Humu Services Privacy Statement

Last updated: September 29, 2021

This statement (“Services Privacy Statement”) provides information about how Humu, Inc. (“Humu”) collects and uses personal data through the Humu Service. In this Services Privacy Statement, we use the following terms: 

  • Humu Service is Humu’s software-as-a-service application that supports companies, teams and employees to create better workplaces. The Humu Service combines organizational data, diagnostics, analyses, and suggestions (which we call “Nudges”) to drive positive behavioral change within organizations. As described in more detail below, the Humu Service includes Nudges, web and mobile Applications (including Microsoft Teams), and Surveys.
  • Employer is a customer of Humu that, on behalf of itself, its parent company or an affiliate, has contracted with Humu to provide the Humu Platform.
  • Employee or You is an individual who interacts with the Humu Platform as an employee, contractor, advisor or person holding a similar position with the Employer.  

Information about Humu

Humu Inc. is a third party service provider acting on behalf of your Employer. Your Employer controls which Employees are included in the Humu Service, the personal data it shares with Humu, and how such personal data is collected and used as part of the Humu Service. 

Under many data protection laws, including those in Europe, Humu is considered a “data processor” to our customers, and your Employer is considered a “data controller.” As the data controller, your Employer is responsible for complying with laws that may require notice, disclosure or consent related to the transfer of data to Humu or its use in the Humu Services. Humu enters into agreements with our customers that legally obligate Humu to protect data we receive or are directed to collect, and use it only to provide the Humu Services.

For more detailed privacy information, please reach out to your Employer directly. Humu is not responsible for the privacy or data security practices of Humu customers, which may differ from those set forth in this Privacy Statement.

Collection & Use of Personal Data

The Humu Service is aimed at assessing certain workforce characteristics, such as happiness, and supporting behavior change within your Employer’s workforce. To begin the Humu Service, your Employer shares with Humu certain information such as your name, email address, and details about your position at your Employer from its internal HR database. This information is used to enable Employees to participate in the Humu Services. Additional data may be collected and used through use of the Humu Services, as follows: 

Humu Nudges. The Humu Services may include Nudges, which are scientifically based suggestions sent to Employees (e.g., via email or messaging system), to drive positive behavioral change within organizations. Humu’s customers determine which of their Employees will receive Nudges. Nudges include options for Employees to provide feedback on the Nudges, such as indicating whether they find the Nudge relevant to their role.

Humu Applications. The Humu Services may include Humu Applications, which are web or mobile applications that present insights reports, dashboards, preference selections or configuration tools. Humu Applications include Humu for Microsoft Teams.

Humu Surveys. The Humu Services may include Humu Surveys, which are sent to Employees to solicit feedback about their experiences in their workplace or topics on which they may want to receive Nudges. Humu will process your survey responses to create insight reports based on aggregate answers, tailor the Nudges you or your team may receive, create a manager profile that is accessed by that manager through a development dashboard, or create dashboard tools for managers and human resources personnel to access data. Responding to Humu Surveys is entirely voluntary. 

Log Data. Humu receives information when you use Humu Services, which are referred to as “Log Data,” even if you have not created an account. This Log Data includes information such as your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device information (including device and application IDs), search terms, and cookie information. We also receive Log Data when you click on, view, or interact with links on our Services. We use Log Data to operate our Services and ensure their secure, reliable, and robust performance. For example, we use Log Data to protect the account security for Employees.

Recipients of the Personal Data

Access to your data processed in Humu is restricted to:

  • Humu Customers. Your Employer may provide its authorized users access to data processed in Humu for analytics and management of its use of the Humu Services. More information about how the customer may access or use the data is typically included in the communications provided to Employees when the Humu program is launched. If you have further questions about how your Employer may access data collected by Humu, please contact your Employer. 
  • Humu Staff. Authorized Humu staff may also have access to your personal data when carrying out data analysis, providing support in response to user requests, or performing technical maintenance on the Services. Access is provided to Humu staff only as needed, using secure role-based authentication, and under security policies, procedures, and controls certified under ISO 27001:2013 and SOC 2 Type 2. 
  • Service Providers. A small number of service providers that may perform some tasks as part of providing the Humu Services; not all providers are used for all Employers. The types of services include:
  • Cloud hosting: Our data, processing, and service are hosted in the cloud.
  • Email delivery: We use a service to send you email, such as invitations to take the Humu Survey and Nudges.
  • Support tickets: We use services to route and handle trouble tickets that you file.
  • Log analysis: We use a service to analyze a limited amount of site traffic and weblog data (e.g. to alert engineers when a server isn’t working correctly, to plan when we should buy more server capacity) and debug issues.

Humu Does Not Sell Your Data

Humu does not sell your data. When we provide the Humu Service, we do not process personal data for any commercial purpose other than providing our clients the products and services they have purchased, or retain, use or disclose personal data outside of the scope of the agreements we have with our customers. We may also use aggregated or deidentified usage data for the purposes of improving the Humu product and services.


The Humu Services collect certain data using cookies.  For more information about the cookies that we use and the choices available to you, please see our Cookie Notice. The Humu Services also may automatically collect certain device and usage information when you interact with our emails. We collect this information by using pixel tags, for the purpose of tracking certain activity, such as when an email is opened. 

The Humu Services may, from time to time, contain links to the websites of associated providers. If you follow a link to any of these websites, please note that these websites have their own privacy and cookie policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you use the websites and submit any personal information to these websites.

Transfer of the Personal Data outside of your country or region

Humu Services are available globally and our servers may be located outside of your region. Humu is based in the United States of America. If your data is transferred internationally, your  Employer has ensured that such transfer is subject to appropriate safeguards by, for example, putting in place the Standard Contractual Clauses adopted by the European Commission.

Retention Period

Your Humu responses, as well as any associated personal data held by the Humu service, will be deleted from Humu’s primary storage systems after a period no longer than thirty (30) days after the termination of your Employer’s contract with Humu, unless your Employer requests for it to be removed at an earlier stage, and thereafter retained only in Humu’s backup systems until automatically deleted in accordance with our retention policy and legal obligations.


Humu maintains a comprehensive security program with appropriate organizational and technical security practices measures to protect data we collect. We are an ISO 27001:2013 and SOC 2 Type 2 certified provider whose Information Security Management System (ISMS) has received third party accreditation. While we follow generally accepted standards to protect data, no method of storage or transmission is 100% secure. You are solely responsible for protecting your password, limiting access to your devices and signing out of websites after your sessions.

Rights of Access, Rectification and Erasure

To exercise your rights of access, rectification, erasure and any other rights relating to your personal data that you are entitled to, refer to the privacy communications of your Employer. 

If you are in a country with a national or regional data protection authority, you also have the right to lodge a complaint with your data protection supervisory authority. If your Employer has an EU-approved complaint resolution mechanism under its Binding Corporate Rules, you should consult those.

Disclosure of Data for Legal Obligations 

Humu will provide data discussed in this policy to any competent law enforcement body, regulatory, government agency, court or other third party where necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Humu’s legal rights, or (iiii) to protect the vital interests of our Customers and their Employees, or those of any other person. When requested by legal authorities to disclose personal data, Humu will inform the court of various factors justifying confidentiality and Customer or Employee anonymity. Humu will communicate with the affected Employer as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale 

If Humu is involved in a merger, acquisition or sale of all or a portion of its assets, Humu may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.


We review this Services Privacy Statement regularly and may modify it from time to time. This Services Privacy Statement was last updated September 29, 2021.

Contact us

If you have any questions or comments about this Statement or the practices of this website, or unresolved privacy and data use concerns, or if you wish to lodge a complaint about our privacy practices, please contact Humu by emailing, faxing (650) 321-3156, calling (650) 321-3000, or writing Attention: Privacy, Humu, Inc., 548 Market St, PMB 65781, San Francisco, CA 94104