DOC · LEGAL / V2.0 / UPDATED · 1 June 2026 / STATUS · IRD_COMPLIANT

Privacy Notice

VibePreneurs Limited (“VibePreneurs”, “we”, “us”) operates Autolee HR. This Privacy Notice explains what personal data we collect, why we collect it, how we use and share it, and the rights available to you. We act as data controller for account, billing, and product-usage data. For HR and payroll content that a customer uploads about its employees, the customer is the data controller and we act as a data processor on the customer’s behalf under a data-processing agreement.

1. Personal data we collect

  • Account data — name, business email, login credentials, employer, and operator role.
  • Customer HR & payroll content — employee records, compensation, attendance, and statutory identifiers (e.g. HKID, MPF member number) uploaded by your organisation to operate payroll. You remain controller of this content; we process it on your behalf under our terms.
  • Support communications — the messages you send us and our replies.
  • Usage and telemetry — pages visited, commands executed, feature usage, device identifiers, IP address, and log timestamps.
  • Billing identifiers — the Paddle customer reference and subscription state. Card details are collected and stored by Paddle and are not retained by us.

2. Purposes and legal basis

  • Service delivery (performance of contract) — authenticate users, run payroll engines, generate and store artefacts, surface statutory filings.
  • Security and fraud prevention (legitimate interests) — detect abuse, protect accounts, and maintain the integrity of our audit spine.
  • Product improvement (legitimate interests) — analyse aggregated, de-identified usage. We do not train AI models on Customer HR or payroll content.
  • Customer support (performance of contract) — respond to and resolve your requests.
  • Legal compliance (legal obligation) — respond to lawful requests and meet tax and accounting requirements.
  • Marketing (consent) — only where you have opted in; you may withdraw consent at any time.

3. Sharing

  • Subprocessors — cloud hosting (Supabase, Cloudflare), database, observability, AI model providers (used solely for intent parsing — never on raw payroll content), and transactional email providers, each engaged under a written contract.
  • Paddle.com Market Limited — our Merchant of Record. Paddle handles checkout, payments, subscription management, tax compliance, invoicing, and refund processing on our behalf. See Paddle’s privacy policy.
  • Professional advisers — legal, accounting, and audit firms bound by professional confidentiality.
  • Public authorities — where required by applicable law.

We do not sell personal data, and we do not engage in cross-context behavioural advertising.

4. Retention

Account and billing records are retained for the duration of your subscription and for any period required by applicable tax and accounting law. Payroll artefacts generated through the Service are retained according to your tenant’s configuration (default: seven (7) years, consistent with Inland Revenue Department recordkeeping expectations). Logs and telemetry are retained for up to eighteen (18) months and are then deleted or anonymised.

5. International transfers

Personal data may be processed by subprocessors located outside Hong Kong. Where data is transferred from a jurisdiction with cross-border transfer restrictions (e.g. the EEA, the United Kingdom, or the Republic of Korea), we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms recognised under applicable law.

6. Security

We implement appropriate technical and organisational measures, including TLS encryption in transit, encryption at rest, tenant-scoped row-level security, role-based access controls, comprehensive audit logging, least-privilege production access, and regular review of vendor security posture.

7. Your rights

Subject to applicable law — including the Hong Kong Personal Data (Privacy) Ordinance (PDPO), and, where applicable, the EU and UK GDPR, the Korean Personal Information Protection Act (PIPA), and the California CCPA/CPRA — you may request access, rectification, erasure, restriction, or portability, may object to processing, and may withdraw consent at any time. You also have the right to lodge a complaint with your local supervisory authority (e.g. the Privacy Commissioner for Personal Data (PCPD) in Hong Kong or the Personal Information Protection Commission (PIPC) in Korea). We aim to respond to verified requests within thirty (30) days.

8. Cookies

We use strictly necessary cookies to keep you signed in and a limited set of analytics cookies to understand product usage. You can manage cookie preferences through your browser settings.

9. Children

The Service is not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal data from children.

10. Changes and contact

We may update this Notice from time to time; material changes will be communicated through the Service or by email. For privacy enquiries or to exercise your rights, contact our privacy team at contact@vibe-preneurs.com.

See also our Terms of Service and Refund Policy.