Privacy Policy
This Privacy Policy explains how UpDoc, Inc. ("UpDoc," "we," "us") handles personal data in connection with the Hiyer product ("Hiyer" or the "Service"). It applies to owners, administrators, and viewers who sign in to the Service, and to survey respondents who submit responses through a single-use access code.
Hiyer is a workforce-intelligence product: customer organizations run structurally anonymous employee surveys, and Hiyer aggregates the responses and compares them against UpDoc's industry benchmark dataset. This policy is specific to Hiyer. Other UpDoc products have their own notices.
1. Who we are
The data controller is UpDoc, Inc., a Maryland corporation, with its principal place of business at 9200 Old Annapolis Road, Columbia, MD 21045.
Questions about this policy, data subject requests, or privacy complaints can be sent to gene@updocmedia.com or by mail to the address above, attention: Privacy.
2. What is and is not personal data
Hiyer distinguishes between two categories of data, and that distinction is enforced at the database schema, not only in our application code.
Personal data we do collect
We collect and process the following categories of personal data:
- Account data for owners, administrators, and viewers: email address, bcrypt-hashed password (if set), sign-in timestamps, sign-in provider (magic link, Google, Microsoft), and the email domain derived from the address.
- Organization data: the organization's legal or trade name, domain, Stripe customer identifier, Stripe subscription identifier, and plan tier.
- Team data: membership role (owner, admin, viewer), invited-at and accepted-at timestamps, and the email addresses we sent invites to until the invite is accepted.
- Billing data: we never see your card number. Stripe is the processor for payment card data; we hold only a customer identifier that points at Stripe's vault.
- Support and audit data: every state-changing action on your organization is recorded in an append-only audit log along with the actor's user identifier, action name, and a small metadata payload. We use it for support, security, and SOC 2 evidence. The log cannot be rewritten by any role, including our own service role.
Data that is not personal data, by schema design
Survey response data is not personal data. The responses table in our database has no user_id column and never will. It stores the cycle identifier, cohort identifier, question identifier, a numeric score from zero to ten, a salted SHA-256 token that links together the answers within one sitting but is not reversible, and a submission timestamp bucketed to 15-minute windows to prevent correlation attacks. We do not store your name, email, IP address, device fingerprint, or any other identifier in this table.
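As an added illustration (not UpDoc's actual schema), the following Postgres DDL shows a responses table shaped the way this section describes, with the anonymity properties held by the schema rather than by application code; the table, column and helper names (cycles, current_org_id) are assumptions, and the sample ids and salt are constructed.

```sql
-- Added example, not UpDoc's own schema. Names are assumptions.
create table responses (
  id             bigint generated always as identity primary key,
  cycle_id       uuid        not null,
  cohort_id      uuid        not null,
  question_id    uuid        not null,
  -- Numeric score from zero to ten, enforced by a check constraint.
  score          smallint    not null check (score between 0 and 10),
  -- Salted SHA-256 (64 hex chars) that links the answers of one sitting;
  -- the salt is supplied by the application, so the token is not reversible here.
  sitting_token  char(64)    not null check (sitting_token ~ '^[0-9a-f]{64}$'),
  -- Submission time must already be aligned to a 15-minute window (900 s).
  submitted_at   timestamptz not null
                 check (extract(epoch from submitted_at)::bigint % 900 = 0)
  -- No user_id, email, ip or device column: there is nowhere to put an identity.
);

-- Tenant isolation at the database layer: a reader sees only its own cycles.
-- Assumes a cycles(id, org_id) table and a current_org_id() function that the
-- application binds to the session; both are assumptions for this example.
alter table responses enable row level security;

create policy responses_tenant_read on responses
  for select
  using (cycle_id in (select id from cycles where org_id = current_org_id()));

-- Insert path: bucket the timestamp with date_bin (PostgreSQL 14 or later) and
-- store only the salted hash of the per-sitting secret. Sample values constructed.
insert into responses (cycle_id, cohort_id, question_id, score, sitting_token, submitted_at)
values (
  '00000000-0000-0000-0000-000000000001',
  '00000000-0000-0000-0000-000000000002',
  '00000000-0000-0000-0000-000000000003',
  7,
  encode(sha256(convert_to('sitting-secret' || 'sample-server-salt', 'utf8')), 'hex'),
  date_bin('15 minutes', now(), timestamptz '2000-01-01')
);
```

A query such as `select * from responses where user_id = ...` fails at parse time because the column does not exist, which is what "enforced at the schema" means in practice.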
Because Hiyer cannot link a response to an identified or identifiable person, we do not treat response data as "personal data" under the GDPR, or "personal information" under the CCPA, VCDPA, CPA, CTDPA, UCPA, or other US state laws. A customer organization running Hiyer may still have obligations under those laws depending on how they distribute access codes; see the Data Processing Addendum for details.
3. How we use personal data
We process personal data for the following purposes:
- To operate the Service: authenticate you, keep you signed in, enforce tenant isolation, show you your organization's data.
- To bill you: deliver invoices, handle subscription events, send dunning email on failed payments.
- To communicate with you: sign-in links, welcome email, survey invitations on your behalf, at-risk alert notifications, cycle summary reports.
- To generate AI-narrated insight text for customers on Signal and Enterprise plans. The data sent to our AI subprocessor is aggregate scores, not raw responses. See Section 6.
- To keep Hiyer secure: rate-limit abuse, detect suspicious sign-ins, record an audit trail for SOC 2 evidence.
- To meet our legal obligations: tax, anti-fraud, law-enforcement requests that are validly served.
4. Legal bases under the GDPR
For individuals in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following Article 6 bases:
- Contract. To provide Hiyer to you and the organization you belong to.
- Legitimate interests. Operating the Service securely, preventing fraud, improving the Service in ways that do not materially change respondent anonymity.
- Legal obligation. Billing records, audit trail retention, responding to valid legal process.
- Consent. For any optional marketing email. Account and Service messages are not marketing and are not consent-based.
5. Who sees your data
Your data is seen by the smallest set of parties we can practically involve:
- Other members of your organization at the role their owner granted. Role-based access is enforced at the database layer through Postgres row-level security, not in application code.
- UpDoc staff, and only in narrow circumstances: responding to a support request you raised, investigating a security incident, or providing onboarding with your consent. Access is audited.
- Subprocessors we engage to run the Service. Current list and each one's role, region, and retention at hiyer.updocmedia.com/legal/subprocessors.
- Authorities that serve us with a valid subpoena, court order, or equivalent legal process. We do not volunteer customer data to law enforcement without process, except when we are required to by law.
6. International data transfers
Hiyer is hosted in the United States. The Supabase Postgres instance and all subprocessors we currently engage are US-based. If you are in the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. Where required, we execute Standard Contractual Clauses with subprocessors and rely on the UK Addendum / Swiss IDTA equivalents.
We do not currently offer EU data residency. If that changes, we will update this policy and the subprocessor page.
7. Retention
Personal data is retained while your organization's subscription is active and for a reasonable period after termination for dispute resolution, tax and compliance, and backup rotation. Specifically:
- Account records are retained while the subscription is active. When you close your account, we delete or de-identify personal data within 90 days, except where we must keep it for billing records (7 years) or audit evidence (append-only and retained while the audit_log table exists).
- Email delivery logs at Postmark are retained for 45 days.
- Hosting request logs at Vercel are retained for 30 days.
- Benchmark data derived from aggregated, de-identified responses is retained indefinitely. It does not identify any person.
8. Your rights
Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to our processing of your personal data. You may also have a right to not be discriminated against for exercising those rights.
To exercise a right, email gene@updocmedia.com from the account associated with the request, or by mail to the Columbia, MD address above. We will verify your identity before acting on a request. We respond within 45 days and will tell you if we need more time.
EU, UK, and Swiss residents may also lodge a complaint with their local supervisory authority.
9. Security
Security controls built into Hiyer, enforced at the schema layer, are documented at hiyer.updocmedia.com/legal/security. In brief: structural anonymity on the responses table, Postgres row-level security for tenant isolation, an append-only audit log, bcrypt-hashed PINs with HMAC lookup indexes, encryption in transit via TLS 1.2+, and encryption at rest via Supabase's platform encryption.
SOC 2 Type I is in progress. Until the attestation completes, we will not claim SOC 2 certification.
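As an added example (not UpDoc's code), this is one way to realise the "bcrypt-hashed PINs with HMAC lookup indexes" control listed above for single-use access codes, using the pgcrypto extension; table and column names are assumptions, and the PIN and server key are constructed sample values.

```sql
-- Added example, not UpDoc's schema. Requires pgcrypto (available on Supabase).
create extension if not exists pgcrypto;

create table access_codes (
  id          bigint generated always as identity primary key,
  cycle_id    uuid        not null,
  -- bcrypt hash of the PIN: deliberately slow, so a leaked table resists guessing.
  pin_hash    text        not null,
  -- HMAC-SHA256 of the PIN under a server-side key: deterministic, so it can be
  -- indexed and a redeem request finds its row without running crypt() on every row.
  pin_lookup  bytea       not null unique,
  used_at     timestamptz
);

-- Issuing a code. In production the HMAC key lives in the application
-- environment, not in the database; the literal key here is a constructed sample.
insert into access_codes (cycle_id, pin_hash, pin_lookup)
values (
  '00000000-0000-0000-0000-000000000001',
  crypt('4831-9027', gen_salt('bf', 12)),
  hmac('4831-9027', 'sample-server-key', 'sha256')
);

-- Redeeming a code: the HMAC locates the row, bcrypt confirms the PIN, and the
-- same statement marks the code used, so two concurrent redeems cannot both win.
update access_codes
   set used_at = now()
 where pin_lookup = hmac('4831-9027', 'sample-server-key', 'sha256')
   and used_at is null
   and crypt('4831-9027', pin_hash) = pin_hash
returning id, cycle_id;
```

The update returns one row on the first redemption and zero rows on any later attempt, which the application treats as an invalid or already-used code.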
10. Children
Hiyer is a workforce product sold to businesses. It is not intended for individuals under 18 and we do not knowingly collect data from children. If you believe a child has provided us personal data, contact gene@updocmedia.com and we will delete it.
11. HIPAA
Hiyer is not a HIPAA covered entity or business associate. The Service is not designed to collect Protected Health Information, and by the structural anonymity of the response schema (Section 2) survey responses cannot identify an individual. We do not sign Business Associate Agreements for Hiyer, and customers must not use the Service to transmit PHI.
12. California, Colorado, Connecticut, Utah, Virginia
If you are a resident of a US state with a comprehensive privacy law, you have substantially the same rights described in Section 8. We do not sell personal data and we do not process personal data for targeted advertising. Survey responses fall outside the definition of personal information under each of these laws (see Section 2).
13. Cookies
Hiyer uses strictly necessary cookies only: an authentication cookie so you stay signed in, and an organization-selection cookie for users who belong to more than one organization. We do not use advertising or analytics cookies on the authenticated product. The marketing site uses the same strictly-necessary set.
14. Changes to this policy
We will update this policy when the Service or our data practices change materially. The last-updated date at the top reflects the most recent change. For material changes we will email active owners and administrators at least 14 days before the change takes effect.
15. Contact
Privacy and data-subject matters: gene@updocmedia.com
Mail: UpDoc, Inc., Attn: Privacy, 9200 Old Annapolis Rd, Columbia MD 21045, USA.