Privacy Policy

1. What we collect

Identity (Auth0 sub, email, optional display name), employment record fields you or your HR administrator enter (name, address, role, hours, status), uploaded artifacts (training certificates, policy documents), workforce activity (schedules, time-off, tasks, training verifications), and anonymized policy-bot queries. Payment-card data is intentionally not collected.

Time clock data.When your organization uses HRDepth's Time Clock module, each clock-in / clock-out captures the IP address of the device used and (when you grant permission via the browser's standard prompt) the device's approximate latitude / longitude and GPS accuracy radius. We use this to flag punches that appear to be outside your worksite or off your organization's allowlisted network — capture-and-flag for manager review only; we never block or auto-correct a punch on geo or IP grounds. Denying the geolocation prompt does not prevent you from clocking in.

2. How we use it

To run the workforce-management service you and your organization signed up for. We do not sell your data. We do not use your data to train external AI models; policy-chatbot embeddings stay scoped to your organization’s active documents.

3. Where it lives

Postgres on Railway (US region). Cloudflare R2 for uploaded files. Auth0 for credentials and SSO. Resend for transactional email. We do not transfer data outside these processors during the Pilot.

4. Retention

Active employment records are retained for the lifetime of your organization’s HRDepth use plus a compliance window after termination. Anonymized policy-bot queries are purged after 90 days. Audit log entries are retained as long as the organization is active.

5. Your rights

Utah UCPA: Utah residents may request access to, deletion of, and a portable copy of personal data we hold about them. Requests are processed within 45 days. California CCPA (best-effort): California residents may exercise equivalent rights via the same intake.

6. How to make a request

Email the Privacy Contact below with your verified account email. We’ll respond within 5 business days and complete the request within 45 days. We may require additional verification for sensitive actions (deletion, export of another person’s data).

7. Breach notification

If we identify a personal-data breach, we’ll notify affected accounts and applicable regulators within 72 hours of confirmation, per our Breach Runbook.

8. Sub-processors

HRDepth engages the following third-party services to deliver the workforce-management product. Each operates under its own published privacy policy; we contract on confidentiality and data-handling terms before any customer data is shared. We will notify customers prominently before adding a new sub-processor.

• Auth0 (Okta)

  Privacy policy

  Authentication, SSO, password / MFA management.

  Location: United States

• Railway

  Privacy policy

  Application hosting and Postgres database hosting.

  Location: United States

• Cloudflare (R2)

  Privacy policy

  Encrypted file storage for uploaded artifacts (training certificates, policy documents).

  Location: United States (data plane)

• Resend

  Privacy policy

  Transactional email delivery (notifications, invitations, reminders).

  Location: United States

• OpenAI

  Privacy policy

  Embeddings and language-model inference for the policy chatbot. Inputs are not used to train OpenAI models.

  Location: United States

• Anthropic

  Privacy policy

  Optional language-model inference provider for the policy chatbot when configured. Inputs are not used to train Anthropic models.

  Location: United States

• StripePending engagement

  Privacy policy

  Subscription billing and tax collection. Engaged at Y0 launch (D16).

  Location: United States

• Independent security audit vendorPending engagement

  Privacy policy

  Annual paid security audit. Specific vendor named once engaged (founder Phase 2).

  Location: TBD