Privacy Policy
Last updated: March 29, 2026
This policy applies to the HavaHR website, web application, and mobile apps (together, the "Service"). For rules of use, see our Terms of Service.
1. Who we are
HavaHR ("we", "our", or "us") provides cloud HR and payroll tools for organisations, including optional mobile apps for administrators and employees. This Privacy Policy explains how we handle personal data when you use the Service.
If you use HavaHR on behalf of a company, that company is typically the data user (controller) for employee and payroll data it enters or instructs us to process. We act as a data processor for that organisation's content, and also process certain account and technical data as controller to run, secure, and improve the Service.
2. Information we collect
Account and contact
- Name, email address, and authentication identifiers
- Organisation or workspace name and billing details (where applicable)
- Communications you send us (support requests, feedback)
HR, payroll, and workspace content
Depending on how your organisation uses HavaHR, the Service may process:
- Employee profiles (e.g. name, identification numbers, job details, bank details)
- Payroll, statutory, and tax-related data you or your organisation enters
- Leave, attendance, expense claims, performance, and document data you upload
- Optional biometric or image data where your organisation enables face verification for attendance (processed to verify a match; retention follows your organisation's settings and applicable law)
Mobile app and device
- Location — when you use attendance features that rely on location or geofencing, we process location as needed for that feature and as configured by your organisation.
- Camera — used when you capture attendance verification images or receipt photos; images are uploaded only when you choose to use those flows.
- Photo library — used when you attach existing images (e.g. expense receipts) from your device.
- Push notifications — we store device push tokens to deliver alerts you or your organisation have opted into (e.g. approvals, reminders).
- Device type, OS version, and app version may be included with support or crash reports to diagnose issues.
Technical and usage
- IP address, browser or app user agent, and approximate region from network data
- Logs and security signals (e.g. failed sign-in attempts, abuse prevention)
- On public marketing pages of our website only, we may use cookies and similar technologies with analytics or advertising partners as described in section 6. Authenticated app areas (e.g. /app) are not loaded with those marketing scripts.
3. How we use information
- Provide, operate, and secure the Service (authentication, hosting, backups)
- Process payroll, leave, attendance, expenses, and related workflows you configure
- Send service-related messages (e.g. security, billing, product notices)
- Improve reliability and develop features (including aggregated or de-identified metrics)
- Comply with law, respond to lawful requests, and enforce our Terms of Service
- Where you use optional AI-assisted document features, we send the relevant content you submit to our AI provider to generate output; do not paste data you are not permitted to share externally.
4. Legal bases (summary)
For personal data subject to the Personal Data Protection Act 2010 (PDPA), we rely on appropriate grounds such as: performance of a contract with you or your organisation; legitimate interests that are not overridden by your rights (e.g. security, product improvement); consent where required (e.g. certain marketing cookies or optional features); and legal obligation where applicable.
Employees whose data appears in an organisation's workspace should contact their employer for workplace privacy notices and to exercise rights relating to employment records; we will assist the organisation as required.
5. Sharing and subprocessors
We share data with service providers who help us run the Service, under contracts and safeguards appropriate to the data. Examples include:
- Supabase — database, authentication, and related infrastructure
- Stripe — payment processing for subscriptions
- Vercel — hosting and deployment of our web application and APIs
- OpenAI — optional AI document generation when that feature is used
- Google (e.g. Google Analytics / Ads tags) — limited to our marketing site where loaded
- Sentry — error and crash diagnostics in production builds when enabled
- Expo / push delivery infrastructure — delivering mobile push notifications
Some providers may process data in countries outside Malaysia. Where we transfer data internationally, we implement appropriate measures consistent with applicable law and our agreements.
6. Cookies and marketing technologies
Our authenticated product experiences are designed not to load third-party marketing analytics scripts. Public pages may use cookies or pixels to measure traffic and campaigns. You can control cookies through your browser settings; blocking cookies may affect marketing site functionality only, not core HR features after sign-in.
7. Retention
We retain information for as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Payroll and employment-related records may be kept for periods your organisation selects and as required by Malaysian record-keeping expectations (often several years). When an account ends, we delete or anonymise data according to our retention schedule and your organisation's export or deletion requests, subject to legal holds.
8. Security
We use administrative, technical, and organisational measures intended to protect personal data, including encryption in transit (TLS), access controls, and monitoring. No method of transmission or storage is completely secure; we encourage strong passwords and safeguarding of your devices.
9. Your rights
Under the PDPA and where applicable, you may have rights to access, correct, limit, or object to certain processing, and to withdraw consent for processing based on consent. To exercise rights relating to data held in your employer's workspace, contact your employer first; they can coordinate with us. For data we hold as controller (e.g. your account with us), contact us using the details below.
10. Children
The Service is not intended for children under 16 for personal use. Organisations may process employee data relating to minors only where lawful for employment or similar purposes.
11. Changes
We may update this Privacy Policy from time to time. We will post the revised version here and update the "Last updated" date. Where changes are material, we will provide additional notice as appropriate (e.g. email or in-app notice).
12. Contact
Questions about this Privacy Policy or requests regarding your personal data: privacy@havahr.com