← Legal HubVersion 1.0 — Effective April 1, 2026

Privacy Policy

HR ComplyOS — Last updated April 1, 2026

HR ComplyOS ("we", "us", or "our") operates the HR compliance tracking platform available at hrcomplyos.com. This Privacy Policy explains how we collect, use, protect, and share your information when you use our Service.

1. Information We Collect

We collect the following categories of information:

Account information: Organization name, administrator email address, password (hashed), billing information.
Employee records: Employee names, email addresses, job titles, hire dates, employment status, and compliance assignment data entered by your HR administrators.
Compliance data: Compliance item statuses, due dates, acknowledgments, audit log entries, and completion records.
Usage data: Pages visited, features used, session duration, browser type, and operating system — collected to improve the platform.
IP addresses: Collected at login, acknowledgment, and legal document acceptance for identity verification and audit purposes.
Communication data: Support requests, feedback, and correspondence with our team.

2. How We Use Your Information

Providing, operating, and maintaining the HR ComplyOS Service
Sending compliance deadline notifications, verification codes, and account alerts
Processing payments and managing subscriptions through Stripe
Improving, personalizing, and expanding the platform based on usage patterns
Detecting, preventing, and addressing security incidents and fraud
Complying with legal obligations, including HIPAA (for healthcare customers), GDPR, and CCPA
Generating anonymized aggregate statistics about compliance trends

3. How We Protect Your Information

Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
Row-Level Security: Database access controls ensure each organization can only access its own data.
Audit logs: All data access and modifications are logged with user identity, timestamp, and IP address.
Multi-factor authentication: High-stakes actions require email-based OTP verification.
Access controls: Employee access is restricted on a need-to-know basis with role-based permissions.

4. Data Retention

We retain your data for the following periods:

Active accounts: Data is retained for the lifetime of the account.
After account deletion: Data is purged 30 days after account deletion is confirmed (30-day grace period allows recovery).
Employee records: Retained for the duration of employment plus 7 years, in accordance with standard employment record retention requirements.
Audit logs: Retained for 7 years to support legal and regulatory compliance.
Billing records: Retained for 7 years per financial regulations.

5. Third-Party Services

We share data with the following third-party service providers to operate our Service:

Supabase — Database hosting and authentication. Privacy Policy
OpenAI — AI assistant features. Prompts may be processed by OpenAI's API. Privacy Policy
Resend — Transactional email delivery. Privacy Policy
Stripe — Payment processing. We do not store full credit card numbers. Privacy Policy
Vercel — Application hosting and CDN. Privacy Policy
PostHog — Product analytics (anonymized usage data). Privacy Policy

We do not sell your data to any third parties.

6. Your Rights

Depending on your location, you may have the following rights:

Right to access: Request a copy of all personal data we hold about you. Available via Settings → Data → Export All Data.
Right to correction: Request correction of inaccurate personal data by contacting us at legal@hrcomplyos.com.
Right to deletion: Request deletion of your account and all associated data. Available via Settings → Data → Request Account Deletion (30-day grace period applies).
Right to portability: Receive your data in a structured, machine-readable format (JSON) via the data export feature.
Right to restrict processing: Contact us to request restrictions on how we process your data.
CCPA rights (California): California residents have the right to know what personal information is collected, to delete it, and to opt out of sale (we do not sell data).

7. Cookies

We use session cookies to maintain your authenticated state. We do not use tracking cookies for advertising. PostHog may set analytics cookies which can be blocked via browser settings without affecting core functionality.

8. Children's Privacy

HR ComplyOS is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If we learn we have collected personal information from a child under 13, we will delete it immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by displaying a prominent notice in the platform and sending an email to your account's registered address. Your continued use after changes take effect constitutes acceptance.

10. Contact

For privacy questions, data requests, or to exercise your rights, contact us at: legal@hrcomplyos.com

HR ComplyOS
Version 1.0 — Effective April 1, 2026