Legal

Privacy policy

Last updated: 28 March 2026

How Ukigai collects, uses, and protects personal data across our website and services—including your rights and choices.

1. Introduction

This Privacy Policy explains how Ukigai (“we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit our websites, use our software and services (collectively, the “Services”), or otherwise interact with us (for example, marketing, events, or support).

We are committed to transparency and to handling personal data responsibly. This policy is designed to meet common expectations for business-to-business (B2B) software-as-a-service (SaaS) providers and to support compliance with applicable privacy laws, including where relevant the GDPR (EU/UK) and U.S. state privacy laws (such as the CPRA in California).

This policy is not legal advice. Laws vary by country and industry; consult qualified counsel for your specific situation.

2. Who this policy applies to

This policy applies to:

  • Visitors to our marketing websites and landing pages.
  • Prospective customers who request demos, download content, or contact us.
  • Authorized users of the Services (for example, HR administrators and employees invited by their employer to use the platform).
  • Other individuals whose personal information we process in connection with the Services (for example, when your employer uses Ukigai to manage HR processes involving you).

If you use the Services on behalf of an organization, that organization is typically the controller of personal information about its workforce. We process that information as a processor or service provider under their instructions and applicable agreements (including our customer terms and data processing terms where provided).

3. Personal information we collect

We collect information in the following categories, depending on how you interact with us:

3.1 Information you provide

  • Account and profile: name, work email, organization name, role, password or authentication signals (we do not store passwords in plain text), and similar onboarding details.
  • Communications: messages you send via forms, chat widgets, email, or support channels; feedback and survey responses.
  • Billing (where applicable): billing contact details and payment-related information processed by our payment providers (we generally do not store full card numbers on our servers).

3.2 Information collected automatically

  • Device and usage data: IP address, approximate location derived from IP, browser type, operating system, pages viewed, referring/exit URLs, timestamps, and diagnostic or performance data.
  • Cookies and similar technologies: as described in Section 6.

3.3 Information from integrations and third parties

  • Authentication providers (for example, single sign-on) where enabled by your organization.
  • Analytics, email delivery, and infrastructure providers as described in Section 7.
  • Public sources in limited cases (for example, company information to prevent fraud or improve onboarding).

3.4 Customer content (employer-controlled data)

When your employer uses Ukigai, they may upload or generate employee-related data (for example, directory fields, time off, performance notes, documents, expenses). Your employer decides what data is entered and for what HR purposes. We process that data to provide the Services under their instructions.

4. How we use personal information

We use personal information to:

  • Provide and improve the Services (hosting, authentication, security monitoring, troubleshooting, product analytics in aggregated or de-identified form where appropriate).
  • Communicate with you about the Services, security notices, policy updates, and (where permitted) product education.
  • Operate our website and marketing (measuring interest, improving content, and—where you have opted in or law allows—sending relevant communications).
  • Protect rights and safety (fraud prevention, abuse detection, enforcing our terms, complying with law).
  • Comply with legal obligations and respond to lawful requests from public authorities.

We do not sell personal information in the conventional sense of selling lists of individuals for money. We do not use your employer’s employee data to train public-facing AI models for unrelated third parties.

5. Legal bases (EEA, UK, and similar jurisdictions)

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

  • Contract: processing necessary to provide the Services you or your organization requested.
  • Legitimate interests: for example, securing our systems, improving the product, and understanding aggregate usage—balanced against your rights.
  • Consent: where required for certain cookies, marketing emails, or optional features (you may withdraw consent at any time).
  • Legal obligation: where we must retain or disclose information to comply with law.

6. Cookies and similar technologies

We use cookies and similar technologies for essential functions (for example, session security, load balancing, remembering preferences), analytics (understanding traffic and performance), and sometimes marketing (where allowed).

You can control many cookies through your browser settings. Where required, we will obtain consent before using non-essential cookies and provide a way to update preferences.

7. How we share information and subprocessors

We share personal information only as needed to operate the Services:

  • Service providers (subprocessors) who host infrastructure, send email, provide analytics, payment processing, customer support tooling, or security services—under contracts that require appropriate confidentiality and security.
  • Professional advisers (lawyers, auditors) under confidentiality obligations.
  • Corporate transactions (merger, acquisition, financing)—subject to standard safeguards.
  • Legal and safety when we believe disclosure is required by law, regulation, legal process, or to protect rights, safety, and security.

We maintain an up-to-date understanding of our subprocessors and notify customers as required by contract or law when the list materially changes.

8. International transfers

We may process and store information in countries other than your own, including the United States and the European Economic Area, depending on our infrastructure and providers.

Where transfers from the EEA, UK, or Switzerland are involved, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or other mechanisms recognized by applicable law, together with supplementary measures where appropriate.

9. Retention

We retain personal information only as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law (for example, tax, accounting, or dispute resolution).

Customer content is generally retained according to your organization’s settings and our agreement with them. After account termination, we may retain certain records for a limited period as required by law or for legitimate business purposes (for example, backups with defined deletion cycles).

10. Security

We implement technical and organizational measures appropriate to the risk, including access controls, encryption in transit (and where appropriate at rest), logging, vulnerability management, and staff training.

No method of transmission or storage is 100% secure. We encourage customers to use strong authentication and to limit access within their organizations.

11. Your privacy rights

Depending on where you live, you may have rights to:

  • Access personal information we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete certain data, subject to legal exceptions.
  • Restrict or object to certain processing.
  • Data portability where technically feasible.
  • Withdraw consent where processing is consent-based.
  • Opt out of certain “sharing” or targeted advertising where U.S. state law applies (we describe sale/share practices above).
  • Lodge a complaint with a supervisory authority.

To exercise rights regarding data your employer controls in Ukigai, contact your employer first. To exercise rights regarding data we hold as controller (for example, your marketing or account contact details), contact us using the details in Section 17. We will respond within timelines required by applicable law.

12. California residents (summary)

If you are a California resident, the CPRA may grant you additional rights, including rights to know, delete, and correct personal information, and to opt out of certain types of sharing for cross-context behavioral advertising (we do not characterize our activities as “selling” personal information as defined in the CPRA).

You may designate an authorized agent in line with California rules. We will not discriminate against you for exercising privacy rights.

13. Children’s privacy

The Services are not directed to children under 16 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.

14. Marketing communications

Where law requires it, we will obtain opt-in consent before sending promotional emails. You can unsubscribe at any time using the link in our emails or by contacting us. Transactional messages (security alerts, billing, service notices) may continue as needed.

15. Automated decision-making

We do not use personal information for solely automated decisions that produce legal or similarly significant effects about individuals, unless we clearly disclose otherwise and provide a meaningful opportunity for human review where required by law.

16. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. If changes are material, we will provide additional notice as appropriate (for example, email or in-product notice).

17. Contact us

For privacy questions or requests regarding information we process as a controller, contact us through the Contact page on our website or at the email address published there.

For supervisory authority contacts in the EEA/UK, you may contact the authority in your country of residence.

This policy is provided for transparency. It does not by itself create contractual rights; your agreement with us is governed by our terms of service where applicable.