Privacy Policy
Last updated: 21 March 2026
1. Data controller
The data controller is Harbix. Contact: bookkeep@harbix.app.
2. What we collect
Account data: e.g. email address and login identifiers (via Supabase Auth, etc.).
Business data you enter: e.g. ledger names, transactions, categories, amounts, currencies, notes.
Files you upload: e.g. receipt images (stored in Supabase Storage).
Technical data: e.g. IP address, device type, browsing logs (depends on hosting/analytics setup).
Payment data: card details are handled directly by Stripe; we do not store full card numbers on our servers; we may receive subscription status and customer IDs from Stripe.
3. Why we collect it
To provide, maintain, and improve bookkeeping features; to handle subscriptions and trials; to send service emails (e.g. email verification / password reset, trial/subscription reminders, day-30 reminder after trial end); for fraud prevention, security, and legal compliance; to respond to enquiries from forms (via a transactional email provider, using bookkeep@harbix.app for related notifications).
4. Legal basis (practical wording, Hong Kong PDPO context)
We process data to perform our contract with you, with your consent where required, or for legitimate interests (e.g. security). You may contact us to exercise access, correction, or other rights allowed by law.
5. Third-party processors
We use (or may use) services that may process data outside Hong Kong, including Stripe (payments), Supabase (database, auth, file storage), a transactional email provider (e.g. Resend), Vercel (hosting), and others. Each has its own privacy policy.
6. Retention (including after trial)
During normal use: we retain data as needed to provide the service.
If trial ends (T0) and you do not subscribe:
T+30: we email the address you provided (e.g. to export data or subscribe).
T+60: if you still have not subscribed, we may delete your account and related business data in the primary database (implementation may use soft delete first).
T+90: we may purge remaining backups or object storage (e.g. receipts). If all copies were already removed at T+60, a separate T+90 step may not be needed, depending on actual system design and policy updates.
Paid users who cancel or are read-only: retention depends on terms, your deletion requests, and law; generally until you request account deletion or similar conditions apply.
Legal or disputes: if law requires longer retention, we follow that requirement.
7. Security
We use reasonable technical and organisational measures (e.g. HTTPS, access controls, vendor security features). Transmission over the internet is not 100% secure.
8. Your rights
You may contact bookkeep@harbix.app to request access, correction, or (where law allows) deletion.
After sign-in, open the Account page to delete your account: we remove your login, business data (ledgers, transactions, categories), and uploaded receipts, and we cancel Stripe subscriptions and delete the Stripe customer record linked to this app where possible; Stripe may retain some billing records under its own policies.
9. Cookies
We use necessary cookies for sign-in and security; if we add analytics/marketing cookies later, we will update this policy and obtain consent where required.
10. Children
The service is not intended for people under 18; if we collected data from someone under 18 by mistake, contact us to have it deleted.
11. Policy changes
We may update this policy; material changes will be notified on the site or by email.