Privacy Notice
Effective 2026-05-04. This notice explains what personal information HelloHR collects, how we use it, who we share it with, how long we retain it, and the rights you have under U.S. state privacy laws, HIPAA, and GDPR.
Who we are
HelloHR is a human-resources information system (HRIS) operated by Velora, Inc. We are a “service provider” under CCPA / CPRA and a “Business Associate” under HIPAA when our customers (employers) use HelloHR to process Protected Health Information for their group health plans. We are a “processor” under GDPR for personal data controlled by our customers.
What this means: employees and applicants whose data is in HelloHR primarily exercise their privacy rights through their employer (the data controller). We support those requests through our customer's HR team.
Categories of personal information
We collect the categories of personal information enumerated in Cal. Civ. Code § 1798.140(v) and equivalent state statutes, including:
- Identifiers: name, address, email, phone, IP address, government-issued IDs (SSN, ITIN, EIN, passport), employee number, date of birth.
- Customer records (Cal. Civ. Code § 1798.80(e)): employment history, compensation, tax-withholding elections, direct-deposit account numbers, emergency contacts.
- Protected classifications: race, ethnicity, gender, age, marital status, disability status, veteran status — collected only to satisfy mandatory reporting (EEO-1, VETS-4212, ACA 1094/1095, OFCCP) or accommodation workflows.
- Commercial information: benefit elections, plan-tier choices, dependent demographics.
- Biometric information: only when an employer opts into biometric clock-in; stored as one-way template hashes (never as raw biometric scans).
- Internet / network activity: log lines, audit trail entries, request metadata (IP, user agent, route).
- Geolocation: coarse IP-derived location for security review; precise location only when an employer enables geofenced clock-in.
- Professional information: job title, manager, department, performance review content, training records, disciplinary records, separation reason.
- Education information: degrees, certifications.
- Health information (HIPAA-regulated): medical elections, FMLA medical certifications, ADA accommodation requests, drug-test results.
- Inferences: attrition-risk scores, anomaly indicators, AI-suggested compliance risk levels — always accompanied by the underlying data so you can verify them.
How we collect personal information
We receive personal information from three sources:
- Directly from you — sign-up, profile edits, uploads, electronic signatures, voice interactions with the AI assistant.
- From your employer — bulk import on implementation, ongoing payroll runs, manager-entered performance and time data, IT-provisioning events.
- From third parties on your employer's behalf — payroll providers (Check HQ, Finch), benefit carriers (via velora-edi feeds), background-check vendors (Checkr), identity providers (Okta, Azure AD, Google Workspace via SCIM), insurance brokers (via Ben AI), accounting systems (QuickBooks, Xero, NetSuite).
How we use personal information
We use personal information to provide the HRIS service to your employer and for the purposes enumerated below. We do not use personal information for purposes incompatible with the original collection purpose without separate notice.
- Operate and maintain the HelloHR platform.
- Process pay, benefits, time, leave, and tax filings.
- Generate compliance reports and notices (EEO-1, VETS-4212, ACA 1094/1095-C, OSHA 300/300A, FMLA, COBRA, state pay-data reports, wage-and-hour audits).
- Detect fraud, abuse, and security incidents.
- Respond to subject access, deletion, correction, and portability requests.
- Improve product features through aggregated, de-identified analytics. We do not train AI models on your personal data without your employer's contractual authorization, and we never train on PHI.
Who we share personal information with
We share personal information only with:
- Your employer (the controller of your data).
- Subprocessors who help us provide the service — hosting (Vercel, Inc.), database (Neon, Inc.), payments processing (Stripe, Inc.), error monitoring (Sentry, Inc.), email delivery (Resend, Inc.), AI inference (Anthropic PBC for Claude; ElevenLabs Inc. and Vapi, Inc. for voice). Each subprocessor signs a data-processing addendum and (for HIPAA workloads) a Business Associate Agreement.
- Government authorities when required by law (subpoena, court order, regulatory request). We notify your employer of such requests where lawfully permitted.
- A successor entity in the event of merger, acquisition, or asset sale, subject to the same privacy commitments.
How long we keep it
Retention varies by data category and is configurable per customer. Defaults align with the longest applicable statutory retention:
- Audit logs: 7 years (HIPAA Security Rule §164.316(b)(2)).
- Payroll records: 4 years (IRS Publication 15) + state additions where stricter.
- I-9 verifications: 3 years after hire or 1 year after termination, whichever is later (8 CFR § 274a.2).
- OSHA injury and illness records: 5 years (29 CFR § 1904.33).
- Benefit-plan records: 6 years (ERISA § 107).
- Active employee profiles: for the duration of employment + applicable post-termination period.
On a verified deletion request, we permanently remove data not subject to legal retention and anonymize the rest by replacing personally identifying fields with [DELETED] markers while keeping the records intact for audit traceability.
How we protect it
HelloHR maintains administrative, physical, and technical safeguards aligned with the HIPAA Security Rule, SOC 2 Trust Service Criteria, and NIST 800-53 control families. Highlights:
- Field-level AES-256-GCM encryption for SSN, alien number, direct-deposit account numbers, and other sensitive identifiers.
- TLS 1.2+ for every external connection.
- Multi-factor authentication enforceable per organization; IP-allowlist controls for sensitive customers.
- Role-based access control with per-row organization isolation; within-org PHI access guarded by a person-access helper that prevents URL-id tampering.
- Tamper-evident audit log with hash-chain integrity verification. Every customer can verify and export their own audit evidence from /admin/audit.
- Continuous regulatory monitoring (the W.15 Continuous Law Updates feature) — when a federal or state agency changes a rule HelloHR enforces, the change is flagged in the customer's admin UI within hours rather than at the next quarterly content refresh.
Your rights
Depending on your jurisdiction you may have the right to:
- Know what categories of personal information we hold about you and the sources, purposes, and recipients.
- Access your specific data via a Subject Access Request.
- Correct inaccurate personal information.
- Delete your personal information, subject to statutory-retention exceptions.
- Port your data to a different service in a machine-readable format.
- Limit the use of sensitive personal information (CPRA).
- Opt out of automated decision-making that produces legal or similarly significant effects (where applicable).
- Not be retaliated against for exercising any of these rights.
How to exercise your rights
Submit requests through your employer's HR contact. If your employer has not provided a route, email privacy@hellovelora.com and we will route the request to the appropriate controller. We verify identity before disclosing any personal information; for employees, verification typically uses the employer-issued email on file.
We respond within 45 days for CCPA/CPRA requests, 30 days for HIPAA right-of-access requests, and 30 days for GDPR requests (extensions where statutorily permitted).
Sensitive personal information
CPRA-defined sensitive personal information (SSN, government IDs, account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, communications content, genetic data, biometric identifiers, health information, sexual orientation) is used solely for the purposes described above — we do not use it for inferences about character, propensities, preferences, intelligence, behavior, or aptitudes.
Children's information
HelloHR is intended for adult employees and applicants. We do not knowingly collect personal information from children under 13. Dependent demographic data (DOB, name, relationship) on benefit elections is collected from the employee, not from the child directly, and is governed by the same retention and deletion controls as the employee record.
International transfers
HelloHR servers are located in the United States. When personal information is transferred from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses (Module 3 — processor to processor) plus supplementary measures aligned with EDPB Recommendations 01/2020.
HIPAA Privacy Rule
When HelloHR processes Protected Health Information on behalf of a HIPAA Covered Entity (typically your employer's group health plan), we act as a Business Associate. Our use and disclosure of PHI is constrained to what the Business Associate Agreement and 45 CFR Part 164 permit. Individuals retain HIPAA rights of access, amendment, accounting of disclosures, and restriction request through their plan administrator.
GDPR (EU/EEA / UK / Switzerland)
Our customer is the data controller for employee personal data; HelloHR is the processor. The lawful bases your employer relies on typically include performance of the employment contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)) for benefits and operational data, with explicit consent (Art. 9(2)(a)) or employment-and-social-security-law authorization (Art. 9(2)(b)) for special categories.
You have the right to lodge a complaint with your local supervisory authority. For UK data subjects this is the Information Commissioner's Office (ICO).
Changes to this notice
We will update this notice when our privacy practices change. The effective date at the top reflects the latest revision. Material changes are notified to administrators via the in-app announcement channel and to email contacts on file at least 14 days before they take effect.
Contact
Velora, Inc. — privacy office.