Privacy Policy
Last updated: 2026-05-16
This policy explains what data the Highwater Engagement Management Platform (“Highwater”, “we”, “us”) collects, why we collect it, who we share it with, and the rights you have over it. It is written in plain English; we have included internal table and feature names where they help you understand the mechanism.
1. What we collect
Account profile
Each user has a row in our user_profiles table that stores: email address, full name, avatar image URL, the role assigned by an administrator (admin / pm / staff / client), timezone, and a free-form preferences JSON object where per-user settings live (sidebar pin counts, completed product tours, notification preferences, and similar).
Authentication credentials
Authentication is handled by Supabase Auth. We never see or store your password — only the salted hash held by Supabase. If you sign in with Google, we receive your email, name, and avatar URL from Google’s OAuth response; we do not request additional scopes.
Workspace content
The substantive data you create inside the app: companies, projects, tasks, messages (full body text, including attachments and embedded mentions), files (uploaded to Google Drive on your behalf), comments, and time entries. This is the data you came to the platform to manage; we host it so your team can collaborate.
Page activity tracking
The page_activity_log table records every visit to a client-scoped page inside the protected app. Each row captures: the route path (with sensitive query parameters stripped), the browser tab id, the duration the page was open, the start and end timestamps, and a was_idle flag that marks visits where the user did not interact. This tracking applies to staff and client portal users alike. Default retention is 30 days; an administrator can configure it between 1 and 365 days. The log exists so administrators can answer “did the client see this?” without guessing.
Performance telemetry
The client_perf_log table receives Google Web Vitals (LCP, INP, CLS, TTFB) sampled from your browser, render-time markers for heavy components, navigation timing for route changes, and any uncaught JavaScript errors. Error stack traces are truncated to five lines and routes are sanitized to remove query parameters such as ?token= and URL fragments before logging.
Server query telemetry
The slow_query_log table records a fingerprint of slow database queries (statement shape + timing only). It does not include user content or query parameters — it exists so we can find indexes that need to exist before they cost you a slow page.
Internal kudos posts
The training_brags and training_brag_reactions tables hold organization-wide training broadcasts and reactions. Anything posted there is visible to every other user in your organization.
Reward events
The reward_events table records gift-card issuances (Tremendous integration). This is staff-only — client portal users are not included. When a reward is issued, we share the recipient’s email address with Tremendous so they can deliver the card.
2. Third-party processors
We share data with the following subprocessors. Each one has a narrow purpose; we do not sell your data, and none of these parties are authorized to use it for their own marketing.
- Vercel — application hosting, blob storage for uploads in transit, Vercel Analytics, and Vercel Speed Insights. Default region: United States. Vercel Analytics and Speed Insights are cookieless.
- Supabase — Postgres database (highwater_ops schema), Supabase Auth, Realtime channel infrastructure, and Storage. Region: AWS us-east-2 (Ohio).
- Google — Google OAuth for sign-in plus Google Drive integration via a domain-wide-delegated service account. Drive holds the binary contents of files you upload; our database holds only the metadata pointer.
- OpenAI — we send time-entry note text and message drafts to gpt-4o-mini for the AI cleanup/dictation feature (the “broom” and the microphone). OpenAI is instructed not to train on this data under their API terms.
- Mistral — we send the binary contents of PDF and PSD files you upload to Mistral OCR for spell-check extraction. Mistral is instructed not to retain or train on this data under their API terms.
- Tremendous — gift-card issuance. We share the recipient’s email address with Tremendous so they can deliver the card. Staff only — client portal users are never sent to Tremendous.
- Resend (or configured SMTP relay) — transactional email: invitations, magic-link sign-in, password reset, daily digests. Address-book scope only.
3. Your rights
Access
Email privacy@masking.com and we will provide a copy of the data we hold about you within 30 days.
Correction
You can correct your profile in-app at /me. For changes to data inside a workspace you do not own, contact the workspace administrator.
Deletion
Email privacy@masking.com to request deletion. We will soft-delete your account immediately; hard-deletion happens 30 days later so accidental requests can be reversed.
Portability
We provide CSV exports of your time entries, tasks, messages, and file metadata on request.
Opt out of activity tracking
Client portal users can request opt-out by emailing the address above. Staff can disable their own tracking in /me?tab=settings.
Opt out of the leaderboard
A super-admin can exclude any user from the staff leaderboard at /training/admin using the leaderboard-exclusion list.
Cookies
We set only essential cookies: the Supabase auth session cookie and an admin client-preview mode cookie. We do not use third-party tracking cookies. Vercel Analytics and Vercel Speed Insights are cookieless.
4. EU / UK clauses
Lawful basis for processing
For workspace content, time tracking, and operational telemetry: legitimate interest in operating the service you contracted for. For optional features such as gift-card rewards and product tours: consent that you can withdraw at any time.
Data Protection Officer
Reach our DPO at privacy@masking.com.
Right to lodge a complaint
EU residents have the right to lodge a complaint with their local supervisory authority. UK residents may complain to the Information Commissioner’s Office (ICO).
Transfers out of the EU / UK
Our subprocessors are predominantly US-based. Transfers are covered by the European Commission’s Standard Contractual Clauses (SCCs), included as the data-transfer mechanism in each subprocessor agreement.
5. Children
The platform is not directed at users under 16 years of age and we do not knowingly collect data from them. If you believe a child has provided us with personal information, email privacy@masking.com and we will delete it.
6. Contact
Questions about this policy, requests for access/correction/deletion, or anything else privacy-related: privacy@masking.com.