
Is Personio safe with your data?

Personio (Personio SE)

Grade C · 58/100 · Partial disclosure · medium confidence

Personio earns a C (58/100) because it discloses its data practices only in part.

  • Rank: #111 of 177 apps ranked
  • Score: 58 (HR & recruiting avg 65)
  • Difference vs category average: -7

Grade scale: A · 85–100, B · 70–84, C · 55–69, D · 40–54, F · 0–39

Personio's notice is a GDPR-based privacy policy for its website and marketing. It grants data subject rights, names international transfer safeguards including Standard Contractual Clauses and the EU-U.S., UK and Swiss Data Privacy Frameworks with a U.S. Department of Commerce certification, commits not to sell or share data without consent, and gives numeric retention periods. Its main limitation is scope: the policy expressly excludes the Personio HR product and subscriber data, and says nothing about AI training, output ownership or named security controls. The notice also states that Personio does not profile users or make automated decisions using artificial intelligence, so no inputs are described as feeding model training.

What Personio's privacy policy says about your data

States it does not use AI or automated decisions

The notice says "We do not profile you or make decisions based on automated processes such as artificial intelligence," so no user inputs are described as training any model.

Named international transfer safeguards

Transfers rely on adequacy decisions, "Standard Contractual Clauses" and the EU-U.S., UK and Swiss Data Privacy Frameworks, with Personio Corp. certified to the U.S. Department of Commerce.

Full data subject rights with a route to exercise them

Access, rectification, erasure, restriction, portability ("obtain a copy of the data"), objection and consent withdrawal are all granted, exercised through a named form and the appointed external DPO Bitkom Servicegesellschaft mbH.

Does not sell, with numeric retention periods

Personio states it "will not disclose your personal data to third parties for purposes other than those specified... without your explicit consent" and gives concrete retention such as "up to 30 days" for web data and "2 years" for marketing data.

What the policy is silent or vague on

  • Not stated: a way to opt out of training
  • Not stated: whether training use differs by plan
  • Not stated: your ownership of generated outputs
  • Not stated: breach notification

Personio privacy rating

Training-data use (1 of 4 disclosed)
  • Keeps user inputs out of model training, or makes training opt-in: Disclosed
  • Names a way to opt out of or into training: Silent
  • Says whether training use differs by plan or tier: Silent
  • Lets the user keep ownership of generated outputs: Silent

Data-subject rights (5 of 5 disclosed)
  • Grants a right to access your data: Disclosed
  • Grants a right to delete your data: Disclosed
  • Offers data portability in a usable format: Disclosed
  • Grants a right to correct your data: Disclosed
  • Grants a way to object to or opt out of processing: Disclosed

Retention and deletion (1 of 3 disclosed)
  • States a retention period for your data: Partial
  • States a deletion timeline after closure or request: Partial
  • Sets a shorter retention for AI conversation logs: Not applicable
  • Commits to collecting only the data it needs: Disclosed

Third-party sharing (4 of 5 disclosed)
  • Lists the categories of third parties it shares with: Disclosed
  • References a sub-processor list or data processing agreement: Disclosed
  • Does not sell or share data for advertising, or offers opt-out: Disclosed
  • Names a safeguard for international data transfers: Disclosed
  • States a standard for government and law-enforcement access: Partial

Transparency (3 of 4 disclosed)
  • Discloses that you are interacting with AI: Disclosed
  • Marks AI-generated or synthetic output: Not applicable
  • Enumerates the categories of data it collects: Disclosed
  • Maps processing purposes to legal bases: Disclosed
  • Is versioned and dated, with change notice: Partial

Sensitive data and children (2 of 2 disclosed)
  • Discloses automated decisions and a human-review path: Not applicable
  • Limits the use of special-category data: Disclosed
  • Governs biometric data specifically: Not applicable
  • States protections for children's data: Disclosed

Security and accountability (1 of 3 disclosed)
  • Describes its security safeguards: Partial
  • Commits to breach notification: Silent
  • Names a certification or a privacy contact: Disclosed

Legend: Disclosed · Partial · Silent · Adverse · Not applicable

Details

  • Category: HR & recruiting
  • Modalities: text
  • Processes biometrics: No
  • Policy last updated: 2025-10-01
  • Region scored: Global / US-default
  • Assessed: 2026-06-20

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information.
