Privacy Policy

The Huckleberry Feedback Company

Effective Date: March 31, 2026

Summary

We collect the minimum data needed to provide AI coaching, 360 feedback, and your professional development.

Your coaching conversations are private. Your employer cannot see them. Huckleberry staff cannot access them.

Your Coaching Profile and 360 feedback belong to you — they travel with you between jobs.

On a company plan, coaching conversations are permanently deleted when you leave.

We use third-party AI providers to power the Service. They process your data in real time but do not retain it.

We do not sell your personal information.

You can export your data, request deletion, or exercise your privacy rights at any time.

1. Introduction

This Privacy Policy explains how The Huckleberry Feedback Company (“Huckleberry,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use our AI coaching platform and related services (the “Service”).

This policy applies to all users of the Service, including individuals on Free, Individual, Team, and Enterprise plans. It should be read alongside our Terms of Service and, for Team and Enterprise customers, our Data Processing Agreement.

By using the Service, you agree to the collection and use of your information as described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Name and email address (work email and, optionally, a personal email for account portability).
Password (stored in hashed form; we cannot read your password).
Authentication data if you sign in via Google or Microsoft OAuth.

2.2 Professional Profile

To provide contextually relevant coaching, we automatically enrich your professional profile using Apollo.io when you first log in. This enrichment uses your work email (and personal email, if provided) to retrieve publicly available professional data, including:

Career history and current role.
Education and skills.
Company information (industry, size, funding stage, technology stack).

This enrichment happens automatically upon first login. You can review and edit your professional profile in your account settings at any time.

2.3 Coaching Session Content

When you use our coaching features, we collect:

Voice transcripts generated during real-time coaching conversations.
AI-generated session summaries, including headline, core issue, context, recommendations, next steps, techniques used, and people mentioned.
Session metadata: timestamp, duration, number of exchanges, and session status.

Coaching session content is the most sensitive data we handle. See Section 5 for how we protect it.

2.4 360 Feedback

When you request or provide 360 feedback, we collect:

Voice-based feedback responses from colleagues (approximately 5-minute conversations).
AI-synthesized insights derived from feedback (strengths, growth areas, patterns).
Attribution data: feedback is named — it is attributed to the person who provided it. We do not offer anonymous feedback.

Feedback you receive is part of your Portable Data and belongs to you.

2.5 Uploaded Documents

You may upload personal or professional documents, including:

Personal assessments: StrengthsFinder, DISC Profile, Myers-Briggs, Big 5, Enneagram, Standout, and similar.
Resumes and CVs.
Company documents (Team and Enterprise plans only): competency models, culture decks, employee handbooks.

We use AI to extract structured data from these documents to enhance your coaching experience. The original documents and extracted data are stored in your account.

2.6 Integration Data (Team and Enterprise Plans)

If your organization connects Huckleberry to workplace tools, we may receive:

HRIS data: team rosters, reporting lines, organizational structure, department information (from BambooHR, HiBob, Rippling, Gusto, Deel, Workday, or similar).
Performance data: feedback, goals, engagement scores (from Lattice, Culture Amp, or similar).
Calendar data: meeting schedules and free/busy information (from Google Calendar).
Meeting notes: from connected tools (eg. Granola, Zoom).

This data is Company-Provisioned Data — it is owned by your employer and is removed from your account when you leave the Company Plan.

2.7 Usage and Analytics Data

We collect data about how you use the Service, including:

Session count, duration, and frequency.
Features used and interaction patterns.
Last active date.

This data is used to improve the Service and, on Company Plans, to provide aggregate usage reporting to administrators.

2.8 Payment Information

Payments are processed by Stripe. We do not store your credit card number, bank account details, or other financial account information on our servers. We receive from Stripe: transaction confirmations, subscription status, and billing history. Stripe’s handling of your payment data is subject to Stripe’s Privacy Policy.

2.9 Device and Technical Data

We automatically collect:

IP address, browser type and version, operating system.
Device identifiers and screen resolution.
Referring URLs and pages visited within the Service.
Error logs and performance data.

This data is used for security, troubleshooting, and service optimization.

3. How We Use Your Information

We use the information we collect to:

Provide the Service: conduct coaching sessions, generate summaries, build your Coaching Profile, collect and synthesize 360 feedback.
Maintain coaching continuity: remember previous sessions, track commitments, and provide increasingly personalized coaching.
Enrich your professional context: use your professional profile and integration data to make coaching relevant to your actual work situation.
Process payments: manage subscriptions, billing, and invoicing.
Communicate with you: send service-related notifications, session reminders, and account updates. We do not send marketing communications without your explicit consent.
Improve the Service: analyze aggregate, de-identified usage patterns to improve features, coaching quality, and user experience.
Ensure security: detect and prevent fraud, abuse, and security incidents.
Comply with law: meet legal obligations, respond to lawful requests, and enforce our Terms.

4. How We Share Your Information

4.1 AI Service Providers

The Service relies on third-party AI providers to deliver core functionality:

ElevenLabs (Real-time voice AI for coaching sessions): Voice audio, session transcripts, Not retained after session ends
Anthropic (Claude): Session summary generation, document parsingSession transcripts, uploaded documents. Not retained beyond API processing
Apollo.io (Professional profile enrichment): Work and personal email addresses. Returns publicly available professional data

These providers process data under contract with Huckleberry. ElevenLabs and Anthropic do not retain your content after processing is complete.

4.2 Infrastructure Providers

We use cloud infrastructure providers (including Supabase for database hosting and authentication) to store and serve data. These providers operate under strict contractual data protection obligations.

4.3 Payment Processor

Stripe processes all payments. Your payment information is handled directly by Stripe and is subject to their privacy policy and PCI DSS compliance.

4.4 Company Administrators (Strictly Limited)

If you are on a Team or Enterprise plan, your company administrators can see:

Aggregate usage data: session counts, frequency of use, last active date.
Billing information: active seats, subscription status.

Company administrators can never see:

Your coaching session content (transcripts, summaries, notes).
Who or what you discussed in coaching sessions.
Your Coaching Profile details.
Your 360 feedback content.
Any substantive coaching information whatsoever.

We do not build — and commit to never building — tools that allow employers to access individual coaching content.

4.5 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request. When permitted, we will:

Notify you of the request before disclosure.
Narrow the scope of disclosure to the minimum legally required.
Challenge requests we believe are overbroad or improper.

4.6 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy and provide you the opportunity to delete your account.

4.7 With Your Consent

We may share your information in other circumstances with your explicit consent.

4.8 What We Never Do

We do not sell your personal information. Not to advertisers, data brokers, or anyone else.
We do not use your Coaching Content for advertising or marketing.
We do not share your Coaching Content with your employer.
We do not provide individual-level coaching data to any third party (except as required by law).

5. Coaching Session Privacy

This is the most important section of our Privacy Policy. Your coaching relationship with Huckleberry is private.

5.1 What Is Private

All Coaching Content is private to you. This includes:

Everything discussed during coaching sessions.
Voice transcripts and AI-generated summaries.
People mentioned, recommendations given, next steps proposed.
Coaching techniques applied and patterns identified.

This information is the substance of your coaching relationship — the equivalent of notes from a session with a human executive coach.

5.2 Who Can See Your Coaching Content

Only you. Specifically:

Your employer cannot see it, even if they are paying for your subscription through a Company Plan.
Company administrators cannot see it. They receive only aggregate usage metrics.
Huckleberry employees do not access it. Our internal policies and technical access controls prohibit staff access to coaching session content.

5.3 How We Protect It

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Stored data is encrypted using industry-standard encryption.
Access controls: Internal access to coaching content is technically restricted. Our systems enforce role-based access that excludes coaching content from employee-accessible interfaces.
Policy controls: Accessing coaching content is a terminable offense under our employee policies.
End-to-end encryption (in progress): We are actively implementing end-to-end encryption where coaching content is encrypted on your device before reaching our servers, ensuring that even Huckleberry’s systems cannot decrypt it.

5.4 What Administrators Can See

On Team and Enterprise plans, company administrators can see only:

Visible to admins
- Number of coaching sessions
- Frequency of use
- Last active date
- Billing and seat information
Not visible to admins
- Session content or topics
- Who was discussed
- Coaching recommendations
- Coaching Profile details (unless shared by the user)
- 360 feedback content (unless shared by the user)

6. Data Ownership and Portability

6.1 Your Portable Data

The following data belongs to you personally, not to any employer:

Coaching Profile: The aggregated insights, growth patterns, technique preferences, and developmental themes built through your coaching relationship.
360 Feedback received: The feedback your colleagues have provided about you, including synthesized insights.

This data:

Travels with you when you change employers or switch plans.
Can be exported in a machine-readable format at any time via your account settings.
Is retained as long as your account exists, on any plan.

6.2 Company-Provisioned Data

Data provided by your employer under a Company Plan (team profiles, org structure, company documents, HRIS data, integration credentials) is owned by the Customer and is removed from your account when you leave the Company Plan.

Your raw, attributed feedback will be removed from the recipient’s view.
Synthesized insights derived from multiple feedback sources may persist in anonymized or aggregated form — for example, if five people provided feedback and the system generated a composite strength, removing one person’s raw feedback does not require deletion of the composite insight.

6.3 Coaching Content Lifecycle

On Individual or Free plans: Coaching Content is retained for the duration of your account.
On Company Plans: Coaching Content from your Company Plan tenure is permanently deleted when you depart the plan, regardless of whether you transition to an Individual plan. This protects both you and your employer — coaching sessions during employment may reference confidential company information that should not persist outside that relationship.

6.4 Feedback Giver Rights

If you have given 360 feedback about a colleague through Huckleberry, you have the right to request deletion of your attributed feedback. To exercise this right:

Email privacy@gethuckleberry.com with your request (self-service option coming soon).

7. Data Retention and Deletion

Active account: All data retained as described in this policy.
Company Plan departure: Coaching Content permanently deleted. Portable Data retained. Company Data removed.
Account closure: 30-day export window for Portable Data. After 30 days, all data permanently deleted.
Feedback withdrawal: Raw attributed feedback deleted. Aggregated insights may persist in anonymized form.
Inactive Free accounts: We may delete accounts that have been inactive for more than 12 months, with 30 days’ notice.
Encrypted backups: May persist for up to 90 days after deletion, after which they are permanently destroyed.

8. Security

We take the security of your information seriously and employ the following measures:

Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest.
Access controls: Role-based access with principle of least privilege. Coaching Content is architecturally isolated from employee-accessible systems.
Security assessments: Regular vulnerability scanning and security reviews.
Personnel: All staff with access to systems are bound by confidentiality agreements and receive security awareness training.
Incident response: We maintain a documented incident response plan with defined procedures for detection, containment, and notification.
End-to-end encryption: We are actively implementing client-side encryption so that coaching content is encrypted on your device before transmission. This will mean even our own systems cannot decrypt your coaching data.
Compliance: We are pursuing SOC 2 Type II certification and will make compliance reports available to enterprise customers upon request.

We maintain administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

9. International Data Transfers

The Service is operated from the United States. If you use the Service from outside the US, your data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA) or United Kingdom:

International data transfers are governed by the European Commission’s Standard Contractual Clauses (SCCs), which provide appropriate safeguards for your data.
The UK International Data Transfer Addendum applies for transfers from the UK.
Details of these transfer mechanisms are set out in our Data Processing Agreement.

For Enterprise customers, data residency options may be available. Contact support@gethuckleberry.com for details.

10. Your Privacy Rights

10.1 All Users

Regardless of where you are located, you have the right to:

Access the personal information we hold about you.
Correct inaccurate or incomplete personal information.
Delete your personal information (subject to legal retention requirements).
Export your Portable Data in a machine-readable format.
Object to certain types of processing.
Withdraw consent where our processing is based on your consent.

10.2 European Economic Area and United Kingdom (GDPR)

If you are located in the EEA or UK, you additionally have the right to:

Restrict processing of your personal information in certain circumstances.
Data portability: receive your data in a structured, commonly used, machine-readable format.
Lodge a complaint with your local data protection supervisory authority.

Legal bases for processing: We process your personal information based on: (a) performance of our contract with you; (b) our legitimate interests in operating and improving the Service (balanced against your rights); and (c) your consent, where applicable.

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

Know what personal information we collect, use, and disclose.
Delete your personal information.
Correct inaccurate personal information.
Opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising.
Non-discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected: Identifiers, professional information, internet/electronic activity, geolocation data (inferred from IP), and inferences drawn from the above.

We do not sell personal information. We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.

10.4 How to Exercise Your Rights

Self-service: Access your account settings at Account > Privacy for available options including data export and account deletion.
Email: Send requests to privacy@gethuckleberry.com.
Response time: We will respond to verified requests within 30 days. For complex requests, we may extend this by an additional 60 days with notice.
Verification: We may need to verify your identity before fulfilling requests to protect your privacy.

11. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from anyone under 16. If we become aware that we have collected data from a person under 16, we will take steps to delete that information promptly.

If you believe that a child under 16 has provided us with personal information, please contact us at privacy@gethuckleberry.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will:

Notify you of material changes by email at least 30 days before they take effect.
Post the updated policy on our website with a revised effective date.
Make previous versions available upon request.

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you disagree with any changes, you should stop using the Service and close your account.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal information, contact us at: