Privacy Policy
Last updated: 9 April 2026
1. Introduction
Luna HR (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our HR management platform and website.
Luna HR is operated by A2Z Tech Ltd, registered in England and Wales. We act as a data processor on behalf of our customers (your employer), who act as the data controller.
2. Data We Collect
We collect the following categories of personal data:
- Account information — name, email address, job title, and profile photo provided during registration or by your employer
- Employment data — employee number, department, start date, working pattern, and role as configured by your employer
- Leave and absence data — leave requests, balances, sick leave records, and fit notes
- Expense data — expense reports, receipt uploads, mileage claims, and payment information
- Training records — course completions, certifications, and CPD hours
- Documents — files uploaded to the filing cabinet, e-signatures, and onboarding documents
- Usage data — login times, pages visited, and feature interactions for analytics and support
- Device information — browser type, operating system, and IP address for security purposes
3. How We Use Your Data
We use your personal data to:
- Provide and operate the Luna HR platform as directed by your employer
- Process leave requests, expense reports, and approval workflows
- Send transactional notifications (approvals, reminders, status updates)
- Generate reports and analytics for your employer's HR team
- Provide AI-powered assistance through Luna AI (when enabled)
- Maintain security, prevent fraud, and enforce our terms of service
- Improve our platform through aggregated, anonymised usage analytics
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Contractual necessity — to provide the services your employer has contracted us to deliver
- Legitimate interests — to maintain platform security, prevent abuse, and improve our services
- Legal obligation — to comply with UK employment law, HMRC requirements, and data protection regulations
- Consent — for optional features such as AI chat, wellness surveys, and notification preferences (which you can withdraw at any time)
5. Data Sharing
We do not sell your personal data. We share data only with:
- Your employer — as the data controller, they have access to your employment data through the platform
- Service providers — we use trusted third parties to operate our platform, including Convex (database), Clerk (authentication), Resend (email delivery), and Stripe (payment processing)
- Legal authorities — when required by law, regulation, or legal proceedings
All third-party providers are bound by data processing agreements and are required to handle your data in accordance with UK GDPR.
6. Data Retention
We retain your personal data for as long as your employer maintains an active account with us. When an employee leaves, your employer controls the retention period through their data retention policy settings.
After account deletion, we retain anonymised, aggregated data for analytics purposes. Backup copies are purged within 90 days of deletion.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest
- Role-based access controls within the platform
- Multi-factor authentication for user accounts
- Regular security assessments and penetration testing
- Incident response procedures with 72-hour breach notification
8. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (subject to legal obligations)
- Restriction — request limitation of processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — for consent-based processing, at any time
To exercise these rights, contact your employer (as data controller) or email us at privacy@lunahr.co.uk.
9. International Transfers
Your data is primarily processed within the United Kingdom and European Economic Area. Where data is transferred outside the UK/EEA (for example, to cloud infrastructure providers), we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the platform or by email. Your continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Luna HR (A2Z Tech Ltd)
Email: privacy@lunahr.co.uk
Website: lunahr.co.uk