Privacy policy

LiteHQ.com (operated by NZWE Limited, a New Zealand company) provides a multi-tenant platform for operators of coworking, hybrid, and shared workplaces. This policy describes the personal data we collect when you use the platform — whether you’re an operator, a tenant company admin, an individual member, or a visitor — and what we do with it.

The terms operator (host), tenant (company), and member used below match the data model in our product. If a section applies to only one of those roles, we call that out explicitly.

We collect three categories of data. Each category is collected only for the purposes described in the next section.

• Account data. Name, email, role, workspace, and (for operators and tenant admins) billing contact details. Collected at signup and updated when you change a setting.
• Usage data. Pages visited, bookings created, audit log entries, performance traces, error reports. Collected automatically while you use the product.
• Payment metadata. The last four digits and brand of cards used (so you can tell which card was charged), payment intent IDs, invoice amounts, and timestamps. We do not store full card numbers — those go directly to Stripe.

We use the data above for the following purposes:

• Operating the service. Authenticating you, showing you the bookings/members/invoices that belong to your workspace, routing notifications, and powering the audit log so operators can investigate what happened.
• Billing. Computing what we owe each other (operator subscription invoices) and what tenants owe their operator (per-booking and recurring charges). Sending receipts and dunning notices.
• Security. Detecting suspicious sign-in patterns, rate limiting abusive requests, and meeting our obligations under breach-notification law.

With your consent, we additionally use Google Analytics to understand aggregate site usage — see the Cookies section below.

We do not sell personal data, and we do not run advertising or data-broker integrations against it.

We share data with the sub-processors below, and only for the purpose listed. We do not share data with anyone else without your explicit consent or a binding legal order.

• Stripe — payment processing and Connect onboarding. Card data is collected by Stripe directly; we only receive the metadata described above. See Stripe’s privacy policy.
• Supabase — hosted Postgres, authentication, and file storage, running in AWS ap-southeast-2 (Sydney, Australia). Account and usage data are stored here with row-level security so a tenant can only see its own data. See Supabase’s privacy policy.
• Xero — accounting reconciliation, only for operators who opt their workspace into Xero sync. We push the invoices we generate; we do not export tenant or member contact data without your consent.
• Netlify — hosts the web frontend; processes request metadata (such as IP addresses) needed to serve the site.
• Sentry — error reporting and performance monitoring; receives technical error context, scrubbed of payment data.
• Resend — transactional email delivery (booking confirmations, invoices, invitations); receives recipient name and email address.
• Google — consent-gated analytics (see Cookies below), address autocomplete via Google Maps, and Google Calendar sync for operators who connect a calendar.
• ezeep — print management, only for operators who enable the ezeep integration; receives member name/email to provision print access.
• Salto — door access control, only for operators who enable the Salto KS integration; receives the access events needed to unlock mapped doors.

Primary storage is Supabase. Our production database is hosted in AWS ap-southeast-2 (Sydney, Australia). If you have data-residency requirements in another region, contact us before signing up.

Backups are taken daily by Supabase and retained for the windows documented on the Supabase Pro plan. Deleted records are kept in point-in-time recovery snapshots until those snapshots roll off; after that they are unrecoverable.

In transit, everything is TLS 1.2+ (we redirect to HTTPS on the apex and on every tenant subdomain). At rest, Postgres data and storage buckets are AES-256 encrypted by the cloud provider.

Under GDPR (if you’re in the EU/UK), the New Zealand Privacy Act 2020, and a number of US state privacy regimes (CCPA/CPRA in California, VCDPA in Virginia, and similar), you have the following rights over the personal data we hold about you:

• Access. Ask for a copy of the data we have about you.
• Correction. Tell us a record is wrong and have it fixed.
• Deletion.Ask us to delete your data — subject to legal retention obligations (e.g. invoices we’re required to keep for tax purposes).
• Portability. Receive your data in a machine-readable format so you can take it elsewhere.
• Restriction & objection. Restrict how we process your data, or object to specific processing.

You can exercise these rights from within the product on the data-rights page (when available in your workspace), or by emailing privacy@litehq.com. We aim to respond within 30 days; if we need longer, we’ll tell you why.

By default we set only essential cookies: the Supabase auth session cookie (so you stay signed in), security tokens, and a small preferences cookie that remembers your choice in the cookie banner.

With your consent(choosing “Accept all” in the banner) we also use Google Analytics to understand how the site is used. If you choose essential-only, no analytics scripts load. You can revisit your choice at any time on the cookies page, which lists every cookie we set.

LiteHQ is operated from New Zealand. When personal data crosses borders — for example, when an EU member signs up to a workspace whose operator is in NZ — we rely on the contractual safeguards built into our sub-processor agreements (Standard Contractual Clauses where required, the UK addendum where applicable, and the NZ Privacy Act’s Principle 12 for outbound transfers).

Privacy and data-rights questions: privacy@litehq.com. Security disclosures: security@litehq.com (see the security page for our disclosure window).

Postal: NZWE Limited, New Zealand.

If you’re unhappy with how we’ve handled your request, you can complain to the New Zealand Office of the Privacy Commissioner, or to the supervisory authority in your country of residence.