Privacy Policy

Last updated: 2026-04-27

BlackKite ("we", "our", or "us") provides software for co-working space operators in Hong Kong. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").

1. Who this policy applies to

This policy applies to operators (our customers — the businesses that subscribe to BlackKite to manage their co-working spaces), tenants (end users who interact with operators through BlackKite — booking rooms, signing contracts, paying rent), brokers, and visitors to our public website.

Operators are independent data controllers for the tenant data they upload to BlackKite. BlackKite acts as a data processor on their behalf, except for the data we collect directly (account, billing, usage telemetry).

2. What personal data we collect

Account data: name, email address, phone number, password (hashed), role.

Operator data: business name, location addresses, billing details.

Tenant data uploaded by operators: tenant names, contact info, contract terms, payment records, IC/HKID identifiers (only when operators choose to record them).

Usage data: pages visited, features used, IP address, device/browser metadata, timestamps.

Payment matching data: bank statement metadata you upload for FPS reconciliation.

Communications: emails and notifications we send, plus messages you send us via support channels.

3. Why we collect it

To provide the BlackKite service: authentication, room/tenant management, billing, reconciliation, reminders.

To send transactional notifications (renewals, invoices, receipts, security alerts).

To prevent abuse, fraud, and unauthorised access.

To improve the product (aggregated analytics — never to sell your data).

To meet legal and regulatory obligations.

4. Sub-processors we use

Supabase (PostgreSQL, authentication, storage) — primary data backend.

Vercel — application hosting and edge delivery.

Google — OAuth sign-in only (we receive your email and name from Google when you choose to sign in with Google; we do not receive your password).

GitHub — OAuth sign-in only (same scope as Google).

Email delivery providers (Supabase SMTP, and where applicable Google Workspace SMTP relay).

Where the operator opts in to messaging integrations (e.g., WhatsApp via Wassenger or GHL), the operator is responsible for that processor relationship.

5. Where data is stored

Primary storage is hosted in our Supabase project region (typically Asia Pacific). Some sub-processors (e.g., Google for OAuth) operate globally and may process limited data outside Hong Kong, governed by their own privacy practices.

6. How long we keep data

Account and operator data: for the lifetime of the subscription, plus a reasonable retention period after cancellation to handle disputes and legal obligations.

Tenant data: as long as the operator keeps it in their workspace; deletion requests by tenants should be made through the operator first.

Usage logs and audit logs: typically up to 24 months.

Backups: rolling encrypted snapshots, retained per Supabase backup policy.

7. Cookies and similar technologies

We use cookies for authentication sessions, language preference (NEXT_LOCALE), and impersonation context (super-admin support only). We do not use third-party advertising trackers.

8. Your rights under the PDPO

You may request access to, or correction of, the personal data we hold about you.

You may withdraw consent for any processing that relies on consent.

You may request deletion of your account; we will delete or anonymise data unless a legal hold applies.

For tenant data held by an operator, please contact the operator first; we will assist the operator with your request.

9. Children

BlackKite is not intended for individuals under 18. We do not knowingly collect data from minors.

10. Security

We use industry-standard encryption in transit (TLS) and at rest. Access is granted on a least-privilege basis. We log administrative actions for audit. No system is perfect, however, so please use a strong, unique password and enable multi-factor authentication where available.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or in-app notice before they take effect.

12. Contact

For privacy questions or to exercise your PDPO rights, email privacy@blackkite.app. We aim to respond within 30 days.