Privacy

Privacy policy.

Last updated April 2026. Governs hiyer.updocmedia.com and all Hiyer services operated by UpDoc, Inc.

1. The short version

Hiyer is a workforce-intelligence product. Your organization's team answers anonymous surveys, and you see aggregate results. We designed the system so individual answers cannot be tied back to the person who gave them. That is enforced in the database, not just promised in this document.

If you have questions about anything below, email ben@updocmedia.com.

2. Who we are

Hiyer is operated by UpDoc, Inc., a Delaware corporation headquartered at 9200 Old Annapolis Rd, Columbia MD 21045. For purposes of GDPR, UpDoc, Inc. is the data controller of workforce response data submitted to Hiyer. Our customers (the organizations that buy Hiyer subscriptions) are the data controllers of their own employee rosters and membership lists.

3. What we collect, and what we do not

From organizational admins (paying users): email address, name if you choose to share it, organization name, Stripe customer identifier. We store these so you can sign in, see your org's dashboard, and be billed for the service.

From survey respondents: the 17 numeric scores they submit, the cohort they were issued a PIN against, and a timestamp bucketed to the nearest 15 minutes. That is it.

What we do not collect from respondents: name, email address, IP address, device identifier, user agent, or any free-text response. The database schema does not have a column for any of these. Adding one would require a visible migration.

4. How anonymity is enforced

We make four specific architectural commitments. Each is enforced by the database, not by this document.

  1. No user_id on response rows. The responses table contains no foreign key to any identity, no link to the auth user table, no session identifier. A respondent's answers cannot be traced to them because the schema offers no mechanism to do so.
  2. Small-cohort suppression. Dimension scores (mean and NPS) are computed by a Postgres function that returns null whenever a cohort has fewer than five respondents. You, your admins, and we cannot see an aggregate for fewer than five people. There is no "show individual answers" button because the backend doesn't know who anyone is.
  3. Bucketed timestamps. Response timestamps are rounded to the nearest 15 minutes before storage. This prevents timing-correlation attacks on small samples ("Alice was at lunch, so the 12:47 response must be her").
  4. Append-only audit log. UPDATE and DELETE on the audit table are revoked at the Postgres grant level. UpDoc cannot rewrite history, which is the basis of our SOC 2 Type I work.

We also use per-submission session hashes (salted SHA-256, stored as a hex string) to link the 17 answers from one sitting so we can compute a per-respondent NPS band without storing identity. The salt is a secret held by UpDoc; the hash is not reversible to identity in any case.
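
The four commitments above could be expressed in PostgreSQL roughly as follows. This is an added example, not Hiyer's actual schema or code: every table, column, function and role name is hypothetical, as are the one-row-per-score layout and counting respondents by distinct session hash.

```sql
-- Added illustration: every table, column, function and role name is hypothetical.
CREATE TABLE responses (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    cohort_id    bigint      NOT NULL,
    session_hash text        NOT NULL,  -- salted SHA-256 hex, links one sitting
    dimension    smallint    NOT NULL CHECK (dimension BETWEEN 1 AND 17),
    score        smallint    NOT NULL,
    submitted_at timestamptz NOT NULL
    -- no user_id, email, IP or user-agent column: nothing to join identity on
);

-- Commitment 3: round to the nearest 15 minutes (900 s) before the row is stored.
CREATE FUNCTION bucket_submitted_at() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    NEW.submitted_at :=
        to_timestamp(round(extract(epoch FROM NEW.submitted_at) / 900) * 900);
    RETURN NEW;
END $$;

CREATE TRIGGER responses_bucket_ts BEFORE INSERT OR UPDATE ON responses
    FOR EACH ROW EXECUTE FUNCTION bucket_submitted_at();

-- Commitment 2: NULL for cohorts under five respondents. Respondents are
-- counted as distinct session hashes, which is an assumption of this sketch.
CREATE FUNCTION cohort_dimension_mean(p_cohort bigint, p_dimension int)
RETURNS numeric LANGUAGE sql STABLE AS $$
    SELECT CASE WHEN count(DISTINCT session_hash) >= 5
                THEN round(avg(score), 2) END
    FROM responses
    WHERE cohort_id = p_cohort AND dimension = p_dimension
$$;

-- Commitment 4: the application role may append and read, never rewrite.
CREATE ROLE app_role;
CREATE TABLE audit_log (
    id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    at    timestamptz NOT NULL DEFAULT now(),
    event text        NOT NULL
);
GRANT  SELECT, INSERT ON audit_log TO app_role;
REVOKE UPDATE, DELETE ON audit_log FROM app_role, PUBLIC;

-- Check: both columns should be false for the application role.
SELECT has_table_privilege('app_role', 'audit_log', 'UPDATE') AS can_update,
       has_table_privilege('app_role', 'audit_log', 'DELETE') AS can_delete;
```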

5. How we store data

All data is stored in a managed Postgres database hosted on Supabase in the US East region. Transport is encrypted via TLS. At rest, Supabase encrypts storage with AWS KMS.

Row-level security policies gate every org-scoped table. We do not use application-level filtering as the primary tenancy boundary. If an engineer writes a buggy query, the database still refuses to return another tenant's rows.

6. Third parties who process data on our behalf

  • Supabase (supabase.com) hosts our database, authentication, and file storage.
  • Vercel (vercel.com) hosts the web application.
  • Postmark (postmarkapp.com) delivers transactional email.
  • Anthropic (anthropic.com) powers the optional UpDoc AI feature on Signal and above. Aggregated, anonymized scores are sent to Anthropic when an admin opens an insight panel. No individual responses, no PII.
  • Stripe (stripe.com) processes payments.

Each vendor above has SOC 2 Type II certification. Data-processing addenda are available on request.

7. Your rights

If you are a paying Hiyer customer or a named admin of an organization:

  • You can access your account data through the dashboard.
  • You can export your org's aggregate results at any time via CSV (Phase 3 feature, shipping mid-2026) or by request.
  • You can delete your account by emailing ben@updocmedia.com. Within 30 days we will remove your user identity and membership records.
  • Under GDPR or CCPA, you may request data portability or deletion. We will comply within 30 days of receipt.

If you are a survey respondent: since we do not know who you are, we cannot locate or delete "your" data. This is by design. Individual responses contribute to aggregate scores under the cohort you were issued a PIN against, and remain there until the cohort itself is deleted.

8. Data retention

Aggregate response data is retained as long as your organization subscribes to Hiyer. On cancellation, your aggregate data is preserved for 90 days in case of reactivation, then deleted. The audit log and benchmark contribution data (fully aggregated, never identifiable) may be retained longer for SOC 2 evidence and industry-benchmark purposes.

9. Security incidents

If we become aware of a security incident affecting your data, we will notify you within 72 hours. We will describe what happened, what data was involved, and what steps we are taking. If the incident involves potential identification of anonymous respondents (which our architecture is designed to make impossible), we will escalate immediately.

10. Changes

If we make material changes to this policy, we will notify organizational admins at least 30 days before they take effect. Non-material changes (typos, reorganization) do not trigger notice.

11. Contact

Privacy questions: ben@updocmedia.com.
Security reports: gene@updocmedia.com.
Mailing address: 9200 Old Annapolis Rd, Columbia MD 21045.