Privacy Policy

1. Introduction

SafeReq Inc. ("SafeReq," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you access or use the SafeReq website (app.safereq.com), our compliance analysis platform, our APIs, and any related services (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including anonymous visitors who use our free analysis tool, registered account holders, organization administrators, and any person who interacts with our website or customer support. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Services.

SafeReq is a California corporation. Our Services are designed to help employers and human resources professionals identify potential areas of concern in job requisitions with respect to California employment law. SafeReq provides informational compliance analysis only and does not provide legal advice. You should consult a licensed California employment attorney for legal guidance regarding your specific situation.

2. Information We Collect

2.1 Personal Information You Provide

We collect the following categories of personal information that you voluntarily provide to us:

• Account Information: When you register for an account, we collect your first name, last name, email address, and a password (stored as a cryptographic hash, never in plain text). If you create or join an organization, we also collect your organization name and your role within it.
• Job Requisition Documents: When you submit job postings or requisition documents for analysis, we collect the text content of those documents. These may be uploaded as PDF, DOCX, or plain text files, or pasted directly into our platform.
• Payment Information: When you purchase analysis credits, payment is processed entirely by Stripe, our third-party payment processor. SafeReq never receives, processes, or stores your raw credit card numbers, bank account details, or other sensitive payment credentials. We receive only a transaction confirmation, the last four digits of your payment method, and billing metadata (such as the amount paid and date of transaction) from Stripe.
• Communications: When you contact our support team or respond to our emails, we collect the content of your messages, your email address, and any attachments you provide.
• Feedback and Survey Responses: If you participate in surveys, provide feedback, or submit feature requests, we collect the information you share in those interactions.

2.2 Information Generated Through Use of Services

When you use our Services, we generate and retain the following information:

• Analysis Results: Compliance findings, severity assessments, citations, and recommendations produced by our analysis engine for documents you submit.
• Credit Transactions: A record of your credit purchases, usage, and remaining balance, maintained in an append-only ledger for billing accuracy and auditability.
• Audit Logs: Records of security-relevant actions performed on your account, such as login events, password changes, and permission modifications.

2.3 Automatically Collected Information

When you access our Services, we automatically collect certain technical information, including:

• Device and Browser Information: Browser type and version, operating system, device type (desktop, tablet, mobile), and screen resolution.
• Network Information: Your IP address, internet service provider, and approximate geographic location (city/region level, not precise geolocation).
• Usage Data: Pages viewed, features used, time and date of access, referring URL, clickstream data, and session duration.
• Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 9 and our Cookie Policy.

2.4 CCPA Categories of Personal Information

Under the California Consumer Privacy Act (CCPA), the personal information we collect falls into the following statutory categories:

• Category A – Identifiers: Name, email address, IP address, account username.
• Category B – Personal Information (Cal. Civ. Code 1798.80): Name, email address, organization name.
• Category D – Commercial Information: Records of products or services purchased (credit transactions), purchase history.
• Category F – Internet or Network Activity: Browsing history, interaction with our website, usage data.
• Category K – Inferences: Analysis results and compliance findings derived from your submitted documents.

We do not collect Categories C (protected classification characteristics), E (biometric information), G (geolocation, beyond approximate city-level), H (sensory data), I (professional or employment information about you personally), or J (education information).

3. How We Use Your Information

We use the personal information we collect for the following business and commercial purposes:

3.1 Providing and Operating Our Services

• Analyzing job requisition documents you submit through our automated compliance analysis engine and, for paid plans, through manual expert review.
• Generating and delivering compliance findings, severity assessments, citations, and recommendations.
• Creating, maintaining, and authenticating your user account.
• Processing credit purchases and managing your billing ledger.
• Providing customer support and responding to your inquiries.

3.2 Improving and Developing Our Services

• Analyzing usage patterns to understand how our Services are used and to identify areas for improvement.
• Conducting internal research and development to enhance the accuracy of our compliance analysis.
• Monitoring performance, uptime, and error rates to maintain service reliability.

3.3 Security and Compliance

• Detecting, preventing, and responding to security incidents, fraud, and abuse.
• Maintaining audit logs for security-relevant account actions.
• Enforcing our Terms of Service and other agreements.
• Complying with applicable laws, regulations, and legal processes.

3.4 Communications

• Sending transactional emails related to your account (e.g., email verification, password reset, purchase confirmations, analysis completion notifications).
• Sending service announcements, including changes to our Terms of Service, Privacy Policy, or material changes to our Services.
• Sending promotional communications, where you have opted in or where otherwise permitted by law. You may opt out of promotional communications at any time.

4. Information Sharing and Disclosure

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. We may disclose your information only in the following limited circumstances:

4.1 Service Providers

We engage trusted third-party service providers who assist us in operating our Services. These providers are contractually obligated to use your information only for the purposes of providing services to SafeReq and are bound by confidentiality obligations. Our service providers include:

• Stripe: Payment processing. Stripe receives your payment method details directly and provides us only with transaction confirmations and limited billing metadata. Stripe's use of your data is governed by Stripe's Privacy Policy.
• Cloud Infrastructure Providers: We use cloud hosting providers to store and process data. All data is stored in secure, access-controlled environments.
• Email Service Providers: We use email delivery services to send transactional and service communications to you.

4.2 Manual Reviewers

For paid analysis plans that include expert manual review, authorized SafeReq reviewers may access the text content of your submitted job requisitions and the associated automated analysis results. Reviewers are bound by confidentiality agreements and access documents only for the purpose of providing compliance review services. Reviewers do not have access to your personal account information, payment details, or other unrelated data.

4.3 Legal Requirements and Protection of Rights

We may disclose your information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request.
• Enforce our Terms of Service or other agreements.
• Protect the rights, property, or safety of SafeReq, our users, or the public.
• Detect, prevent, or address fraud, security, or technical issues.

4.4 Business Transfers

If SafeReq is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

5. Do Not Sell or Share My Personal Information

SafeReq does not sell your personal information to third parties. We have not sold personal information in the preceding twelve (12) months. We do not share your personal information for cross-context behavioral advertising purposes.

Under the CCPA/CPRA, California residents have the right to opt out of the sale or sharing of their personal information. While we do not engage in these practices, you may still exercise this right or make inquiries by:

• Emailing us at privacy@safereq.com with the subject line "Do Not Sell or Share My Personal Information."
• Writing to us at the address provided in the Contact Us section below.

We will respond to your request within the timeframes required by applicable law. We will not discriminate against you for exercising any of your privacy rights.

6. Data Security

We implement technical, administrative, and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
• Encryption at Rest: Data stored in our databases is encrypted using AES-256 encryption.
• Authentication Security: Passwords are stored as cryptographic hashes using industry-standard algorithms. Access tokens are held in memory only, and refresh tokens are stored in HttpOnly secure cookies to prevent cross-site scripting (XSS) attacks.
• Access Controls: We enforce role-based access controls. Administrative functions require elevated privileges. All tenant-specific queries are scoped to the appropriate organization to prevent cross-tenant data access.
• Audit Logging: Security-relevant actions are recorded in an immutable audit log, including login events, privilege changes, and data access events.
• Payment Security: We never receive, process, or store raw credit card data. All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider.
• Infrastructure Security: Our infrastructure is hosted in secure cloud environments with network isolation, firewall rules, and regular patching.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents. In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by California Civil Code 1798.82 and other applicable laws, without unreasonable delay.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our specific retention practices are as follows:

• Account Information: Retained for the duration of your active account. If you request account deletion, we will delete or anonymize your personal information within thirty (30) days, except where we are required to retain it for legal, tax, or audit purposes.
• Job Requisition Documents and Analysis Results: Retained for the duration of your active account to allow you to access your analysis history. Anonymous analysis submissions (from users who have not created an account) are subject to a 24-hour time-to-live (TTL) and are automatically purged thereafter.
• Credit and Billing Records: Retained for a minimum of seven (7) years from the date of the transaction for tax, accounting, and audit compliance purposes.
• Audit Logs: Retained for a minimum of three (3) years for security and compliance purposes.
• Automatically Collected Information: Usage logs and analytics data are retained for up to twenty-four (24) months and then aggregated or deleted.

When your information is no longer needed for the purposes outlined above, we will securely delete or anonymize it. Anonymized data that can no longer be associated with any individual may be retained indefinitely for statistical and analytical purposes.

8. Your Privacy Rights

8.1 California Residents (CCPA/CPRA Rights)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA. You may exercise these rights free of charge, and we will not discriminate against you for doing so:

• Right to Know (Access): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom we have shared it. You may make up to two (2) requests in any twelve-month period.
• Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions (e.g., where retention is required for legal compliance, completing a transaction, or security purposes).
• Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
• Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. As stated above, SafeReq does not sell or share personal information in this manner.
• Right to Limit Use of Sensitive Personal Information: Where applicable, you have the right to limit the use and disclosure of your sensitive personal information to that which is necessary for us to perform our Services.
• Right to Non-Discrimination: We will not deny you goods or services, charge you different prices, provide you a different quality of service, or suggest any of the foregoing because you exercised your privacy rights.

8.2 How to Exercise Your Rights

To exercise any of the rights described above, you may submit a verifiable consumer request by:

• Emailing us at privacy@safereq.com.
• Writing to us at the mailing address provided in the Contact Us section below.

To verify your identity, we may ask you to provide information that matches the personal information we have on file for you, such as your email address and account details. If you have an account with us, we will verify your identity through your account authentication. If you do not have an account, we may request additional information to verify your identity. You may also designate an authorized agent to make a request on your behalf by providing the agent with signed written authorization and verifying your own identity with us.

We will acknowledge receipt of your request within ten (10) business days and will respond to your request within forty-five (45) calendar days. If we require additional time, we will inform you of the reason and may extend the response period by an additional forty-five (45) calendar days.

8.3 All Users

Regardless of your location, all SafeReq users have the following rights:

• Account Access and Updates: You can access and update your account information at any time through your account settings dashboard.
• Data Export: You may request a copy of your personal information in a commonly used, machine-readable format by contacting us at privacy@safereq.com.
• Cookie Preferences: You may manage your cookie preferences through our cookie consent banner or through your browser settings. See our Cookie Policy for more details.
• Marketing Opt-Out: You may unsubscribe from promotional emails at any time by clicking the "unsubscribe" link at the bottom of any promotional email, or by contacting us. Please note that you may still receive transactional communications related to your account.
• Account Deletion: You may request deletion of your account by contacting us at privacy@safereq.com. We will process your request within thirty (30) days, subject to any legal obligations to retain certain records.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Services, remember your preferences, and understand how you interact with our platform. For comprehensive information about the types of cookies we use and how to manage them, please refer to our Cookie Policy.

In summary, we use the following types of cookies:

• Strictly Necessary Cookies: Required for basic site functionality, authentication, and security. These cookies cannot be disabled.
• Functional Cookies: Remember your preferences and settings (e.g., display options, language) to enhance your experience.
• Analytics Cookies: Help us understand how visitors use our Services so we can improve functionality and content. These are only set with your consent.

We do not use advertising or targeting cookies. We do not engage in cross-site tracking or behavioral advertising. You may manage your cookie preferences at any time through our cookie consent banner or your browser settings.

10. Third-Party Services

Our Services may contain links to third-party websites, applications, or services that are not operated by SafeReq. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access. The primary third-party services integrated with SafeReq include:

• Stripe: Payment processing. When you make a purchase, you interact directly with Stripe's secure payment interface. Your payment information is governed by Stripe's Privacy Policy.
• Cloud Infrastructure: We use cloud hosting providers to run our Services. Data is stored and processed within the United States in accordance with our data processing agreements.
• Email Delivery: We use third-party email delivery services for transactional and service communications. These providers process your email address and message content solely for the purpose of delivering our emails to you.

We require all third-party service providers to process personal information in accordance with applicable law and our contractual data protection obligations.

11. Children's Privacy

Our Services are designed for business use by human resources professionals, hiring managers, and employers. They are not directed to, or intended for use by, individuals under eighteen (18) years of age. We do not knowingly collect personal information from children under 18.

If we become aware that we have inadvertently collected personal information from a person under 18, we will take steps to delete that information as promptly as possible. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@safereq.com so that we can take appropriate action.

With respect to the Children's Online Privacy Protection Act (COPPA), our Services are not directed at children under 13 and we do not knowingly collect information from children under 13. If you believe a child under 13 has provided personal information through our Services, please contact us immediately.

12. International Data Transfers

SafeReq is based in California, United States, and our Services are primarily hosted and operated within the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using our Services, you acknowledge that your information will be processed in the United States. We take appropriate measures to ensure that your personal information remains protected in accordance with this Privacy Policy regardless of where it is processed.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date and version number at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal information, we will provide you with prominent notice prior to the change becoming effective. This notice may include:

• An email notification sent to the address associated with your account.
• A prominent banner or notification displayed when you log into our Services.
• A request for you to review and accept the updated policy before continuing to use our Services.

Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should discontinue use of our Services and may request account deletion.

14. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, or if you wish to exercise any of your privacy rights, please contact us using the information below:

If you are a California resident and are not satisfied with our response to your privacy request, you may file a complaint with the California Attorney General's Office at oag.ca.gov.