Privacy & Security Policy

Effective: March 23, 2026 · Version 3.0

HandoffPack, Inc. (“HandoffPack,” “we,” “our,” or “us”) is a B2B knowledge transfer platform headquartered in Salt Lake City, Utah. We help organizations capture institutional knowledge from departing employees through a structured engagement that produces a verified, executive-grade transition guide (a “Handoff Pack”).

This Privacy & Security Policy explains how we collect, use, store, share, protect, and delete information when you use our website (handoffpack.com), our application (app.handoffpack.com), and all related services (collectively, the “Service”). This document also describes our security architecture, our compliance roadmap, and your rights as a user.

Our primary data collection method is Rescue Mode: a Manager uploads a Google Takeout archive or Slack workspace export from the departing employee. The archive is processed on our secure servers and deleted immediately after extraction. No live access to Google or Slack accounts is required. We do not take the responsibility of handling years of workplace communication lightly. This policy is written in plain language because transparency is a prerequisite for trust.

1. Scope and Defined Roles

HandoffPack involves three distinct user roles. Each role has different data access rights, and this policy addresses each one specifically.

| Role | Description | Data Access | Account |
| --- | --- | --- | --- |
| Manager | Purchases the Handoff Pack and uploads the Google Takeout archive or Slack workspace export on behalf of their organization. | Final verified pack, coaching dashboard, progress emails. Never sees raw email content or raw Insider's Guide answers. | Yes |
| Hero | The departing employee whose knowledge is being captured. | Full control over their own data. Reviews, edits, verifies, or rejects every extracted item before it reaches the Successor. | Yes (email/password or Google OAuth) |
| Successor | The person inheriting the role. | Verified pack only, via time-limited Magic Link (90 days). Cannot see draft, rejected, or hidden items, nor raw source data. | No (Magic Link only) |

2. Information We Collect

2.1 Account Information

When a Manager or Hero creates an account, we collect their name, email address (provided via direct registration or Google Sign-In), organization name (if provided), and account preferences configured within the Service.

2.2 Google Takeout Archives & Slack Exports (Rescue Mode)

Our primary data collection method is Rescue Mode. The Manager uploads a Google Takeout archive (downloaded from takeout.google.com) in TGZ or ZIP format, and/or a Slack workspace export (ZIP). These archives may contain the following data types:

| Data Source | Format | What We Extract |
| --- | --- | --- |
| Gmail | MBOX | Subject lines, senders, recipients, dates. A short evidence snippet (up to 500 characters) is stored; full email bodies are never persisted. |
| Google Calendar | ICS | Event titles, descriptions, attendees, dates, times, recurrence patterns |
| Google Chat / Hangouts | JSON | Conversation participants, timestamps, short message snippets |
| Google Keep | HTML/JSON | Note titles, content, labels |
| Google Tasks | JSON | Task titles, descriptions, due dates |
| Google Contacts | VCF | Names and email addresses (used for relationship graph only) |
| Chrome History | JSON | URLs and visit counts (used for tool and system identification only) |
| Slack Workspace Export | ZIP | Public channel messages, threaded discussions, channel metadata, user display names. Standard exports include public channels only. File attachments are not downloaded; only metadata (name, type, size) is captured. Email addresses are PII-scrubbed from evidence text. |

How archive processing works: The uploaded archive is extracted on our secure server. Each entry is parsed into a short evidence snippet (maximum 500 characters). A PII scrubber automatically removes Social Security numbers, credit card numbers, personal phone numbers, and personal email addresses before any content reaches our AI analysis engine. The archive file itself is deleted from storage immediately after extraction completes and cannot be recovered.

What is NOT stored: Full email bodies, full Slack messages, full chat transcripts, and raw archive files are never written to permanent storage. Only short evidence snippets and structured knowledge items (decisions, relationships, workflows) are retained.
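The snippet and scrubbing rules described in this section, as an added illustration. This is example code written for this page, not HandoffPack's own scrubber: the regular expressions, the Luhn filter on card-like numbers, the `[EMAIL]`/`[SSN]`/`[CARD]`/`[PHONE]` placeholders and the sample email body are all constructed assumptions; the 500-character cap is the figure the policy states. The example scrubs every email address and phone number it finds and leaves the personal-versus-work distinction out.

```javascript
// Added example (not HandoffPack's code): evidence-snippet construction with PII scrubbing.
const SNIPPET_MAX_CHARS = 500; // cap stated in the policy

// Luhn check keeps order numbers and tracking IDs from being mistaken for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Rules run in this order: emails first so digits inside addresses are not re-matched,
// SSNs before phones so the narrower pattern wins. Patterns and placeholders are assumptions.
const PII_RULES = [
  { name: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, placeholder: '[EMAIL]' },
  { name: 'ssn', re: /\b\d{3}-\d{2}-\d{4}\b/g, placeholder: '[SSN]' },
  {
    name: 'card',
    re: /\b(?:\d[ -]?){12,18}\d\b/g, // 13-19 digits, optional space/dash grouping
    placeholder: '[CARD]',
    isPii: (m) => luhnValid(m.replace(/[ -]/g, '')),
  },
  {
    name: 'phone',
    // Lookarounds stop the pattern from matching the tail of a longer digit run.
    re: /(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)/g,
    placeholder: '[PHONE]',
  },
];

function scrubPii(text) {
  const counts = {};
  let out = text;
  for (const rule of PII_RULES) {
    out = out.replace(rule.re, (match) => {
      if (rule.isPii && !rule.isPii(match)) return match; // e.g. a 16-digit number that fails Luhn
      counts[rule.name] = (counts[rule.name] || 0) + 1;
      return rule.placeholder;
    });
  }
  return { text: out, counts };
}

// Collapse whitespace, scrub, then cap at SNIPPET_MAX_CHARS (the ellipsis counts toward the cap).
function buildEvidenceSnippet(rawBody, maxChars = SNIPPET_MAX_CHARS) {
  const { text, counts } = scrubPii(rawBody.replace(/\s+/g, ' ').trim());
  const truncated = text.length > maxChars;
  return {
    snippet: truncated ? text.slice(0, maxChars - 1) + '…' : text,
    truncated,
    scrubbed: counts,
  };
}

// Constructed sample email body (not real data).
const SAMPLE_EMAIL_BODY = `Hi team, per our call with Dana (dana@example.com, cell 801-555-0142):
the vendor wants the card on file, 4111 1111 1111 1111, and HR needs my SSN 123-45-6789
for the offboarding form. Decision: we keep the Acme contract through Q3.`;

console.log(JSON.stringify(buildEvidenceSnippet(SAMPLE_EMAIL_BODY), null, 2));
```

The returned `scrubbed` counts are the kind of safe metadata worth logging per item; the scrubbed `snippet` is what would be handed to the AI step, and the raw body is never retained.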

2.3 Optional: Direct Google Connection (OAuth 2.0)

As an alternative to archive upload, HandoffPack may offer direct Google account connection via OAuth 2.0. This feature is optional and is not required for core Service functionality. When available, the Hero must explicitly grant permission before we access any data through the following read-only scopes:

| OAuth Scope | Data Accessed | Purpose |
| --- | --- | --- |
| gmail.readonly | Email messages: subject lines, senders, recipients, dates, labels, body content, and attachment metadata | Analyze communication patterns, extract decisions, playbooks, and relationships |
| calendar.readonly | Calendar events: titles, descriptions, attendees, dates, times, recurrence patterns | Analyze meeting cadence, stakeholder relationships, and recurring workflows |
| userinfo.email | Google account email address | Identify the Hero's account |
| userinfo.profile | Display name and profile photo | Personalize the Hero's experience |

Read-Only Access: We request read-only OAuth scopes exclusively. HandoffPack cannot send emails, delete emails, modify emails, create or modify calendar events, or access any Google service beyond those listed above. OAuth tokens are encrypted at rest using AES-256-GCM.

2.4 Insider's Guide Responses

The Hero completes a guided questionnaire (the “Insider's Guide”) consisting of up to 18 questions covering political dynamics, unwritten rules, regretted decisions, and critical relationships. These responses are used solely to enrich the Handoff Pack and are never shown to the Manager in raw form.

2.5 Uploaded Content

The Hero may optionally upload supplemental documents, including meeting transcripts, standard operating procedures, presentation decks, code documentation, and other files. We process these files solely to enhance knowledge extraction.

2.6 Video Recordings

The Hero may record video messages directly within the Service. Video files are stored encrypted, auto-transcribed, and embedded in the final pack. The Hero controls which videos appear in the delivered pack. Videos are accessible only via signed, time-limited URLs.

2.7 Usage and Technical Data

We automatically collect browser type and version, device type and operating system, pages visited and features used within the Service, timestamps and session duration, and IP address (used for security and fraud prevention only, not behavioral tracking).

3. How We Use Your Information

3.1 Core Service Delivery

  • Processing uploaded Google Takeout archives and Slack workspace exports (or, when connected, Google account data) to identify decisions, playbooks, stakeholder relationships, recurring workflows, and institutional knowledge patterns
  • Running automated PII scrubbing to remove sensitive personal data before AI analysis
  • Classifying evidence items and extracting structured knowledge using Anthropic Claude
  • Enabling the Hero to review, edit, verify, or reject each draft item
  • Assembling and delivering the final Handoff Pack
  • Providing the Successor with a searchable knowledge base, auto-generated First 30 Days checklist, and scenario quiz
  • Sending progress emails to the Manager (containing aggregate statistics only, never raw content)

3.2 Service Improvement

  • Diagnosing technical issues and improving Service reliability
  • Analyzing aggregated, anonymized usage patterns to improve product features (we never use individual email content for this purpose)

3.3 Communication

  • Sending transactional notifications (extraction progress, pack delivery, account changes)
  • Responding to support requests

3.4 What We Do Not Do

We do not sell, rent, or lease your personal data or Google user data to any third party. We do not use your data for advertising, retargeting, or interest-based marketing. We do not use Google user data to build user profiles for advertising purposes. We do not transfer or disclose Google user data for purposes unrelated to providing the Service. We do not store full email bodies — only short evidence snippets (up to 500 characters) are retained for knowledge extraction. We do not use your data to train our own AI models; all AI processing is done through Anthropic's API under their commercial zero-retention terms. We do not use your data to train generalized machine learning models for use by third parties.

4. Google API Services: Limited Use Disclosure

The following disclosure applies to any Google user data accessed through OAuth or processed from Google Takeout archives. Even when archive upload is the primary data collection method, this disclosure remains in effect for any data that originated from Google services.

HandoffPack's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In compliance with Google's Limited Use requirements, we affirm:

  • We limit our use of Google user data to providing and improving the user-facing features of HandoffPack that are prominent in our user interface.
  • We do not transfer Google user data to third parties except (a) as necessary to provide the Service with the user's consent, (b) for security purposes such as investigating abuse, or (c) to comply with applicable law.
  • We do not use Google user data for serving advertisements of any kind.
  • We do not allow humans to read Google user data unless the user has given affirmative agreement to view specific data, it is necessary for security purposes, it is necessary to comply with law, or the data is aggregated and anonymized for internal operations.
  • We do not sell Google user data.
  • We do not use Google user data to determine creditworthiness or for lending purposes.

5. Data Storage and Retention

5.1 Where We Store Data

All application data is stored in a PostgreSQL database hosted by Supabase (a SOC 2 Type II compliant infrastructure provider) with servers located in the United States. OAuth access tokens are encrypted at rest using AES-256-GCM. Session tokens are hashed with SHA-256 before storage. Uploaded files and video recordings are stored in Supabase Storage with row-level access controls restricted to the owning workspace. Video recordings are hosted by Mux (SOC 2 Type II) with signed, time-limited playback URLs. Background job processing uses Railway-hosted Redis for queue orchestration (job metadata only, no user content). The application is hosted on Vercel (SOC 2 Type II) with serverless compute in the United States.

5.2 Retention Schedule

| Data Type | Retention Period | Deletion Trigger |
| --- | --- | --- |
| Google Takeout archive files & Slack export ZIPs | Ephemeral — deleted immediately after extraction | Automatic on extraction completion |
| Evidence snippets (500-char max) | Duration of pack engagement | Pack delivery + 90 days, or on request |
| Raw email and calendar data (OAuth path) | Processed in memory only. Not written to permanent storage. | Automatic after extraction |
| Structured knowledge items | Duration of engagement or active account | Pack delivery + 90 days, or on request |
| Handoff Packs (final deliverables) | Duration of engagement | Account deletion or user request |
| Insider's Guide responses | Retained only as enrichment data within the pack | Pack delivery |
| Video recordings | Duration of engagement | Account deletion or user request |
| OAuth tokens (when connected) | While Hero's Google account is connected | Pack delivery or disconnection |
| Session tokens | 7 days (absolute timeout) | Automatic expiration or logout |
| Account information | Duration of account plus 30 days | Account deletion request |
| Anonymized usage logs | Up to 12 months | Automatic expiration |
| Audit trail (verification actions) | 7 years (compliance requirement) | Automatic expiration |
| Successor Magic Link access | 90 days from delivery | Automatic expiration |

5.3 Your Deletion Rights

You may request deletion of your data at any time by using the in-app deletion controls, disconnecting your Google account (if connected, which immediately triggers OAuth token revocation), or contacting us at privacy@handoffpack.com. Upon receiving a deletion request, we schedule permanent deletion within 30 days (with a grace period to cancel). Google Takeout archive files and Slack export ZIPs are automatically deleted after extraction and cannot be recovered. We may retain anonymized, aggregated data that cannot identify you for product improvement.

6. Security Architecture

HandoffPack is designed from the ground up with security as a foundational requirement, not an afterthought.

6.1 Encryption

  • All data is encrypted in transit using TLS 1.3 (HTTPS enforced with HSTS preload across all endpoints)
  • OAuth tokens are encrypted at rest using AES-256-GCM with dedicated encryption keys
  • Session tokens are hashed with SHA-256 before database storage; raw tokens exist only in HttpOnly cookies
  • Database encryption at rest provided by Supabase (backed by AWS infrastructure)
  • Video recordings are stored with signed, time-limited URLs; direct file access is not possible
  • Passwords are hashed using bcrypt with 12 rounds (NIST SP 800-63B compliant)

6.2 Access Controls

  • Multi-tenant data isolation via Supabase Row-Level Security (RLS) policies on every table
  • Server-side session management with session rotation on every authentication event (login, signup, password reset) to prevent session fixation
  • All active sessions revoked on logout and password change (server-side invalidation)
  • Sessions have a 7-day absolute timeout with IP and user-agent tracking
  • Successor access is validated on every request via SHA-256 hashed Magic Links with timing-safe comparison
  • Internal access to production data is restricted, logged, and requires multi-factor authentication
  • Manager Privacy Firewall: raw Insider's Guide answers are never visible to the Manager

6.3 Input Validation and Data Sanitization

  • Automated PII scrubber removes Social Security numbers, credit card numbers, phone numbers, and personal email addresses from all imported content before AI processing
  • Noise filter removes marketing emails, auto-replies, and system notifications from the extraction pipeline
  • All security-sensitive token comparisons use constant-time comparison to prevent timing attacks
  • Content-Type validation on all JSON mutation endpoints
  • Schema validation (Zod) on authentication and high-risk API endpoints

6.4 Application Security

  • Breached password screening via HIBP (Have I Been Pwned) k-anonymity API on every signup and password change; passwords found in known data breaches are rejected
  • We log only safe metadata (endpoint, status code, timestamps). We never log email content, OAuth tokens, or PII.
  • All code changes require peer review before deployment
  • Dependencies are monitored for known vulnerabilities
  • Webhook signature verification mandatory for all external service callbacks (Mux, Stripe)
  • Infrastructure providers (Vercel, Supabase) maintain SOC 2 Type II certifications

6.5 Incident Response

In the event of a data breach or security incident, we will notify affected users within 72 hours of becoming aware of the incident (consistent with GDPR requirements), provide a description of the nature of the breach and the categories of data affected, communicate the measures taken to address the breach, and report to applicable regulatory authorities as required by law.

7. Compliance Roadmap

7.1 Google OAuth Verification and CASA Assessment

When direct Google account connection (OAuth) is offered as a feature, we are required to complete Google's OAuth app verification process and undergo a Cloud Application Security Assessment (CASA) because we request access to restricted Gmail scopes. For archive-upload-only operation (Rescue Mode), CASA is not a prerequisite, but remains part of our compliance roadmap. Our CASA compliance plan includes Tier 2 assessment (Developer Tested, Lab Verified), engagement with a Google-authorized CASA assessor, and annual recertification.

7.2 SOC 2 Compliance

We are building toward formal SOC 2 Type II attestation. Our architecture is designed to SOC 2 Trust Services Criteria from day one. SOC 2 Type I is targeted for Q3 2026, and SOC 2 Type II (effectiveness assessment over a 6-12 month observation period) is targeted for Q1 2027.

7.3 Corrective and Preventive Action (CAPA) Framework

We maintain a Corrective and Preventive Action framework inspired by ISO 9001:2015 quality management principles. This includes issue capture, root cause analysis, corrective action with ownership and due dates, preventive action with risk-based thinking, effectiveness verification, and management review.

8. Service Providers (Sub-Processors)

We use a limited number of trusted third-party service providers to operate the Service. These providers process data only on our behalf, under our instructions, and subject to contractual obligations.

| Provider | Purpose | Data Processed | Compliance |
| --- | --- | --- | --- |
| Supabase | Database, authentication, file storage | All application data (encrypted at rest) | SOC 2 Type II |
| Vercel | Application hosting and serverless compute | Request metadata only | SOC 2 Type II |
| Anthropic | AI classification and knowledge extraction | Evidence snippets sent for real-time processing. Not retained by Anthropic under commercial terms. | SOC 2 Type II |
| Stripe | Payment processing | Billing information only (credit card data never touches our servers) | PCI DSS Level 1 |
| Mux | Video recording hosting and playback | Encrypted video files. Accessible only via signed, time-limited URLs. | SOC 2 Type II |
| Resend | Transactional email delivery | Recipient email addresses and delivery metadata. No user content from archives. | SOC 2 Type II |
| Sentry | Error monitoring and diagnostics | Stack traces, anonymized request context. No PII or email content. | SOC 2 Type II |
| PostHog | Product analytics | Anonymized event data (page views, feature usage). No PII or knowledge items. | SOC 2 Type II |
| Railway | Background job processing (Redis) | Job queue metadata (IDs, status, timestamps). No user content passes through Redis. | Infrastructure |

9. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data or Google user data. We share data only in these limited circumstances:

  • Service providers: As described in Section 8, solely to operate the Service.
  • Legal requirements: If required by law, regulation, legal process, or governmental request. We will notify you unless prohibited by law.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: We may share data with third parties when you have given explicit consent.

10. Your Rights and Controls

  • Access: View all data associated with your account through the Service's user interface
  • Export: Export your Handoff Pack in PDF and structured formats. For a full personal data export (GDPR Article 15 subject access request), contact privacy@handoffpack.com.
  • Data portability: Request a machine-readable copy of your personal data for transfer to another service (GDPR Article 20)
  • Correction: Edit knowledge items through the verification workflow
  • Deletion: Delete your data at any time using in-app controls or by contacting us. We honor deletion requests within 30 days.
  • Revoke access: Disconnect your Google account at any time (if connected) within the Service or at myaccount.google.com/permissions. For Rescue Mode users, archive files are automatically deleted after processing.
  • Opt out: You are not required to connect a Google account. Rescue Mode (archive upload) is the primary method and requires no OAuth connection.

If you are a resident of the European Economic Area, United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA/CPRA. Contact privacy@handoffpack.com to exercise any additional rights.

11. Cookies and Tracking Technologies

Essential cookies: Required for authentication, session management, and security. These cannot be disabled. Session cookies are HttpOnly, Secure (in production), and SameSite=Lax.

Analytics cookies: Used to understand how you interact with the Service. We use privacy-respecting analytics tools (PostHog) and do not share this data with advertising networks.

We do not use advertising cookies, tracking pixels, or any technology that enables cross-site tracking or ad retargeting. We do not participate in any advertising exchange or data broker network.

12. Children's Privacy

HandoffPack is a B2B service designed for workplace use by professionals. Our Service is not directed at children under 13. We do not knowingly collect personal information from children. If we become aware we have collected data from a child, we will delete it promptly. Contact privacy@handoffpack.com if you believe a child has provided us with personal data.

13. International Data Transfers

HandoffPack is based in the United States and processes all data in the United States. If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States. We take appropriate safeguards to protect your data in accordance with this policy and applicable law.

14. Changes to This Policy

We may update this policy to reflect changes in our practices, technology, legal requirements, or compliance status. When we make material changes, we will update the “Last Updated” date, notify you via email or prominent notice within the Service, and if the changes affect how we use Google user data, prompt you to review and consent before continuing to access your Google data.

15. Contact Us

HandoffPack, Inc.

Email: privacy@handoffpack.com

Website: handoffpack.com

Address: Salt Lake City, Utah, United States

HandoffPack's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.