Legal

Privacy Policy

What PoPayOne collects, why, who processes it, how long we keep it, and the rights you have over it.

v0.9 — draft of 2026-07-05 — under counsel review

This is a working draft published for transparency during early access. It has not yet been finalized by counsel and will be versioned when it is.

1. Who this covers

This policy covers personal data processed through the PoPayOne platform: data about the staff of businesses using PoPayOne, and data those businesses and their workers submit — worker records, eligibility documents, insurance and immigration materials. For business customers, the Data Processing Addendum governs our role as a processor of their workers' data.

2. What we collect

  • Account and contact data. Name, email address, role, and the sign-in events tied to your account (we use password-free email links via Supabase Auth).
  • Business and verification (KYB) data. Legal name, state, registration ID, registered agent and officers (from registry lookups), the verification documents you upload, and the consent attestations described in section 8.
  • Worker employment data. Records your employer or you create: assignments, timesheets, pay and bill records, immigration case status — and worker-owned identity and work-authorization documents (passport, EAD card, visa, I-9 supporting documents), which workers upload and choose to share.
  • Voice audio. Only if you use voice with Gyani: the audio you record is transcribed by our speech-to-text subprocessor. Voice features are off unless enabled for the deployment.
  • Usage and telemetry. Request metadata (IP address, user agent), security and audit logs of actions taken in the product, and abuse-prevention signals on public pages.

3. Why we process it

  • to provide the Service: running back-office workflows you and your business initiate;
  • to verify businesses before granting them operational access (fraud and abuse prevention);
  • to power Gyani: your conversation and relevant workspace context are sent to our AI subprocessor to generate responses — we do not use your data to train AI models;
  • to keep tamper-evident audit and security logs of consequential actions;
  • to meet legal obligations, such as employment-eligibility record retention.

We do not sell personal data, and we do not use Customer Data for advertising.

4. Subprocessors

These are the third parties that can process data on our behalf, and exactly when. Several are off by default and only run when explicitly enabled for a deployment — the platform falls back to offline mocks or simulations otherwise.

ProviderWhat it doesData it touchesWhen
SupabaseDatabase, authentication, file storageAll application data, account data, uploaded documentsAlways
VercelApplication hosting and deliveryRequest metadata (IP address, user agent), application trafficAlways
AnthropicAI model processing for GyaniConversation text and the workspace context you give GyaniOnly when AI processing is enabled; a deterministic offline mock runs otherwise
Voyage AIText embeddings for AI retrievalText snippets submitted for indexingOnly when enabled
DeepgramVoice speech-to-textVoice audio you record while talking to GyaniOnly when voice input is enabled
ElevenLabsVoice synthesis (Gyani speaking aloud)Gyani's reply textOnly when studio voice is enabled
Cloudflare TurnstileBot and abuse check on public onboardingBrowser challenge signals, IP addressOnly when enabled
OpenCorporatesBusiness-registry (KYB) lookupsThe company name and state you enter for verificationOnly when live KYB is enabled; a clearly labelled simulation runs otherwise
Google FontsFont delivery (fonts.googleapis.com)Your browser's font request (IP address, user agent)Always, requested directly by your browser

5. How long we keep it

Documents carry a retention class enforced in the database itself. The schedule below is provisional pending counsel sign-off and may only lengthen, not silently shorten (retention clocks cannot be rewound).

ClassCoversRetain (months)Legal hold by defaultNotes
identityIdentity / work-authorization60YesUSCIS / I-9 point-in-time evidence. Verified copies are retained to the later of 3 years from verification or 1 year after the engagement ends.
insuranceInsurance certificate (COI)84YesCoverage-period proof plus tail.
contractExecuted contract / MSA84YesEach signatory retains its executed copy.
employmentEmployment record48NoOffers, verifications, approvals.
noneNo mandated retention0NoOrdinary documents.

A note on eligibility documents: when an employer verifies a version of a worker's document, that exact copy is placed under a legal hold for the employer's compliance records — it is retained through the schedule above even if the worker later replaces the document or revokes sharing. Newer versions remain under the worker's control.

Account and workspace data is deleted or anonymized after account closure, subject to the holds above and to security/audit logs kept for a limited period.

6. Your rights

You can request access to, a machine-readable export of, or deletion of your personal data by contacting support@popayapp.com. Erasure requests are tracked in-platform with a GDPR or CCPA basis and are honored except where a legal hold or statutory retention duty applies — in that case we mask and restrict the data, then purge it when the hold expires. If you are a worker whose employer uses PoPayOne, you can also direct requests to your employer (the data controller); we assist them in responding.

We do not discriminate against you for exercising these rights.

7. Security

Every business is an isolated tenant enforced by database row-level security; money-class actions require single-use, resource-bound confirmations with capability checks and dual approval, and are written to a tamper-evident, hash-chained audit log — enforced now. MFA step-up is enforced in real-money mode. The platform is built to SOC 2 controls; certification is on the roadmap. Full detail: Security overview.

8. How consent is recorded

When someone attests to something consequential — for example, that they are authorized to act for a business during verification — we store a durable attestation record: the statement, who made it, and the timestamp, IP address, and browser user-agent captured server-side. These records exist so that authorization is provable later; they are visible to your own organization and to PoPayOne platform administrators.

9. Changes to this policy

Each version of this policy is dated and numbered at the top of the page. Material changes — a new subprocessor, a new data category, a changed retention rule — will be notified to account owners before they take effect.

10. Contact

Privacy questions or requests: support@popayapp.com.