Privacy Policy

• Email address (for account creation and magic link authentication)
• Conversation content with the AI HR Advisor
• Intake notes and booking details for consultant sessions
• Payment information (processed by Stripe; we do not store card numbers)
• Consultant application information (name, bio, certifications, states)

• Contact basics (name, email, phone, LinkedIn URL, state, country)
• Professional history (role, years of experience, industries, expertise)
• Current employer and other corporate consulting clients (used to populate your matching-pool exclusion list and to manage conflicts of interest)
• Rate expectations, weekly availability, and insurance status
• Open-text answers ("Why HeHRa," "Best at," additional info, referral source)
• Uploaded credential files (PDF, JPG, PNG, or HEIC) such as certificates, licenses, and transcripts
• Consent records (scope acknowledgment, independent-contractor acknowledgment, truthfulness and Terms/Privacy consent)
• Session metadata (UTM parameters, referrer, IP address, user agent) used to understand how applicants found the page and to deter abuse

• Usage data and analytics (via Vercel Analytics)
• Device type, browser type, and IP address
• Pages visited and features used

• Provide, maintain, and improve the Service
• Process transactions and send related information (receipts, confirmations)
• Send transactional emails (booking confirmations, account notifications)
• Facilitate consultant-client connections and bookings
• Monitor and analyze usage patterns and trends
• Comply with legal obligations

• With Consultants: When you book a consultation, your intake notes and contact information are shared with the booked consultant to prepare for your session.
• With HeHRa Reviewers (Advocate applications): Advocate applications — including open-text answers, credential files, and disclosures — are shared with the HeHRa team members responsible for reviewing applications and with any third parties we engage specifically for credential or reference verification.
• Service Providers: We use Stripe and Stripe Connect (payments and advocate payouts), Supabase (database and private file storage), Anthropic (AI), Resend (email), and Vercel (hosting) to operate the Service.
• Legal Requirements: When required by law, subpoena, or to protect our rights.

• Access your personal data by logging into your account
• Delete your account and associated data by contacting us at privacy@hehra.com
• Opt out of non-essential communications

This section supplements Sections 2, 5, and 8 for HeHRa Advocate applicants and accepted Advocates.

Advocate application data is stored in our Supabase database with Row Level Security enabled. Uploaded credential files are stored in a private Supabase Storage bucket (advocate-credentials) that is not publicly accessible. Review-time access to credential files happens via short-lived signed download URLs issued to authorized HeHRa reviewers (default expiration: seven days).

• Accepted Advocates. Application data and verified credential files are retained while your Advocate account is active and for one (1) year after offboarding, after which they are deleted unless we are legally required to retain them longer.
• Declined applicants. Application data is retained for ninety (90) days after the decline decision; uploaded credential files are deleted automatically at the end of that window. Summary analytics data (without identifying information) may be retained longer to evaluate recruiting patterns.
• Pending review. While your application is in review, data is retained until a decision is made.
• Applicant-initiated deletion. You may request deletion of your application and any associated credential files at any time by emailing advocates@hehra.com. We will honor the request within thirty (30) days, except where we are legally required to retain specific records.

The employer and other-clients information you disclose is used to populate your matching-pool exclusion list. We do not publish this information on your public Advocate profile, and we do not share it with clients; it is used internally to route matches.

Advocate payouts are processed through Stripe Connect. Stripe collects and stores the identification data required by its Know-Your-Customer (KYC) obligations directly; HeHRa receives only the account status and transfer metadata it needs to operate the payout pipeline. Stripe's privacy policy governs Stripe's handling of that data.