Privacy Policy

Your employer (the organization that created the workspace) is the Data Controller. They decide what data to collect from employees and why. Headcount acts as a Data Processor — we process data on your employer's behalf, following their instructions, to provide the Service.

If you are an employee using Headcount because your employer set it up, questions about how your data is used should first be directed to your employer. We will assist your employer in responding to your requests.

• •Account registration data of individuals who sign up directly (workspace creators)
• •Billing and payment data
• •Data collected through our marketing website (headcounthq.xyz)
• •Communications you send directly to us (support requests, emails)

Slack Integration

When a workspace admin connects Slack, we access:

• •User profiles: Email, display name, avatar, timezone (to link Slack users to Headcount accounts)
• •Bot interactions: Messages sent directly to the Headcount bot in DMs and messages where the bot is @mentioned in channels
• •Slash command inputs: Data entered through /off, /praise, /hc-feedback, and /1on1 commands
• •OAuth tokens: Bot token and signing credentials (stored encrypted, used only for authorized API calls)

What we do NOT access through Slack: We do not read or monitor private channels, group DMs, or any messages where the bot is not directly mentioned or messaged. We do not scrape, index, or bulk-export message history. We do not access files shared in Slack channels. We do not monitor employee activity, keystrokes, or screen content.

Google Calendar Integration

When a user connects Google Calendar, we access:

• •Calendar event metadata: Event title, start/end time, and attendees — used only for scheduling and managing 1:1 meetings
• •OAuth tokens: Stored encrypted, used only for calendar read/write operations

We do not access email content, Google Drive files, or any Google data beyond calendar events. Headcount's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• •AI Agent conversations: The user's message and relevant context (team data, recent leave requests, pulse trends, 1:1 history) to generate a helpful response
• •Burnout detection: Aggregated signals including PTO patterns, workload self-reports, pulse survey trends, and feedback patterns
• •Team health analysis: Aggregated team metrics from pulse surveys, workload, and time-off data
• •Manager insights: A manager's team data to generate actionable recommendations
• •Recognition suggestions: Team activity data to identify recognition opportunities
• •1:1 preparation: 1:1 history, action items, recent feedback, and pulse data to generate meeting briefs
• •Knowledge base queries: Uploaded document content to answer policy-related questions

• •Anthropic (Claude) — Primary provider
• •OpenAI — Fallback provider
• •Google Vertex AI — Fallback provider

We access these providers exclusively through their enterprise/API interfaces. Under their current API terms:

• •Anthropic: Does not use API inputs to train models. Data is not retained after processing.
• •OpenAI: Does not use API inputs to train models (default policy since March 2023). Data retained for up to 30 days for abuse monitoring, then deleted.
• •Google Vertex AI: Customer data is not used for model training. Governed by Google Cloud's data processing terms.

AI features in Headcount are advisory only. They produce recommendations, scores, and insights for managers to review. No employment decisions — including hiring, firing, promotion, compensation, or disciplinary action — are made solely or automatically by AI.

Managers and administrators exercise independent judgment when acting on AI-generated insights. The Service is not a substitute for professional HR, legal, or medical advice.

• •Access: Request a copy of the personal data we hold about you
• •Correction: Request correction of inaccurate or incomplete data
• •Deletion: Request deletion of your personal data
• •Data Export: Request your data in a portable, machine-readable format

• •Restrict Processing: Request that we limit how your data is used
• •Object to Processing: Object to processing based on legitimate interest
• •Withdraw Consent: Withdraw consent at any time without affecting prior processing
• •Automated Decision-Making: Right not to be subject to solely automated decisions with legal effects (our AI features are advisory — see Section 8)
• •Lodge a Complaint: File a complaint with your local data protection authority

• •Right to Know: Request categories and specific pieces of personal information collected
• •Right to Delete: Request deletion of personal information
• •Right to Opt-Out of Sale: We do not sell personal information
• •Right to Non-Discrimination: We will not discriminate for exercising your rights

• •Right to information about processing of your personal data
• •Right to correction and erasure of inaccurate or unnecessary data
• •Right to grievance redressal regarding data processing
• •Right to nominate a person to exercise rights on your behalf

If you are an employee using Headcount because your employer set it up: Please contact your employer (the workspace administrator) first. As the Data Controller, your employer is primarily responsible for fulfilling your data rights requests. We will assist your employer in responding.

If you are a workspace administrator or signed up directly: Contact us at [email protected].

Response timeline: We will acknowledge your request within 7 days and respond substantively within 30 days (or 45 days for CCPA requests). If we need additional time, we will notify you of the extension and reason.

• •We rely on the EU-U.S. Data Privacy Framework (DPF) where our sub-processors are certified participants
• •Where DPF certification is not available, we use Standard Contractual Clauses (SCCs) approved by the European Commission
• •We assess the data protection laws of the destination country and implement supplementary measures where necessary

The Digital Personal Data Protection Act, 2023 permits transfers to countries not restricted by the Central Government. As of this policy's effective date, no restriction list has been published, and transfers to the United States are permitted.

• •Encryption in transit (TLS/HTTPS for all connections)
• •Encryption at rest (database and file storage encryption via AWS)
• •Passwords stored using bcrypt cryptographic hashing
• •JWT-based authentication with token expiration
• •Role-based access control (admin, manager, member) enforced at the API level
• •Parameterized database queries (preventing SQL injection)

• •Access to production systems is restricted to authorized personnel
• •Principle of least privilege for system access
• •Regular security reviews of code and infrastructure
• •Automated daily database backups with encrypted offsite storage

• •We will notify workspace administrators by email at least 30 days before the changes take effect
• •We will display a notice within the Service
• •The updated policy will be posted at this URL with a revised date

Clarifications and formatting updates will be reflected with an updated “Last Updated” date without separate notification.

We request only the Slack OAuth scopes necessary to provide our features. These include permissions to: post messages (bot DMs and channel messages where invited), read user profiles, manage the App Home tab, receive slash commands, and receive events for @mentions and direct messages to the bot.

• •Responds to slash commands (/off, /praise, /hc-feedback, /1on1)
• •Sends notifications via DM (leave request updates, pulse survey reminders, workload check-ins, recognition alerts)
• •Renders an interactive App Home tab with team dashboards
• •Responds to @mentions in channels and DMs with AI-powered answers
• •Detects @mentions of users who are on approved leave (out-of-office alerts)

Slack OAuth tokens (bot tokens) are stored encrypted in our database. Each workspace's token is stored separately and used only for API calls to that workspace. Tokens are never logged, exposed in URLs, or shared with third parties.

• •All Slack OAuth tokens for that workspace are permanently deleted
• •The bot stops sending messages and responding to commands
• •Data previously collected through Slack interactions (pulse responses, feedback, etc.) is retained as part of the workspace data and subject to the retention periods in Section 7

• •Calendar event metadata (title, start/end time, attendees) for the connected user's calendar
• •User profile information (email address) during the OAuth flow

Solely for creating, reading, updating, and deleting 1:1 meeting events in Google Calendar. We do not use Google data for advertising, marketing, or any purpose unrelated to 1:1 scheduling.

Headcount's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not allow humans to read Google user data except where: (a) we have the user's affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data has been aggregated and anonymized.

• •You can disconnect Google Calendar at any time from Settings > Integrations in the Headcount dashboard, or by removing Headcount from your Google Account permissions
• •When access is revoked, we delete all stored Google OAuth tokens for your account
• •Calendar events previously created by Headcount remain on your Google Calendar; Headcount will no longer be able to read or modify them