Privacy Policy

Under the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act · Last updated 8 June 2026
General information. This Privacy Policy explains how The Human-First Shift processes personal data. It is written to align with the GDPR and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus). It is general information, not legal advice. Please complete your registered company details and review the text before relying on it.

1. Who we are (Controller)

The controller responsible for personal data processed via this website, within the meaning of Article 4(7) GDPR, is The Human-First Shift, a brand and service operated by The Talent Seed OÜ (registry code 17070921), Ahtri tn 12, 15551 Tallinn, Estonia. You can contact us at team@thehumanfirstshift.com. Full company details are in our Imprint.

2. Data Protection Officer

We appoint a Data Protection Officer where this is required under Article 37 GDPR. For any privacy matter you can always reach us at team@thehumanfirstshift.com.

3. The personal data we process

a. Visitors to this website

b. Customers and platform users

c. Employee data (our role as processor)

When a customer uses our platform, we process personal data about their employees on the customer's behalf and on their documented instructions. In that context the customer is the controller and we act as a processor under Article 28 GDPR, governed by a data processing agreement. Diagnostic responses are aggregated (minimum group size) and pseudonymised; reports are not designed to identify individuals.

4. Purposes and legal bases

5. Hosting and storage

Our website and platform run on infrastructure located in the European Union / European Economic Area, under data processing agreements with our providers. EU/EEA data residency options are available for customer data.

6. Cookies

We use strictly necessary cookies to operate the site. Any non-essential cookies (e.g. analytics) are set only with your prior consent, in line with the Estonian Electronic Communications Act and the GDPR. You can withdraw consent at any time through your browser or our cookie settings where provided.

7. Recipients and processors

We do not sell personal data. We share it only with service providers that process it on our behalf under Article 28 GDPR (e.g. hosting, email and form providers), each bound by a data processing agreement. A current list of processors is available on request.

8. International transfers

Where personal data is transferred outside the EEA, we rely on an adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses, with supplementary measures where required.

9. Retention

We keep personal data only as long as necessary for the purposes described above or as required by law (e.g. accounting and tax retention periods under Estonian law). Configurable retention controls are available for customer and employee data.

10. Your rights

Subject to the conditions in the GDPR, you have the right to: access your data (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction (Art. 18); data portability (Art. 20); object to processing based on legitimate interests (Art. 21); and withdraw consent at any time without affecting prior lawful processing (Art. 7(3)). To exercise these rights, contact team@thehumanfirstshift.com. Where we process employee data as a processor, please direct requests to your employer (the controller); we will assist them in responding.

11. Right to lodge a complaint

If you believe our processing infringes data-protection law, you may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia — www.aki.ee — or with the supervisory authority in your country of residence or work.

12. How we protect personal data

We apply appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, audit logging, and regular review of our security practices. No method of transmission or storage is entirely secure, but we work to protect personal data using recognised, industry-standard safeguards.

13. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or in the law. The current version is always available on this page with its effective date.

14. Contact

For any question about this policy or your personal data, contact us at team@thehumanfirstshift.com.