Privacy Policy

Last updated: February 24, 2026

Symph ("we", "us", or "our") operates Alignly, an HR and people operations platform. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service. By using Alignly, you agree to the practices described here.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, organization name, and a password. If you are invited by your employer, we may also receive your job title, department, and employee ID.

1.2 Employee Data

As an HR platform, Alignly stores employee records entered by your organization. This may include names, contact details, employment status, department, role, leave balances, time-tracking records, onboarding checklists, and documents uploaded by your organization's HR administrators.

This data is controlled by your employer (the "Customer"). If you are an employee and have questions about how your employer handles your data, please contact your HR department.

1.3 Usage Data

We automatically collect certain information when you use the Service, including your IP address, browser type, pages visited, features used, timestamps, and device information. This helps us improve the Service and diagnose issues.

1.4 Communications

If you contact us for support or with feedback, we retain records of those communications to help resolve issues and improve our services.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Alignly Service
  • Authenticate users and secure accounts
  • Process payments and manage subscriptions
  • Send transactional emails (account verification, password resets, invite notifications)
  • Respond to support requests and provide customer service
  • Monitor and analyze usage trends to improve features
  • Detect, investigate, and prevent fraudulent or unauthorized activity
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your employee data for advertising or marketing purposes.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

  • Contract performance — to provide the Service you have subscribed to
  • Legitimate interests — to improve our Service and prevent abuse
  • Legal obligation — to comply with applicable laws
  • Consent — where you have provided consent (e.g., marketing emails)

4. Data Sharing and Disclosure

4.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service, including:

  • Google Firebase — authentication, database, and hosting
  • Stripe / PayMongo — payment processing (we do not store card numbers)
  • Email providers — transactional email delivery

These providers are contractually bound to process your data only as directed by us and in accordance with this Privacy Policy.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If Symph is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

5. Data Retention

We retain your account and Customer Data for as long as your subscription is active. After account termination, we retain data for 30 days to allow for data export, after which it is securely deleted, unless we are required by law to retain it for longer.

Usage logs and analytics data may be retained in anonymized or aggregated form indefinitely.

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest (AES-256 via Google Cloud)
  • Role-based access controls within the platform
  • Regular security reviews and dependency updates

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of your personal data
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your data (subject to legal obligations)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — request that we restrict processing in certain circumstances

To exercise any of these rights, contact us at privacy@symph.co. If you are an employee whose data is managed by your employer, please contact your HR department first, as they are the data controller.

We will respond to requests within 30 days. We may need to verify your identity before processing your request.

8. Cookies

Alignly uses essential cookies necessary for the Service to function, including session cookies for authentication and preference cookies to remember your settings. We do not use advertising or tracking cookies.

You can control cookie settings through your browser, but disabling essential cookies may prevent certain features from working correctly.

9. Children's Privacy

Alignly is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

10. International Data Transfers

Alignly is operated from the Philippines and uses infrastructure provided by Google (Firebase / Google Cloud). Your data may be processed in countries outside your own. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or other approved mechanisms.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

12. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data:

Symph — Data Privacy

Email: privacy@symph.co

Website: symph.co