- 01HR Doesn’t Have a Technology Problem
- 02Should This Even Become Software?
- 03The HR Builder Mindset
- 04Finding Products Worth Building
- 05The Modern Stack, Through HR Analogies
- 06Prompting Claude Code
- 07Build With Me
- 08Mistakes Every HR Builder Makes
- 09Security: The Chapter You Shouldn’t Skip
- 10Twenty HR Products Worth Building
- 11A 14-Day Starter Plan
- 12About HR Success Centre
The HR Builder’s Guide
Stop waiting for IT. Start vibe coding the tools you actually need.
HR Doesn’t Have a Technology Problem. It Has a Builder Problem.
There’s a version of this story at every company, and it usually starts the same way.
There’s a version of this story at every company, and it usually starts the same way. Someone in HR — a TA partner, a People Ops manager, an HRBP who’s been doing this for a decade — notices the same problem coming up over and over. Employees asking the same leave question. Hiring managers writing interview guides from scratch every single time. A policy document that answers 80% of questions but nobody reads because it’s twelve pages of legalese.
They know exactly what would fix it. They could describe the solution in two sentences. They’ve watched the problem happen fifty times; they understand it better than anyone in the building.
Then they do the thing HR has always done next: they open a ticket.
Six weeks later, someone from IT schedules a discovery call. Eight weeks after that, there’s a scoping document. By the time anything ships — if anything ships — the original problem has changed shape, the person who requested it has moved teams, and the tool that gets built solves last quarter’s version of the issue.
This isn’t a story about IT being slow. IT is usually understaffed, juggling priorities that have nothing to do with HR, and rationally putting “build a tool for the leave calculator problem” behind “keep the payroll system from falling over.” The bottleneck was never effort or intelligence. It was access. HR has always had more understanding of its own problems than anyone else in the company — and, until recently, zero ability to act on that understanding without going through someone else.
That’s the part that changed. Not “AI got smarter.” Something more specific: the distance between understanding a problem and building the fix for it collapsed. A few years ago, closing that gap required years of training, a computer science degree, or a very patient friend who owed you a favor. Today it requires being able to describe, in plain language, what you want a piece of software to do — and having the judgment to know if what comes back is actually right.
That second part isn’t small. It’s the entire reason this guide exists.
The mindset shift, stated plainly
Historically, HR consumed software. Someone else decided what the ATS could do, what fields the HRIS tracked, what the onboarding portal looked like. HR’s job was to work within those decisions — to file the ticket, request the feature, wait, and adapt.
Today, HR can create software. Not “HR can now use AI tools better.” Create. A calculator, a generator, a structured process — built by the person who understands the problem, without a procurement cycle in between.
This is not a small upgrade to how HR uses technology. It’s a different relationship to it entirely. And most HR professionals haven’t been told this is available to them yet, which is a strange thing to sit with, because it’s not a secret — it’s just new enough that permission hasn’t caught up to capability.
If your instinct reading this is “that’s not really my job” — notice that instinct, and hold onto it loosely. It’s the same instinct that used to say building a spreadsheet model wasn’t your job, before every HR professional had one. The job description didn’t change first. The capability did.
- HR’s constraint was never insight. It was the distance between having an idea and being able to act on it.
- AI didn’t make software engineers unnecessary. It made the gap between “understanding a problem” and “building the fix” small enough for the person who understands the problem to close it themselves.
- The shift that matters isn’t technical. It’s a change in identity — from someone who requests software to someone who builds it.
Should This Even Become Software?
Before this guide teaches you how to build anything, it needs to talk you out of building some things.
Before this guide teaches you how to build anything, it needs to talk you out of building some things. This is the chapter most guides skip, because “here’s how powerful this tool is” sells better than “here’s when you shouldn’t use it.” But the HR builders who last are the ones who ask this question first, every time.
Here’s a test that holds up well in practice: build software for problems that are recurring, structured, and annoying. Don’t build software for problems that are rare, judgment-heavy, or better solved by a conversation.
Walk through it with a real example. Say employees keep asking about parental leave. Is this a good candidate for software?
- Recurring? Yes — it comes up every month, from different people, with the same underlying questions.
- Structured? Yes — the inputs are consistent (tenure, province, salary) and the logic, while detailed, is rule-based rather than judgment-based.
- Better solved by a conversation? No — a calculator gives a consistent, accurate answer faster than a conversation would, and it doesn’t require someone’s emotional bandwidth every time.
Now try a different one: a manager wants software to help decide whether to terminate an underperforming employee. Recurring? Sort of. Structured? Not really — every situation has context that doesn’t reduce to inputs and outputs. Better solved by a conversation? Absolutely — this is exactly the kind of decision that needs a human with full context, not a tool that outputs a recommendation with false confidence.
The second example is not a hypothetical worry. It’s the most common mistake in this entire space, common enough that it gets its own heading in Chapter 8: automating judgment that was never meant to be automated.
A decision framework you can actually use
| Ask this | If the answer points toward “build it” | If the answer points toward “don’t” |
|---|---|---|
| How often does this come up? | Weekly or monthly, from different people | Rarely, or only from one person |
| Is the logic consistent, or does it depend on context every time? | The inputs and rules are the same each time | Every case genuinely needs individual judgment |
| What happens if the tool is confidently wrong? | Mildly annoying — someone double-checks | Someone gets hurt, disciplined, or makes a bad decision based on it |
| Would a well-written document solve 80% of this? | No — people don’t read documents, they need an interactive answer | Yes — you might just need better documentation |
| Is there already a human relationship this depends on? | No — this is transactional, not relational | Yes — this is where empathy and context matter more than speed |
Notice that “is this technically possible to build” isn’t on the list. Almost everything is technically possible to build now. That’s exactly why this question matters more than it used to — the constraint used to be capability, and now it’s judgment.
A useful gut check, before you open Claude Code: could you explain this tool’s entire logic to a new hire in under two minutes, with no exceptions you’d have to hedge? If you can’t, that’s not a reason to build a more sophisticated tool. It’s a sign the problem isn’t ready to become software yet.
Think of the last three things you wished you could automate. For each one, run it through the table above. Notice how many fail the “is the logic consistent” test — and notice that this isn’t a failure of the idea, it’s useful information about what kind of solution it actually needs.
- Build for problems that are recurring, structured, and low-stakes if the tool is wrong. Don’t build for problems that need judgment, context, or a relationship.
- “Technically possible” was the old constraint. “Should this be a tool at all” is the one that matters now.
- The clearest sign a problem isn’t ready to become software: you can’t explain its logic in two minutes without hedging.
The HR Builder Mindset
Builders — good ones, the kind who ship things that last — see problems differently than the rest of us.
Builders — good ones, the kind who ship things that last — see problems differently than the rest of us. It’s worth naming the difference explicitly, because it’s learnable, and because HR professionals already have more of it than they usually give themselves credit for.
Builders think in systems, not incidents. When a hiring manager complains about a bad candidate experience, most people hear a complaint about one candidate. A builder hears: what’s the underlying process that produced this, and how many other candidates hit the same thing without complaining? That’s not coincidentally how good HR process design already works — you’ve been doing this all along, just without calling it “systems thinking.”
Builders separate “what should happen” from “how it happens.” This is the single most useful mental habit in this entire guide. Before you describe a tool to an AI builder, you need to be able to describe what it should do completely separately from how it will do it technically. “When someone submits a leave request, check their tenure against the policy table and show them their eligible weeks” is a “what.” You don’t need to know how a database query works to specify that clearly — and specifying it clearly is 80% of the actual job.
Builders expect to be wrong on the first try, and build for that. The urge to get it perfect before showing anyone kills more first projects than any technical limitation does. A builder ships something rough to three people, watches where they get confused, and treats that confusion as the most valuable data in the whole project — more valuable than anything they could have guessed sitting alone.
Builders know the difference between a demo and a dependency. Anyone can make something look finished in an afternoon. The judgment is in knowing the difference between “this is ready to show someone” and “this is ready for someone to actually rely on” — and not confusing the two, especially under deadline pressure. We’ll come back to this distinction constantly through this guide, because it’s the one that actually protects people.
How engineers think vs. how product managers think — and why you need both hats
If you’ve ever worked with a development team, you’ve probably noticed the two rhythms in the room. Engineers ask: what happens in the edge case? What if this field is empty? What if two people submit at the same time? Product managers ask: does this solve the actual problem? Is this the right thing to build at all, before we worry about how?
As an HR builder, you don’t get to hand either of these off. You are the product manager by default — you understand the actual problem better than any tool does. But you also need enough of the engineer’s instinct to ask “what happens when this goes wrong” before you ship something, because nobody else in the room is going to ask it for you the way a trained engineer would.
The good news: you don’t need to become an engineer to borrow that instinct. You need one habit — before you consider anything “done,” ask what happens when someone gives it bad input, uses it from a different province, or clicks the button twice. That single habit closes most of the gap.
- Builders think in systems, separate “what” from “how,” expect the first version to be wrong, and know the difference between a demo and something people depend on.
- Specifying what a tool should do, clearly and completely, matters more than understanding the technical “how” behind it.
- Borrow the engineer’s habit of asking “what happens when this goes wrong” — that one habit does most of the protective work.
Finding Products Worth Building
The best HR-built tools rarely start with “I want to build something.”
The best HR-built tools rarely start with “I want to build something.” They start with a much smaller, more annoying feeling: I’ve explained this exact thing for the fifth time this month.
That feeling is the raw material. Most HR professionals sit on years of it without noticing, because it’s disguised as normal work rather than as an opportunity. Here’s how to go looking for it deliberately.
Look at what you repeat, not what you’re proud of. The instinct is to build the impressive thing — a sophisticated performance review system, a comprehensive career framework. The better first project is almost always the boring, repeated thing: the same three questions in every offboarding conversation, the same eligibility check, the same “let me pull up the policy” moment. Boring and repeated beats impressive and rare, every time, for a first build.
Notice what only lives in your head. If the honest answer to “where’s the documentation for this” is “it’s kind of just in my head,” that’s not a documentation gap. That’s a product opportunity. The Parental Leave Builder, for instance, didn’t start as an ambitious product vision — it started as knowledge that existed in one person’s head, repeated one conversation at a time, that was worth turning into something anyone could use without booking time on a calendar.
Watch what breaks under scale, not what breaks under stress. A process that works fine for a team of ten often quietly breaks at fifty, not because anything dramatic happened, but because the informal, verbal version of the process — “just ask Sarah” — stops working once there’s no longer one Sarah who knows everyone. That’s usually the moment a good tool idea becomes obvious.
Ask what a new hire would find insane. People who’ve been at a company for years stop noticing its weird workarounds. Someone three weeks in still sees them clearly. If you can, ask a recent hire what part of the HR process confused them most — the answer is usually a better product brief than anything you’d come up with alone.
Resist the urge to start with the tool that would impress your leadership team the most. Start with the one you’d be relieved to never explain again. The impressive one can come later, once you’ve actually shipped something and know what “done” feels like.
Write down the last question a candidate or employee asked you that you’ve answered more than five times. Don’t design anything yet — just notice it. That question is probably a better first project than anything on a roadmap.
- The best first projects are boring, repeated, and slightly annoying — not impressive.
- Knowledge that exists only in your head is a product opportunity in disguise.
- Ask what breaks at scale and what a new hire finds strange; both are shortcuts to real product ideas.
The Modern Stack, Through HR Analogies
You don’t need to understand any of this the way an engineer does.
You don’t need to understand any of this the way an engineer does. You need to understand it well enough to have an informed conversation about what you’re building — the same way you don’t need to understand payroll tax law to know that Payroll needs to be involved before you change a compensation structure.
Here’s the stack, translated.
Claude Code — your senior engineer. This is the tool that actually writes and maintains the code. You describe what you want in plain language — “add a section that asks qualifying questions before the main interview starts” — and it plans the work, writes it, and tests it. Think of it the way you’d think of a strong senior hire: you don’t need to check their syntax, but you absolutely still need to review their work, ask clarifying questions, and catch it when it’s confidently gone in the wrong direction. A great senior engineer still needs a manager. This is that relationship.
Supabase — your filing cabinet and HRIS, combined. This is where the actual data lives — candidate submissions, saved calculator results, policy answers. Think of it as a filing cabinet with a very important lock on the drawer. The lock is the part that matters: Supabase includes a setting called Row Level Security that decides who is allowed to open which drawer. Leave that lock unset, and every drawer is effectively unlocked for anyone who finds the cabinet — which is a bigger deal here than it would be with an actual filing cabinet, because “anyone who finds it” means anyone on the internet, not just anyone who walks into the room. We’ll come back to exactly why this matters in Chapter 9.
GitHub — your version history. Every HR system worth its salt keeps a record of what changed and when — an audit trail for policy documents, a version history for the handbook. GitHub is that, for code. Every change is saved, timestamped, and reversible. If Claude Code makes a change that breaks something, GitHub is how you (or it) can go back to the version that worked.
Vercel — your operations team. Once something is built, it needs to actually run somewhere people can reach it — reliably, quickly, without falling over the moment more than one person uses it at once. Vercel is the team that keeps the lights on: it takes the code, puts it on the internet at a real address, and — usefully — gives you a separate “preview” version every time you make a change, so you can test something before it replaces what your whole team is currently using. That preview-versus-live distinction is the same instinct as testing a policy change with one department before rolling it out company-wide.
Clerk — your reception desk. Somebody needs to check who’s allowed in before they get to the data. Clerk (and tools like it) handles logins, passwords, and “is this actually who they say they are” — the reception desk of your application, so you don’t have to build that from scratch.
Resend — your mailroom. When your tool needs to send an email — a confirmation, a notification, a policy summary — Resend (or a similar service) is the mailroom that actually delivers it, reliably, without ending up in spam.
PostHog — your HR analytics dashboard. Once a tool is live, you’ll want to know if people are actually using it, where they get stuck, and what they click before giving up. PostHog is the equivalent of the reporting dashboard you already use to track time-to-fill or offer-acceptance rate — except it’s tracking how people move through the tool you built.
Stripe — your payroll system. If you ever charge for something you’ve built (a paid tier of a tool, a subscription), Stripe is the infrastructure that actually moves the money safely, the same way payroll infrastructure moves salary payments without you needing to understand the banking rails underneath.
None of these tools require you to understand their internals. They require you to understand what job each one does, well enough to ask a good question when something’s not working — the same relationship you already have with your benefits broker or your payroll provider.
- You don’t need engineering knowledge to build well. You need a working mental model of what each piece of the stack is responsible for.
- Claude Code is the engineer; Supabase is where the data — and its lock — lives; Vercel is what keeps it running; the rest are specialized services doing one job each, the way a good vendor does.
- The lock on the filing cabinet (Row Level Security) is the single detail in this whole chapter worth remembering even if you forget everything else.
Prompting Claude Code: How to Brief an Engineer Who Never Sleeps
The quality of what you build depends less on the tool than on how well you brief it.
This chapter deserves its own space, because the quality of what you build depends less on the tool than on how well you brief it — the same way the quality of work from a great new hire depends heavily on how clearly you set expectations in their first week.
The difference between a bad prompt and a good one
A bad prompt describes a feeling. A good prompt describes a decision.
This tells Claude Code that something is wrong without telling it what “better” means, what a phone screen currently lacks, or what a good outcome looks like. It will guess — and it will guess based on generic assumptions, not your actual process.
Notice what the second version does that the first doesn’t: it names the exact feature, where it lives in the existing tool, what the two parts are and why they’re different, and — critically — it flags the exact trap (hardcoded jurisdiction) before Claude Code has a chance to fall into it. You’re not just describing the feature. You’re describing the mistake you don’t want, because you already know where the mistake tends to happen.
A repeatable structure for briefing a build
- State the goal in one sentence. What should exist after this that doesn’t exist now?
- Describe the “what,” not the “how.” What should the tool do, from the perspective of the person using it? Leave the technical implementation to Claude Code.
- Name the edge cases you already know about. Different provinces, different countries, missing information, someone submitting twice. If you know a trap exists, say so — don’t wait to discover it after launch.
- Say what “done” looks like. How will you know this is working correctly? What would you test first?
- Iterate by describing what’s wrong, not by re-explaining from scratch. If the first attempt gets 80% there, say specifically what’s off — “the eligibility calculation is right, but the output should show weeks, not days” — rather than starting the whole prompt over.
Claude Code’s Plan Mode — where it lays out its intended approach before writing any code — is worth using deliberately for anything beyond a small tweak. Read the plan before it builds. This is the single fastest way to catch a misunderstanding before it becomes an afternoon of wasted work.
A great example
Here’s a realistic first prompt for building a small piece of the Parental Leave Builder:
Notice the last line. Building that instruction into the brief, every time, is a habit worth having before you ever need Chapter 9’s warnings to sink in the hard way.
- A good prompt describes a decision, not a feeling — what it should do, what edge cases matter, and what “done” looks like.
- Naming the trap you already know about (hardcoded jurisdiction, missing data) before Claude Code builds is far more effective than catching it after.
- Iterate by describing what’s specifically wrong, not by starting over — and read the plan before it builds anything non-trivial.
Build With Me
Theory only goes so far. Here’s what building three real tools actually looked like.
Theory only goes so far. Here’s what building three real tools actually looked like — what each one solves, the decisions behind how it was built, and what actually shipped.
The Parental Leave Builder
A free, Canadian employer-facing tool built around three parts: a Cost Calculator that shows what a leave actually costs an employee, a Policy Builder that helps an employer draft their own leave policy, and a Policy Advisor that answers specific questions as they come up.
The calculator runs on structured, editable logic — ESA minimums, federal EI top-up rules, and province-specific tables — rather than an AI model reasoning through legal entitlements fresh on every request. That distinction matters: it means the rules get checked once and trusted every time after, instead of a wrong answer looking exactly as confident as a right one.
What shipped is a full React application with all three tabs live, a serverless function powering the AI Q&A in the Policy Advisor, and a lead-generation flow tied into email capture — a free tool that solves a real problem, and doubles as one of the better marketing assets an HR-focused business can build.
InterviewIQ
InterviewIQ turns a job description and a candidate’s resume into a complete, role-specific interview guide — behavioral questions, resume-specific probes, green and red flag signals, and a scorecard, generated in under 60 seconds. Rather than generic questions pulled from a template, it runs a deep analysis of the actual resume against the role first, so the same job description produces a different guide for every different candidate. It also includes a dedicated Phone Screen mode built for fast, structured first-round calls.
AlignHQ
A hiring-alignment tool built to solve a specific, recurring frustration: a hiring manager and a recruiter believe they’ve agreed on what a role needs, and then discover mid-search that they hadn’t, once real resumes start showing up.
The product forces that disagreement to happen early, on paper, before sourcing begins — role requirements and success criteria defined jointly, rather than assumed. A three-tier billing structure (Free, Starter, Pro), gated by role count, makes it approachable for a solo recruiter while scaling naturally for a larger team. A lightweight requisition-authorization step keeps hiring managers and recruiters accountable to what they signed off on.
What shipped is a full hiring-alignment product with InterviewIQ built natively into it, a rebuilt Help section, and a real billing structure supporting teams of every size — a tool that turns a vague verbal agreement into something both sides can point back to.
- A free tool that solves one real, narrow problem well can double as a company’s best marketing asset — the Parental Leave Builder and AlignHQ’s free tier both do double duty this way.
- Letting the AI construct a tool with clear, checkable rules — rather than asking it to freshly reason through legal or financial logic live — is the difference between a calculator you can trust and one you can’t.
- Products earn their way into bigger products. InterviewIQ started standalone and became a feature. Start focused.
Mistakes Every HR Builder Makes
Some of these will feel obvious once named. That’s the point.
Some of these will feel obvious once named. That’s the point — most mistakes in this space aren’t complicated, they’re just invisible until someone points at them.
The instinct is to build the comprehensive version — every edge case handled, every jurisdiction covered, every feature request anticipated — before showing it to anyone. This is almost always the wrong order. A rough version that three colleagues actually use will teach you more in a week than a comprehensive version built alone will teach you in a month.
Chapter 2’s whole point, worth repeating here: a tool that outputs “recommend termination” or “this candidate is a strong hire” with false confidence is worse than no tool at all, because it launders a judgment call to look like a calculation.
This is a subtler version of the mistake above. Legal eligibility math, compliance thresholds, and policy rules should be built as clear, checkable logic — the kind you could hand to an auditor — not as something an AI model freshly generates on each use. Use AI to build the calculator. Don’t use AI as the calculator.
Security is not a final step you bolt on before shipping. It’s a question you ask on day one — specifically, “what happens if someone finds this tool’s web address without a login” — and Chapter 9 exists because this mistake is common enough, and consequential enough, to deserve its own chapter rather than a bullet point.
You already know how your tool is supposed to be used, which means you’re the worst possible person to find where it breaks. Someone who didn’t build it will click the wrong thing, enter an unexpected value, or misunderstand a label within the first two minutes — and that’s the most valuable two minutes of the entire project.
A tool with no one responsible for it six months from now is a tool that’s one policy change, one new province of hires, or one reported bug away from quietly being wrong, with nobody positioned to notice.
By now this should feel familiar. Any time a build assumes one province, one country, one department, or one type of employee, that assumption needs to live as a setting, not as a fixed value buried in the logic — because the day someone outside that assumption uses the tool, it won’t fail loudly. It’ll just be quietly wrong, which is worse.
Full stop. Use fake names, fake dates, fake salaries until the access controls are actually verified. This is the cheapest possible insurance policy in this entire guide, and it costs nothing but a moment of discipline.
- Most mistakes in this space aren’t technical — they’re about order of operations (test too late, secure too late) or scope (build too much, assume too narrowly).
- The single most protective habit across every mistake on this list: show it to someone who didn’t build it before you consider it done.
- If you only take one thing from this chapter: never let real employee or candidate data touch a tool before its access controls are actually confirmed.
Security: The Chapter You Shouldn’t Skip
This chapter is not here to scare you out of building.
This chapter is not here to scare you out of building. It’s here because the data an HR tool touches — names, salaries, immigration status, health-related leave details — is exactly the kind of information that has, repeatedly and publicly, ended up exposed by AI-built applications that worked perfectly well from the outside. The goal here is the same as any good HR training: understand exactly what goes wrong and why, so you can prevent it, not just feel generally cautious about it.
What actually happened, documented
Independent security researchers have tracked this pattern closely through 2025 and 2026, and it’s worth understanding the specifics rather than a vague sense that “AI-built apps can be risky.”
A widely used AI app-building platform had a documented, publicly tracked vulnerability where applications it generated connected to a database with a critical security setting — Row Level Security — left off by default. Row Level Security is the setting that decides which rows of a database a given user is actually allowed to see. Without it, the “key” that a web application uses to talk to its own database is often visible in the app’s public code — which is normally fine, because Row Level Security is supposed to be the actual gatekeeper. When that gatekeeper isn’t configured, that visible key becomes a master key. Security researchers identified well over 170 live, public applications exposing their full user databases this way — real names, emails, and in some cases far more sensitive information — to anyone who found the app’s web address, no password required.
A separate, well-documented case involved an application built almost entirely through AI prompts, whose founder stated publicly that he hadn’t written a single line of code himself. Within three days of the app going live, security researchers found its production database exposed — including authentication tokens and tens of thousands of email addresses. The root cause was the same missing setting.
In another documented case, a platform that asked users to upload a selfie and a government ID at signup stored those uploads in cloud storage that anyone could read without logging in. Tens of thousands of images — including a meaningful number of driver’s licenses and passports — were pulled from that storage and posted publicly before anyone at the company noticed.
Why this keeps happening. In every one of these cases, the application worked exactly as intended for its actual users. The setting that would have prevented all three incidents is invisible unless you specifically go looking for it. Fast-building AI tools are optimized to get you a working demo quickly, and security configuration is exactly the kind of step that’s easy to skip when nothing in the interface is flashing a warning at you.
How HR builders actually avoid this
None of the following requires you to become a security expert. It requires a short, repeatable checklist, run every time before real data goes anywhere near a tool you’ve built.
- Confirm access rules are actually turned on, not just assumed. If you’re using Supabase, this means checking that Row Level Security is enabled and that its rules genuinely restrict data to the right person — not just confirming that a login screen exists. A login screen tells you who someone claims to be. Row Level Security is what actually decides what they’re allowed to see once they’re in.
- Test it like an outsider, before anyone else does. Try to reach the tool’s data using nothing but its public web address, without logging in. If you can see anything you shouldn’t, it isn’t ready — regardless of how polished the interface looks.
- Never let real data touch a tool that’s still being tested. Use invented names, invented dates, invented salaries until the check above is done. This is, by a wide margin, the most commonly skipped step, and the cheapest one to actually follow.
- Keep credentials out of the code itself. If a key or password ends up written directly into a file Claude Code produces rather than into a separate, protected settings location, that’s a fix to make before anything goes live, not an acceptable shortcut under deadline pressure.
- Have a named owner after launch. Someone needs to be the person who’d notice if a new jurisdiction needed adding, a reported bug needed fixing, or a security setting needed revisiting after a platform update. “Whoever happens to still be around” is not an ownership plan.
If none of this is something you can check yourself with confidence, that’s a completely reasonable place to be — and the right response isn’t to skip the check, it’s to ask someone who can (a developer, a technical co-founder, even a knowledgeable colleague) to spend twenty minutes confirming it before real data goes near the tool. Twenty minutes of someone else’s time is a small cost next to what these incidents actually looked like once they happened.
- Every major documented incident in this space came from the same root cause: a default security setting, invisible unless you go looking for it, that was never turned on.
- The tool worked fine for real users in every one of these cases — which is exactly why “it seems to be working” is not the same thing as “it’s safe.”
- A short, repeatable checklist — confirm access rules, test like an outsider, never use real data while testing, keep credentials out of the code, name an owner — closes almost all of this risk, and none of it requires becoming a security expert.
Twenty HR Products Worth Building
Not a roadmap. A source of ideas.
Not a roadmap. A source of ideas — a reminder of the range of things “HR builder” can actually mean.
Hiring & Talent Acquisition (5)
Inconsistent, unstructured phone screens.
Stack: Claude Code + Supabase · Angle: feature inside a larger hiring product
Inconsistent hiring-panel feedback.
Stack: Claude Code, simple form + database · Angle: feature inside a hiring-alignment product
Recruiters rebuilding search strings from scratch.
Stack: Lovable/Bolt · Angle: free tool, strong lead-gen candidate
Inconsistent, sometimes biased postings.
Stack: Lovable/Bolt → Claude Code · Angle: free tool or ATS-adjacent feature
Generic, low-signal reference checks.
Stack: Lovable/Bolt · Angle: free tool
Onboarding, Policy & Employee Experience (9)
Repeated manual leave-policy questions.
Stack: Lovable/Bolt → Claude Code once real data’s involved · Angle: free lead-gen tool or paid HRIS add-on
Slow, error-prone offer creation.
Stack: Claude Code, template-driven · Angle: internal tool or small SaaS
Scattered first-week information.
Stack: Claude Code + Supabase + Vercel · Angle: internal tool, high retention value
Manual tracking across a growing team.
Stack: Claude Code + Supabase · Angle: niche SaaS for companies too small for a full HRIS
Nobody reads the handbook.
Stack: Claude Code + a structured knowledge base · Angle: paid add-on to an existing tool
Same handbook questions, every new hire.
Stack: Claude Code + a structured knowledge base · Angle: paid SaaS, especially for multi-location employers
First-time managers with no structured support.
Stack: Claude Code + Supabase · Angle: internal, or licensable to other employers
Inconsistent support after extended leave.
Stack: Claude Code + Supabase · Angle: internal tool with strong retention story
Internal candidates overlooked for open roles.
Stack: Claude Code + Supabase · Angle: internal tool, strong retention story
Compensation, Compliance & High-Stakes Builds (6)
Vague, inconsistent leveling criteria.
Stack: Claude Code + Supabase · Angle: consulting-adjacent SaaS
Generic, uninspired review prompts.
Stack: Lovable/Bolt for speed · Angle: free tool, content marketing value
Exit feedback that never gets acted on.
Stack: Claude Code + Supabase, light AI summarization · Angle: internal tool or small analytics product
Managers unsure if an offer is in-band.
Stack: Claude Code + Supabase — sensitive data, full security pass required · Angle: internal tool only, unless heavily anonymized
Missed steps in a legally sensitive process.
Stack: Claude Code + Supabase · Angle: internal only — high stakes, low tolerance for error
Recurring, jurisdiction-specific classification questions.
Stack: Claude Code, deterministic logic only — no live AI reasoning on the legal call itself · Angle: internal tool or licensed compliance product
A pattern worth noticing across these cards: the ones tagged in coral — flagged “careful security,” “high care,” or “rule-based only” — are exactly where Chapter 8’s warning about automating judgment applies most directly. Keep that distinction in mind before you pick your next project, not after.
- The range of things worth building is much wider than “AI chatbot for HR questions” — most of the best ideas are small, specific, and unglamorous.
- Difficulty and business opportunity don’t always move together — some of the simplest tools to build have the clearest path to being useful beyond your own company.
- The products that touch compensation, termination, or legal classification deserve the most caution on this entire list, regardless of how simple they look to build.
A 14-Day Starter Plan
Fourteen days is enough time to go from idea to a real, safely-tested first version.
Find the recurring annoyance. Not the most impressive idea — the one you’ve explained more than once this month. Revisit Chapter 4 if nothing comes to mind immediately; it usually does once you go looking.
Prototype fast, with fake data only. Use a browser-based tool to get something clickable in front of two or three colleagues. Watch where they hesitate before you explain anything — that hesitation is more useful than anything they’ll say out loud.
Decide if it needs to graduate. If real names, comp, or health-related details are involved, move the build into Claude Code before another real person’s data touches it. If it’s staying low-stakes, keep refining where you are.
Brief Claude Code the way Chapter 6 describes. State the goal, describe the “what,” name the edge cases you already know about, and say what “done” looks like.
The security pass. Confirm access rules. Test it like an outsider. Do this even when the deadline says you don’t have time — especially then.
Someone who didn’t build it tries to break it. Weird inputs, wrong jurisdiction, double-clicks, missing fields.
Ship to a small group first. Watch for a week before it becomes the tool everyone depends on.
- Fourteen days is enough time to go from idea to a real, safely-tested first version — if you resist the urge to make day one’s idea more ambitious than it needs to be.
- The security pass and the second-pair-of-eyes step aren’t optional extensions of the timeline. They’re what the timeline is for.
- Small rollout first, always — the goal of day fourteen is a handful of real users, not a company-wide announcement.
HR Success Centre exists because of everything in this guide, not as an afterthought to it.
We write guides like this one because most of what’s genuinely useful in HR never makes it past someone’s own notes — and everything else we build starts from the same instinct: understand the problem first, then close the distance between understanding it and fixing it.
If this guide changed how you think about what’s possible, that’s the whole point of it existing. The next tool worth building is probably a question you’ve already answered five times this month. Until you build it, here’s where to start:
See Chapter 7 in action — a free calculator, policy builder, and advisor for Canadian parental leave.
HR Success Centre →The consultancy behind this guide, and everything else we build for lean HR teams.
More HR Builder Resources →Join the waitlist for the next guide, plus free tools as they ship.
Published by HR Success Centre, 2026. This guide is intended for educational purposes and should not be considered legal, compliance, or security advice.