At Asia Payroll Hub ("we," "our," or "us"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our payroll outsourcing services, HR technology platform, and related services (collectively, the "Services").
0. Understanding Our Services
Asia Payroll Hub offers two primary service models, and the information we collect and how we process it may vary depending on which services you use:
0.1 HR Technology Platform Users
If you use our HR Technology Platform, you have direct access to our cloud-based software platform where you can:
- Manage employee data and records
- Process payroll through the platform
- Track attendance and leave
- Generate reports and analytics
- Access self-service features
- Integrate with other systems via API
For Platform Users: We collect information about your account usage, platform interactions, and system access patterns in addition to the payroll and employee data you input into the platform.
0.2 Payroll Outsourcing Clients
If you use our Payroll Outsourcing Services without direct platform access, we process payroll on your behalf as follows:
- You provide employee and payroll data to us (via secure portals, email, API, or other methods)
- We process payroll calculations and handle statutory compliance
- We disburse payments and generate payslips on your behalf
- We submit statutory reports to government authorities
For Outsourcing Clients: We primarily collect and process the employee and payroll data you provide to us for processing purposes. We may provide you with limited portal access for data submission and report viewing, but you may not have full platform access.
0.3 Combined Services
Some clients use both our HR Technology Platform and Payroll Outsourcing Services. In such cases, the information collection and processing practices described in this Privacy Policy apply to both service components.
0.4 Data Controller vs. Data Processor
Our role in processing your information depends on the service model:
- HR Technology Platform: When you use our platform, you act as the data controller for your employee data, and we act as a data processor. You control what data is entered and how it is used within the platform.
- Payroll Outsourcing: When you engage our outsourcing services, you remain the data controller, and we act as a data processor, processing data according to your instructions and our service agreement.
- Account and Usage Data: For account information, platform usage data, and billing information, we act as the data controller.
This distinction is important for understanding your rights and our obligations under applicable data protection laws.
0.5 Data Access and Control
The level of data access and control you have differs by service model:
0.5.1 HR Technology Platform Users
- Direct Data Management: You have direct access to enter, view, edit, and manage employee data through the platform
- Real-Time Access: Access to real-time data, reports, and analytics through the platform dashboard
- Self-Service Features: Employees may have self-service access to view their own data, payslips, and leave balances
- API Access: Ability to integrate with other systems and automate data flows
- Full Platform Features: Access to all HR modules including attendance, leave, benefits, and reporting
0.5.2 Payroll Outsourcing Clients
- Data Submission: You provide data to us through secure methods (portal upload, email, API, Excel templates, or other agreed methods)
- Limited Portal Access: You may have access to a secure portal for data submission and report retrieval, but not full platform features
- Report Access: Access to processed payroll reports, payslips, and compliance reports through secure delivery methods
- No Direct Data Editing: You typically cannot directly edit data in our systems; changes are made through data resubmission or requests to our team
- Dedicated Support: Our team handles data processing, calculations, and submissions on your behalf
0.6 Data Submission Methods (Outsourcing Clients)
For Payroll Outsourcing clients, we accept data through various secure methods:
- Secure Web Portal: Upload data files through encrypted web portals
- Secure Email: Encrypted email transmission for data files
- API Integration: Automated data submission through secure API connections
- Excel Templates: Standardized Excel templates for data submission
- SFTP/Secure File Transfer: Secure file transfer protocols for bulk data
- Direct Data Entry: Our team may enter data on your behalf based on your instructions
All data submission methods are secured with encryption and access controls to protect your information.
1. Information We Collect
We collect various types of information to provide and improve our Services. The information we collect depends on how you interact with our Services and what services you use.
1.1 Information You Provide Directly
We collect information that you provide directly to us. The specific information collected depends on which services you use:
1.1.1 Business and Account Information
For HR Technology Platform Users: We collect comprehensive account information including login credentials, user preferences, and platform configuration settings.
For Payroll Outsourcing Clients: We collect business information and contact details necessary to provide outsourcing services. You may have limited account access for data submission and report retrieval.
- Company Details: Legal company name, business registration number, incorporation date, business address, and registered office address
- Tax and Regulatory Information: Tax identification numbers (TIN), GST/VAT registration numbers, business licenses, and regulatory permits
- Contact Information: Business phone numbers, email addresses, mailing addresses, and contact person details
- Account Credentials: Username, password (encrypted), security questions, and two-factor authentication details
- Billing Information: Billing address, payment method details (credit card, bank account), invoice preferences, and billing contact information
- Service Preferences: Service packages selected, feature preferences, notification settings, and communication preferences
1.1.2 Employee and Payroll Data
As part of our payroll processing services (whether through the platform or outsourcing), we collect comprehensive employee information. The method of collection differs:
For HR Technology Platform Users: You input employee data directly into the platform, and we process it according to your instructions and platform configurations.
For Payroll Outsourcing Clients: You provide employee data to us through secure data submission methods (portal, email, API, Excel templates, etc.), and we process it according to your instructions and our service agreement.
The types of employee information we collect include:
- Personal Identification: Full name, date of birth, gender, national identification number (NRIC, passport number, etc.), nationality, and immigration status
- Contact Details: Home address, mailing address, phone numbers (mobile, home, work), email addresses, and emergency contact information
- Employment Information: Employee ID, job title, department, employment start date, employment type (full-time, part-time, contract), work location, reporting manager, and employment status
- Compensation Data: Base salary, allowances, bonuses, commissions, overtime rates, shift differentials, and other compensation components
- Tax Information: Tax filing status, tax identification numbers, tax exemptions, dependents' information, and tax declaration forms
- Banking Information: Bank account numbers, bank name, branch details, and payment preferences for salary disbursement
- Statutory Contributions: Social security numbers, provident fund details, insurance information, and other statutory contribution details
- Leave and Attendance: Leave balances, leave applications, attendance records, time tracking data, and work schedule information
- Benefits Information: Health insurance details, life insurance, retirement plans, stock options, and other employee benefits
- Performance and Development: Performance reviews, training records, certifications, and professional development information
- Disciplinary Records: Disciplinary actions, warnings, and related documentation (where applicable and legally permitted)
1.1.3 Financial and Transaction Data
- Payment Information: Credit card details (tokenized), bank account information for direct debit, payment history, and transaction records
- Invoice and Billing: Invoice details, payment terms, outstanding balances, and billing correspondence
- Financial Reports: Payroll summaries, tax reports, statutory contribution reports, and financial statements
1.1.4 Communication and Support Data
- Correspondence: Emails, chat messages, support tickets, and other communications with our team
- Feedback and Surveys: Customer feedback, survey responses, testimonials, and reviews
- Training and Documentation: Training materials accessed, documentation downloads, and help center interactions
1.2 Information We Collect Automatically
The information we collect automatically depends on which services you use:
1.2.1 Usage and Analytics Data
For HR Technology Platform Users: We collect detailed usage data including pages visited, features used, time spent, click patterns, and navigation paths within the platform.
For Payroll Outsourcing Clients: We collect limited usage data related to data submission portals, report access, and communication channels. We do not track detailed platform usage as you may not have full platform access.
- Platform Usage: Pages visited, features accessed, time spent on each page, click patterns, navigation paths, and user workflows
- Feature Utilization: Which features are used most frequently, feature adoption rates, and user engagement metrics
- Performance Metrics: Response times, page load speeds, error rates, and system performance indicators
- Search Queries: Search terms used within the platform, search results clicked, and search patterns
1.2.2 Technical and Device Information
- Device Identifiers: Device type (desktop, mobile, tablet), device model, operating system version, and unique device identifiers
- Browser Information: Browser type and version, browser language, screen resolution, and browser plugins
- Network Information: IP address, internet service provider (ISP), connection type, and network quality metrics
- Location Data: General geographic location based on IP address (country, region, city level, not precise GPS coordinates unless explicitly provided for GPS attendance features)
1.2.3 Log and System Data
- Access Logs: Login times, logout times, session duration, and access patterns
- Error Logs: System errors, application errors, and error frequency
- Security Logs: Failed login attempts, suspicious activities, security events, and access control violations
- System Logs: Server logs, application logs, database query logs, and system performance logs
1.2.4 Cookies and Tracking Technologies
We use cookies, web beacons, pixel tags, and similar technologies to collect information. For detailed information about our use of cookies, please see Section 9 below.
1.3 Information We Receive from Third Parties
We may receive information about you from third-party sources, including:
- Business Partners: Information from partners who refer you to our Services or with whom we have integration agreements
- Service Providers: Information from third-party service providers who assist us in providing our Services
- Government Authorities: Information from tax authorities, labor departments, and other regulatory bodies (where legally permitted)
- Public Sources: Information from publicly available sources, such as business registries and public directories
- Social Media Platforms: If you interact with us through social media, we may receive information from those platforms (subject to their privacy policies)
1.4 Sensitive Personal Information
Some of the information we collect may be considered "sensitive" under applicable data protection laws, including:
- National identification numbers and passport information
- Financial information (bank account details, salary information)
- Health information (for insurance and benefits purposes)
- Biometric data (if you use biometric attendance systems)
- Information about trade union membership (where applicable)
We only collect and process sensitive personal information when:
- It is necessary for the performance of our Services
- We have your explicit consent
- It is required by law or regulatory obligations
- It is necessary for the establishment, exercise, or defense of legal claims
2. How We Use Your Information
We use the information we collect for various purposes related to providing, maintaining, and improving our Services. Below is a detailed explanation of how we use your information:
2.1 Service Delivery and Operations
The specific uses of your information depend on which services you use:
2.1.1 Payroll Processing (Both Service Models)
- Payroll Calculations: Calculate gross and net pay, process salary payments, handle bonuses and allowances, manage overtime calculations, and generate payslips
- Tax Management: Calculate income tax deductions, prepare tax forms and declarations, submit tax returns to authorities, and manage tax compliance
- Statutory Compliance: Calculate statutory contributions (CPF, EPF, Social Security, etc.), submit statutory reports to government authorities, maintain compliance records, and handle statutory audits
- Payment Processing: Process salary disbursements, handle payment reconciliations, manage payment methods, and generate payment reports
2.1.2 HR Technology Platform Specific Uses
For Platform Users Only:
- HR Management: Manage employee records, process leave applications, track attendance, handle employee onboarding and offboarding, and manage organizational structures through the platform
- Platform Functionality: Enable platform features, maintain user accounts, manage user permissions, customize platform settings, and ensure system functionality
- Self-Service Features: Enable employee self-service portals, mobile app access, and direct employee interactions with the platform
- Integration Management: Manage API integrations, third-party system connections, and data synchronization
2.1.3 Payroll Outsourcing Specific Uses
For Outsourcing Clients Only:
- Data Processing: Process data you provide through secure submission methods according to your instructions
- Limited Portal Access: Provide secure portal access for data submission, report viewing, and basic account management (without full platform features)
- Manual Processing Support: Handle data processing that may not require full platform access
2.1.4 Reporting and Analytics
- For Platform Users: Generate payroll reports, create compliance reports, provide interactive analytics dashboards, and deliver custom reports through the platform
- For Outsourcing Clients: Generate payroll reports, create compliance reports, and deliver reports through secure portals or email
2.2 Communication and Support
- Customer Support: Respond to inquiries, resolve technical issues, provide assistance with platform usage, and handle support tickets
- Service Updates: Send important service notifications, inform about system maintenance, communicate policy changes, and provide service announcements
- Account Management: Send account-related communications, provide billing information, deliver invoices, and manage account settings
- Training and Education: Provide training materials, send educational content, offer webinars and workshops, and share best practices
2.3 Legal and Regulatory Compliance
- Legal Obligations: Comply with applicable laws and regulations, respond to legal requests, comply with court orders, and meet regulatory requirements
- Tax Compliance: Fulfill tax reporting obligations, comply with tax authority requirements, maintain tax records, and assist with tax audits
- Labor Law Compliance: Comply with employment laws, meet labor department requirements, maintain employment records, and handle labor disputes
- Data Protection Compliance: Comply with data protection laws, respond to data subject requests, maintain data processing records, and conduct privacy impact assessments
2.4 Security and Fraud Prevention
- Security Monitoring: Detect and prevent unauthorized access, monitor for security threats, identify suspicious activities, and protect against cyberattacks
- Fraud Prevention: Detect fraudulent transactions, prevent identity theft, verify user identities, and protect against financial fraud
- Risk Management: Assess security risks, implement security controls, conduct security audits, and manage incident response
- Access Control: Manage user authentication, enforce access controls, monitor access patterns, and prevent unauthorized data access
2.5 Service Improvement and Development
- Analytics and Insights: Analyze usage patterns, understand user behavior, identify trends, and generate insights
- Product Development: Develop new features, improve existing features, conduct user research, and test new functionalities
- Quality Assurance: Test system performance, identify bugs and issues, improve system reliability, and enhance user experience
- Performance Optimization: Optimize system performance, improve response times, enhance scalability, and reduce system downtime
2.6 Marketing and Business Development
With your consent where required by law, we may use your information for:
- Marketing Communications: Send promotional emails, share product updates, provide special offers, and inform about new services
- Business Development: Identify potential business opportunities, develop business relationships, and expand our services
- Customer Engagement: Conduct customer surveys, gather feedback, organize events, and build customer relationships
- Analytics and Research: Conduct market research, analyze market trends, and understand customer needs
Opt-Out: You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails or contacting us directly.
2.7 Legal Basis for Processing
We process your personal information based on the following legal grounds:
- Contract Performance: Processing necessary to perform our contract with you and provide our Services
- Legal Obligation: Processing required to comply with applicable laws and regulations
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services and ensuring security
- Consent: Processing based on your explicit consent, which you can withdraw at any time
- Vital Interests: Processing necessary to protect vital interests of individuals
- Public Interest: Processing necessary for tasks carried out in the public interest
3. Information Sharing and Disclosure
We understand the importance of protecting your personal information. We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information only in the limited circumstances described below:
3.1 Service Providers and Business Partners
We may share your information with trusted third-party service providers who assist us in operating our platform and delivering our Services. These service providers are contractually obligated to:
- Use your information only for the purposes we specify
- Maintain appropriate security measures
- Comply with applicable data protection laws
- Not use your information for their own purposes
Categories of service providers we work with include:
- Cloud Infrastructure Providers: Hosting services, data storage, and cloud computing services
- Payment Processors: Payment gateway providers, banking partners, and financial institutions for salary disbursement
- Communication Services: Email service providers, SMS gateways, and notification services
- Analytics Providers: Analytics tools and services to help us understand platform usage
- Security Services: Security monitoring, threat detection, and cybersecurity services
- Customer Support Tools: Help desk software, chat services, and support ticketing systems
- Integration Partners: Third-party software providers with whom we integrate (e.g., accounting software, HRIS systems)
- Professional Services: Legal advisors, auditors, consultants, and other professional service providers
3.2 Government Authorities and Regulatory Bodies
We may disclose your information to government authorities and regulatory bodies when:
- Required by Law: When disclosure is required by applicable laws, regulations, or legal processes
- Tax Authorities: To comply with tax reporting obligations, respond to tax audits, and fulfill tax compliance requirements
- Labor Departments: To comply with labor law requirements, submit statutory reports, and respond to labor department inquiries
- Social Security Agencies: To submit statutory contribution reports and comply with social security requirements
- Law Enforcement: In response to valid legal requests, court orders, subpoenas, or warrants
- Regulatory Compliance: To comply with regulatory requirements and respond to regulatory inquiries
We will only disclose information to government authorities when legally required and will notify you of such disclosures when permitted by law.
3.3 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or other business transfer, we may transfer your information to the acquiring entity or successor. We will:
- Notify you of any such transfer
- Ensure the acquiring entity agrees to protect your information in accordance with this Privacy Policy
- Provide you with the option to opt out if legally required
3.4 With Your Explicit Consent
We may share your information with third parties when you have explicitly authorized us to do so. For example:
- When you request integration with a third-party service
- When you authorize sharing with business partners
- When you consent to participate in joint marketing activities
You can withdraw your consent at any time by contacting us.
3.5 Legal Protection and Safety
We may disclose your information when we believe it is necessary to:
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or others
- Investigate potential violations of our Terms of Service
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our agreements and policies
- Respond to legal claims or disputes
3.6 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This information may be used for:
- Industry research and analysis
- Statistical purposes
- Business intelligence
- Market analysis
This aggregated data does not contain any personally identifiable information.
3.7 International Data Sharing
As a regional service provider, we may need to share information across borders. When we share information internationally, we ensure appropriate safeguards are in place, as described in Section 7 below.
4. Data Security
We take data security seriously and implement comprehensive security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. Our security program is based on industry best practices and international standards.
4.1 Technical Security Measures
4.1.1 Encryption
- Data in Transit: All data transmitted between your devices and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher protocols
- Data at Rest: Sensitive data stored in our databases is encrypted using industry-standard encryption algorithms (AES-256)
- Database Encryption: Database-level encryption for sensitive fields and full database encryption where applicable
- Backup Encryption: All backups are encrypted to prevent unauthorized access
- Key Management: Encryption keys are managed using secure key management systems and are never stored with the encrypted data
4.1.2 Access Controls
- Authentication: Multi-factor authentication (MFA) for all user accounts, strong password requirements, and password complexity rules
- Authorization: Role-based access control (RBAC) ensuring users only have access to information necessary for their role
- Principle of Least Privilege: Users are granted minimum necessary access rights
- Access Logging: All access to sensitive data is logged and monitored
- Session Management: Secure session management with automatic timeout and session invalidation
- Single Sign-On (SSO): Support for enterprise SSO solutions for enhanced security
4.1.3 Network Security
- Firewalls: Multi-layered firewall protection to prevent unauthorized network access
- Intrusion Detection and Prevention: Advanced intrusion detection and prevention systems (IDS/IPS) to detect and block threats
- DDoS Protection: Distributed Denial of Service (DDoS) protection to ensure service availability
- Network Segmentation: Network segmentation to isolate sensitive systems and data
- VPN and Secure Connections: Secure VPN access for remote employees and encrypted connections for all communications
4.1.4 Application Security
- Secure Development: Secure coding practices, code reviews, and security testing throughout the development lifecycle
- Vulnerability Management: Regular vulnerability scanning, penetration testing, and security assessments
- Dependency Management: Regular updates of software dependencies and libraries to address security vulnerabilities
- Input Validation: Comprehensive input validation and sanitization to prevent injection attacks
- Output Encoding: Proper output encoding to prevent cross-site scripting (XSS) attacks
4.2 Physical Security
- Data Centers: Our data is hosted in Tier III+ data centers with redundant power, cooling, and network connectivity
- Access Controls: Physical access to data centers is restricted to authorized personnel only, with biometric authentication and 24/7 security monitoring
- Environmental Controls: Climate control, fire suppression systems, and backup power generators
- Surveillance: 24/7 video surveillance and security monitoring
- Hardware Security: Secure disposal of hardware and media containing sensitive data
4.3 Organizational Security
- Employee Screening: Background checks for all employees with access to sensitive data
- Security Training: Regular security awareness training for all employees
- Confidentiality Agreements: All employees sign confidentiality and non-disclosure agreements
- Access Reviews: Regular reviews of user access rights and permissions
- Incident Response Team: Dedicated security incident response team available 24/7
- Security Policies: Comprehensive information security policies and procedures
4.4 Compliance and Certifications
- ISO 27001: Certified Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013
- SOC 2 Type II: Annual SOC 2 Type II audits demonstrating our commitment to security, availability, and confidentiality
- Regular Audits: Annual third-party security audits and assessments
- Compliance Monitoring: Continuous monitoring of compliance with security standards and regulations
4.5 Incident Response and Breach Notification
- Incident Response Plan: Comprehensive incident response plan with defined procedures for detecting, responding to, and recovering from security incidents
- Breach Notification: Procedures for notifying affected individuals and regulatory authorities in the event of a data breach, in accordance with applicable laws
- Forensic Capabilities: Ability to conduct forensic investigations to determine the cause and scope of security incidents
- Recovery Procedures: Documented procedures for recovering from security incidents and restoring services
4.6 Third-Party Security
- Vendor Assessments: Security assessments of all third-party service providers
- Contractual Requirements: Security requirements in contracts with service providers
- Ongoing Monitoring: Ongoing monitoring of third-party security practices
4.7 Security Limitations
While we implement comprehensive security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to:
- Using industry-standard security practices
- Continuously improving our security measures
- Responding promptly to security threats
- Notifying you of security incidents as required by law
You also play an important role in security. Please:
- Use strong, unique passwords
- Enable multi-factor authentication
- Keep your account credentials confidential
- Report any suspicious activities immediately
- Keep your devices and software updated
5. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our data retention practices are designed to balance your privacy rights with our legal and business obligations.
5.1 Retention Periods
5.1.1 Active Account Data
- Account Information: Retained for the duration of your account and for a period after account closure as required by law (typically 7 years for tax and accounting purposes)
- Employee Payroll Data: Retained for the duration of employment and for statutory retention periods (varies by country, typically 5-7 years)
- Transaction Records: Retained for 7 years from the date of the transaction for tax and accounting compliance
5.1.2 Legal and Regulatory Requirements
We retain information as required by applicable laws and regulations, which may vary by jurisdiction:
- Tax Records: Typically 5-7 years from the end of the tax year, as required by tax authorities
- Employment Records: Typically 3-7 years after employment termination, as required by labor laws
- Financial Records: Typically 7 years for accounting and audit purposes
- Statutory Contribution Records: Retained as required by social security and provident fund authorities (typically 5-7 years)
- Legal Disputes: Retained until disputes are resolved and any applicable appeal periods have expired
5.1.3 Marketing and Communication Data
- Marketing Preferences: Retained until you opt out or withdraw consent
- Communication Records: Retained for 3 years for customer service and support purposes
- Analytics Data: Aggregated and anonymized data may be retained indefinitely for statistical purposes
5.2 Data Deletion and Anonymization
When we no longer need your personal information, we will:
- Secure Deletion: Permanently delete personal information using secure deletion methods that prevent recovery
- Anonymization: Anonymize data that may be useful for statistical or research purposes
- Backup Deletion: Delete information from all backups in accordance with our backup retention policies
- Third-Party Deletion: Request deletion of your information from third-party service providers where applicable
5.3 Exceptions to Deletion
We may retain certain information even after you request deletion if:
- Retention is required by law or regulatory obligations
- Retention is necessary for the establishment, exercise, or defense of legal claims
- Retention is necessary for legitimate business purposes (e.g., fraud prevention)
- The information has been anonymized and cannot be used to identify you
5.4 Backup Retention
Information stored in backups may be retained for a longer period due to technical constraints. However, we ensure that:
- Backups are encrypted and securely stored
- Backups are not used for active processing after the retention period
- Backups are deleted in accordance with our retention policies
6. Your Rights and Choices
Depending on your jurisdiction and the applicable data protection laws, you have various rights regarding your personal information. We are committed to helping you exercise these rights.
6.1 Right of Access
You have the right to request access to the personal information we hold about you. This includes:
- Confirmation of whether we process your personal information
- Categories of personal information we process
- Purposes of processing
- Categories of recipients with whom we share your information
- Retention periods
- Your rights regarding your information
- A copy of your personal information in a commonly used format
How to Exercise: Submit a written request to our Data Protection Officer. We will respond within 30 days (or as required by applicable law).
6.2 Right to Rectification (Correction)
You have the right to request correction of inaccurate or incomplete personal information. We will:
- Correct inaccurate information promptly
- Complete incomplete information where possible
- Notify third parties of corrections where required
- Update information across all our systems
How to Exercise: You can update some information directly through your account, or contact us to request corrections.
6.3 Right to Erasure (Deletion)
You have the right to request deletion of your personal information in certain circumstances, including when:
- The information is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The information has been unlawfully processed
- Deletion is required to comply with legal obligations
Limitations: We may not be able to delete information if:
- Retention is required by law or regulatory obligations
- Retention is necessary for legal claims
- Deletion would affect the rights and freedoms of others
6.4 Right to Data Portability
You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that information to another controller. This right applies to:
- Information you provided to us
- Information processed based on your consent or contract
- Information processed by automated means
Format: We will provide your data in commonly used formats such as CSV, JSON, or PDF.
6.5 Right to Object
You have the right to object to processing of your personal information in certain circumstances, including:
- Direct Marketing: You can object to processing for direct marketing purposes at any time
- Legitimate Interests: You can object to processing based on legitimate interests if you have grounds relating to your particular situation
- Profiling: You can object to automated decision-making and profiling
If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
6.6 Right to Restrict Processing
You have the right to request restriction of processing in certain circumstances, including when:
- You contest the accuracy of the information
- Processing is unlawful and you prefer restriction to deletion
- We no longer need the information but you need it for legal claims
- You have objected to processing pending verification of our legitimate grounds
When processing is restricted, we will only process the information (except for storage) with your consent or for legal claims.
6.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent:
- Does not affect the lawfulness of processing before withdrawal
- May affect our ability to provide certain services
- Will be processed promptly upon receipt
How to Withdraw: Contact us or use the opt-out mechanisms in our communications.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we have violated data protection laws. Contact information for relevant authorities:
- Singapore: Personal Data Protection Commission (PDPC)
- Malaysia: Personal Data Protection Department (PDPD)
- Thailand: Personal Data Protection Committee (PDPC)
- Philippines: National Privacy Commission (NPC)
- Indonesia: Ministry of Communication and Informatics
- Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD)
- EU: Your local data protection authority
6.9 How to Exercise Your Rights
To exercise any of your rights, please:
- Submit a written request to our Data Protection Officer
- Include sufficient information to identify you and your request
- Specify which right(s) you wish to exercise
- Provide any additional information we may reasonably require
Response Time: We will respond to your request within 30 days (or as required by applicable law). We may extend this period by an additional 60 days for complex requests, and we will notify you of any extension.
Verification: We may need to verify your identity before processing your request to protect your privacy and security.
Fees: We do not charge fees for exercising your rights, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse the request.
6.10 Automated Decision-Making and Profiling
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not use automated decision-making for such purposes. If we do in the future, we will:
- Inform you of such processing
- Provide meaningful information about the logic involved
- Give you the right to human intervention
- Allow you to express your point of view and contest the decision
7. International Data Transfers
As a regional service provider, we may transfer your information across borders to provide our Services. When we transfer information internationally, we implement appropriate safeguards, including:
- Standard contractual clauses approved by relevant data protection authorities
- Compliance with applicable data protection laws in each jurisdiction
- Ensuring that recipients provide adequate protection for your information
8. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.
9. Cookies and Tracking Technologies
We use cookies, web beacons, pixel tags, and similar tracking technologies (collectively, "Cookies") to collect and store information about how you use our Services. This section explains what Cookies we use, why we use them, and how you can control them.
9.1 What Are Cookies?
Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently and provide information to website owners.
9.2 Types of Cookies We Use
Note: Cookie usage varies by service model. HR Technology Platform users will encounter more cookies due to platform functionality, while Payroll Outsourcing clients using limited portal access will encounter fewer cookies.
9.2.1 Essential Cookies
These cookies are necessary for the website/platform to function and cannot be switched off. They include:
- Authentication Cookies: Remember your login status and session information (for both platform users and portal access)
- Security Cookies: Help detect and prevent security threats
- Load Balancing Cookies: Distribute traffic across servers
- Preferences Cookies: Remember your language and region preferences
- Session Management: Maintain your session while using the platform or portal
9.2.2 Functional Cookies
These cookies enable enhanced functionality and personalization:
- User Preferences: Remember your settings and preferences
- Feature Preferences: Remember which features you use most
- Localization: Remember your language and timezone settings
9.2.3 Analytics Cookies
These cookies help us understand how visitors use our services:
- Platform Usage Analytics (Platform Users): Track platform features used, pages visited, time spent, and user interactions within the HR Technology Platform
- Portal Usage Analytics (Outsourcing Clients): Track portal access, data submission patterns, and report access (limited compared to platform users)
- Website Analytics: Track website visits, page views, and general website usage
- Performance Monitoring: Monitor platform/portal performance and identify issues
- User Behavior: Understand user flows and navigation patterns (more detailed for platform users)
We use analytics services such as Google Analytics (with anonymization) to collect this information. Platform users will have more detailed analytics tracking due to platform functionality.
9.2.4 Marketing Cookies
These cookies are used to deliver relevant advertisements and track campaign effectiveness:
- Advertising: Deliver targeted advertisements
- Campaign Tracking: Measure the effectiveness of marketing campaigns
- Retargeting: Show you relevant content based on your interests
We only use marketing cookies with your consent.
9.3 Third-Party Cookies
Some cookies are placed by third-party services that appear on our website. These include:
- Analytics Providers: Google Analytics and similar services
- Social Media Platforms: If you interact with social media features
- Advertising Networks: Third-party advertising services (with consent)
These third parties may use cookies to collect information about your online activities across different websites. We do not control these third-party cookies.
9.4 Cookie Duration
- Session Cookies: Temporary cookies that expire when you close your browser
- Persistent Cookies: Remain on your device for a set period or until you delete them
9.5 How to Control Cookies
You have several options to control or limit how cookies are used:
9.5.1 Browser Settings
Most browsers allow you to:
- View what cookies are stored on your device
- Delete cookies
- Block cookies from specific websites
- Block all cookies
- Delete all cookies when you close your browser
Please note that blocking or deleting cookies may affect the functionality of our Services.
9.5.2 Cookie Consent
When you first visit our website, we will ask for your consent to use non-essential cookies. You can:
- Accept all cookies
- Reject non-essential cookies
- Customize your cookie preferences
- Change your preferences at any time through our cookie settings
9.5.3 Opt-Out Tools
You can opt out of certain third-party cookies using:
9.6 Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no standard for how DNT signals should be interpreted. We do not currently respond to DNT signals, but we respect your privacy choices through our cookie consent mechanism.
9.7 Mobile Device Identifiers
When you use our mobile applications, we may use mobile device identifiers (such as advertising IDs) similar to cookies. You can control these through your device settings:
- iOS: Settings > Privacy > Advertising > Limit Ad Tracking
- Android: Settings > Google > Ads > Opt out of Ads Personalization
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting the updated policy on our website
- Sending you an email notification (for significant changes)
- Displaying a notice on our platform
The "Last Updated" date at the top of this policy indicates when it was last revised.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
12. Regional Compliance
We comply with applicable data protection laws in all jurisdictions where we operate. Below is detailed information about our compliance with specific regional regulations:
12.1 Singapore - Personal Data Protection Act (PDPA)
- Compliance with PDPA 2012 and its amendments
- Appointment of Data Protection Officer (DPO)
- Consent management in accordance with PDPA requirements
- Data breach notification to Personal Data Protection Commission (PDPC) within 3 days
- Right to access and correction of personal data
- Do Not Call (DNC) Registry compliance for marketing communications
12.2 Malaysia - Personal Data Protection Act 2010 (PDPA)
- Registration with Personal Data Protection Department (PDPD) where required
- Compliance with seven data protection principles
- Consent requirements for processing personal data
- Data subject rights including access, correction, and withdrawal of consent
- Data retention in accordance with Malaysian law
12.3 Thailand - Personal Data Protection Act (PDPA)
- Compliance with PDPA B.E. 2562 (2019)
- Appointment of Data Protection Officer where required
- Consent management and lawful basis for processing
- Data breach notification requirements
- Cross-border data transfer restrictions and safeguards
- Data subject rights including access, portability, erasure, and objection
12.4 Philippines - Data Privacy Act of 2012
- Registration with National Privacy Commission (NPC)
- Compliance with data privacy principles
- Appointment of Data Protection Officer
- Privacy Impact Assessments for high-risk processing
- Data breach notification to NPC within 72 hours
- Data subject rights and complaint procedures
12.5 Indonesia - Law No. 27 of 2022 on Personal Data Protection
- Compliance with Indonesia's Personal Data Protection Law
- Registration requirements with relevant authorities
- Consent requirements and lawful basis for processing
- Data localization requirements where applicable
- Data breach notification obligations
- Data subject rights and remedies
12.6 Hong Kong - Personal Data (Privacy) Ordinance (PDPO)
- Compliance with PDPO Cap. 486
- Six data protection principles
- Direct marketing opt-out requirements
- Data subject access requests
- Cross-border data transfer restrictions
- Notification to Privacy Commissioner for Personal Data (PCPD) of data breaches
12.7 India - Digital Personal Data Protection Act, 2023
- Compliance with DPDPA 2023
- Consent management and notice requirements
- Data fiduciary obligations
- Data subject rights including access, correction, erasure, and grievance redressal
- Data breach notification requirements
- Cross-border data transfer regulations
12.8 China - Personal Information Protection Law (PIPL)
- Compliance with PIPL effective November 1, 2021
- Consent requirements and separate consent for sensitive information
- Data localization requirements for certain data types
- Cross-border data transfer security assessments
- Data subject rights including access, correction, deletion, and portability
- Appointment of Personal Information Protection Officer
12.9 Japan - Act on the Protection of Personal Information (APPI)
- Compliance with APPI and its amendments
- Personal Information Protection Commission (PPC) guidelines
- Consent requirements and opt-out mechanisms
- Data breach notification to PPC and affected individuals
- Data subject rights including disclosure, correction, and suspension of use
12.10 South Korea - Personal Information Protection Act (PIPA)
- Compliance with PIPA and enforcement decrees
- Consent requirements for collection and use
- Data localization requirements
- Data breach notification to Personal Information Protection Commission (PIPC) and affected individuals
- Data subject rights including access, correction, deletion, and suspension of processing
12.11 European Union - General Data Protection Regulation (GDPR)
For clients subject to GDPR, we comply with all GDPR requirements, including:
- Lawful basis for processing
- Data subject rights (access, rectification, erasure, portability, objection, restriction)
- Data Protection Impact Assessments (DPIA) for high-risk processing
- Data breach notification to supervisory authority within 72 hours
- Records of processing activities
- Data Protection Officer appointment where required
- Standard Contractual Clauses for international transfers
- Binding Corporate Rules where applicable
12.12 Other Jurisdictions
We also comply with data protection laws in other jurisdictions where we operate, including but not limited to:
- Vietnam: Law on Cybersecurity and Personal Data Protection
- Taiwan: Personal Data Protection Act
- Myanmar: Data Protection regulations (as they develop)
- Cambodia: Data Protection regulations (as they develop)
- Bangladesh: Digital Security Act and related regulations
13. Data Processing Agreements
When we act as a data processor on behalf of our clients (data controllers), we enter into Data Processing Agreements (DPAs) that:
- Define the scope and purpose of processing
- Specify our obligations as a processor
- Outline security measures and safeguards
- Establish procedures for handling data subject requests
- Define data breach notification procedures
- Specify data retention and deletion requirements
- Address sub-processor relationships
- Include audit rights and compliance verification
Our standard DPA is available upon request and can be customized to meet specific requirements.
14. Sub-Processors
We may engage sub-processors to assist in providing our Services. Our sub-processors are carefully selected and contractually bound to:
- Process data only as instructed by us
- Implement appropriate security measures
- Comply with applicable data protection laws
- Not engage additional sub-processors without our consent
- Assist us in responding to data subject requests
- Notify us of data breaches
We maintain a list of our sub-processors, which is available upon request. We will notify you of any changes to our sub-processors and provide you with the opportunity to object to such changes.
15. Data Breach Procedures
15.1 Breach Detection and Assessment
- 24/7 security monitoring and threat detection
- Automated alerts for suspicious activities
- Incident response team activation procedures
- Rapid assessment of breach scope and impact
15.2 Breach Response
- Immediate containment of the breach
- Investigation to determine cause and scope
- Remediation to prevent further unauthorized access
- Documentation of the incident
15.3 Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify Regulatory Authorities: Within the timeframes required by applicable law (e.g., 72 hours under GDPR, 3 days under Singapore PDPA)
- Notify Affected Individuals: Without undue delay when the breach is likely to result in a high risk to your rights and freedoms
- Provide Information: Details about the nature of the breach, likely consequences, and measures taken or proposed to address it
16. Children's Privacy
Our Services are designed for business use and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.
In jurisdictions where the age of majority differs, we comply with local age requirements for data collection.
17. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
When you use third-party integrations through our platform, you may be subject to the privacy policies of those third parties. We recommend reviewing their privacy policies before enabling integrations.
18. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in:
- Our data practices
- Legal and regulatory requirements
- Industry standards and best practices
- Our Services and features
When we make material changes to this Privacy Policy, we will:
- Update the "Last Updated" date at the top of this policy
- Post the updated policy on our website
- Send you an email notification (for significant changes)
- Display a prominent notice on our platform
- Obtain your consent where required by law
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy, except where your consent is required by law.
19. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with applicable data protection laws. You can contact our DPO for:
- Questions about this Privacy Policy
- Exercising your data protection rights
- Reporting privacy concerns or complaints
- Requesting information about our data processing activities
20. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: