Privacy Policy

This Privacy Policy explains how OutrightHR, LLC (“OutrightHR,” “we,” or “us”) collects, uses, and protects information in connection with the OutrightHR client portal (the “Portal”) available at portal.outrighthr.com. The Portal is an invite-only service for employers (“Clients”) and their employees. We use the Portal to deliver the HR consulting services our Clients engage us to provide.

1. Who this policy applies to

This policy covers two groups of users:

• Client administrators invited by their employer or by OutrightHR to manage their organization inside the Portal.
• Employees of Client organizations who sign in to view documents, complete training, or submit incident reports.

The Portal is not directed to the general public and is not intended for individuals under 16. We do not knowingly collect personal information from children.

2. Information we collect

We collect only what we need to deliver the Portal and the underlying HR consulting service.

From Clients and their administrators

• Organization details (company name, address, primary contact).
• Administrator name, work email, and role inside the Portal.
• Employee roster data the Client uploads or enters directly: name, work email, job title, hire date, employee group, and similar employment-record fields.
• Documents the Client publishes to their employees and any accompanying metadata (audience, categories, acknowledgment requirements).

From Employees

• Sign-in email and authentication events.
• Training completions and any certificates employees upload.
• Incident reports employees choose to submit — including the narrative, category, and any attachments. Employees may submit a report on behalf of themselves, another person, or anonymously; anonymous submissions do not capture employee identity on the report itself.
• Document acknowledgments (who acknowledged what, and when).

Automatically

• Limited server logs (IP address, user agent, timestamps, request path) retained for security and troubleshooting.
• A secure session cookie to keep users signed in and a CSRF token to protect form submissions. We do not run analytics, advertising, or cross-site tracking inside the Portal.

3. How we use information

• Operate, secure, and support the Portal.
• Deliver the HR consulting services Clients have engaged us to provide, including advising on incidents, training programs, and document publication.
• Send transactional emails — sign-in links, invitation confirmations, incident notifications, and operational updates. We do not send marketing emails to end users through the Portal.
• Investigate security events, prevent abuse, and comply with legal obligations.

4. Roles: controller vs. processor

For Client employee data (rosters, training, incidents, document acknowledgments), the Client is the data controller and OutrightHR acts as a processor on the Client's behalf, per the terms of the applicable engagement or service agreement. The Client determines what employee data is uploaded and how it is used within their tenant. For information about OutrightHR's own relationship with its Clients (for example, Client administrator contact details), OutrightHR is the controller.

5. How we share information

We do not sell personal information. We share information only as needed to run the Portal:

• Service providers. We use a small set of processors under written contract:
  • Supabase — managed Postgres database, authentication, and file storage.
  • Vercel — web application hosting.
  • Resend — transactional email delivery.
• Within a Client tenant. Client administrators see the roster and activity for their own organization. OutrightHR consultants see Client data they are working on to deliver the contracted service. Data is never shared with other Clients.
• Legal process and safety. We may disclose information if required by law or to protect the rights, property, or safety of OutrightHR, our Clients, or the public.
• Business transfers. If OutrightHR is acquired or reorganized, information may transfer as part of that transaction. We would notify affected Clients.

6. Retention

We retain Client and employee information for as long as the Client's engagement with OutrightHR is active. After an engagement ends, we retain data only as long as needed to meet legal, tax, or operational obligations, or as otherwise agreed in writing. Clients may request earlier deletion of their tenant data in accordance with the applicable service agreement.

7. Security

The Portal enforces tenant isolation through row-level security at the database layer. Authentication is managed through Supabase Auth with magic-link sign-in. Data in transit is protected with TLS; data at rest is encrypted by our infrastructure providers. No online service is perfectly secure, and users are responsible for keeping their email accounts and devices protected.

8. Your choices and rights

Because most data in the Portal is held on behalf of a Client employer, requests to access, correct, export, or delete employee information should generally go to that employer. We will support our Clients in responding to those requests.

Users may also contact us directly using the details below and we will either respond or route the request to the appropriate Client.

9. California residents

The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, gives California residents certain rights regarding their personal information, including rights to know, delete, correct, and limit the use of sensitive personal information. As noted above, OutrightHR generally handles employee information on behalf of a Client employer; California residents should direct requests first to their employer. OutrightHR will assist as the employer directs. We do not sell or share personal information for cross-context behavioral advertising.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date above and, where appropriate, notify Client administrators through the Portal.

11. Contact

Questions about this Privacy Policy or our data practices can be sent to: