📄 This is a courtesy web view. The downloadable PDF is the legally-binding artifact.

Privacy Notice

Effective Date: 2026-05-18 (or the date you first interacted with SeasideHR, whichever is later)

This Privacy Notice describes how Michael Sieben — SeasideHR, an Einzelunternehmer (sole proprietorship) under the laws of the Federal Republic of Germany, registered office at Kurscheider Weg 6, 50767 Köln, Steuernummer 217/5278/9975, W-IdNr. DE288156645 ("SeasideHR", "we", "us", "our"), collects, uses, and shares Personal Data about you.

For questions or to exercise your rights, contact:

  • General: michael.sieben@seasidehr.org
  • Privacy: privacy@seasidehr.org

SeasideHR has not appointed a Data Protection Officer (no statutory obligation to do so under §38 BDSG at current scale). The competent supervisory authority for SeasideHR is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.


1. Scope of this Notice

This Notice covers SeasideHR's Controller-side Processing of Personal Data:

  • visitors to the SeasideHR websites (seasidehr.org, internal.seasidehr.org, customer.seasidehr.org, and any other SeasideHR-owned domain);
  • prospective customers who request information, book calls, or download materials;
  • signed-in users of the SeasideHR platform (operator, consultant, freelancer, customer-side users);
  • counterparties of contracts (signatories of NDAs, MSAs, SOWs, DPAs, ToS-acceptances);
  • recipients of marketing or service communications (e.g. newsletter subscribers);
  • candidates or other individuals identified in talent-market research that SeasideHR conducts for its own purposes (rare; typically aggregated).

Out of scope: Personal Data we Process on behalf of a Customer in providing the Services. That Processing is governed by the SeasideHR Data Processing Agreement at https://seasidehr.org/legal/dpa, where SeasideHR acts as a Processor (Article 4(8) GDPR) and the Customer is the Controller.


2. Categories of Personal Data we collect

2.1 Information you provide

| Category | Examples | Source |
| --- | --- | --- |
| Identity and contact data | Name, email, phone, employer / organisation, job title | You provide it directly via website forms, in conversations, on contract documents |
| Account credentials | Email + auth-provider identity (we use a passwordless / SSO model) | Sign-in flow |
| Communication data | Email content, chat content, meeting notes, calendar invitations | You communicate with us |
| Contractual data | Signatory name, signature, signature date, IP address at signature, billing details | Contract execution and invoicing |
| Payment information | Billing address, VAT-ID, payment-method identifier (the actual card number is held by Stripe, our payment processor — we do not store card data) | Checkout / invoicing |
| Marketing preferences | Newsletter opt-in, unsubscribe status, communication frequency preference | You manage these |

2.2 Information collected automatically

| Category | Examples | Source |
| --- | --- | --- |
| Usage data | Pages visited, links clicked, time on site, referrer URL, search queries inside the platform | Web analytics; in-product event logging |
| Device data | IP address, browser type, operating system, device identifiers, language preference | HTTP request metadata |
| Cookies and similar technologies | Session cookies, preference cookies, analytics cookies (where you consent) | See our Cookie Policy at https://seasidehr.org/legal/cookies |

2.3 Information from third parties

| Category | Examples | Source |
| --- | --- | --- |
| Enrichment data | Public company information (LinkedIn-style profile data, Companies House / Handelsregister entity data) | Public registries, public web; or business-data enrichment providers |
| Referrals | Name + email + introduction context | Where another party refers you to SeasideHR with your consent |

We do not purchase identified candidate lists, nor do we collect any Personal Data for the purpose of scoring, ranking, or filtering individual candidates.


3. Purposes and legal bases for Processing

Under GDPR Article 6 (and equivalent provisions of UK GDPR, FADP, BDSG, PIPEDA, Alberta PIPA, B.C. PIPA, Quebec Law 25, and CCPA/CPRA), we Process Personal Data for the following purposes on the following legal bases:

| Purpose | Categories of Personal Data | Legal basis (GDPR / equivalent) |
| --- | --- | --- |
| Providing the Services and operating accounts | Identity, contact, account credentials, communication, usage | Performance of a contract (Art. 6(1)(b)); for prospective customers and pre-contractual measures, also Art. 6(1)(b) |
| Communicating with prospects and customers | Identity, contact, communication | Legitimate interests (Art. 6(1)(f)) — running and growing a business; for marketing emails, consent (Art. 6(1)(a)) and §7 UWG for German recipients |
| Invoicing, payment, and tax | Contractual, payment, identity | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) — invoicing + §147 AO tax-retention |
| Improving the website and the Services | Usage, device | Legitimate interests (Art. 6(1)(f)) — product improvement; consent (Art. 6(1)(a)) for non-essential analytics |
| Security, fraud prevention, abuse handling | Identity, contact, usage, device | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable |
| Legal claims, audits, compliance | All categories as needed | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Recruiting (if you apply to work with SeasideHR) | Identity, contact, application data | Pre-contractual measures (Art. 6(1)(b)); §26 BDSG for German applicants |
| Marketing communications (newsletter, product updates) | Identity, contact, preferences | Consent (Art. 6(1)(a)); legitimate interests for similar-product B2B outreach under §7(3) UWG |

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Article 22 GDPR). SeasideHR's AI-assisted analytical work is performed under Human-in-the-Loop Review.


4. Cookies and similar technologies

SeasideHR uses cookies and similar technologies on its websites. We use strictly necessary cookies without consent, and we obtain your prior, informed consent before setting analytics, preference, or marketing cookies.

See the Cookie Policy at https://seasidehr.org/legal/cookies for the categories, names, retention, providers, and consent-management mechanism.


5. Sharing of Personal Data

We share Personal Data with the following categories of recipients, only as necessary for the purposes set out in Section 3:

| Recipient | Purpose | Country | Transfer mechanism (if outside EU/EEA) |
| --- | --- | --- | --- |
| Hosting and platform infrastructure (Vercel, Supabase) | Hosting and database for the SeasideHR platform | USA / EU/EEA | EU SCCs Module 2; EEA primary for Supabase |
| CRM (HubSpot) | Customer-relationship management; deal pipeline | USA / EU (Ireland) | EU SCCs Module 2 |
| Payment (Stripe) | Payment processing; invoicing | EU (Ireland) / USA | EU SCCs Module 2; Stripe is Controller for PCI-DSS payment data |
| E-signature (DocuSign) | Contract execution | EU (Ireland) / USA | EU SCCs Module 2; DocuSign DPA |
| Email (Resend) | Transactional and marketing email | USA | EU SCCs Module 2 |
| Productivity (Google Workspace, Notion, Airtable, Slack) | Communications, knowledge, internal records | USA / EU | EU SCCs Module 2 |
| Source-code repository (GitHub) | Engineering and security | USA | EU SCCs Module 2 |
| AI inference (Anthropic, OpenAI) | LLM-assisted analysis (under zero data retention) | USA | EU SCCs Module 3; zero-data-retention configuration |
| Research providers (Firecrawl, Perplexity) | Public-web research | USA | EU SCCs Module 3 |
| Background-job orchestration (Trigger.dev) | Async workflow execution | EU / USA | EU SCCs Module 2/3 |
| Professional advisors | Legal, accounting, audit | EU/EEA | n/a within EU; SCCs for non-EU advisors |
| Regulators and authorities | Where legally required | Variable | n/a (legal obligation) |
| Successor entities | M&A, asset sale, or transition to SeasideHR GmbH (§415 BGB Vertragsübernahme) | Initially Germany | n/a within EU |

We do not sell or share Personal Data for cross-context behavioural advertising within the meaning of CCPA/CPRA.

A live list of Sub-processors with current entity, country, purpose, and data categories is published at https://seasidehr.org/legal/subprocessors.


6. International data transfers

Some of the recipients listed in Section 5 are located outside the EU/EEA (primarily in the United States). For transfers from the EU/EEA, UK, or Switzerland to a third country not benefiting from an adequacy decision, SeasideHR relies on:

  • the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Modules 2 (controller→processor) or 3 (processor→processor) as applicable;
  • the UK International Data Transfer Addendum (ICO version B.1.0);
  • the Swiss FDPIC Addendum for transfers subject to the Swiss FADP;
  • additional supplementary measures including encryption in transit (TLS 1.2+), encryption at rest (AES-256), and the contractual safeguards described in our Data Processing Agreement.

A Transfer Impact Assessment is maintained for each Sub-processor located outside the EU/EEA and is available on reasonable request.


7. Retention

We retain Personal Data for as long as necessary for the purposes set out in Section 3, plus any period required by applicable law.

| Category | Default retention period |
| --- | --- |
| Identity and contact data of active customers | Duration of the customer relationship + 3 years (limitation period) |
| Contractual data (NDA, MSA, SOW, DPA, ToS-acceptance records) | 10 years (§147 AO German tax retention; 6 years §257 HGB; longest applicable) |
| Invoicing and payment data | 10 years (§147 AO) |
| Email correspondence (general business) | 6 years (§257 HGB commercial correspondence retention) |
| Prospect data (no purchase) | 24 months from last interaction unless extended consent given |
| Newsletter subscribers (after unsubscribe) | Suppression record retained indefinitely to honour your unsubscribe choice; content of past communications deleted within 12 months |
| Website usage logs | 12 months (security-significant logs may be retained longer under legitimate-interest balancing) |
| Cookies | Per Cookie Policy |
| Job applicant data (unsuccessful) | 6 months after process closes (longer with consent for talent-pool) |

After the applicable retention period, Personal Data is either deleted or anonymised so that you cannot be re-identified.


8. Your rights

Depending on the law that applies to you, you have some or all of the following rights:

8.1 GDPR / UK GDPR / Swiss FADP

  • Access (Art. 15) — receive confirmation of and a copy of Personal Data we hold;
  • Rectification (Art. 16) — correct inaccurate or incomplete data;
  • Erasure (Art. 17) — request deletion, subject to exceptions (e.g. tax-retention obligations);
  • Restriction (Art. 18) — limit Processing in specified circumstances;
  • Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format;
  • Objection (Art. 21) — object to Processing on legitimate-interest basis, including for direct marketing;
  • Withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful Processing;
  • Lodge a complaint with the LDI NRW or another supervisory authority.

8.2 Canada (PIPEDA, Alberta PIPA, B.C. PIPA, Quebec Law 25)

  • Access and correction of your Personal Information;
  • Withdraw consent subject to legal or contractual restrictions;
  • Complain to the Office of the Privacy Commissioner of Canada (for federally-regulated activities) or your provincial commissioner;
  • under Quebec Law 25 specifically: rights to de-indexing and data portability.

8.3 California (CCPA/CPRA)

  • right to know categories and specific pieces of Personal Information we have collected;
  • right to delete Personal Information;
  • right to correct inaccurate Personal Information;
  • right to opt out of "sale" or "sharing" (we do not sell or share, but the right exists);
  • right to limit use of sensitive personal information;
  • right to non-discrimination for exercising rights.

8.4 How to exercise

Send a request to privacy@seasidehr.org. We will respond within the statutory deadlines (typically 1 month under GDPR; 30 days under PIPEDA / Quebec Law 25; 45 days under CCPA/CPRA, extendable by 45 days). We may verify your identity before responding. We do not charge fees for first reasonable requests.


9. Children

The Services are intended for B2B use by adults aged 18+ and are not directed at children. We do not knowingly collect Personal Data from children under 16 (or the applicable age of digital consent in your jurisdiction). If you believe we have collected such data, contact privacy@seasidehr.org and we will delete it.


10. Security

We implement appropriate technical and organisational measures to protect Personal Data, including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls with MFA, vulnerability management, and annual penetration testing. See the SeasideHR Schedule B-3 (TOMs) under our DPA for the full technical detail.

No security measures are perfect. If we become aware of a Personal Data Breach affecting your data, we will notify the competent supervisory authority within 72 hours per Article 33 GDPR and notify you without undue delay where required by Article 34 GDPR.


11. Marketing

Where you have given consent or where we rely on the legitimate-interest exception for B2B similar-product outreach under §7(3) UWG, we may send you marketing communications. You can unsubscribe at any time via the link in each message or by writing to privacy@seasidehr.org. Unsubscribing does not affect transactional communications relating to ongoing Services.


12. Automated decision-making and AI transparency

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Article 22 GDPR).

Where you interact with an AI system operated by SeasideHR (for example, an AI-assisted chat or an AI-generated document draft), you are informed of that interaction in the relevant context per Article 50 of the EU AI Act. AI-generated outputs that are made available to third parties are marked as machine-generated where required by Article 50.

SeasideHR's AI-assisted Services are not used to score, rank, recommend, or filter individual job candidates. Outputs are produced under Human-in-the-Loop Review.


13. Pre-incorporation transfer to SeasideHR GmbH

SeasideHR is currently operated by Michael Sieben — SeasideHR as a sole proprietorship. On formation of SeasideHR GmbH, the Controllership of all Personal Data covered by this Notice will transfer to SeasideHR GmbH under §415 BGB (Vertragsübernahme).

You will receive notice of the transfer at the time of incorporation. Your rights under this Notice and applicable law continue with the Successor Entity without interruption. Personal Data is not shared with any third party as a result of the transfer; the Successor Entity assumes the same Controller obligations.


14. Changes to this Notice

We may update this Notice from time to time. Material changes will be notified by email (to active customers and account-holders) and posted at https://seasidehr.org/legal/privacy. The "Effective Date" at the top reflects the latest version.


15. Contact and complaints

| Channel | Address |
| --- | --- |
| Email — general | michael.sieben@seasidehr.org |
| Email — privacy | privacy@seasidehr.org |
| Postal | Michael Sieben — SeasideHR, Kurscheider Weg 6, 50767 Köln, Germany |
| Supervisory authority (Germany) | LDI NRW — Landesbeauftragte für Datenschutz und Informationsfreiheit NRW, Kavalleriestraße 2-4, 40213 Düsseldorf |
| Supervisory authority (UK) | Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF |
| Supervisory authority (Switzerland) | Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB / FDPIC), Feldeggweg 1, 3003 Bern |
| Supervisory authority (Canada — federal) | Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec K1A 1H3 |
| Supervisory authority (Quebec) | Commission d'accès à l'information du Québec |
| Supervisory authority (Alberta / B.C.) | Office of the Information and Privacy Commissioner of Alberta / B.C. |
| Supervisory authority (California) | California Privacy Protection Agency (CPPA), 2101 Arena Boulevard, Sacramento, CA 95834 |
