Privacy Policy
Last updated: 6 May 2026
This Privacy Policy explains how EazyAI (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use our service. We comply with the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) where applicable.
1. Who we are
EazyAI is operated by an independent business based in Hong Kong. For questions about this policy, contact [email protected].
2. What data we collect
Data you provide
- Account data: name, work email, organization name, role, password (hashed).
- Billing data: billing contact, payment method (handled and stored by Stripe; we receive only a token reference).
- Customer data: employee records, resumes, performance reviews, HR documents, and any other content you upload (“Customer Data”).
- Communications: support tickets, emails, and feedback you send us.
Data collected automatically
- Usage data: pages viewed, features used, timestamps, request logs.
- Device data: IP address, browser type, device type, operating system.
- Cookies: session cookies for authentication; analytics cookies (only with consent in EU/UK).
3. How we use data
- To provide, operate, and maintain the Service.
- To process payments and send billing notifications.
- To respond to your support requests.
- To detect, prevent, and address technical issues, fraud, or abuse.
- To improve the Service through aggregated, anonymized analytics.
- To send service-related announcements (security, billing, ToS changes).
- To comply with legal obligations.
We do not sell personal data, and we do not use Customer Data to train AI models.
4. Legal basis (GDPR)
Where GDPR applies, our legal basis for processing is:
- Contract: to provide the Service to you.
- Legal obligation: to comply with tax, accounting, and other regulations.
- Legitimate interest: to secure our infrastructure and improve the Service.
- Consent: for optional analytics cookies and marketing emails.
5. Sub-processors
We use the following sub-processors to operate the Service. We have data processing agreements with each:
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting and storage | Tokyo, Japan |
| Stripe, Inc. | Payment processing | USA, Ireland |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Global |
| OpenAI / Anthropic / DeepSeek | AI model inference (only redacted/minimum-necessary data) | USA / Asia |
| Postmark / SendGrid | Transactional email | USA |
An updated list is available on request to [email protected].
6. Data retention
- Account and Customer Data: retained while your subscription is active, plus 30 days after termination.
- Billing records: retained 7 years for tax compliance.
- Support emails: retained 2 years.
- Server logs: retained 90 days.
You may request earlier deletion of personal data; see Section 8.
7. International transfers
Your data may be processed in countries outside your own. We rely on the EU Standard Contractual Clauses (SCCs) and equivalent legal mechanisms to protect data in international transfers.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (the “right to be forgotten”).
- Restrict or object to processing.
- Export your data in a portable format.
- Withdraw consent at any time.
- Lodge a complaint with your local data protection authority.
To exercise any right, email [email protected]. We respond within 30 days.
9. Security
We implement industry-standard safeguards including:
- TLS encryption for data in transit.
- AES-256 encryption for data at rest.
- Role-based access controls and audit logging.
- Regular security reviews and penetration testing.
- SOC 2 Type II controls (audit in progress).
No system is perfectly secure. We will notify affected users and authorities of any data breach in accordance with applicable law (typically within 72 hours under GDPR).
10. Children
Our Service is intended for businesses and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Cookies
We use essential cookies for authentication and session management. Analytics cookies are loaded only with your consent (where required by law). You can manage cookie preferences in your browser.
12. Changes to this policy
We may update this policy. We will notify you of material changes by email at least 30 days before they take effect. Older versions are available on request.
13. Contact
Privacy questions or requests:
Email: [email protected]
Mail: 207 Gough Street, Sheung Wan, Hong Kong