Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how NAHC Limited, a company incorporated in Hong Kong, operating the platform FlowHire (the "Service," "we," "us," "our," or "Company"), collects, uses, discloses, and protects Personal Information about our users ("Clients" or "Client Users").

We are committed to protecting the privacy, confidentiality, and security of the personal data entrusted to us and have implemented robust technical and organizational safeguards to ensure compliance with the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong.

2. Scope and Applicability

This Policy applies to all Personal Information processed by FlowHire in two distinct capacities:

As a Data Controller: When we process Client User Data (information about personnel at recruitment agencies), we determine the purposes and means of processing in accordance with the PDPO and other applicable laws.

As a Data Processor: When we process Candidate Data on behalf of our Clients (recruitment agencies), we do so strictly according to our Clients' documented instructions, as specified in our Data Processing Agreements, in compliance with the PDPO and other applicable laws.

Jurisdictional Application: This Policy complies primarily with the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong. If you are a resident of another jurisdiction with privacy rights, please contact us at info@flowhire.ai to learn about your specific rights.

This Policy does not apply to information collected by third-party websites, applications, or services that may link to or be linked from FlowHire. We encourage you to review the privacy policies of any third parties before providing them with your information.

3. Information We Collect

We collect Personal Information in the following categories:

A. Client User Data (As Data Controller)

Information provided by or about users using FlowHire:

Contact Information:

• Full name, job title, company name
• Work email address and phone number
• Business address and location

Account Information:

• User IDs, encrypted passwords, and authentication credentials
• Account type, subscription level, and billing information
• Account activity history and login records

Communication & Support Data:

• Records of communications with our support team (emails, chat transcripts, support tickets)
• Feedback, surveys, and user preferences
• Information about support requests and resolutions

Subscription & Billing Data:

• Subscription plan details and payment history
• Billing address and payment method (processed securely by third-party payment providers)
• Usage metrics and service tier information

B. Candidate Data (As Data Processor)

Information uploaded or entered by Clients for record keeping, recruitment and placement purposes:

Candidate Profile Data, including but not limited to:

• Resume, CV, and employment history
• Educational background and qualifications
• Technical and professional skills
• Contact information (name, email, phone, address)
• Work authorization status and visa sponsorship requirements
• Salary expectations and employment preferences
• Professional certifications and licenses

Evaluation & Assessment Data, including but not limited to:

• Interview notes, transcripts, and recordings (with appropriate consent)
• Internal communications about candidates
• Data used for interviewer performance evaluation

Anonymized & Redacted Data, including but not limited to:

• Information with names and contact details temporarily or permanently redacted
• Coded or pseudonymized candidate records

C. Usage Data and Automatically Collected Information

Technical Data, including but not limited to:

• Internet Protocol (IP) address and device identifiers (IMEI, MAC address)
• Browser type, version, and user agent string
• Operating system and device type
• Device memory and processing capabilities
• Geographic location data (based on IP address)
• Unique device identifiers and cookies/tracking identifiers

Activity Data, including but not limited to:

• Pages viewed and features accessed
• Links clicked and content interacted with
• Time spent on the Service and session duration
• Navigation patterns and user flow
• Search queries and filter selections
• Account settings changes and preferences
• File uploads and downloads
• Errors encountered and technical issues

Cookies and Tracking Technologies, including but not limited to:

• Session cookies for maintaining login status
• Persistent cookies for remembering preferences
• Analytics cookies for measuring user engagement
• Functional cookies for personalization
• Third-party tracking pixels for remarketing

Log Data, including but not limited to:

• Timestamp of access and transactions
• Request and response information
• Error logs and system status information
• Performance metrics and latency data

4. How We Use Your Information

A. Client User Data (As Data Controller)

Service Provision & Account Management, including but not limited to:

• Setting up and maintaining your account
• Processing subscription and billing transactions
• Providing access to Service features and functionality
• Managing user authentication and account security
• Delivering customer support and technical assistance

Improvement & Personalization, including but not limited to:

• Analyzing usage patterns to enhance user experience
• Diagnosing technical problems and monitoring system performance
• Identifying areas for user training and product improvement
• A/B testing new features and optimizing workflows
• Generating product usage reports and analytics

Communication, including but not limited to:

• Sending service updates, feature announcements, and product changes
• Notifying of security alerts, suspicious activity, or breaches
• Responding to support inquiries and requests for assistance
• Sending billing notifications and payment reminders
• Requesting feedback through surveys and user research

Security & Compliance, including but not limited to:

• Protecting against fraud, abuse, and unauthorized access
• Preventing malicious activity and security threats
• Enforcing our Terms of Service and contractual obligations
• Complying with legal obligations and regulatory requirements
• Conducting audits and ensuring data integrity

Legal & Legitimate Business Interests, including but not limited to:

• Aggregating usage statistics for business metrics
• Improving our platform's security and reliability
• Understanding market trends and user preferences
• Defending against legal claims and disputes

B. Candidate Data (As Data Processor)

Fulfilling Client Instructions, including but not limited to:

• Processing Candidate Data strictly in accordance with documented instructions from our Clients
• Providing the agreed-upon meeting conversational data processing services
• Facilitating candidate searching and management

Enabling Core Platform Functionality, including but not limited to:

• Generating internal reports and comparative analysis
• Providing analytics for interviewer performance assessment and training
• Tracking candidate meeting status
• Generating post-meeting reports and documents

Quality Assurance, including but not limited to:

• Evaluating effectiveness of recruiter workflow
• Improving processing time and user experience

5. Legal Basis for Processing

For Client User Data (where we act as Data Controller):

• Contractual Necessity: Processing necessary to perform our obligations under the Service Agreement
• Consent: Where you have explicitly consented to processing (e.g., marketing communications)
• Legal Obligation: Processing required by applicable law or regulatory requirements
• Legitimate Interests: Processing pursued for our legitimate business interests, such as improving our Service, fraud prevention, and security

For Candidate Data (where we act as Data Processor):

• Client Instructions: Processing is based solely on instructions from our Client (the Recruitment Agency), who is the Data Controller and possesses the lawful basis for processing

6. Disclosure and Sharing of Information

A. With Client Direction

Candidate Data: We share Candidate Data with third parties only when explicitly instructed and authorized by our Client (the recruitment agency). We require written authorization for all such disclosures and maintain records of these instructions.

B. Service Providers & Sub-processors

We engage third-party companies to perform services on our behalf. These service providers are contractually obligated to the following, including but not limited to:

• Process Personal Information only as necessary to provide services to us
• Implement appropriate security safeguards
• Not use Personal Information for their own purposes
• Comply with applicable privacy laws and our instructions

Categories of Service Providers:

• Cloud Infrastructure & Hosting: Secure servers, databases, and storage services
• Payment Processing: Payment gateways and billing providers
• Analytics & Monitoring: Service performance monitoring and usage analytics
• Email & Communications: Email delivery and notification services
• Security & Compliance: Security auditing, vulnerability scanning, and compliance monitoring
• Customer Support: Helpdesk and support ticket management platforms

For a current list of our sub-processors and their privacy policies, please contact us at info@flowhire.ai.

C. Legal Requirements & Regulatory Compliance

We may disclose Personal Information without notice if required to do so by law or if we have a good faith belief that such disclosure is necessary to:

• Comply with applicable laws, regulations, or court orders
• Comply with legal process, including subpoenas or warrants
• Protect the rights, property, or safety of NAHC Limited, our users, or the public
• Prevent or investigate possible wrongdoing
• Enforce our Terms of Service or other agreements

D. Business Transfers

If NAHC Limited or our Service is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your Personal Information may be transferred as part of that transaction. We will provide notice (via email or prominent notice on our website) of any such change in ownership or control of your Personal Information.

E. Aggregated & Anonymized Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, and other purposes without restriction.

F. With Your Consent

We may share your Personal Information with third parties when you explicitly consent to such sharing, as indicated at the point of collection.

7. Data Security & Retention

A. Data Security

We implement comprehensive technical and organizational security measures to protect Personal Information against unauthorized access, alteration, disclosure, and destruction:

Technical Safeguards:

• Encryption of Personal Information in transit (TLS/SSL) and at rest (AES-256 or equivalent)
• Secure authentication mechanisms
• Access controls and role-based permission management

Limitations: We cannot guarantee absolute security. The transmission of information via the internet carries inherent risks. While we implement appropriate safeguards, you use our Service at your own risk. Any transmission of Personal Information is at your own risk.

B. Data Retention

Client User Data:

• We retain Client User Data for as long as your account is active or as needed to provide you with the Service
• Upon account termination or deletion request, we retain data only as required by law (e.g., tax records, legal holds) or for legitimate business purposes
• Retention periods do not exceed 7 years from account termination unless legally required

Candidate Data:

• We retain Candidate Data according to the documented instructions and retention policies of our Clients (the Data Controllers)
• Upon termination of a Client agreement, we will delete or return Candidate Data as contractually required, typically within 30 calendar days
• We may retain minimal data (anonymized or aggregated) for system backup, audit, and legal compliance purposes

Usage Data & Log Data:

• Technical logs and activity data are typically retained for 12 months for security and system monitoring purposes
• Older log data is securely deleted or anonymized
• We may retain aggregated usage statistics indefinitely

8. Your Data Rights & Choices

Your privacy rights depend on your location and whether you are a Client User or a Candidate.

A. Hong Kong Residents (PDPO)

The Personal Data (Privacy) Ordinance (PDPO) of Hong Kong provides you with the following rights:

Right to Access (Section 18, PDPO):

• You have the right to request access to personal data we hold about you
• We will provide a copy of your data in a commonly used format within 40 calendar days
• We may charge a reasonable fee for providing access
• To request access, contact us at info@flowhire.ai with "PDPO Access Request" in the subject line

Right to Correction (Section 22, PDPO):

• You have the right to request correction of inaccurate personal data
• We will correct the data and notify any third parties we've disclosed it to
• You can also request that we add a note of correction to your file if we cannot verify the correction
• Contact us at info@flowhire.ai with "PDPO Correction Request" in the subject line

Right to Erasure/Deletion:

• While the PDPO does not explicitly provide a "right to be forgotten", you can request deletion of your personal data where it is no longer necessary for the purpose it was collected
• We will delete data upon your request unless legal or business reasons require retention
• Contact us at info@flowhire.ai with "Data Deletion Request" in the subject line

Right to Opt-Out:

• You can request not to receive notifications and updates from us
• Marketing communications can be easily disabled in your account settings

Exercising Your Rights:

• To exercise any PDPO rights, contact us at info@flowhire.ai
• We will verify your identity before responding
• We will respond within 40 calendar days or inform you of reasons for delay
• Reasonable access requests are typically processed at no charge

B. Client Users (General Rights)

Beyond PDPO rights, you have the following rights regarding your Personal Information:

Right to Review and Update:

• You can access, view, and download your account information through your account dashboard
• You can update and correct your information at any time

Right to Deletion:

• You can request deletion of your account and associated Personal Information
• Deletion is subject to applicable legal and regulatory retention requirements
• Some data may be retained for legal, financial, or accounting purposes

Right to Data Portability:

• You can request a copy of your Personal Information in a portable, machine-readable format
• You can transmit this data to another service provider

Right to Withdraw Consent:

• Where processing is based on your consent, you can withdraw this consent at any time
• This will not affect the lawfulness of processing before withdrawal

C. Candidates

As a Candidate, your Personal Information is controlled by the Recruitment Agency that submitted your data to FlowHire. We process Candidate data as a Data Processor on behalf of this Recruitment Agency.

To Exercise Your Rights:

• You must contact the Recruitment Agency directly to request access, correction, deletion, or other rights regarding your information
• If you provide us with the name of the Recruitment Agency, we will refer your request to them and assist them in responding to your request
• We will support our Clients in fulfilling your data rights requests

9. Third-Party Links & Services

FlowHire may contain links to third-party websites, applications, and services that we do not control or operate. This includes links in search results, content recommendations, and marketing materials.

Our Policy Does Not Apply to the following, including but not limited to:

• This Privacy Policy does not apply to third-party websites, services, or content
• We are not responsible for the privacy practices of third parties
• Third parties may have different privacy policies and may collect different types of information

Your Responsibility:

• We encourage you to review the privacy policies of any third parties before providing them with your information
• Your use of third-party services is governed by their terms and policies, not ours

10. Children & Minors

FlowHire is not intended for users under 18 years of age, and we do not knowingly collect Personal Information from children under 18.

11. Cookies & Tracking Technologies

A. What Are Cookies?

Cookies are small files containing letters and numbers that we store on your browser or device. They allow us to recognize your device and remember your preferences.

B. Types of Cookies We Use

We are using the following types of cookies, including but not limited to:

Strictly Necessary Cookies:

• Required for the Service to function properly
• Enable login, session persistence, and account security
• Cannot be disabled without affecting Service functionality

Functional Cookies:

• Enhance user experience and remember preferences
• Remember language settings, display preferences, and saved filters
• Enable features like "remember me" functionality

Analytics Cookies:

• Measure how you use FlowHire
• Track page views, features used, and user engagement
• Help us understand usage patterns and identify improvements

Marketing/Tracking Cookies:

• Used by us and our partners to track your behavior across websites
• Enable personalized advertising and remarketing
• Allow us to measure advertising effectiveness

Third-Party Cookies:

• Set by third-party partners (e.g., analytics providers, advertising networks)
• Used to track your behavior across multiple websites
• Subject to third parties' privacy policies

C. Cookie Management

Your Choices:

• You can block or delete cookies through your browser settings
• Most browsers allow you to refuse cookies or alert you when cookies are being set
• You can visit www.allaboutcookies.org for instructions on your specific browser
• Note: Disabling strictly necessary cookies may impair Service functionality

Do Not Track Signals:

• Some browsers include a "Do Not Track" feature
• We do not respond to Do Not Track signals, but you can control cookies through your browser settings

12. Data Breach Notification

In the event of a confirmed data breach affecting your Personal Information, we will:

Notification:

• Notify affected individuals as quickly as possible
• Provide a clear explanation of the breach, the types of information affected, and measures taken
• Notify regulatory authorities as required by law

Timing:

• Notify individuals within 72 hours of discovering the breach or as required by law

Method:

• We will notify you by email, phone, or mail to your last known contact information
• We may also post notices on our website or in-app

Support:

• We will provide information on steps you can take to protect yourself
• We may offer credit monitoring or other protective services where appropriate

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

• We will notify you of material changes by updating the "Effective Date" and "Last Updated" date at the top of this Policy
• For significant changes, we may provide additional notice (e.g., email notification, prominent notice on our website)
• Continued use of FlowHire after changes become effective constitutes your acceptance of the updated Policy

Your Rights:

• If you do not agree with the updated Policy, you should stop using FlowHire
• If you are a Client with a subscription, material changes may entitle you to terminate your agreement

14. Data Retention Summary Table

Data Type	Retention Period	Reason
Client User Data (Active)	Account Active + 30 calendar days	Service provision & legal hold
Client User Data (Deleted Account)	7 years maximum	Legal & tax compliance
Candidate Data	Client Instructions	Data Controller directive
Usage & Activity Logs	12 months	Security & system monitoring
System Backups	30 calendar days	Disaster recovery
Anonymized / Aggregated Data	Indefinite	Business Analytics

15. Contact Information

A. Privacy Inquiries & Requests

B. Response Times

We aim to respond to privacy inquiries and requests within the following timeframes:

• General inquiries: 14 calendar days
• Data rights requests: 30 calendar days (potential extension applies)
• Security incidents: 24 hours (acknowledgment)

16. Regulatory Compliance

A. Hong Kong (PDPO)

We comply with the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong, which is the primary privacy legislation governing our processing of personal information. As a Hong Kong-based company, we adhere to the six PDPO principles:

1. Collection: We collect personal data only for lawful purposes directly related to our functions or activities
2. Use: We use personal data only for the purpose(s) for which it was collected, or for a directly related purpose
3. Accuracy & Duration: We take reasonable steps to ensure personal data is accurate and retained only as long as necessary
4. Information Security: We implement security measures to protect against unauthorized or accidental access, processing, erasure, loss, or use
5. Openness: We provide individuals with information about our personal data policies and practices
6. Individual Access & Correction: We provide individuals with the right to access and correct their personal data

17. Definitions

Personal Information: Any information relating to an identified or identifiable natural person.

Data Controller: The entity that determines the purposes and means of processing Personal Information.

Data Processor: An entity that processes Personal Information on behalf of and according to the instructions of a Data Controller.

Processing: Any operation performed on Personal Information, including collection, use, storage, deletion, etc.

Candidate Data: Personal Information about job candidates submitted by Recruitment Agencies for recruitment and placement purposes.

Client User Data: Personal Information about personnel at Recruitment Agencies using FlowHire.

18. Acknowledgment & Consent

By accessing and using FlowHire, you acknowledge that you have read this Privacy Policy and understand our privacy practices. You consent to the collection, use, and disclosure of your Personal Information as described in this Policy.

If you do not agree with this Policy, please do not use FlowHire.