling off shortly after). We also delete personal data on the controller’s documented instruction.

10. Security

We apply technical and organisational measures appropriate to the risk, including encryption of data in transit, network isolation within a private cloud environment, role-based access controls, restriction of personnel access to what is necessary, and error monitoring with alerting. No method of transmission or storage is completely secure, but we work to protect personal data and to review our measures over time.

11. Your Rights

Subject to the conditions in the GDPR, you have the right to access your personal data; to have it corrected or erased; to restrict or object to its processing; to data portability; and to withdraw consent where processing is based on consent.

• For data where we are the controller (website, account, billing, support), contact us at [email protected].
• For data inside our apps, where your employer is the controller, contact your employer; we will assist them.

You also have the right to lodge a complaint with a supervisory authority. In Lithuania this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), L. Sapiegos g. 17, LT-10312 Vilnius, [email protected]. You may also complain to the supervisory authority where you live or work.

12. Changes to This Policy

We may update this Policy from time to time. We will post the updated version here with a new “Effective Date” and, where changes are material, take reasonable steps to notify affected customers.

13. Contact

Produktų inžinerija, MB (trading as HR Punks) Užupio g. 26-6, LT-01203 Vilnius, Lithuania · Company code 305570982 Email: [email protected]