CALIFORNIA PRIVACY POLICY

HRdeck.com  | Aspect Solutions Inc. 

Last Updated: December 2025
Effective Date: December 1, 2025

1. Introduction and Scope

This California Privacy Policy supplements the Website Privacy Policy with respect to specific rights granted under the California Consumer Privacy Act of 2018 (as amended, the “CCPA”) and the California Privacy Rights Act of 2020 (the “CPRA,” and together with the CCPA, collectively “California Privacy Laws”) to natural person California residents.

This supplement provides information regarding how California residents can exercise their rights under California Privacy Laws. This California Privacy Policy is only relevant to you if you are a resident of California as determined in accordance with the CCPA/CPRA.

Regulated Entity

This policy applies to Aspect Solutions Inc., operating as: – HRdeck (hrdeck.com)

Important Distinction: Employer vs. Employee Data

Employee Personal Information:
If you are an employee of a company using HRdeck’s platform, that company is the primary data controller, and we are the data processor. You should request privacy information from your employer first. This California Privacy Policy applies only to personal information you provide directly to HRdeck or information HRdeck collects from you as a website visitor.

2. Applicability

2.1 Scope of This Policy

This California Privacy Policy applies solely to your interactions with us as: – Website visitors (hrdeck.com) – Prospective customers evaluating our services – Company administrators and HR professionals setting up HRdeck – Support and compliance users

2.2 Not Applicable To

This California Privacy Policy does not apply to: – Employee data stored by your employer through HRdeck – Your employer is the controller; see your employer’s privacy notice – Employment relationships with HRdeck (separate privacy notice provided) – Job applicants seeking employment at Aspect Solutions Inc. (separate notice provided) – Investor communications and accounts – B2B contracts with other companies

If your employer uses HRdeck, your personal data is controlled by your employer as data controller. Request privacy disclosures from your employer.

2.3 Children’s Privacy

We do not knowingly collect information from children under 13. For users 13-15, we require notice and opportunity for opt-out before collection. We do not sell or share personal information of children under 16 without parental consent.

3. Categories of Personal Information Collected

3.1 Information Collected Over Last 12 Months

We collect information about website visitors and customers. The categories of personal information we have collected from individuals on our Websites over the last twelve (12) months include:

Identifiers

• Name and business title
• Email address and phone number
• Business mailing address
• Internet Protocol (IP) address
• Company name and business identifier
• Account username and account ID
• Device identifiers
• Unique identifiers assigned by us

Other Customer Records

• Telephone number and contact information
• Information provided during account registration and access
• Payment method information (processed through third-party providers only)
• Account history and transaction records
• Support and service request records

Commercial Information

• Account data and service usage history
• Subscription information and service tier
• Pricing information and billing records
• Payment history and transaction records
• Service preferences and configuration settings
• Feature usage patterns and analytics
• Training and onboarding history

Professional or Employment-Related Information

• Job title and company role
• Company information and industry
• Professional credentials and certifications
• HR expertise and experience level
• Compliance responsibilities
• Staffing and organizational structure information (if disclosed)

Internet or Other Electronic Network Activity Information

• Website usage data (pages visited, features accessed, actions taken)
• Cookies and tracking technologies (analytics)
• Browsing history within our platform
• Time spent on pages and session information
• User action logs and feature interaction patterns
• Download and document access history
• Integration connections and third-party platform access logs
• Mobile app usage and feature adoption data

Precise Geolocation Data

• GPS coordinates (if you enable location services; generally not collected for B2B services)
• Location derived from IP address
• Geographic information inferred from registration data

Sensitive Personal Information (per CPRA)

Limited Collection:
HRdeck may collect the following only when necessary for service delivery: – Government-issued identifiers (only if business requires verification) – Financial account information (credit card details processed by third parties; we do not store) – Citizenship and immigration status (if disclosed for compliance training purposes) – Trade secrets and confidential business information (if shared for HR compliance consulting) – Union membership status (if disclosed for compliance purposes) – Health and safety information (if disclosed for compliance training) – Contents of communications (support tickets, emails, chat logs retained per policy)

Inferred Information

• Inferences about your company’s HR needs and challenges
• Predicted compliance risks based on company profile
• Staffing patterns and organizational needs (inferred)
• Industry-specific compliance challenges (inferred)
• Company stage and growth trajectory (inferred)

3.2 Sensitive Personal Information Notice

Under the CPRA, we handle Sensitive Personal Information with enhanced care: – We limit collection of SPI to only what is necessary for service delivery – We limit use and disclosure of SPI to specified business purposes – We provide consumers the right to limit use and disclosure of their SPI – We implement additional security measures for SPI protection – We provide transparency about how SPI is used

4. Sources of Personal Information

4.1 How We Obtain Your Personal Information

In connection with operating HRdeck, we collect personal information from:

Information You Provide Directly

• Website registration and account creation
• Online forms and inquiry submissions
• Email and support communications
• Phone calls and live chat conversations
• Payment and billing information
• Training and onboarding sessions
• Feature configuration and preference settings
• Support requests and inquiries
• Survey responses and feedback
• Webinar and event participation
• Documentation and file uploads
• Integration setup and configuration

Information Captured Automatically

• Website analytics and usage tracking
• Browsing history and navigation patterns
• Device information and identifiers
• IP address and approximate location
• Cookie data and tracking technologies
• Session logs and login information
• Feature usage and adoption analytics
• Error logs and troubleshooting data
• Performance metrics and usage statistics

Information from Third Parties

• Payment processors (Stripe, PayPal, etc.)
• Email and communication service providers
• Analytics providers (Google Analytics, Mixpanel, etc.)
• Cloud infrastructure providers (AWS, Google Cloud, etc.)
• Customer support platforms
• Business information providers (business registries, D&B)
• Social media platforms (if you link accounts)
• Third-party integrations (with your authorization)

Aggregated and Inferred Information

• Information combined from multiple sources
• Inferences about your business needs
• Analytics based on platform usage patterns
• Aggregated compliance risk assessments

5. Business Purposes for Using Personal Information

5.1 How We Use Your Personal Information

We use personal information for one or more of the following business purposes:

Service Delivery

• To provide HRdeck compliance platform services
• To maintain your account and access
• To process your requests and respond to inquiries
• To deliver compliance tools and resources
• To provide HR compliance templates and guidance
• To track your compliance progress and provide recommendations
• To integrate with your third-party HR systems
• To provide technical support and troubleshooting

Website and Service Improvement

• To improve our Websites and services
• To notify you about changes to services
• To test features and conduct user research
• To optimize user experience and platform performance
• To develop new features and functionality
• To conduct usability testing and analytics
• To understand compliance needs and pain points

Communication

• To send administrative communications and notifications
• To respond to requests for information and support
• To notify you of changes to policies or services
• To send security alerts and notifications
• To provide training and onboarding materials
• To notify you of compliance updates and regulatory changes

Compliance and Legal

• To comply with employment and HR regulations
• To comply with California Privacy Laws
• To establish, exercise, or defend legal claims
• To respond to government requests and regulatory requirements
• To prevent fraud and illegal activity
• To comply with record retention requirements

Operations and Administration

• Ongoing operations, administration, accounting, reporting
• Account maintenance and billing
• Payment processing and invoicing
• Dispute resolution and customer service
• Internal record-keeping and documentation

Security and Safety

• To detect security incidents and protect against malicious activity
• To investigate and prevent unauthorized access
• To protect the rights, property, and safety of our company and users
• To implement security measures and monitor system integrity
• To prevent spam and policy violations

Marketing and Analytics

• To keep you informed of our products and services (with consent)
• To contact you about products similar to those you use
• To conduct market research and analyze usage patterns
• To measure campaign effectiveness
• To create aggregate insights
• NOT for behavioral advertising without consent

5.2 Legal Basis for Processing

We process personal information based on: – Your explicit consent – Performance of a contract or service with you – Compliance with legal obligations – Legitimate business interests – Public task or authority

6. Sharing and Disclosure of Personal Information

6.1 We Do NOT Sell Your Personal Information

Clear Statement:
We do not sell any of the personal information we collect about you to third parties for monetary consideration. We have not sold personal information in the last 12 months and maintain this commitment.

We also do not share your personal information for cross-context behavioral advertising without your consent.

6.2 Disclosure to Third Parties

We do not disclose personal information except as permitted by law and to:

Service Providers

• Cloud hosting providers (AWS, Google Cloud, DigitalOcean, Cloudflare)
• Payment processors (Stripe, PayPal)
• Email and communication service providers
• Customer support platforms
• Analytics providers
• Database and security providers
• Backup and disaster recovery providers

Legal and Regulatory Requirements

• Governmental agencies and law enforcement
• In response to legal process (subpoenas, court orders)
• As required by law or regulation
• To comply with California Privacy Laws

Business Transfers

• In the event of merger, acquisition, or business transfer
• We will provide advance notice

6.3 Data Processing Agreements

All service providers maintain written Data Processing Agreements requiring: – Compliance with CCPA, CPRA, and all privacy laws – Appropriate security measures – Use of data only for specified business purposes – No sale or unauthorized sharing of data – Cooperation with consumer privacy rights requests

7. Data Security and Protection

7.1 Security Measures

We implement organizational, physical, technical, and procedural safeguards: – Encryption of data in transit (TLS 1.2+) and at rest (AES-256) – Access controls and role-based permissions – Multi-factor authentication – Network firewalls and intrusion detection systems – Regular security assessments and penetration testing – Employee training on data protection – Secure deletion of data at end of retention period – Incident response procedures

7.2 Data Breach Notification

In the event of a data breach: – We will notify affected California residents within 30 calendar days – We will notify the California Privacy Protection Agency within 15 days if 500+ residents are affected – Notifications will describe the breach, information involved, and protective steps – Notifications will include contact information for more information

8. Data Retention

8.1 Retention Periods

We retain personal information only as long as necessary:

8.2 Deletion Upon Request

Subject to legal exceptions, we will delete personal information upon your request as provided in Section 9 within 45 calendar days of verification.

9. Your California Privacy Rights

9.1 Comprehensive Overview

California residents have the following rights under CCPA/CPRA:

Right to Know – Request disclosure of information we collect and use
Right to Delete – Request deletion of your personal information
Right to Correct – Request correction of inaccurate information
Right to Opt-Out of Sales/Sharing – Opt out of data sales or behavioral advertising
Right to Limit SPI – Limit use of sensitive personal information
Right to Non-Discrimination – Equal service regardless of privacy choices
Right to Authorized Agent – Designate someone to make requests on your behalf

9.2 Right to Know

Right Description:
You have the right to request that we disclose: – Categories of personal information we collected – Categories of sources of personal information – Our business purpose for collecting information – Categories of third parties with whom we share information – Whether we disclosed or sold information, and to whom – The specific personal information we have about you

Timeframe:
You may submit up to two requests in a twelve-month period at no charge.

Response Timeline:
We will respond within 45 calendar days of receipt (up to 90 days if necessary).

9.3 Right to Delete

Right Description:
You have the right to request deletion of personal information we retain, subject to exceptions.

Exceptions:
We may retain information if necessary to: – Complete transactions you initiated – Provide services you requested – Detect security incidents or prevent fraud – Comply with legal obligations – Enable other uses compatible with context of collection – Defend against legal claims

Response Timeline:
We will delete within 45 calendar days (with possible extension).

9.4 Right to Correct

Right Description:
You have the right to request correction of inaccurate information we maintain.

Response Timeline:
We will correct within 45 calendar days (with possible extension).

9.5 Right to Opt-Out of Sales and Sharing

Right Description:
You have the right to opt out of: – Sale of your personal information – Sharing for cross-context behavioral advertising

Current Status:
We do not currently sell or share your personal information.

How to Opt-Out:
Submit a request with “DO NOT SELL MY PERSONAL INFORMATION” in the subject line using methods in Section 11.

9.6 Right to Limit Use of Sensitive Personal Information

Right Description:
You have the right to limit our use of SPI to only what is necessary to provide services.

How to Exercise:
Submit a request with “LIMIT USE OF MY SENSITIVE PERSONAL INFORMATION” in the subject line.

9.7 Right to Non-Discrimination

We will not discriminate against you for exercising your rights: – We will not deny service or charge different prices – We will not provide different service quality – We will not coerce you into waiving your rights

9.8 Right to Authorized Agent

You may designate an authorized agent to make requests. Your agent must: – Provide a signed, notarized letter of authorization – Provide proof of authority (power of attorney, etc.) – Be verified according to our procedures

10. How to Exercise Your Rights

10.1 Submission Methods

To exercise your rights, submit a request using any of the methods below:

Email:
Send your request to: support@hrdeck.com
(Monitored during business hours)

Mailing Address:
Aspect Solutions Inc.
717 K Street
Sacramento, CA 95814
Attn: Privacy Team

10.2 Verification Process

Identity Verification:
We will request information to verify your identity, including: – Confirmation of account details – Basic identifying information (name, email, phone) – Account login credentials (optional)

What We Will NOT Request:
– Government-issued identification numbers (SSN, driver’s license) – Full financial account information or passwords – Sensitive information unrelated to your request

Response Timeline:
We will respond within 45 calendar days (up to 90 days if necessary).

11. California Privacy Protection Agency

If you have concerns about our privacy practices, you may file a complaint with:

California Privacy Protection Agency
Email: info@cppa.ca.gov
Website: cppa.ca.gov
Mailing Address: 3000 El Camino Real, Suite 200, Palo Alto, CA 94306

12. Privacy Policy Relationship

12.1 Integration with Main Privacy Policy

This California Privacy Policy supplements our Website Privacy Policy. In the event of conflict, this policy governs for California residents.

12.2 Information in Main Privacy Policy

For additional information not addressed here, please refer to our Website Privacy Policy.

13. Updates to This Policy

13.1 Right to Modify

Aspect Solutions Inc. reserves the right to modify this California Privacy Policy at any time. Material changes will be posted with an updated “Last Updated” date.

13.2 Notice of Changes

For material changes: – We will post prominent notice on our Websites – We will send email notification to users – We will update the “Last Updated” date – We will explain material changes

14. Contact Us

Privacy Questions and Requests:

Email:
support@hrdeck.com

Mailing Address:
Aspect Solutions Inc.
717 K Street
Sacramento, CA 95814
Attn: Privacy Team

For Complaints:
California Privacy Protection Agency
Email: info@cppa.ca.gov

15. Special Provisions for HR Professionals

15.1 Dual Capacity

If you are an HR professional using HRdeck, you may have: – Personal information (as described in this policy) – Access to employee data (your employer is the controller)

Your personal information rights are in this policy. Employee data handling is controlled by your employer.

15.2 Compliance Information

You have the right to request: – How HRdeck uses compliance data – Which compliance information is collected – How long compliance information is retained – Who has access to compliance information

16. Employee and Applicant Privacy

If you are an employee of Aspect Solutions Inc. or a job applicant, you will receive a separate privacy notice specific to your employment or application. That notice will govern personal information collected in that context.

17. Acknowledgment

By using our Websites, you acknowledge that you have read and understood this California Privacy Policy. You understand your rights under California Privacy Laws and how to exercise them.

Last Updated: December 2025
Effective Date: December 1, 2025