Privacy Policy

• Email address (for account creation and magic link authentication)
• Conversation content with the AI HR Advisor
• Intake notes and booking details for consultant sessions
• Payment information (processed by Stripe; we do not store card numbers)
• Consultant application information (name, bio, certifications, states)

• Contact basics (name, email, phone, LinkedIn URL, state, country)
• Professional history (role, years of experience, industries, expertise)
• Current employer and other corporate consulting clients (used to populate your matching-pool exclusion list and to manage conflicts of interest)
• Rate expectations, weekly availability, and insurance status
• Open-text answers ("Why HeHRa," "Best at," additional info, referral source)
• Uploaded credential files (PDF, JPG, PNG, or HEIC) such as certificates, licenses, and transcripts
• Consent records (scope acknowledgment, independent-contractor acknowledgment, truthfulness and Terms/Privacy consent)
• Session metadata (UTM parameters, referrer, IP address, user agent) used to understand how applicants found the page and to deter abuse

• Usage data and analytics (via Vercel Analytics and product analytics)
• Device type, browser type, and IP address
• Pages visited and features used

• Provide, maintain, and improve the Service
• Process transactions and send related information (receipts, confirmations)
• Send transactional emails (booking confirmations, account notifications)
• Facilitate consultant-client connections and bookings
• Monitor and analyze usage patterns and trends
• Comply with legal obligations

• With Consultants: When you book a consultation, your intake notes and contact information are shared with the booked consultant to prepare for your session.
• With HeHRa Reviewers (Advocate applications): Advocate applications — including open-text answers, credential files, and disclosures — are shared with the HeHRa team members responsible for reviewing applications and with any third parties we engage specifically for credential or reference verification.
• Service Providers: We use Stripe and Stripe Connect (payments and advocate payouts), Supabase (database and private file storage), Anthropic (AI), Resend (email), and Vercel (hosting and analytics) to operate the Service.
• Legal Requirements: When required by law, subpoena, or to protect our rights.

• Access your personal data by logging into your account
• Delete your account and associated data by contacting us at privacy@hehra.com
• Opt out of non-essential communications

If you are a resident of a US state with a comprehensive consumer privacy law — currently including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia — you may have some or all of the following rights regarding your personal information. These rights are not absolute and may be limited by applicable law.

• Right to know whether we are processing your personal information, and to access it
• Right to correct inaccuracies in your personal information
• Right to delete your personal information
• Right to obtain a copy of the personal information you previously provided, in a portable format
• Right to opt out of the sale of personal information, targeted advertising, or profiling that produces legal or similarly significant effects
• Right to limit the use and disclosure of sensitive personal information
• Right to non-discrimination for exercising any of these rights

We do not sell your personal information, we do not share it for cross-context behavioral or targeted advertising, and we do not use it for profiling that produces legal or similarly significant effects about you.

The AI HR Advisor lets you enter free-text information, which may include sensitive details about your employment situation. We process this information only to provide the Service and only with your consent or as otherwise permitted by law. We do not use sensitive personal information to infer characteristics about you.

Email privacy@hehra.com with the request you would like to make. You may also use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of your written authorization and may still ask you to verify your own identity directly.

To protect your information, we will take reasonable steps to verify your identity before acting on a request. We use the information you provide in a request only to verify identity and to respond to the request.

If we decline to act on your request and your state's law provides an appeal right, you may appeal by emailing privacy@hehra.com with "Privacy Appeal" in the subject line. We will respond in writing with our decision and the reasons for it. If your appeal is denied, you may contact your state attorney general.

This section supplements Sections 2, 5, and 9 for HeHRa Advocate applicants and accepted Advocates.

Advocate application data is stored in our Supabase database with Row Level Security enabled. Uploaded credential files are stored in a private Supabase Storage bucket (advocate-credentials) that is not publicly accessible. Review-time access to credential files happens via short-lived signed download URLs issued to authorized HeHRa reviewers (default expiration: seven days).

• Accepted Advocates. Application data and verified credential files are retained while your Advocate account is active and for one (1) year after offboarding, after which they are deleted unless we are legally required to retain them longer.
• Declined applicants. Application data is retained for ninety (90) days after the decline decision; uploaded credential files are deleted automatically at the end of that window. Summary analytics data (without identifying information) may be retained longer to evaluate recruiting patterns.
• Pending review. While your application is in review, data is retained until a decision is made.
• Applicant-initiated deletion. You may request deletion of your application and any associated credential files at any time by emailing advocates@hehra.com. We will honor the request within thirty (30) days, except where we are legally required to retain specific records.

The employer and other-clients information you disclose is used to populate your matching-pool exclusion list. We do not publish this information on your public Advocate profile, and we do not share it with clients; it is used internally to route matches.

Advocate payouts are processed through Stripe Connect. Stripe collects and stores the identification data required by its Know-Your-Customer (KYC) obligations directly; HeHRa receives only the account status and transfer metadata it needs to operate the payout pipeline. Stripe's privacy policy governs Stripe's handling of that data.