Privacy Policy

ShandaHR (Private) Limited · Harare, Zimbabwe

Effective 1 Jan 2026 · Last Updated 18 May 2026 · CDPA Aligned

ShandaHR (Private) Limited is committed to responsible data stewardship. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and how you can exercise your rights under Zimbabwe’s Cyber and Data Protection Act [Chapter 12:07] (“CDPA”).

1. Who We Are

ShandaHR (Private) Limited (“ShandaHR”, “we”, “our”, or “us”) develops and operates a cloud-based Human Resources Information System for employers in Zimbabwe and the broader African market. Our registered office is in Harare, Zimbabwe.

Data Controller vs Data Processor

Our role varies depending on whose data is involved:

  • We are the Data Controller for personal data we collect directly from platform administrators, website visitors, and prospective customers (e.g. sign-up information, demo requests).
  • We are a Data Processor for employee personal data that our customers (employers) upload or generate within the Platform. In that context, the employer is the Data Controller and is responsible for establishing the lawful basis for processing.

2. Data We Collect

2.1 Account & Administrator Data

When you register or manage a ShandaHR account, we collect:

  • Full name, email address, phone number
  • Company name, company registration number, industry, and billing address
  • Your role within the organisation (e.g. HR Manager, Finance Director)
  • Authentication credentials (passwords are hashed; we never store plaintext passwords)

2.2 Employee Data (Customer Data)

Processed on behalf of our customers (employers), employee data may include:

  • Full name, NRC/passport number, date of birth, gender, nationality
  • Contact details: home address, personal email, phone numbers
  • Employment details: job title, department, employment date, contract type, reporting line
  • Compensation: basic salary, allowances, deductions, bank account details (for payroll)
  • Leave records: leave type, dates, approvals, balances
  • Performance data: reviews, goals, ratings, disciplinary records
  • Onboarding documents and HR correspondence
  • Emergency contacts

2.3 Usage Data

We automatically collect technical data when you use the Platform:

  • Log data: IP addresses, browser type and version, pages accessed, features used, timestamps
  • Device data: device type, operating system, screen resolution
  • Session data: session duration, navigation paths, feature interaction events

2.4 Payment Data

Payment processing is handled by our third-party payment gateway. We store only transaction reference numbers and billing addresses — we do not store, process, or transmit credit card numbers or banking credentials.

Category | Examples | Legal Basis
Account Data | Name, email, phone, company | Contract
Employee Data | Salary, leave, NRC, job title | Contract
Usage Data | IP, device, session logs | Legit. Interest
Payment Data | Transaction reference, billing | Contract

3. How We Use Your Data

We use the data we collect for the following purposes:

  • To create and manage your account and verify your identity
  • To deliver and maintain the Platform and all its features
  • To process payroll calculations and generate payslips on behalf of employers
  • To send transactional communications: account confirmations, password resets, billing receipts
  • To provide customer support and resolve technical issues
  • To send product updates, security notices, and service announcements
  • To detect, investigate, and prevent fraud, abuse, and unauthorised access
  • To comply with legal and regulatory obligations under Zimbabwe law
  • To generate aggregated, anonymised analytics to improve platform performance and features
  • To conduct research into HR trends in Zimbabwe using fully anonymised datasets

We will not use your personal data for purposes incompatible with those stated above without first obtaining your consent or establishing a new lawful basis.

5. Data Sharing & Third Parties

ShandaHR does not sell, rent, or trade your personal data or your employees’ data to any third party. Ever.

We may share data in the following limited circumstances:

5.1 Service Providers (Sub-processors)

We engage the following sub-processors who access data only to provide services on our behalf and are bound by data processing agreements:

Provider | Purpose | Location
Supabase | Database, authentication, file storage | South Africa / US
Vercel | Application hosting & CDN | United States
Resend | Transactional email delivery | United States
Stripe | Payment processing (billing data only) | United States

5.2 Legal Requirements

We may disclose personal data where required by a valid court order, subpoena, or lawful request from a Zimbabwean regulatory authority. Where permitted by law, we will notify you before complying.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of substantially all of ShandaHR’s assets, personal data may be transferred to the acquiring entity. We will provide at least 30 days’ notice before any such transfer and ensure the receiving entity upholds the same privacy standards.

6. Data Security

We take data security seriously and have implemented the following measures to protect your data:

AES-256 Encryption

All data encrypted at rest using AES-256

TLS 1.3 in Transit

All data in transit secured with TLS 1.3

Access Controls

Role-based minimum-privilege access

Audit Logs

Comprehensive audit trails for all admin actions

Penetration Testing

Annual independent security assessments

Backups

Automated encrypted daily backups with 30-day retention

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected customers within 72 hours of becoming aware of the breach, as required by the CDPA.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law:

Account & admin data | Duration of subscription + 90 days post-termination
Employee (Customer) data | Per employer instructions + 90 days post-termination
Usage & log data | 12 months from collection
Encrypted backup data | 30 days on rotating cycle
Billing & payment records | 7 years (ZIMRA compliance)
Suppression lists | Indefinitely (to honour opt-outs)

When data is no longer required, it is securely and permanently deleted from our systems and those of our sub-processors.

8. Employee Data — Special Provisions

ShandaHR processes sensitive employee personal data on behalf of employers. Employers who use ShandaHR remain the Data Controller for their employees’ data and bear the following responsibilities:

  • Establishing a valid lawful basis for collecting and processing employee personal data under the CDPA
  • Notifying employees of their data rights and how their data will be processed
  • Ensuring employee data uploaded to ShandaHR is accurate and lawfully obtained
  • Responding to data subject access requests from employees in a timely manner
  • Maintaining appropriate internal data governance and HR policies

ShandaHR’s Obligations as Processor

We will: (a) process employee data only on documented instructions from the employer; (b) ensure persons authorised to process data are bound by confidentiality obligations; (c) assist the employer in fulfilling data subject rights requests; (d) delete or return all employee data upon termination of the subscription; and (e) make available all information necessary to demonstrate compliance.

If an employee contacts us directly regarding their personal data, we will redirect them to the employer (Data Controller) unless we are the Controller in our own right for that specific data point.

9. Cookies & Tracking Technologies

We use the following types of cookies and similar technologies on the ShandaHR Platform:

Essential / Functional · Always Active

Session cookies and authentication tokens necessary for the Platform to function. These cannot be disabled without breaking the service.

Preference / Settings · Always Active

Cookies that remember your theme preference (light/dark), language settings, and UI customisations.

Analytics · Optional

Anonymised usage data to help us understand how the Platform is used and identify areas for improvement. You may opt out.

We do not use advertising cookies or share cookie data with ad networks. Cookie preferences can be managed from your account settings or browser configuration.

10. Your Rights Under the CDPA

Zimbabwe’s Cyber and Data Protection Act confers the following rights on data subjects. You may exercise these rights by contacting us at privacy@shandahr.com:

Right of Access

Request confirmation of whether we hold your personal data and obtain a copy of it.

Right to Rectification

Request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of your personal data where it is no longer necessary, or you withdraw consent.

Right to Restriction

Request that we restrict processing of your data in certain circumstances.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Portability

Receive your personal data in a structured, commonly used, machine-readable format (e.g. CSV, JSON).

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting lawfulness of prior processing.

We will respond to verified requests within 30 days. In complex cases, we may extend this by a further 60 days with notice. We may ask you to verify your identity before processing a request. There is no charge for most requests, but we may charge a reasonable fee for unfounded or excessive requests.

If you believe your data rights have been violated, you may lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) or the relevant data protection authority.

11. International Data Transfers

Our infrastructure relies on service providers operating outside Zimbabwe, primarily in South Africa and the United States. By using ShandaHR, you acknowledge that your personal data may be transferred to, processed, and stored in these jurisdictions.

We ensure that all international transfers are protected by appropriate safeguards, including contractual clauses that require our sub-processors to maintain standards consistent with Zimbabwe’s CDPA. Our principal sub-processors and their data locations are listed in Section 5.1.

If you require your data to remain within a specific geographic boundary, please contact us to discuss whether this can be accommodated within your subscription.

12. Children's Privacy

The ShandaHR Platform is designed for use by businesses and HR professionals. It is not directed at individuals under the age of 18 years. We do not knowingly collect personal data from minors.

If you become aware that a minor has submitted personal data to us without appropriate parental or guardian consent, please contact us immediately at privacy@shandahr.com and we will delete such data promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. All changes will be published on this page with an updated “Last Updated” date.

For material changes — those that significantly affect your rights or how we use your data — we will:

  • Send an email notification to the account administrator at least 14 days before the change takes effect
  • Display a prominent notice within the Platform
  • Where required, seek fresh consent

Continued use of the Platform after the effective date of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree, you should discontinue use and may terminate your subscription.

14. Contact & Data Protection Officer

For any privacy-related questions, requests, or concerns, please contact us:

ShandaHR (Private) Limited

Harare, Zimbabwe

Privacy enquiries: privacy@shandahr.com

Data Protection Officer: dpo@shandahr.com

General support: support@shandahr.com

© 2026 ShandaHR (Private) Limited. All rights reserved.