teamhatcher Privacy Policy
Last updated: July 1, 2026
This Privacy Policy explains how TEAMHATCHER LLC, an Arizona limited liability company ("teamhatcher", "we", "us"), collects, uses, and shares personal data in connection with https://www.teamhatcher.com and the teamhatcher platform (the "Services"). Contact us at legal@teamhatcher.com.
1. Two roles: when we are a controller, and when we are a processor
teamhatcher handles personal data in two distinct capacities:
(a) teamhatcher as a controller (or "business" under U.S. state laws). We decide how and why to process data about our own customers and site visitors: account and login details, billing contacts, support communications, marketing preferences, and product usage analytics. This Policy governs that processing.
(b) teamhatcher as a processor (or "service provider"). When a business (our "Customer") runs its workspace, the Customer decides what data about its employees, contractors, and hires ("Members") goes into teamhatcher, and we process that data on the Customer's behalf and instructions. For that data, the Customer is the controller, and our Data Processing Addendum (https://www.teamhatcher.com/legal/dpa) governs. If you are a Member, direct privacy questions and requests (access, correction, deletion) to your employer or the business that invited you; we will assist them as required by the DPA. Where this Policy describes workspace content below, it is for transparency about what the platform handles.
2. What we collect and why
Data you or your business provide:
- Account and profile data (controller): name, work email, company name, time zone, role, password or single sign-on identifiers. Used to create and secure accounts and operate the Services.
- Billing data (controller): billing contact details, plan, transaction history. Payment card data is collected and stored solely by Stripe; we never store card numbers.
- Workspace content (processor): SOP content; screen recordings and their transcripts; voice recordings and notes used to generate SOPs; Member personal information the Customer enters (names, emails, time zones, roles); paperwork and e-signed documents, which may include home addresses and, in some documents such as offer letters, Social Security numbers or tax IDs; chat messages and file attachments; task, knowledge check, onboarding, and time-tracking records. Used to provide the features the Customer invokes.
- Support communications (controller): messages you send to support@teamhatcher.com or legal@teamhatcher.com. Used to help you and keep records of the interaction.
Data collected automatically:
- Usage and log data (controller): technical records generated as you use the Services, such as requests, timestamps, browser and device type, and IP address, collected through server and hosting logs. Used to operate and secure the Services, diagnose problems, and understand aggregate usage. Cookies are described in our Cookie and Tracking Notice (https://www.teamhatcher.com/legal/cookies).
- Error and performance data (controller): crash reports and diagnostics via Sentry, which may include account identifiers and technical context. Used to detect and fix defects.
- E-signature audit data (processor): signer email, timestamps, and IP addresses captured to create signature audit trails.
We do not collect data for advertising, and we do not sell personal data.
3. AI processing
Some features send workspace content to third-party AI providers to produce results: Anthropic (Claude models) generates and updates SOP drafts and answers ask-your-SOPs questions; OpenAI transcribes audio (Whisper) and creates text embeddings that power search and Q&A. Processing happens to deliver the feature invoked, on our instructions as processor for the Customer. AI output can be inaccurate or incomplete and requires human review; it is not legal, HR, medical, financial, or other professional advice. We do not use workspace content to train models of our own, and under our current agreements our AI providers do not use content submitted through our API integrations to train their models.
4. A note on sensitive data in uploaded paperwork
Offer letters and onboarding paperwork uploaded or signed through the Services may contain sensitive identifiers such as Social Security numbers, tax IDs, and home addresses. We treat all workspace content as confidential and apply the safeguards in Section 8, and we restrict access to signed documents through role-based permissions. We use sensitive identifiers only to provide the Services, never for analytics, profiling, or marketing. Customers should upload sensitive documents only when necessary, limit who in their workspace can view them, and retain their own copies as required by law. Sensitive data may trigger heightened legal obligations for the Customer as controller (for example, state Social Security number protection laws and breach notification statutes); the DPA describes how we assist.
5. How we use personal data
We use personal data (as controller) to: provide, secure, and maintain the Services; authenticate users and prevent fraud and abuse; process subscriptions and payments through Stripe; provide support; send transactional messages (receipts, security alerts, service notices) via Resend; send limited product news to business contacts, with an easy opt-out; analyze usage to improve the product; enforce our Terms and Acceptable Use Policy; and comply with law. As processor, we use workspace content only on the Customer's instructions to deliver the Services, as detailed in the DPA.
6. How we share personal data
We share personal data only with:
- Subprocessors and service providers that help us run the Services, under contracts limiting their use of the data: Supabase (database, authentication, file storage), Vercel (application hosting), Anthropic (AI SOP generation and Q&A), OpenAI (audio transcription and text embeddings), Stripe (billing and payments), Resend (transactional email), Documenso (e-signature processing and storage of signed documents), and Sentry (error monitoring). The current list, purposes, and locations are maintained at https://www.teamhatcher.com/subprocessors.
- The Customer that controls your workspace. Workspace owners and admins can access content and records within their workspace consistent with the product's role-based permissions.
- Legal and safety recipients, where required by law, subpoena, or legal process, or where reasonably necessary to protect rights, safety, or the integrity of the Services. Where legally permitted, we will notify the affected Customer before disclosing workspace content.
- A successor in a merger, acquisition, financing, or sale of assets, under confidentiality protections and with notice.
We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.
7. Cookies
We use strictly necessary cookies for sign-in and session security. We currently use no analytics cookies and no third-party advertising cookies. Details, durations, and your controls are in the Cookie and Tracking Notice at https://www.teamhatcher.com/legal/cookies.
8. Security
We apply technical and organizational safeguards appropriate to the data we handle, including encryption in transit (TLS) and at rest, row-level tenant isolation in the database, role-based access controls in the product, least-privilege internal access with multi-factor authentication, logging and error monitoring, vendor due diligence, and an incident response process. No system is perfectly secure; if we learn of a breach affecting personal data, we will notify affected Customers and regulators as required by law and the DPA.
9. Data retention and deletion
- Workspace content (processor): retained while the Customer's account is active and controlled by the Customer, who can edit and delete content in-product. After a subscription ends or an account is closed, the Customer has a 30-day export window; we then delete or de-identify workspace content within 60 days and purge backups within a further 90 days, except where law requires longer retention.
- Account and billing records (controller): retained for the life of the account and then as needed for legal, tax, and accounting purposes (typically 7 years for financial records).
- Support communications: typically 24 months after the matter closes.
- Server logs and diagnostics: typically 12 months.
- Inactive Free workspaces: may be deleted after 12 months of inactivity, following at least 30 days' notice.
10. International transfers
We are based in the United States, and the Services are hosted and supported there; our subprocessors may also process data in the United States and other countries. Where we receive personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK Addendum), as incorporated in our DPA. You may request a copy of relevant safeguards at legal@teamhatcher.com.
11. Children
The Services are for businesses and their teams. They are not directed to consumers or to anyone under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact legal@teamhatcher.com and we will delete it.
12. Your rights
If you are in the EEA, the UK, or Switzerland: you may have rights to access, correct, delete, or receive a copy of your personal data, to restrict or object to processing (including processing based on legitimate interests), and to withdraw consent where processing is based on consent. Our legal bases are: performance of a contract (providing the Services), legitimate interests (securing and improving the Services, business communications), consent (optional cookies), and legal obligation (tax and accounting). You may also lodge a complaint with your supervisory authority, though we would welcome the chance to address concerns first.
If you are a resident of California or another U.S. state with a privacy law (for example Colorado, Connecticut, Texas, Utah, or Virginia): you may have rights to know or access, correct, and delete personal data, to obtain a portable copy, to opt out of sale, sharing, or targeted advertising (we do none of these), to limit use of sensitive personal information (we use it only to provide the Services), and to non-discrimination for exercising rights. Some states provide a right to appeal a refusal; reply to our decision email to appeal and we will respond as the law requires. We honor Global Privacy Control signals where required; because we do not sell or share personal data, such signals do not change our processing. You may use an authorized agent where the law allows; we will verify the request and the agent's authority.
How to exercise rights: email legal@teamhatcher.com from the email associated with your data, or have your account admin contact us. We will verify your identity and respond within the time required by law. Members: for data in your employer's workspace, we act as processor, so we will refer your request to the Customer and assist them per the DPA.
13. Changes to this Policy
We may update this Policy from time to time. For material changes we will give notice by email or in the product before the changes take effect, and we will update the "Last updated" date above.
14. Contact
TEAMHATCHER LLC [PRIVATE], Arizona, USA legal@teamhatcher.com (privacy and legal) | support@teamhatcher.com (support)