Last updated: 2026-01-05
This Privacy Policy explains how we process personal data when you use hcapp.ee and the HCAPP service (the "Service").
HCL Systems OÜ is the data controller for personal data processed through the
platform.
Contact email:
support@hcapp.ee
1) Controller (who is responsible)
HCL Systems OÜ
Registry code: 17389479
Address: Vana-Tartu mnt 79a, 75312 Peetri, Estonia
Email: support@hcapp.ee
2) What data we process
- Account data: name, email, authentication data (password hash), roles/permissions, organization name (if provided).
- Usage data: IP address, device/browser information, timestamps, actions within the Service, and security logs, processed for security and audit purposes (not used for profiling or marketing).
- Customer content: data you (or your organization) upload, enter, or generate in forms/registries/tasks, including files and attachments.
- Support communications: messages you send to support and related metadata.
3) Cookies and similar technologies
The Service does not use advertising or tracking cookies.
We use strictly necessary technologies to operate the Service, including authentication tokens stored in the browser's local or session storage. These technologies are required to maintain user sessions, provide security, and ensure proper functioning of the Service.
Such technologies do not involve cross-site tracking and are not used for marketing or profiling purposes.
4) Purposes and legal bases
- To provide the Service (accounts, authentication, core features). Legal basis: contract (GDPR Art. 6(1)(b)).
- Security, abuse prevention, troubleshooting (logs, auditing, fraud prevention). Legal basis: legitimate interests (Art. 6(1)(f)).
- Support and communications (responding to requests, service notices). Legal basis: contract and/or legitimate interests.
- Compliance where required by law. Legal basis: legal obligation (Art. 6(1)(c)).
5) Processor / customer role (B2B usage)
If you use the Service on behalf of an organization, that organization is typically the controller of Customer content. We act as a processor for such Customer content and process it on the customer's instructions. Customers are responsible for ensuring that they have a lawful basis to process personal data of their end users.
6) Sharing
We do not sell personal data. We may share data with:
- Service providers (processors) that host infrastructure and support delivery of the Service (e.g., hosting, email, monitoring), under appropriate contracts.
- Authorities if required by law.
- Business transfers (merger/acquisition), with appropriate safeguards.
7) International transfers
Our database and primary hosting are located in Europe (EU/EEA). If a transfer outside the EU/EEA ever occurs, we will use appropriate safeguards such as Standard Contractual Clauses.
8) Retention
We keep personal data only as long as needed for the purposes described above:
- Account and Service data: while the account is active and as required to provide the Service.
- Customer content: until you delete it or your account is deleted, subject to technical backup retention. Backups are rotated and overwritten, and deletion from backups happens automatically as part of the backup lifecycle.
- Security and access logs: typically up to 90 days, unless we must keep them longer for security investigations or legal reasons.
- Support communications: typically up to 24 months.
9) Security
We apply reasonable technical and organizational measures to protect personal data (access controls, encryption in transit, backups, logging, least-privilege access). Access to personal data is limited to authorized personnel. No method of transmission or storage is 100% secure.
10) Your rights (EU/EEA)
You may have the right to access, correct, delete, restrict or object to processing, and request data portability. To exercise your rights, contact support@hcapp.ee. We typically respond within 30 days.
11) Data Processing Agreement (DPA)
Where required, a Data Processing Agreement (DPA) is available upon request or incorporated into the applicable terms. You can also review it here: /dpa/.
12) Facebook and Meta Platform Integration
HCApp allows users to connect their Facebook Pages in order to receive and manage customer messages within the Service.
When a Facebook Page is connected, HCApp may access and process the certain data provided through the Meta Platform APIs, including:
- Facebook Page identifiers
- Messenger conversation data
- Message content
- Sender identifiers provided by Facebook
- Page access tokens (securely stored and encrypted)
This data is processed solely to provide messaging functionality within the Service, including:
- Receiving messages from connected Facebook Pages
- Creating structured workflow tasks based on incoming conversations
- Allowing authorized users to respond to customer inquiries
Facebook data is not retained longer than necessary to provide the messaging functionality and is subject to the retention rules described in Section 8.
HCApp does not use Facebook data for advertising, profiling, or marketing purposes.
Users may disconnect their Facebook Page at any time through the application settings. Upon disconnection, HCApp removes the stored access token and stops receiving new messages from the Page.
13) Data Deletion
Users may request deletion of their personal data at any time.
Data may be deleted by:
- Deleting their account within the Service;
- Disconnecting a Facebook integration within the application settings; or
- Sending a verified deletion request to support@hcapp.ee.
Upon verified request, HCApp will delete or anonymize relevant personal data in accordance with applicable laws and contractual obligations.
14) Data Retention
HCApp retains customer communication data and related records only for as long as necessary to provide services to its users or as required by applicable law.
15) Complaints (Estonia)
You can lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): https://www.aki.ee.
16) Children
The Service is not intended for children under 16. We do not knowingly collect personal data from children.
17) Changes
We may update this Privacy Policy from time to time by posting a new version on this page.