Effective Date: May 13, 2026
Last Updated: May 13, 2026
Right Desk Reports ("we", "us", "our") is operated by The Marketing Millennial. You can contact us at info@themarketingmillennial.com.
This Privacy Policy explains how the Right Desk Reports mobile application ("the App") collects, uses, and protects your personal information.
Data you enter directly:
Workplace incident descriptions, dates, locations
Names of individuals involved in incidents (colleagues, managers)
Your name, employee ID, department, company name (optional — only if you enter it)
Voice recordings converted to text via your device's microphone
Data collected automatically:
App version and device type (for crash reporting only)
No tracking, no advertising identifiers, no analytics
What we do NOT collect:
Your location
Contacts
Photos stored on your device (only photos you explicitly attach to incidents)
Any data without your direct action
On your device (local storage only): All incident records, notes, and saved reports are stored exclusively on your device using encrypted local storage (Hive database). We do not operate servers that store your personal incident data.
Sent to our AI report generation service: When you tap Generate AI Report, the incident details you have selected are sent over an encrypted HTTPS connection to our secure server hosted on Railway (railway.app), which immediately forwards them to OpenAI (openai.com) to generate your report. The report text is returned to your device and saved locally.
We do not retain your incident data on our servers. The data is processed in real time and not stored after your report is generated.
Purpose | Legal Basis (GDPR)
Storing your incident records locally on your device | Performance of contract / Your consent
Generating your AI HR report via OpenAI | Your explicit consent (you initiate the action)
Improving app stability | Legitimate interests
We do not use your data for advertising, profiling, or sale to third parties.
OpenAI (openai.com): When you generate a report, your incident data is processed by OpenAI's API. OpenAI acts as a data processor on our behalf. OpenAI's privacy policy is available at: https://openai.com/privacy
Railway (railway.app): Our report generation server is hosted on Railway. Railway processes data in transit but does not store your personal data. Railway's privacy policy: https://railway.app/legal/privacy
The App requests access to your device microphone solely to enable voice-to-text input for completing incident forms. Voice is processed entirely on your device using your device's built-in speech recognition. We do not transmit, record, or store raw audio files.
You can deny microphone permission at any time in your device settings. The app remains fully functional without it — voice input is optional.
Incident records may contain sensitive personal data including descriptions of harassment, discrimination, and details about third parties (colleagues, managers). This data:
Is stored only on your device
Is only sent off-device when you explicitly tap Generate AI Report
Is never shared with any party other than OpenAI (for report generation) at your direction
Should not be shared with unauthorised parties
If you are located in the EU or EEA, you have the following rights:
Right | How to exercise it
Right of access | Email us — we will confirm what data we hold (note: most data is on your device only)
Right to deletion | Delete the app — all local data is permanently removed. Email us to confirm no server-side data exists
Right to rectification | Edit your incident records directly in the app
Right to portability | Your report text can be exported as PDF at any time
Right to object | You can stop using report generation at any time
Right to withdraw consent | Uninstall the app at any time
To exercise any right, contact us at: [YOUR EMAIL ADDRESS]
We will respond within 30 days.
On your device: Data is retained until you delete it within the app or uninstall the app.
On our servers: We do not retain your personal data after report generation is complete. Server logs (which do not contain your incident content) are retained for up to 30 days for security monitoring.
Right Desk Reports is intended for adults in employment. We do not knowingly collect data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us immediately.
We implement the following security measures:
All data transmission is encrypted via HTTPS/TLS
Local data is stored using device-level encrypted storage
Our server uses bearer token authentication
No incident data is logged or retained on our servers
If you are located in the EU/EEA, your data (when you generate a report) is transferred to servers in the United States (Railway, OpenAI). This transfer is made on the basis of your explicit consent when you initiate report generation. OpenAI participates in the EU-US Data Privacy Framework.
We may update this Privacy Policy from time to time. We will notify you of significant changes via an in-app notice. The "Last Updated" date at the top of this policy will always reflect the most recent version.
For any privacy questions, data requests, or concerns:
Sarai / The Marketing Millennial
Email: sarai@themarketingmillennial.com
For EU/EEA users: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.