Privacy policy

LiteHQ.com (operated by NZWE Limited, a New Zealand company) provides a multi-tenant platform for operators of coworking, hybrid, and shared workplaces. This policy describes the personal data we collect when you use the platform — whether you’re an operator, a tenant company admin, an individual member, or a visitor — and what we do with it.

The terms operator (host), tenant (company), and member used below match the data model in our product. If a section applies to only one of those roles, we call that out explicitly.

We collect three categories of data. Each category is collected only for the purposes described in the next section.

• Account data. Name, email, role, workspace, and (for operators and tenant admins) billing contact details. Collected at signup and updated when you change a setting.
• Usage data. Pages visited, bookings created, audit log entries, performance traces, error reports. Collected automatically while you use the product.
• Payment metadata. The last four digits and brand of cards used (so you can tell which card was charged), payment intent IDs, invoice amounts, and timestamps. We do not store full card numbers — those go directly to Stripe.

We use the data above for three purposes only:

• Operating the service. Authenticating you, showing you the bookings/members/invoices that belong to your workspace, routing notifications, and powering the audit log so operators can investigate what happened.
• Billing. Computing what we owe each other (operator subscription invoices) and what tenants owe their operator (per-booking and recurring charges). Sending receipts and dunning notices.
• Security. Detecting suspicious sign-in patterns, rate limiting abusive requests, and meeting our obligations under breach-notification law.

We do not sell personal data, and we do not run advertising or data-broker integrations against it.

We share data with three categories of sub-processor, and only for the purpose listed below. We do not share data with anyone else without your explicit consent or a binding legal order.

• Stripe — payment processing and Connect onboarding. Card data is collected by Stripe directly; we only receive the metadata described above. See Stripe’s privacy policy.
• Supabase — hosted Postgres and authentication. Account and usage data are stored here with row-level security so a tenant can only see its own data. See Supabase’s privacy policy.
• Xero — accounting reconciliation, only for operators who opt their workspace into Xero sync. We push the invoices we generate; we do not export tenant or member contact data without your consent.

Hosting infrastructure (Netlify for the frontend, Sentry for error reporting) processes service metadata only — no personal data is sent to these systems beyond what’s strictly necessary to render or debug the platform.

Primary storage is Supabase, which runs in regional Postgres clusters. Our production database is currently hosted in the closest available region to our largest operator footprint. We’re actively evaluating EU-region replicas for operators with EU data-residency requirements; if you need that today, contact us.

Backups are taken daily by Supabase and retained for the windows documented on the Supabase Pro plan. Deleted records are kept in point-in-time recovery snapshots until those snapshots roll off; after that they are unrecoverable.

In transit, everything is TLS 1.2+ (we redirect to HTTPS on the apex and on every tenant subdomain). At rest, Postgres data and storage buckets are AES-256 encrypted by the cloud provider.

Under GDPR (if you’re in the EU/UK), the New Zealand Privacy Act 2020, and a number of US state privacy regimes (CCPA/CPRA in California, VCDPA in Virginia, and similar), you have the following rights over the personal data we hold about you:

• Access. Ask for a copy of the data we have about you.
• Correction. Tell us a record is wrong and have it fixed.
• Deletion.Ask us to delete your data — subject to legal retention obligations (e.g. invoices we’re required to keep for tax purposes).
• Portability. Receive your data in a machine-readable format so you can take it elsewhere.
• Restriction & objection. Restrict how we process your data, or object to specific processing.

You can exercise these rights from within the product on the data-rights page (when available in your workspace), or by emailing privacy@litehq.com. We aim to respond within 30 days; if we need longer, we’ll tell you why.

Today we set only essential cookies: the Supabase auth session cookie (so you stay signed in), a CSRF token, and a small preferences cookie that remembers whether you’ve dismissed the cookie acknowledgement banner. We do not run analytics or marketing trackers in v2 preview.

When we introduce analytics later, we’ll update the banner copy to mention them and gate the script loading on your explicit consent. You’ll be able to revisit your choice at any time on the cookies page.

LiteHQ is operated from New Zealand. When personal data crosses borders — for example, when an EU member signs up to a workspace whose operator is in NZ — we rely on the contractual safeguards built into our sub-processor agreements (Standard Contractual Clauses where required, the UK addendum where applicable, and the NZ Privacy Act’s Principle 12 for outbound transfers).

Privacy and data-rights questions: privacy@litehq.com. Security disclosures: security@litehq.com (see the security page for our disclosure window).

Postal: NZWE Limited, New Zealand. Replace with the registered office address before this page goes public.

If you’re unhappy with how we’ve handled your request, you can complain to the New Zealand Office of the Privacy Commissioner, or to the supervisory authority in your country of residence.