Privacy Policy
Effective June 10, 2026 · Early-access draft
Who we are
CapyHR ("we," "us") is operated by [CAPYHR LLC / OPERATOR NAME], based in Omaha, Nebraska. CapyHR is a hosted personal command center: we set up and run a private instance of the software for you on infrastructure we manage. Unlike self-hosted software, your data lives on servers we operate — this policy explains what that means.
The data we handle for you
CapyHR's entire purpose is processing your personal information on your behalf, at your direction. When you connect accounts, your instance reads and stores:
- Email — message content and metadata from accounts you connect (iCloud, Gmail, Outlook), classification results, and a lifecycle log of what the system did with each message.
- Contacts and calendars — from the accounts you choose to sync, read-only.
- Tasks, notes, and your bills ledger — what you create in the dashboard or provide for bill verification.
- Account data — your name, email, username, passkey public keys (never anything that lets us impersonate your devices), session records, and the OAuth tokens / app passwords needed to read your connected accounts. Tokens are stored with restricted file permissions, are never logged, and are used only to operate your instance. We never store a password for your CapyHR sign-in — there is none; sign-in is by passkey.
How we use it
For exactly four purposes: to operate your instance (triage your mail, verify your bills, build your rundown), to deliver the notifications you enable, to keep the service secure, and to troubleshoot when you ask for help. We improve CapyHR using operational signals — error logs, service health — never by mining the content of your mail.
Where it lives
Each customer gets an isolated instance: your own database and files, never shared or commingled with any other customer's. Instances run on servers we lease in the United States (currently Hostinger), behind Cloudflare for network security and encryption in transit.
Who else touches it (subprocessors)
- Hostinger — server hosting.
- Cloudflare — DNS, TLS, network protection.
- Apple, Google, Microsoft — only the providers you connect, accessed with the credentials you authorize, revocable by you at any time.
- OpenRouter (AI processing) — only if you enable AI features. Before any content is sent for AI formatting or review, personal identifiers are substituted with anonymous codes; the AI provider sees the codes, not your details. AI features are optional and the service works without them.
What we never do
- No selling or sharing your data. No advertising. Ever.
- No training AI models on your data.
- No browsing your content. Operators access an instance's data only to provide support you've asked for, or as required to keep the service running, and we'll tell you when that happens.
Retention and deletion
- Email lifecycle records are pruned on a rolling ~90-day window.
- You can disconnect any account at any time; new reads stop immediately.
- If you leave CapyHR, we delete your entire instance — database, files, credentials — within [30] days, and offer an export first.
Security
Per-instance isolation, passkey (Face ID / WebAuthn) sign-in with hashed session tokens, TLS everywhere, secrets kept out of code and logs. No system is perfect: if a breach affects your data we will notify you without undue delay and within [72 hours] of confirming it.
Your choices and rights
Most controls are self-service in your dashboard: connect or disconnect accounts, tune notifications and quiet hours, turn AI features on or off, and manage everything you've created. Beyond that, ask us anytime to access, export, correct, or delete your data — it's yours. Contact [CONTACT EMAIL]. We respond to every request personally; there's no form maze.
Children
CapyHR is not directed to children under 16 and we don't knowingly host their data.
Changes
If this policy changes materially, we'll notify you in your dashboard and by email before the change takes effect.