Onboarding0
Start Free Trial

Legal

Privacy Policy

Effective March 23, 2026 · Onboarding0, Inc.

At Onboarding0, Inc., we take your privacy seriously. This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Service. By using the Service, you agree to the practices described in this policy.

1 Information We Collect

1.1 Account & Registration Information

When an administrator registers, we collect:

  • Name and email address
  • Company name, size, and industry
  • Password (stored in hashed form; never in plaintext)
  • Billing information, including credit card details (processed and stored securely by Stripe — we do not store full card numbers)
  • Selected billing plan

1.2 New Team Member Information

When new members are invited to onboard, we collect information they provide during the onboarding questionnaire, including:

  • Name and email address
  • Professional background and work history
  • Skills, competencies, and areas of expertise
  • Preferred learning styles and methods
  • Onboarding progress and milestone completion data

1.3 Company Content & Knowledge Base Data

With your authorization, we index content from connected platforms to power onboarding personalization. This may include:

  • Documents and files (e.g., from Google Drive, Box, or uploaded directly)
  • Code repositories (e.g., from GitHub)
  • Project management data (e.g., Jira issues, Confluence pages, Notion databases)
  • Future integrations: CRM data (e.g., Salesforce), messaging content (e.g., Slack), and other connected service platforms

1.4 Usage Data

We automatically collect certain data about how the Service is used, including:

  • Log data (IP addresses, browser type, pages visited, timestamps)
  • Device and connection information
  • Interactions with the AI chatbot (questions asked and responses received)
  • Feature usage patterns used to improve the Service

1.5 Cookies & Tracking Technologies

We use cookies and similar technologies for the purposes described below. You can manage your cookie preferences at any time using the “Cookie Settings” link in the footer.

Essential Cookies (always active)

These cookies are strictly necessary for the Service to function and cannot be disabled.

  • Session cookie— Maintains your login session on the platform. HttpOnly, 7-day expiry.
  • OAuth state cookies— Prevents cross-site request forgery during social login flows. HttpOnly, automatically deleted after login completes.
  • CAPTCHA cookies— Set by Cloudflare Turnstile to verify you are not a bot. Essential for security.
  • Cookie consent preference— Stores your cookie preference choice. 1-year expiry.

Optional Cookies (require your consent)

  • Analytics cookies (Amplitude)— Used on our marketing website only to understand how visitors interact with the site. These cookies are not set on the platform application. You can opt in or out at any time via the cookie consent banner.

Disabling optional cookies does not affect the functionality of the Service.

2 How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Generate personalized AI-driven onboarding plans and track new hire progress
  • Power the AI chatbot to answer new team member questions
  • Index and search your organization's content via our proprietary document indexer
  • Process payments and manage billing
  • Send transactional and onboarding-related emails to invited team members
  • Communicate with you about your account, updates, and support
  • Ensure security, detect fraud, and enforce our Terms
  • Comply with legal obligations

We do not use your Customer Content to train AI models for purposes other than delivering the Service to you.

3Third-Party Integrations & Data Sharing

3.1 Connected Third-Party Services

When you connect integrations, those services transmit data to us under the permissions you grant. Current integrations include GitHub, Atlassian Jira, Atlassian Confluence, and Notion. Planned future integrations include Salesforce, Slack, Google Drive, Box, and other CRM and document management platforms. Data from these integrations is used solely to build and maintain your knowledge index and to personalize onboarding experiences.

3.2 Service Providers (Sub-Processors)

We share data with the following trusted third-party service providers who assist in operating the Service, each subject to data processing agreements and confidentiality obligations:

  • OpenAI— AI-powered onboarding plan generation, chatbot responses, document classification, and text embeddings. Customer Content processed via the API is not used to train OpenAI models.
  • Stripe— Payment processing and subscription management. Stripe is PCI-DSS Level 1 certified. We do not store full card numbers.
  • Resend— Transactional email delivery (invitations, verification emails, onboarding reminders).
  • Cloudflare— CAPTCHA verification (Turnstile) for bot protection on forms.
  • Vercel— Application hosting, edge network, and blob storage for uploaded documents.
  • Trigger.dev— Background job processing (document indexing, plan generation, integration sync).
  • Amplitude— Analytics on the marketing website only. No personal data from the platform application is shared with Amplitude.

3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent in-app notice before your information is transferred and becomes subject to a different privacy policy.

3.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or a valid governmental request.

3.5 No Sale of Personal Data

We do not sell, rent, or lease your personal information to third parties for their marketing or other purposes.

4 Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Upon account termination, Customer Content is available for export for 30 days, after which it is deleted from our systems. Log data and aggregated analytics may be retained longer in anonymized form. Billing records are retained as required by applicable law.

5 Security

We implement industry-standard administrative, technical, and physical safeguards to protect your information, including encryption in transit (TLS) and at rest, role-based access controls, and regular security reviews. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

6 International Data Transfers

The Service is operated from the United States. If you are located outside the U.S., your information may be transferred to and processed in the U.S. where data protection laws may differ from those in your jurisdiction. For users in the European Economic Area (EEA), we rely on appropriate transfer mechanisms such as Standard Contractual Clauses.

7Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected such information, we will take prompt steps to delete it.

8Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data, subject to legal obligations
  • Portability — request a machine-readable export of your data
  • Objection / Restriction — object to or request restriction of certain processing activities
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing

To exercise these rights, please contact us at legal@onboarding0.ai. We will respond to verified requests within 30 days.

9 California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including:

  • The right to know what personal information is collected, used, shared, or sold
  • The right to delete personal information
  • The right to opt out of the sale or sharing of personal information (we do not sell personal information)
  • The right to correct inaccurate personal information
  • The right to non-discrimination for exercising these rights

To submit a verifiable consumer request, please contact us at legal@onboarding0.ai.

10 GDPR (EEA Users)

If you are in the European Economic Area, our legal bases for processing your personal data include:

  • Performance of a contract— to provide and maintain the Service as agreed in our Terms of Service
  • Legitimate interests— security, fraud prevention, service improvement, and direct communications to existing customers (with easy opt-out)
  • Consent— analytics cookies on our marketing website (which you can withdraw at any time via the cookie consent banner) and any other optional processing we specifically request your consent for
  • Compliance with legal obligations— as required by applicable EU/EEA law

Data Protection Contact

For GDPR-related inquiries, data subject access requests (DSARs), or to exercise any of your rights under the GDPR, contact our Data Protection team at legal@onboarding0.ai. We will respond to verified requests within 30 days as required by Article 12 of the GDPR.

Data Erasure

To request deletion of your personal data, email legal@onboarding0.ai with the subject line “GDPR Data Erasure Request”. Include the email address associated with your account. We will verify your identity and process the request within 30 days. Note that we may retain certain data as required by law (e.g., billing records).

Consent Withdrawal

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. For analytics cookies, use the “Cookie Settings” link in the footer. For other consent-based processing, contact us at legal@onboarding0.ai.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with Articles 33 and 34 of the GDPR.

International Transfers

When your data is transferred outside the EEA (e.g., to our U.S.-based sub-processors listed in Section 3.2), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms under Chapter V of the GDPR.

You have the right to lodge a complaint with your local supervisory authority (Data Protection Authority) if you believe we have processed your data in violation of applicable law.

11 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent in-app notice prior to the change becoming effective. The updated policy will be posted at onboarding0.ai/privacy with a revised effective date.

12 Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please reach out:

Privacy Inquiries

Onboarding0, Inc.

legal@onboarding0.aiwww.onboarding0.ai