
Privacy Policy

Effective 2026-06-01 · Firstweek, Inc.

Firstweek, Inc. ("Firstweek," "we," "our," or "us") is a Delaware corporation. This Privacy Policy explains how we collect, use, and share information when you use our software platform and related services (the "Service").

By accessing or using the Service, you agree to this policy. If you are using the Service on behalf of an organization (a "Workspace"), your organization's agreement with us governs data processing, and this policy applies to the extent not superseded by that agreement.


1. Information We Collect

Account and workspace information

When you create an account or set up a workspace, we collect your name, work email address, company name, and any single sign-on (SSO) identity information provided by your identity provider. Billing contacts and payment method details are collected during subscription setup.

New-hire onboarding data

Workspace administrators submit information about new hires — including names, job titles, start dates, role context, and other onboarding-related content — to generate personalized onboarding letters. This data is provided by the workspace and is processed by Firstweek on behalf of the workspace (see Data Controller vs. Processor below).

Integration data

When a workspace administrator connects a third-party integration (such as Slack, GitHub, Notion, Atlassian, or Google Drive), we access content from those services within the scopes you authorize — for example, repository content, channel messages, or documents. This access is read-only, limited to the repositories, channels, or folders you explicitly select, and used solely to generate onboarding content. You may revoke any integration at any time from your workspace settings.

Usage and analytics data

We collect information about how you interact with the Service — including pages visited, features used, and session duration — to improve the product and diagnose issues. We use Google Analytics 4 (GA4) across the full Service, including the authenticated application (see Analytics and Cookies below). No personally identifiable information is included in URL paths within the authenticated application.

Communications

If you contact us by email or through the Service, we retain those communications to respond to your inquiry and improve support.


2. Data Controller vs. Processor

Firstweek operates as both a data controller and a data processor, depending on the data:

  • Controller: We are the controller of account registration data, billing information, and data we collect about how you use our marketing site.
  • Processor: For new-hire onboarding content and integration data submitted by workspace administrators, we act as a processor on behalf of the workspace (the controller). The workspace is responsible for ensuring it has the rights and lawful basis to submit that data to the Service.

3. How We Use Your Information

  • Provide, operate, and improve the Service
  • Generate AI-powered onboarding letters on behalf of workspace administrators
  • Process payments and manage subscriptions
  • Send transactional notifications (onboarding delivery emails, system alerts)
  • Respond to support requests and inquiries
  • Monitor for security incidents and prevent fraud
  • Comply with legal obligations

We do not sell, rent, license, or otherwise monetize your data or your users' data to any third party, for any reason, ever. We do not use customer data — including new-hire information, integration content, or usage data — to build data products, conduct advertising targeting, or derive insights that benefit any party other than you. We do not use your data to train AI models without your explicit prior written consent. Your data exists in our systems solely to provide the Service to your workspace.


4. AI Processing

Onboarding content is transmitted to third-party AI providers to generate personalized letters. By using AI-powered features, workspace administrators authorize this processing. Customer data is not used to train AI models without your explicit prior written consent.

Firstweek uses one or more third-party AI inference providers to power features including onboarding letter generation. When a workspace administrator initiates letter generation, the relevant onboarding content (role context, focus areas, and content retrieved from connected integrations) is transmitted to an AI provider for inference. Our current primary AI provider is Anthropic. We may engage additional AI providers for specific features as the Service evolves; any such providers will be listed on our Subprocessors page before they process customer data.

We select AI providers that operate under zero-retention or equivalent data handling commitments, meaning submitted content is not stored or used by the provider to train their models. Customer data transmitted for AI inference is used solely to generate the requested output and is not retained by the provider beyond that request.

AI-generated outputs are suggestions. The workspace administrator is responsible for reviewing generated content before delivering it to a new hire. Firstweek makes no guarantee as to the accuracy, completeness, or fitness of AI-generated content for any particular purpose.


5. Analytics and Cookies

Cookies we use

The Service uses the following types of cookies:

  • Essential cookies: Session and authentication cookies required for the Service to function. These cannot be disabled.
  • Analytics cookies: Google Analytics (GA4) sets cookies to collect usage statistics across the full Service — including the public marketing site and the authenticated application. These cookies collect page-level data only; no personally identifiable information is embedded in URL paths within the authenticated application.

Google Analytics

Firstweek uses Google Analytics 4 (GA4), operated by Google LLC, across the full Service to understand how the product is used and to guide product improvements. GA4 collects IP addresses, browser and device identifiers, pages visited, feature interactions, and session duration. This data is processed by Google subject to its own privacy policy. You can opt out of Google Analytics tracking using the Google Analytics opt-out browser add-on.


6. Third-Party Services

We share data with third-party subprocessors only to the extent necessary to provide the Service. A complete, current list of our subprocessors — including the data they process and their locations — is available at firstweek.app/subprocessors.

Key subprocessors include:

  • Amazon Web Services (AWS) — cloud hosting and data storage
  • Anthropic (and other AI providers) — AI inference for letter generation and other AI-powered features
  • Stripe — payment processing
  • Resend — transactional email delivery (processes recipient addresses and email content)
  • Google Analytics — product analytics across the full Service

7. Data Security

We design our systems with security as a core requirement, applying controls aligned with SOC 2 Trust Service Criteria as we work toward formal certification.

  • Data in transit: All communications between your browser and our servers use TLS (HTTPS). Data exchanged with third-party services and AI providers is transmitted exclusively over encrypted connections.
  • Data at rest: Our database is encrypted at rest. Fields containing personally identifiable information — including new-hire details, SSO configuration, and identity data — are additionally encrypted at the application layer using AES-256 before being written to the database.
  • Tenant isolation: All customer data is scoped to your workspace at every layer of the application. Data from one workspace is never accessible to another. Tenant boundaries are enforced at the query level on every database read and write.
  • Access controls: Access to production systems is restricted to authorized personnel. Administrative access is logged and audited.

If you discover a security vulnerability, please report it to [email protected].


8. Data Retention

We retain account and workspace data for as long as your subscription is active. When a workspace subscription ends and is not renewed, we retain data for 90 days to allow for reactivation, after which it is deleted from production systems. Backup purge may take up to an additional 30 days.

You may request deletion of your workspace data at any time by contacting [email protected].


9. Your Rights

Depending on your location, you may have rights regarding your personal data, including the right to access, correct, or delete the information we hold about you. To exercise any of these rights, contact us at [email protected].

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: You may request a summary of the personal information we have collected about you and why we collected it.
  • Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a California privacy request, contact [email protected]. We will respond within 45 days.


10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice in the application. Continued use of the Service after a change constitutes your acceptance of the updated policy.


11. Contact

Questions about this policy or your data:

  • Email: [email protected]
  • Security disclosures: [email protected]

Firstweek, Inc., a Delaware corporation
