Trust Center

How BurnoutZero protects employee data. Last updated 6/17/2026.

Enforced privacy guarantees

  • k-anonymity floor: a manager never sees a team aggregate computed from fewer than the configured minimum of consenting members.
  • Consent as the join key: only data from employees who opted in is ever included in any aggregate.
  • Differencing protection: aggregates are withheld when comparing two cohorts could re-identify an individual.
  • No individual burnout score, check-in, or activity ever reaches a manager or admin — only privacy-protected aggregates.
  • Single sign-on (OIDC/SAML) and SCIM provisioning run on our own infrastructure — no third-party identity broker.

Employee data rights

  • Self-service data export: any employee can download a complete JSON copy of their own data at any time.
  • Right to erasure: any employee can permanently delete their account and data themselves.
  • Configurable retention: each organization sets how long reports and health snapshots are kept (1–60 months).
  • Legal hold: organizations can suspend deletion for litigation or audit.

Hosting & sub-processors

Primary application and database hosting is in the EU (Hetzner, Finland/Germany).

Sub-processor | Purpose | Location
Hetzner Online GmbH | Application & database hosting | EU (Finland / Germany)
OpenAI | AI insight generation (no individual data used for training) | USA
Stripe | Subscription billing | USA / EU
Google | Calendar integration (only when an employee connects it) | USA / EU

Compliance

  • GDPR: Compliant — data rights, retention, works-council attestation built in
  • SOC 2 Type II: Readiness program in progress

For security questions or to report a vulnerability: security@burnoutzero.com