Back to home

Privacy Policy

Last updated: March 14, 2026

1. Introduction

Humancloud Technologies ("we," "us," or "our") operates the WeHear platform, an AI-powered anonymous employee complaint portal. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

WeHear is designed with privacy as a foundational principle. We are committed to protecting the anonymity and confidentiality of every user who reports a workplace concern through our platform.

2. Information We Collect

2.1 Complainant (Reporter) Data

  • Email address — collected solely for OTP verification. Immediately after verification, the email is irreversibly hashed using HMAC-SHA256 with a server-side secret. The plain-text email is never stored.
  • Complaint content — the messages you share with the AI counsellor are stored encrypted at rest (AES-256) and associated with an anonymous case ID, not your identity.
  • Anonymous case ID — a randomly generated identifier with no correlation to your personal information.

2.2 What We Do NOT Collect

  • IP addresses are not logged or stored
  • Browser fingerprints and user-agent strings are stripped
  • No cookies are used for tracking
  • No metadata that could identify the reporter is retained
  • Timestamps are normalized to prevent timing correlation attacks

2.3 Administrator Data

Organization administrators authenticate via Single Sign-On (SSO) through the Humancloud auth server. We receive standard profile information (name, email, role) from the SSO provider to manage access control.

3. POSH Act Compliance (India)

For organizations operating under Indian jurisdiction, WeHear supports the Prevention of Sexual Harassment (POSH) Act, 2013. When a complaint is identified as a potential harassment case:

  • The employee is given a clear choice to file under the POSH Act (with identity disclosed to the Internal Complaints Committee only) or as a fully anonymous complaint.
  • If the employee chooses to file under POSH, their identity is encrypted using AES-256-CBC and is accessible exclusively to designated ICC members.
  • This encrypted identity is stored separately from the complaint data and is protected by additional access controls.

4. How We Use Your Information

  • To verify that you are an authorized employee of the subscribing organization (via email OTP)
  • To facilitate AI-powered complaint intake and counselling
  • To enable investigators to review and resolve cases without access to reporter identity
  • To detect crisis situations (self-harm, violence) and trigger safety protocols
  • To generate anonymized analytics and trend reports for organizations

5. Data Security

  • Encryption at rest: AES-256 for all stored data
  • Encryption in transit: TLS 1.3 for all communications
  • Email anonymization: HMAC-SHA256 with server-side secret (not plain hashing)
  • Tenant isolation: PostgreSQL Row-Level Security (RLS) ensures strict data separation between organizations
  • Zero PII logging: Application logs are scrubbed of all personally identifiable information
  • Infrastructure: Hosted on Google Cloud Platform with SOC 2 compliant infrastructure

6. Data Retention

Complaint data is retained for the duration required by applicable laws and the subscribing organization's policies. Under Indian POSH regulations, records must be maintained for a minimum of three years. Organizations may configure custom retention periods through their admin settings.

Email OTP verification codes expire within 10 minutes and are deleted immediately after use or expiration.

7. Third-Party Services

  • Google Cloud Platform (Vertex AI) — powers our AI counsellor. Conversations are processed by Gemini models. Google does not use customer data to train its models.
  • Email service provider — used solely for sending OTP verification codes.

We do not sell, trade, or share your data with any third parties for advertising or marketing purposes.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Object to processing of your data
  • Data portability

Due to the anonymized nature of complaint data, we may be unable to identify your specific records. For POSH filings where identity is stored, contact your organization's ICC for data access requests.

9. GDPR Compliance

For users in the European Economic Area (EEA), we process data under the legitimate interest basis (ensuring workplace safety) and, where applicable, with explicit consent. Our data processing practices comply with the General Data Protection Regulation (GDPR).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify subscribing organizations of any material changes. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: info@humancloud.dev
  • Phone (US): +1 650-887-7006
  • Phone (India): +91 85301 16304
  • Address: 800 West El Camino Real, Suite 180, Mountain View, CA 94040, USA