Privacy Policy
Last updated: April 29, 2026
Hello Nomad ("we", "our", or "us") operates the leave management platform available at
hellonomad.work (the "Service"). This Privacy Policy explains how we collect,
use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
1.1 Account Information
When you register or are invited to a workspace, we collect:
- Name and email address
- Password (stored as a one-way cryptographic hash; we never store your plain-text password)
- Profile picture / avatar URL
- Job title, phone number, and team assignment (if provided)
1.2 Leave and Attendance Data
When you use the Service, we collect:
- Leave requests (dates, leave type, reason, coverer assignment)
- Leave balances, quotas, and approval history
- Team calendar and scheduling information
1.3 Third-Party Authentication
If you choose to sign in or register using a third-party provider, we receive:
- Google: Name, email address, profile picture, and Google user ID. If you connect Google Calendar, we also receive a refresh token to create and manage calendar events on your behalf.
- Slack: Name, email address, profile picture, Slack user ID, and workspace ID. If your organization connects Slack, we receive a bot token and optionally a user token to enable slash commands, notifications, and status updates.
1.4 Automatically Collected Information
When you access the Service, our servers automatically log:
- IP address and browser user-agent
- Pages visited and actions taken
- Cookies necessary for authentication and session management
- Timezone and locale (used to configure your workspace location)
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process and track leave requests and approvals
- Send notifications about leave requests, approvals, and reminders (via email, Slack, or in-app)
- Create and manage Google Calendar events for approved leave (when connected)
- Update your Slack status during approved leave (when connected)
- Authenticate your identity and secure your account
- Respond to support requests and communicate with you
- Improve and develop new features for the Service
2.5 AI and third-party processors
Hello Nomad uses Google Gemini for absence-pattern detection on internal leave records only.
We do not send Slack message content, channel names, or user identifiers to AI
providers.
We do not train or fine-tune any AI model on your data.
3. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share data only
in the following circumstances:
- Within your workspace: Your name, team, leave status, and calendar are visible to other members of your organization's workspace as configured by your administrator.
- Third-party integrations: When you or your administrator connects Slack or Google, data flows to those platforms as described in Section 1.3, governed by their respective privacy policies.
- Service providers: We use trusted third-party services for hosting and infrastructure. These providers process data on our behalf and are contractually obligated to protect it.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
4. Data Security
We implement industry-standard security measures to protect your data:
- All data is transmitted over HTTPS (TLS encryption in transit)
- Passwords are hashed using bcrypt with a high work factor
- Third-party tokens (Slack, Google) are encrypted at rest using AES-256-GCM authenticated encryption
- Authentication uses short-lived JWT access tokens (15 minutes) with secure, httpOnly refresh token rotation
- OAuth state parameters are encrypted to prevent CSRF attacks
- Each organization's data is isolated in a separate database schema (multi-tenant isolation)
5. Data Retention
- Account data: Retained for the duration of your account. When an account is deactivated, personal data is soft-deleted and retained for up to 90 days before permanent deletion.
- Leave records: Retained for the duration of the workspace subscription for compliance and record-keeping purposes.
- Authentication tokens: Refresh tokens expire after 7 days. One-time login tokens expire after 5 minutes. Password reset tokens expire after 1 hour.
- Server logs: Retained for up to 30 days for debugging and security monitoring.
5.1 Slack data deletion
When the Slack integration is uninstalled by your workspace administrator, all Slack OAuth
tokens are immediately revoked and deleted from our database. We retain user-Slack ID mappings
for 30 days for audit purposes, then permanently delete them.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your personal data ("right to be forgotten")
- Export your data in a portable format
- Withdraw consent for optional data processing (e.g., disconnect Google Calendar or Slack)
- Object to certain types of data processing
To exercise any of these rights, contact us at the address below. We will respond within 30
days.
7. Cookies
We use strictly necessary cookies for:
- Authentication: access_token and refresh_token cookies maintain your session. These are httpOnly and secure (not accessible to JavaScript).
- OAuth flow: Temporary cookies during Slack and Google sign-in flows (automatically cleared after use).
We do not use analytics, advertising, or tracking cookies.
8. Third-Party Services
The Service integrates with the following third-party platforms. Their use of your data is
governed by their own privacy policies:
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect
personal information from children. If you believe a child has provided us with personal data,
please contact us and we will promptly delete it.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We
ensure appropriate safeguards are in place to protect your data in accordance with applicable
law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by
posting the updated policy on this page and updating the "Last updated" date. Your continued
use of the Service after changes constitutes acceptance of the updated policy.