Privacy Policy

Introduction

High Fives (“High Fives,” “we,” “us,” or “our”) is a workplace directory, peer recognition, and team game product operated by Capital Thought, LLC, a Texas limited liability company headquartered at 701 Brazos Street, Suite 100, Austin, TX 78701, United States. This Privacy Policy explains what information we collect, how we use it, and the choices you have. If you have questions about this policy, email privacy@highfives.app.

What data we collect

We collect only what we need to operate the service for your organization. Specifically:

• Google OAuth identity.When you sign in with Google, we receive your email address, display name, and profile photo URL from Google’s OAuth identity response.
• Google Workspace directory data obtained via the https://www.googleapis.com/auth/directory.readonly scope. This includes, for people within your own Google Workspace organization: names, job titles, department, manager relationships, work phone numbers, building and office locations, profile photos, and birthdays (day and month only) where those fields are published in the organization’s directory.
• Application data you create in High Fives.This includes high fives (peer recognitions) you send or receive, reactions to recognitions, Who’s Who game scores and streaks, and any high-five drafts you save.
• Anonymous reports. If a member of your organization submits a report through the anonymous reporting channel, we store the encrypted report body and the category the reporter selected. We do notlog the reporter’s IP address, email, user ID, device fingerprint, or any other identifier that could re-identify them.
• Session cookies issued by Supabase Auth so that you stay signed in. These are first-party, HTTP-only cookies used solely for authentication.

We do not collect: IP addresses or device information for anonymous reporters, analytics cookies, advertising or cross-site tracking identifiers, keystroke or session-replay data, or location data beyond the office building field your organization has already published in its Google Workspace directory.

How we use the Google directory.readonly scope

High Fives requests the Google OAuth scope https://www.googleapis.com/auth/directory.readonly in order to populate the in-app employee directory, org chart, and Who’s Who face-matching game within your own organization. We call the Google People API method people.listDirectoryPeople on a scheduled basis (nightly) and on demand, cache the response in our database scoped to your organization, and render it to authenticated members of that same organization. We do not use this data for any other purpose.

Google Limited Use disclosure. We access Google Workspace directory data with the directory.readonly scope for the sole purpose of displaying employee profiles and relationships inside the customer’s own workspace of the product. Data is not combined with other customers’ data, sold, used for advertising, or used to train generalized AI/ML models.

Limited Use — Google User Data

High Fives’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Concretely:

• We use Google user data only to provide and improve user-facing features of High Fives that are prominent in the application’s user interface (directory, org chart, Who’s Who, peer recognition).
• We do not transfer Google user data to third parties except as necessary to provide the service (see “Data sharing” below) or to comply with applicable law.
• We do not use Google user data for serving advertisements, and we do not sell Google user data.
• We do not allow humans to read Google user data except (a) with the affected user’s explicit consent, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
• We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.

Data retention

• Directory data is refreshed nightly from Google and overwritten in place. If a person is removed from your Google Workspace directory, their profile is removed from High Fives on the next sync.
• Anonymous reportsare retained for 7 years by default to align with Sarbanes-Oxley and standard employment-records retention windows. An organization’s Trust & Safety admin may request earlier deletion of a specific report; deletions are audit-logged.
• High fives and game dataare retained for the life of the organization’s account so that recognitions and history remain visible to members.
• Account and identity data is deleted within 30 days of an organization closing its High Fives account. Individual members may request earlier deletion of their own account data.

Data sharing

We do not sell your data and we do not share it with third parties for advertising. We do share data with the following sub-processors that are necessary to run the service:

• Supabase — managed Postgres database and authentication (data storage, row-level security, OAuth session issuance).
• Vercel — application hosting and edge delivery for the Next.js frontend and API routes.
• Cloudflare — DNS for highfives.app and Turnstile CAPTCHA on the anonymous reporting endpoint.
• Postmark— transactional email delivery (login links, digest emails, report notifications to Trust & Safety admins).
• Slack — optional per-organization integration for posting recognitions to a team channel. Only activated if your organization explicitly installs it.

Each sub-processor is bound by its own privacy obligations and processes data only on our instructions to provide the High Fives service.

User rights

• Access and export. You can download a full machine-readable export of your personal data at /me/portability while signed in.
• Deletion. Organization owners can close the organization and trigger deletion of all organization data by going to Settings → Close org. Individual members who want their own data deleted while their organization remains active can email privacy@highfives.app and we will process the request within 30 days.
• Correction. Directory information mirrors your Google Workspace directory. To correct it, update it in Google Workspace and it will refresh on the next sync.
• Revoking access.You can revoke High Fives’s access to your Google account at any time by visiting myaccount.google.com/permissions.

Children’s privacy

High Fives is a workplace tool intended for adult employees of Google Workspace organizations. It is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact privacy@highfives.app and we will delete it.

Security

We take security seriously and apply SOC-2-adjacent engineering practices:

• Per-organization isolation.Every table is protected by Postgres row-level security policies keyed to the requesting organization. No organization can query another organization’s data, even with direct database access.
• Encryption at restfor sensitive fields using Supabase’s pgsodium extension, with keys managed in Supabase Vault. Google OAuth refresh tokens are encrypted before being stored and are accessed only through a SECURITY DEFINER function during scheduled directory sync.
• Encryption in transit via TLS 1.2+ for all connections to highfives.app and sub-processors.
• No shared secrets between tenants.Each organization’s OAuth credentials, cron tokens, and database rows are siloed.
• Passwordless authentication. High Fives has no user-chosen passwords. Authentication is handled entirely through Google OAuth, reducing the attack surface from credential stuffing and phishing.
• Authenticated cron endpoints. Scheduled jobs such as the nightly directory sync are gated by a shared CRON_SECRET and cannot be triggered externally.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify organization owners by email at the address on file at least 30 days before the change takes effect. Continued use of High Fives after the effective date constitutes acceptance of the updated policy.

Contact

Privacy questions: privacy@highfives.app
Capital Thought, LLC
701 Brazos Street, Suite 100
Austin, TX 78701
United States

Mailing address:
9450 SW Gemini Dr, Suite 70468
Beaverton, OR 97008