Is BambooHR safe with your data?

BambooHR

BambooHR LLC

64/100

Partial disclosure · high confidence

BambooHR earns a C (64/100) because it discloses its data practices only in part.

#74

of 177 apps ranked

score · HR & recruiting avg 65

-1

vs category average

Grade scaleA · 85–100B · 70–84C · 55–69D · 40–54F · 0–39

BambooHR's September 2025 privacy notice grants named data-subject rights and lists its international-transfer safeguards, but says nothing about AI model training or breach notification, which places it in the middle of the C band. The transfer mechanisms (EU SCCs, UK IDTA, adequacy, and EU-U.S. Data Privacy Framework certification) are quoted verbatim in the snapshot, so the supporting evidence is genuine and no dealbreaker right is reserved.

What BambooHR's privacy policy says about your data

Full GDPR rights with named channels

The notice grants access, deletion, portability, rectification, restriction, objection, and consent withdrawal. Users can exercise them through a dedicated request form, a toll-free number, and individualrights@bamboohr.com.

Named transfer safeguards

International transfers rely on EU Standard Contractual Clauses or the UK International Data Transfer Agreement, adequacy decisions, and certified participation in the EU-U.S. Data Privacy Framework.

Silent on AI training and breach notice

The policy never states whether customer or user data trains AI models, and it gives no data-breach notification commitment or timeframe. Both indicators score zero because the policy is silent on them, not because it makes an adverse commitment.

Retention anchored to a long, vague standard

Retention is described as as long as necessary to fulfill the purpose, with payroll data kept for at least ten years. This is a vague standard, and the policy gives no defined deletion timeline.

What the policy is silent or vague on

Not stated: keeping user inputs out of model training
Not stated: a way to opt out of training
Not stated: whether training use differs by plan
Not stated: your ownership of generated outputs

BambooHR privacy rating

Training-data use0 of 4 disclosed

Keeps user inputs out of model training, or makes training opt-inSilent

Names a way to opt out of or into trainingSilent

Says whether training use differs by plan or tierSilent

Lets the user keep ownership of generated outputsSilent

Data-subject rights5 of 5 disclosed

Grants a right to access your dataDisclosed

Grants a right to delete your dataDisclosed

Offers data portability in a usable formatDisclosed

Grants a right to correct your dataDisclosed

Grants a way to object to or opt out of processingDisclosed

Retention and deletion0 of 3 disclosed

States a retention period for your dataPartial

States a deletion timeline after closure or requestPartial

Sets a shorter retention for AI conversation logsNot applicable

Commits to collecting only the data it needsPartial

Third-party sharing3 of 5 disclosed

Lists the categories of third parties it shares withDisclosed

References a sub-processor list or data processing agreementPartial

Does not sell or share data for advertising, or offers opt-outPartial

Names a safeguard for international data transfersDisclosed

States a standard for government and law-enforcement accessDisclosed

Transparency3 of 3 disclosed

Discloses that you are interacting with AINot applicable

Marks AI-generated or synthetic outputNot applicable

Enumerates the categories of data it collectsDisclosed

Maps processing purposes to legal basesDisclosed

Is versioned and dated, with change noticeDisclosed

Sensitive data and children1 of 2 disclosed

Discloses automated decisions and a human-review pathNot applicable

Limits the use of special-category dataPartial

Governs biometric data specificallyNot applicable

States protections for children's dataDisclosed

Security and accountability2 of 3 disclosed

Describes its security safeguardsDisclosed

Commits to breach notificationSilent

Names a certification or a privacy contactDisclosed

DisclosedPartialSilentAdverseNot applicable

Details

Category: HR & recruiting
Modalities: text
Processes biometrics: No
Policy last updated: 2025-09-01
Region scored: Global / US-default
Assessed: 2026-06-20

Read BambooHR's privacy policy

Other hr & recruiting apps

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.