01Overview
We are committed to protecting your personal information and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use KopoTeam or the Kopo Mail mobile application.
We operate across multiple jurisdictions — including Nigeria, the United States, Pakistan, and Bangladesh — and comply with applicable data protection law in each region, including the Nigeria Data Protection Act (NDPA) 2023, applicable US state privacy laws, Pakistan's Personal Data Protection Bill, and Bangladesh's Digital Security Act.
02Who We Are
KopoTeam is an enterprise employee management platform that organisations use to manage their workforce. Kopo Mail is the companion mobile application (available on iOS and Android) that gives employees access to their workplace communications and KopoTeam features on the go.
Data Controller: We are the primary data controller for all personal data processed through the Services. Where your employer has deployed KopoTeam under a corporate account, your employer may also act as a data controller for your employment data, and we act as a data processor on their behalf.
03Data We Collect
3.1 Account & Identity Information
- Full name, work email address, employee ID, and job title
- Department, office location, and reporting manager
- Profile photo (if uploaded)
- Phone number and personal bio (if provided in your profile)
- Password — stored in encrypted form; we never store your password in readable form
3.2 Employment & HR Data
- Leave requests, approval status, and leave balances
- Performance reviews, goals, and OKRs
- Payslip records including earnings (base pay, overtime, bonuses) and deductions (tax, health insurance, retirement contributions)
- Expense reports and reimbursement records — amounts, currencies, categories, and supporting receipts
- Onboarding and offboarding task completion records
- Learning and development course enrolments and progress
- Survey responses (anonymous survey responses are stored without personal linkage; named responses are linked to your account)
- Recognition and kudos given and received
- IT help desk tickets submitted
3.3 Communications Data
- Workplace email messages sent and received through Kopo Mail
- Email suppression status (if your address is on a suppression list)
- In-app and push notification delivery records
- AI HR Assistant conversation history — messages you send to the built-in assistant
3.4 Device & Technical Data
- Device type, operating system, and app version (Kopo Mail)
- Device identifiers used to deliver push notifications
- Login session credentials
- IP address and approximate geolocation derived from IP
- Browser type and user agent string
- Log data: access times, pages visited, and error reports
3.5 Documents & Files
- Documents, attachments, and files you upload to the Document Center or attach to expense reports
- Payslip PDFs generated on your behalf
3.6 Data We Do Not Collect
We do not collect precise GPS location, contacts from your device address book, microphone or camera data, biometric data, or payment card information unless a feature requiring such data is explicitly activated and disclosed to you at the point of collection. Kopo Mail does not access your device contacts, media gallery, call logs, or SMS.
04How We Use Your Data
4.1 Service Delivery
- Authenticating your identity and maintaining your session
- Providing all KopoTeam features: leave management, payslips, directory, org chart, performance, expenses, learning, and more
- Sending and receiving workplace emails through Kopo Mail
- Delivering push notifications for leave approvals, ticket updates, and announcements
- Generating payslip PDFs and document exports
4.2 Employment Administration
- Processing leave requests and routing approvals to managers
- Displaying payroll information provided by your employer
- Managing onboarding and offboarding checklists
- Supporting performance review cycles and goal tracking
- Processing and routing expense reimbursement requests
4.3 Communication & Notifications
- Sending system notifications: leave status updates, ticket updates, survey invitations
- Delivering company announcements and calendar events
- Managing email delivery, bounce handling, and suppression
4.4 Analytics & Improvement
- Generating aggregated workforce analytics reports for administrators
- Monitoring system performance, identifying bugs, and improving reliability
- Understanding feature usage to guide product improvements
4.5 Legal Compliance
- Complying with employment law, tax obligations, and regulatory requirements across all operating jurisdictions
- Responding to lawful requests from government authorities
4.6 AI HR Assistant
When you use the AI HR Assistant, your messages are sent to a third-party language model API for processing. Conversation history is kept to provide context within your session. We do not use your conversations to train AI models without your explicit consent. Do not enter sensitive personal information — such as passwords, full financial account numbers, or health details — into the assistant.
05Data Sharing
We do not sell your personal data. We share it only in the circumstances below.
5.1 Within Your Organisation
Your employer has access to employee data entered into KopoTeam. Managers can view leave requests and performance data for their direct reports. HR Admins and System Admins have broader access as required to administer the platform. Your payslip data is visible only to you and designated HR/Admin roles.
5.2 Service Providers (Sub-processors)
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure provider | Hosting, file storage, and email delivery | Documents, email events, system logs |
| Push notification provider | Delivering push notifications to your device | Device notification identifiers |
| AI service provider | Powering the AI HR Assistant | Messages you send to the assistant |
| Infrastructure provider | Secure data storage | All structured platform data |
All sub-processors are contractually bound to process data only on our instructions and to maintain appropriate security standards.
5.3 Legal Requirements
We may disclose personal data when required by law, court order, or government authority, or when necessary to protect the rights, property, or safety of our users or the public.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may transfer to the acquiring entity. We will notify affected users in advance.
06Data Storage & Security
All data is stored on encrypted servers. We apply the following measures:
- Passwords are encrypted and never stored in readable form
- All data is encrypted in transit between your device and our servers
- Uploaded files and documents are encrypted at rest
- Login sessions expire automatically and are regularly renewed
- Mobile sessions use secure credentials that refresh automatically
- Role-based access control ensures you can only see data appropriate to your role
- New accounts require administrator approval before access is granted
- Sensitive operations are logged for security purposes
While we take reasonable technical and organisational measures, no method of electronic storage is 100% secure. Use a strong, unique password and report any suspected security issues to us immediately.
07Kopo Mail Mobile App
Kopo Mail is our iOS and Android mobile application. The following disclosures apply specifically to the mobile app.
7.1 Permissions Requested
- Push Notifications: To deliver workplace alerts — leave approvals, ticket updates, announcements. You can disable this in your device settings at any time.
- Internet Access: Required to connect to our servers.
We do not request access to your camera, microphone, contacts, GPS location, or media gallery. If a future version requires any such permission, this policy will be updated and you will be explicitly prompted on the device.
7.2 Authentication on Mobile
Kopo Mail uses secure login credentials that remain active for up to 90 days, refreshing automatically as you use the app. Logging out ends your session immediately. If your device is lost or stolen, contact your HR administrator to revoke access.
7.3 Data Stored on Device
The app stores your login credentials securely on your device. Email messages and portal data are loaded from our servers as needed and are not stored persistently on your device beyond your active session.
7.4 Third-Party Services
We use third-party services to deliver push notifications to your device. These providers may collect device identifiers in accordance with their own privacy policies. We do not share any personally identifiable information with them beyond what is necessary to deliver your notifications.
08Data Retention
We retain personal data for as long as your account is active or as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
- Active employee accounts: Data retained for the duration of employment plus 7 years for payroll and tax compliance.
- Offboarded employees: Core employment records retained per applicable labour law — minimum 5–7 years depending on jurisdiction.
- Leave and expense records: Retained for 7 years.
- AI Assistant chat logs: Retained for 90 days, then automatically deleted.
- Push notification identifiers: Removed when you log out or uninstall the app.
- Deleted accounts: Personal data purged within 30 days of a verified deletion request, except where retention is legally required.
09Your Rights
Depending on your jurisdiction, you may have the following rights over your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that inaccurate or incomplete data be corrected. You can update many details directly on your Profile page.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
To exercise your rights, email privacy@kopoteam.com. We will respond within 30 days. Some rights are limited where we are required by law to retain data or where the request relates to data controlled by your employer.
9.1 Nigeria (NDPA 2023)
Nigerian residents may file a complaint with the Nigeria Data Protection Commission (NDPC) if they believe their data rights have been violated.
9.2 United States
Residents of California (CCPA/CPRA), Virginia (VCDPA), and other US states with enacted privacy laws have additional rights under those laws. We do not sell personal information as defined under the CCPA.
11Children's Privacy
The Services are intended solely for adults in a professional employment context. We do not knowingly collect personal information from individuals under the age of 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
12International Data Transfers
We operate globally. Your data may be processed in countries other than where you reside, including the United States where our primary cloud infrastructure is hosted. When transferring data across borders we apply appropriate safeguards — including standard contractual clauses — and ensure sub-processors maintain equivalent levels of data protection.
13Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last Updated" date above and, where appropriate, send an in-app notification or email. Continued use of the Services after the effective date constitutes acceptance of the revised policy.
14Contact Us
For questions, concerns, or requests about this Privacy Policy or our data practices:
KopoTeam — Data Privacy Team
Email: privacy@kopoteam.com
Subject line: Privacy Request – [Your Name]
For urgent security concerns, email security@kopoteam.com.