v0.9 — draft of 2026-07-05 — under counsel review
This is a working draft published for transparency during early access. It has not yet been finalized by counsel and will be versioned when it is.
1. Who this covers
This policy covers personal data processed through the PoPayOne platform: data about the staff of businesses using PoPayOne, and data those businesses and their workers submit — worker records, eligibility documents, insurance and immigration materials. For business customers, the Data Processing Addendum governs our role as a processor of their workers' data.
2. What we collect
- Account and contact data. Name, email address, role, and the sign-in events tied to your account (we use password-free email links via Supabase Auth).
- Business and verification (KYB) data. Legal name, state, registration ID, registered agent and officers (from registry lookups), the verification documents you upload, and the consent attestations described in section 8.
- Worker employment data. Records your employer or you create: assignments, timesheets, pay and bill records, immigration case status — and worker-owned identity and work-authorization documents (passport, EAD card, visa, I-9 supporting documents), which workers upload and choose to share.
- Voice audio. Only if you use voice with Gyani: the audio you record is transcribed by our speech-to-text subprocessor. Voice features are off unless enabled for the deployment.
- Usage and telemetry. Request metadata (IP address, user agent), security and audit logs of actions taken in the product, and abuse-prevention signals on public pages.
3. Why we process it
- to provide the Service: running back-office workflows you and your business initiate;
- to verify businesses before granting them operational access (fraud and abuse prevention);
- to power Gyani: your conversation and relevant workspace context are sent to our AI subprocessor to generate responses — we do not use your data to train AI models;
- to keep tamper-evident audit and security logs of consequential actions;
- to meet legal obligations, such as employment-eligibility record retention.
We do not sell personal data, and we do not use Customer Data for advertising.
4. Subprocessors
These are the third parties that can process data on our behalf, and exactly when. Several are off by default and only run when explicitly enabled for a deployment — the platform falls back to offline mocks or simulations otherwise.
| Provider | What it does | Data it touches | When |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All application data, account data, uploaded documents | Always |
| Vercel | Application hosting and delivery | Request metadata (IP address, user agent), application traffic | Always |
| Anthropic | AI model processing for Gyani | Conversation text and the workspace context you give Gyani | Only when AI processing is enabled; a deterministic offline mock runs otherwise |
| Voyage AI | Text embeddings for AI retrieval | Text snippets submitted for indexing | Only when enabled |
| Deepgram | Voice speech-to-text | Voice audio you record while talking to Gyani | Only when voice input is enabled |
| ElevenLabs | Voice synthesis (Gyani speaking aloud) | Gyani's reply text | Only when studio voice is enabled |
| Cloudflare Turnstile | Bot and abuse check on public onboarding | Browser challenge signals, IP address | Only when enabled |
| OpenCorporates | Business-registry (KYB) lookups | The company name and state you enter for verification | Only when live KYB is enabled; a clearly labelled simulation runs otherwise |
| Google Fonts | Font delivery (fonts.googleapis.com) | Your browser's font request (IP address, user agent) | Always, requested directly by your browser |
5. How long we keep it
Documents carry a retention class enforced in the database itself. The schedule below is provisional pending counsel sign-off and may only lengthen, not silently shorten (retention clocks cannot be rewound).
| Class | Covers | Retain (months) | Legal hold by default | Notes |
|---|---|---|---|---|
| identity | Identity / work-authorization | 60 | Yes | USCIS / I-9 point-in-time evidence. Verified copies are retained to the later of 3 years from verification or 1 year after the engagement ends. |
| insurance | Insurance certificate (COI) | 84 | Yes | Coverage-period proof plus tail. |
| contract | Executed contract / MSA | 84 | Yes | Each signatory retains its executed copy. |
| employment | Employment record | 48 | No | Offers, verifications, approvals. |
| none | No mandated retention | 0 | No | Ordinary documents. |
A note on eligibility documents: when an employer verifies a version of a worker's document, that exact copy is placed under a legal hold for the employer's compliance records — it is retained through the schedule above even if the worker later replaces the document or revokes sharing. Newer versions remain under the worker's control.
Account and workspace data is deleted or anonymized after account closure, subject to the holds above and to security/audit logs kept for a limited period.
6. Your rights
You can request access to, a machine-readable export of, or deletion of your personal data by contacting support@popayapp.com. Erasure requests are tracked in-platform with a GDPR or CCPA basis and are honored except where a legal hold or statutory retention duty applies — in that case we mask and restrict the data, then purge it when the hold expires. If you are a worker whose employer uses PoPayOne, you can also direct requests to your employer (the data controller); we assist them in responding.
We do not discriminate against you for exercising these rights.
7. Security
Every business is an isolated tenant enforced by database row-level security; money-class actions require single-use, resource-bound confirmations with capability checks and dual approval, and are written to a tamper-evident, hash-chained audit log — enforced now. MFA step-up is enforced in real-money mode. The platform is built to SOC 2 controls; certification is on the roadmap. Full detail: Security overview.
8. How consent is recorded
When someone attests to something consequential — for example, that they are authorized to act for a business during verification — we store a durable attestation record: the statement, who made it, and the timestamp, IP address, and browser user-agent captured server-side. These records exist so that authorization is provable later; they are visible to your own organization and to PoPayOne platform administrators.
9. Changes to this policy
Each version of this policy is dated and numbered at the top of the page. Material changes — a new subprocessor, a new data category, a changed retention rule — will be notified to account owners before they take effect.
10. Contact
Privacy questions or requests: support@popayapp.com.