Introduction
Humareso, LLC ("Humareso," "we," "our," or "us") is a Florida limited liability company headquartered in Vero Beach, Florida. We operate humareso.com and a suite of HR platforms including Engage, Portal, Leave, and Hub. We also deliver HR Outsourcing (HRO) services to client organizations. This Privacy Policy describes how we collect, use, store, share, and protect information across these services.
This Policy applies to:
- Visitors to humareso.com
- Users of Humareso's platforms (Engage, Portal, Leave, Hub)
- Employees of client organizations whose data Humareso processes on behalf of those organizations
- Organizations and individuals engaged in Humareso's HRO practice
- Job applicants who apply for positions at Humareso
- Partners and vendors who engage with Humareso
Controller and processor roles by data type. Humareso's role under applicable data protection law depends on the data category in question. The following mapping governs:
- Humareso acts as a data controller for: Hub subscriber data, humareso.com website visitor data, job applicant data submitted directly to Humareso, and partner and vendor contact data.
- Humareso acts as a data processor for: Engage employee records, Portal HR documents, Leave case data, and HRO service data. In these contexts, the client organization is the data controller.
This Policy describes Humareso's general privacy practices. The Humareso Data Processing Agreement (DPA), available at humareso.com/legal/dpa, governs the specific terms of processing for controller-processor relationships and applies in addition to this Policy. The DPA does not substitute for or replace this Policy; the two documents operate together.
Employees of Humareso's clients with questions about their personal data should contact their employer's HR department in the first instance. Humareso will assist client organizations in responding as required by applicable law.
Information We Collect
Website Visitors
We collect information from visitors to humareso.com through three distinct touchpoints. We process this data based on our legitimate interest in sales, marketing, and service delivery, and with your consent for non-essential cookies.
(a) Contact forms. When you submit a contact form, demo request, or similar inquiry on humareso.com, we collect the information you provide, which typically includes name, email address, phone number, job title, and company. Contact form submissions are routed to HubSpot, our customer relationship management platform. When HubSpot receives this data, it is also subject to HubSpot's own privacy policy, available at https://legal.hubspot.com/privacy-policy.
(b) Cookies and analytics. We use cookies and similar technologies to collect technical information about your device and browsing activity. This includes browser type, operating system, device identifiers, IP address, geolocation inferred from IP address (typically at the city or regional level), referring URL, pages visited, time on site, and engagement events. See the Tracking Technologies section below for the list of analytics and advertising tools we use. Where required by law, Humareso presents a cookie consent and preference management mechanism for non-essential tracking technologies.
(c) Chatbot. Our website may offer a chatbot for visitor inquiries. If you interact with the chatbot but do not provide contact information, the transcript is not retained beyond the active session and is discarded when the session ends. If you provide contact information, the transcript is retained alongside that contact record so we can follow up. Chatbot transcripts are not used to train artificial intelligence or machine learning models. Where a third-party chatbot vendor is used, that vendor will be identified at humareso.com/legal/sub-processors.
Support contacts submitted through the website are stored for 120 days before archival. Email signups are retained until you unsubscribe.
Platform Users (Engage, Portal, Leave, Hub)
When you access Humareso's platforms as an authorized user of a client organization, we process:
- Identity and account data: name, email address, job title, organizational role, and authentication credentials.
- Platform activity: login events, access logs, and feature usage. We log feature usage (button clicks, page navigation, session duration) for operational debugging and product improvement. We do not build individual behavioral profiles, and we do not use this data for advertising.
- HR records (Engage): employee profile data, performance records, engagement activity, and related HR information as configured by your organization.
- HR documents and case data (Portal): uploaded documents, case submissions, and correspondence managed through the portal on behalf of your organization.
- Hub subscription data: email address, name, subscription tier, and billing information. Content access activity (article views, downloads) is logged only to enforce subscription gating and is not used for behavioral advertising or profiling.
Processing of platform user data is based on the service contract between Humareso and the client organization. For Hub subscribers, processing is based on the subscription contract between Humareso and the subscriber.
Leave Case Data
Through the Leave platform, Humareso processes leave request details, dates, leave type, supporting documentation, and medical certification information. Medical certification is completed and submitted by the employee's healthcare provider in support of the employee's leave request.
Leave case data, including health information, constitutes sensitive personal information under applicable state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA). Humareso processes this data solely to administer the leave case as directed by the client employer.
Residents of California, New York, Washington, Colorado, and other states with health data privacy protections may have additional rights regarding their health information. See Your Rights below.
Do Not Sell or Share
Humareso does not sell employee, leave, ADA accommodation, or HRO service data. Certain marketing website analytics and advertising activities involving Meta Pixel or similar technologies may constitute a "sale" or "sharing" under California law. Users may opt out through cookie preference tools, Global Privacy Control signals, or by contacting DPO@humareso.com.
Submission of medical certification is required to qualify for leave under applicable law (for example, the federal Family and Medical Leave Act). The consequences of not submitting certification are determined by your employer's leave policy and applicable law. By submitting health information in support of a leave request, you consent to Humareso's processing of that sensitive information solely for leave administration.
Leave health data is not transmitted to Sentry, HubSpot, Mailgun, or any other marketing or analytics sub-processor. It is stored only in encrypted database infrastructure operated within Amazon Web Services (AWS) and is accessible only to authorized Humareso personnel and to HR administrators designated by the client organization.
Leave health data is archived upon closure of the leave case and retained in accordance with the client's retention policy and applicable law. Humareso's default is to retain closed leave case records for a minimum of three years to support FMLA recordkeeping requirements under 29 CFR 825.500, and longer where required by applicable state law or the client's service agreement.
Leave case data is processed on behalf of your employer. To exercise rights regarding your leave records, contact your employer's HR department. Humareso will assist your employer in responding as required by law.
ADA Accommodation Data
Where client organizations use the Leave platform to manage requests for reasonable accommodation under the Americans with Disabilities Act (ADA) or comparable state law, Humareso processes accommodation request details and any supporting medical documentation. ADA accommodation data is maintained separately from general leave records and personnel files. Access is restricted to personnel with a documented business need, as designated by the client organization. This data is used solely to administer the accommodation process as directed by the client employer.
Biometric Data
Humareso does not collect or process biometric identifiers or biometric information except where explicitly configured by a client organization under a separate written agreement. Where biometric functionality is enabled by a client, Humareso processes such data solely as a processor on behalf of the client organization and in accordance with applicable biometric privacy laws.
EEO and Protected Class Data
Engage and HRO services may involve processing of employee records that include protected class information (such as race, sex, national origin, disability, age, or other protected statuses) for Equal Employment Opportunity (EEO) reporting or affirmative action purposes. Humareso processes this data only as directed by the client employer, solely for lawful EEO reporting and compliance purposes. Humareso does not use protected class data for automated decision-making, profiling, or any purpose beyond the contracted service scope. Access is restricted to authorized personnel with a business need to know.
HRO Practice Clients and Their Employees
When Humareso provides outsourced HR services to a client organization, we may receive and process:
- Employee roster and contact data
- Compensation and benefits information
- Leave and absence records
- Performance and disciplinary records
- HR policy documents
- Other employment-related data necessary to deliver contracted services
This data is processed under a service agreement and a mandatory Data Processing Agreement with the client organization. Humareso acts as a data processor for this data. We do not use client employee data for any purpose beyond the scope of the service agreement.
Some employee data processed under HRO service agreements constitutes sensitive personal information, including health information in leave records, compensation data, and government-issued identification numbers where collected for employment verification. Humareso processes this data with heightened access controls and purpose limitations.
Client organizations are responsible for notifying their employees that Humareso processes their personal data as a service provider. If you have not received such notice and believe your data is processed by Humareso under an HRO engagement, contact DPO@humareso.com.
Humareso will assist clients in responding to data subject rights requests as required by applicable law and as set out in the Data Processing Agreement. Employees of HRO clients who wish to exercise data rights should contact their employer in the first instance.
Job Applicants
When you apply for a position at Humareso, we collect:
- Name, contact information, employment history, and application materials
- Information shared in connection with interviews, assessments, and reference checks
We use applicant data to evaluate candidates, conduct reference checks, and communicate regarding the application. We do not sell or share applicant data with third-party recruiters unless expressly disclosed at the time of application. Applicant data is not used for marketing.
This data is retained until you request deletion, which Humareso will process within commercially reasonable timeframes and subject to applicable legal retention obligations. Federal law requires employers to retain records of employment decisions, including records related to applicants who were not hired, for a minimum of one year from the date of the decision (29 CFR § 1602.14). Where this or another legal minimum applies, Humareso will honor the legal obligation and notify the requester that deletion will occur upon expiration of the required retention period.
Partners
When organizations or individuals engage Humareso as a partner or vendor, we collect professional contact information (name, email, phone, title, company) to facilitate the relationship.
AI-Assisted Features
Humareso uses artificial intelligence across its platforms to assist human administrators with drafting, summarization, and analytical tasks in HR workflows, including leave administration, performance management, and case communications. All AI-generated output is a draft for human review. No AI-generated content produces a final decision, is delivered to an employee, or is applied to any record without explicit review and approval by an authorized human administrator.
When AI features are used, structured data about you relevant to the task (such as employment information, leave case details, or performance records) may be processed by Anthropic, PBC as a sub-processor to generate the requested output. Humareso limits the data submitted to the structured fields necessary for each task. Raw uploaded documents (medical certifications, employment contracts, uploaded files) and unredacted sensitive health records are not transmitted to AI models. Humareso does not use your personal data to train or fine-tune AI models.
What AI does not do
Humareso does not use fully automated decision-making, without human review, to make employment decisions, leave eligibility determinations, compensation changes, or disciplinary actions. AI output is always a draft subject to human judgment. Client organizations retain full authority over all employment decisions.
Anthropic as sub-processor
Anthropic, PBC and any successor AI service providers identified on Humareso's Sub-Processor List may process structured data when AI-assisted features are used. Anthropic does not use API-submitted data to train its models. For details, see humareso.com/legal/sub-processors and Anthropic's privacy policy at anthropic.com/privacy.
As Humareso expands AI-assisted capabilities across its platforms, this section and the Sub-Processor List govern their use.
How We Use Information
We separate our use of information into two categories based on Humareso's legal role with respect to the data.
(a) Data Humareso Controls
For Hub subscribers, humareso.com website visitors, job applicants, and partner and vendor contacts, Humareso is the data controller. We use this data to:
- Operate, maintain, secure, and improve humareso.com and the Hub platform.
- Authenticate Hub subscribers and manage subscription accounts. Lawful basis: performance of the subscription contract.
- Send transactional communications (account notifications, subscription information, billing receipts) to Hub subscribers. Lawful basis: performance of the subscription contract and compliance with legal obligations.
- Respond to inquiries submitted through humareso.com contact forms and chatbot. Lawful basis: legitimate interest in responding to prospective and current customers.
- Send periodic product, marketing, and service updates to recipients who have opted in or to existing customers in accordance with applicable law. Lawful basis: consent (where required) or legitimate interest in marketing to existing customers.
- Evaluate job applications and communicate with candidates. Lawful basis: steps taken at the request of the applicant prior to entering an employment contract.
- Manage partner and vendor relationships. Lawful basis: legitimate interest in vendor management and performance of contractual relationships.
- Comply with legal obligations and respond to lawful requests. Lawful basis: compliance with legal obligation.
(b) Data Humareso Processes on Behalf of Clients
For Engage employee records, Portal HR documents, Leave case data, ADA accommodation data, EEO and protected class data, and HRO service data, Humareso is the data processor. The client organization is the data controller. Humareso uses this data only as directed by the client organization to:
- Provide and operate the contracted platform or HRO service.
- Authenticate platform users and manage account access on behalf of the client.
- Administer leave cases, accommodation requests, and HR programs on behalf of the client.
- Send transactional communications (leave status updates, platform notifications) to data subjects on behalf of the client.
- Maintain records as required by the client's data retention policy and applicable law.
- Provide operational support, security monitoring, and debugging.
Lawful basis: performance of the service contract between Humareso and the client organization, with the client serving as the controller responsible for establishing the lawful basis for processing of its employees' data.
We do not sell personal information for advertising purposes. We do not use client employee data, leave case data, ADA accommodation data, or EEO data for marketing or for product analytics that profile individuals.
Data Processor and Controller Relationship
Humareso's role under applicable data protection law depends on the data category. The mapping is:
- Humareso is the controller for: Hub subscriber data, humareso.com website visitor data, job applicant data, and partner and vendor contact data.
- Humareso is the processor for: Engage employee records, Portal HR documents, Leave case data, ADA accommodation data, EEO and protected class data, and HRO service data. In these contexts, the client organization is the controller.
For data Humareso processes on behalf of client organizations:
- The client organization is the data controller and retains ownership of and responsibility for the data.
- Humareso is the data processor and processes data only per the client's instructions under the applicable service agreement and Data Processing Agreement.
- Employees and individuals whose data is processed in this capacity should direct data rights requests to their employer in the first instance.
- Humareso will assist clients in responding to data subject rights requests as required by applicable law and as set out in the Data Processing Agreement.
Operational access carve-out. Humareso may access client data without advance client instruction where necessary to (a) detect, prevent, or remediate security incidents, (b) troubleshoot and debug platform functionality, or (c) comply with legal process. Any such access will be logged and reported to the client upon written request.
Data Processing Agreements. All client organizations must execute a Data Processing Agreement. The DPA is available at humareso.com/legal/dpa and is provided at no additional cost. Humareso will execute a DPA within 14 business days of written request.
This Privacy Policy does not constitute a Data Processing Agreement. Where you are a data controller, your processing relationship with Humareso is governed by the DPA, not this Policy.
Tracking Technologies
On humareso.com (Marketing Website)
We use the following technologies on the Humareso marketing website:
- HubSpot is our customer relationship management platform; it tracks website interactions and form submissions.
- Google Analytics provides website usage analysis. You may opt out using Google's opt-out tools.
- Meta Pixel measures the effectiveness of advertising on Meta platforms.
- Google Tag Manager manages and deploys tracking tags.
Our marketing emails contain tracking pixels that measure whether emails are opened and whether links are clicked.
Within Authenticated Platforms
Humareso's authenticated platforms (Engage, Portal, Leave, Hub) use session cookies and authentication tokens necessary to operate the platform and maintain your login state. These platforms do not use third-party behavioral advertising trackers. Platform analytics are limited to operational logging (error tracking, performance monitoring) using Sentry.
Cross-Domain Clarity
Users who visit humareso.com and then create an account on a Humareso platform (Engage, Portal, Leave, Hub) are subject to the marketing website tracking described above only while on humareso.com. Within the authenticated platform, only session cookies and Sentry error monitoring are active. Marketing trackers (HubSpot analytics, Google Analytics, Meta Pixel) do not operate within authenticated platform sessions.
Data Sharing
Humareso shares information in the following circumstances.
Internal teams. Access is limited to personnel who need it to perform their job functions.
Service providers (sub-processors). We share data with vendors who support our operations. The data categories each receives are described below.
- HubSpot (CRM and subscription management): email, name, subscription tier, website engagement events. Marketing website data and Hub subscription contact data only; not employee records.
- HubSpot Commerce: billing information and subscription status for Hub subscribers.
- Mailgun: email address and email content for transactional delivery only.
- Sentry: error stack traces, user session identifiers, and platform event logs. Sentry does not receive leave health data, ADA accommodation data, EEO or protected class data, or compensation data.
- Amazon Web Services (AWS): encrypted database storage and media files for all platform data.
- Neon and Vercel Postgres: encrypted database hosting.
- Google Analytics: anonymized IP address, device type, and page views. Marketing website only.
- Meta Pixel: hashed email (if provided), IP address, browser type, and engagement events. Marketing website only. This sharing may constitute a sale or sharing under the California Consumer Privacy Act.
- Third-party HRIS, payroll, and benefits platforms as configured by client organizations under HRO service agreements.
HubSpot does not receive employee records, leave case data, ADA accommodation data, EEO or protected class data, or compensation data. HubSpot receives only contact and subscription data for Hub subscribers and marketing contacts.
The current sub-processor list is maintained at humareso.com/legal/sub-processors.
Sub-processor change notification. Humareso will notify client organizations and registered DPA contacts at least 30 days before adding or removing a sub-processor that processes client data.
Legal requirements. We may disclose information in response to a court order, subpoena, or other lawful request, or when necessary to protect Humareso's rights or the safety of others.
Corporate transactions. In connection with a merger, acquisition, or sale of assets, information may be transferred to the acquiring entity, subject to the same privacy commitments.
Some sharing of data with advertising and analytics vendors on the marketing website may constitute a "sale" or "sharing" under California and other state privacy laws. You may opt out as described below.
Data Retention
| Data Type | Retention Period |
| --- | --- |
| Website visitor and contact data | 120 days from last interaction, then archived |
| Platform user accounts (Engage, Portal, Leave) | Duration of client service agreement, plus 90 days. Clients may request extended retention of account metadata and access logs for legal hold or audit purposes. |
| Leave case records | Per client data retention policy. Humareso's minimum is three years to comply with FMLA recordkeeping requirements (29 CFR 825.500) and longer where required by applicable state law or client contract. Health information within leave cases is deleted upon case closure subject to the foregoing minimum. |
| Hub subscription data | Duration of active subscription, plus 90 days. The 90-day tail is retained to process refunds, disputes, and subscription cancellation requests. |
| HRO service data (client employee records) | Per service agreement. Minimum retention varies by record type and applicable law (typically three to seven years). Clients must specify required retention periods in the service agreement. Humareso's default for records without a specified period is five years. |
| Job applicant data | Until deletion request, processed within two business days, subject to applicable legal retention obligations. |
| Marketing email and partner contact data | Until unsubscribe or deletion request |
| Audit and access logs | Three years, or longer if subject to a legal hold |
| Security incident records | Three years, or until all related proceedings are resolved, whichever is later |
| Backup and disaster recovery media | Retained for the same period as the underlying data type, then securely destroyed |
Retention periods may be extended where required by law, legal hold, or to fulfill contractual obligations.
Legal holds. Humareso will not delete records subject to a legal hold, court order, or preservation notice. Written notification of holds must be sent to DPO@humareso.com. Humareso maintains a register of active holds and will honor them regardless of standard retention periods.
Security
Humareso implements technical and organizational safeguards including encryption for data in transit and at rest, multi-factor authentication for administrative access to production systems, role-based access controls for platform data, and application-level error monitoring for operational purposes. These measures are intended to reduce risk and are reviewed periodically, but no system can be guaranteed fully secure.
Breach notification. In the event of a data breach affecting client employee data or other personal information Humareso processes as a processor, Humareso will notify the affected client organization within 24 hours of first discovering the breach. This notification is to enable the client organization, as data controller, to meet its own legal obligations to notify affected employees and regulators under applicable breach notification law. The client organization is responsible for notifying data subjects and applicable supervisory authorities; Humareso will provide reasonable factual assistance upon the client's request. For data Humareso controls as controller (Hub subscribers, website visitors, job applicants), Humareso will notify affected data subjects and regulators as required by applicable law.
Your Rights
California Residents (CCPA / CPRA)
California residents have the right to:
- Know what personal information we have collected and how it is used.
- Request deletion of personal information, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information.
- Limit our use and disclosure of sensitive personal information (including health information in leave records and compensation data) to purposes necessary to deliver the contracted services.
- Non-discrimination for exercising these rights.
To exercise your rights, contact us at DPO@humareso.com or call 844-486-2737.
Note for employees of Humareso client organizations. Where Humareso processes your data as a processor on behalf of your employer, your employer is the party responsible for responding to rights requests. If you submit a request to Humareso directly, we will forward it to your employer and provide reasonable assistance in responding as required by law.
Nevada Residents
Nevada residents may opt out of the future sale of their personal information by contacting us at DPO@humareso.com.
Virginia, Colorado, Connecticut, Texas, Oregon, and Montana Residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), and Montana (MCDPA) have rights under their state privacy laws including the rights to access, correct, delete, and opt out of the sale or processing of personal information for profiling or targeted advertising. To exercise these rights, contact DPO@humareso.com.
Automated Decision-Making
Humareso uses AI to assist human administrators in drafting leave eligibility determinations, case communications, and performance summaries. All AI-generated output is reviewed and approved by a human administrator before being applied or communicated. Humareso does not use fully automated decision-making, without human review, to produce decisions with legal or similarly significant effects on employees.
Global Privacy Control
Humareso honors Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal while you visit humareso.com, we will treat it as an opt-out of the sale or sharing of your personal information.
Response Timeframe and Verification
We will respond to rights requests within 45 calendar days of receiving a verifiable request. Montana residents: We will respond within 30 calendar days as required by the Montana Consumer Data Privacy Act (Mont. Code Ann. § 30-14-1703). For complex or voluminous requests (other than those from Montana residents), we may extend the response period by up to 45 additional days and will notify you of the extension in advance.
To verify your identity before processing a deletion or access request, we will ask for email confirmation or account login verification.
Other Jurisdictions
Humareso respects applicable privacy rights in other jurisdictions. If you believe you have rights under applicable law that are not addressed here, contact us at DPO@humareso.com.
Children's Privacy
Public-facing channels (COPPA). Humareso's website and Hub platform are not directed to children under 13. We do not knowingly collect personal information from children under 13 through public-facing channels. If we discover such information was collected without verifiable parental consent, we will delete it within 10 business days. Parents or guardians may contact DPO@humareso.com to verify and request deletion.
Employee data subjects. Humareso's platforms (Engage, Portal, Leave) process employment and HR data on behalf of client organizations. If a client directs Humareso to process data of an employee under 15 (such as a payroll, leave, or performance record for a young worker in states permitting such employment), Humareso will process that data only as directed by the client and for the period required by applicable law. The client organization, as data controller, is responsible for ensuring any required parental or guardian consent under applicable law.
Changes to This Policy
We may update this Policy from time to time. When we do, we will post the revised Policy with an updated effective date.
For material changes to this Policy, Humareso will provide at least 30 calendar days' advance written notice to client organizations via the email address on file and to the designated DPA contact if one is specified. Material changes include modifications to data retention periods, new purposes of use, changes to data sharing or sub-processor practices, and changes to user rights. If a client organization objects to a material change, it may terminate the affected service on 30 days' notice without early termination fees. This advance notice commitment does not waive Humareso's obligation to comply with state laws requiring faster or different notification.
Contact
Data Protection Officer: DPO@humareso.com
Humareso, LLC
114 43rd Avenue SW, Vero Beach, FL 32968
Regional Office: 1500 Kings Highway North, Suite C-213, Cherry Hill, NJ 08034
Phone: +1 844.486.2737