Command Center Playbook Decision Stack Execution Trail Security & Governance For Operations For Engineering For Founders Templates Integrations Blog Documentation Pricing
Log in Deploy Your Workspace

Privacy Policy

Effective Date: from 2026.05.26.

This Privacy Policy (“Policy”) explains how Southern Vector Limited (NZBN 9429052764448) of 26 Applefield Court, Northwood, Christchurch, 8051, New Zealand (“Hubson”, “we”, “our”, “us”) collects, uses, discloses, and protects Personal Information (PII) when you use Hubson AI Platform or it’s related services (collectively, the “Service”) that augment productivity and automate complex workflows for professional businesses.

We are committed to comply with the New Zealand Privacy Act 2020 (including the Information Privacy Principles (“IPPs”), the Privacy Regulations 2020, the Unsolicited Electronic Messages Act 2007 (“UEM Act”), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the 'GDPR') and all other applicable privacy laws. If you do not agree with this Policy, please do not use the Service.

___________________________________________________

DEFINITIONS

────────────────────────────────────────

“Account” means the registered profile enabling a Customer and its Users to access the Service.

MCP” means any Model Context Protocol server, interface, webhook, or similar endpoint made available by Hubson

“API” means any application-programming interface, webhook or similar endpoint made available by Hubson.

“Customer” (“you”, “your”) means (i) the business or other legal entity that registers for the Service, (ii) its authorised Users, and (iii) any person or entity acting on its behalf.

“Customer Data” means all data, content, files, Personal Information, or material submitted to, stored on, or processed via the Services by or on behalf of a Customer (most of the cases this Privacy Policy does not apply to any input or output generated on our online platform, or documents uploaded to our platform. We process this data on behalf of Customers whose are Controllers in these cases.)

“Personal Information” means personally identifiable information, including about you and your employees, officers agents, and any natural person acting on your behalf. If you cannot be identified (for example, when personal information has been aggregated and anonymised) then certain parts of this Policy may not apply to that information.

“Sub-processor” means any third party authorised to process Personal Information for or on behalf of Hubson in connection with the Service, as may be provided to you from time to time in accordance with clause 7.

Words such as “including”, “for example” and similar expressions are illustrative and do not limit the sense of the words preceding them.

──────────────────────────────────────

  1. WHO WE ARE & CONTACT DETAILS

──────────────────────────────────────

●      Controller (for Hubson’s own data-processing): Southern Vector Limited

●      Address: 26 Applefield Court, Northwood, Christchurch, 8051, New Zealand

●      E-mail: [email protected]

●      Privacy Officer: Tamas Ham-Szabo / director

If you are an end-user of an organisation that is our customer, Hubson acts as an agent of the customer in respect of any data held for or on behalf of that customer organisation —please contact the relevant organisation (the “Controller”) first.

EU representative of the Controller:

●      GBD Software as a Service Private Limited Company, GBD Ltd.

●      Address: 6065 Lakitelek, Szikra tanya 93. 1021, Hungary

●      E-mail: [email protected]

●      Data Protection Officer: Gergely Hajnal, dr.

──────────────────────────────────────

  1. WHAT INFORMATION WE COLLECT

──────────────────────────────────────

The ways we may collect your Personal Information can be categorised into:

·       Information you provide to us directly.

·       Information which is collected automatically.

·       Information we collect from third parties.

 

If you choose not to provide us with your Personal Information, then some functions and features of our Services may not be available to you

2.1 Information you provide directly may include:

●      Account details – name, business email, account credentials, company, address, GST/Tax ID, password, profile photo, transaction history.

●      Communication Information – If you communicate with us, (for example when you contact us about the Services, when you interact with our Website, or when you request support) we collect your name, email address, the way you interact with the Services, and the contents of any messages you send

●      Customer Data – any data or content (files, chat messages, lists, custom fields, etc.) you or your users upload or import.

●      Inputs and Suggestions: Special kind of Customer Data. The Service allows you to submit content ("Inputs"), which generate responses ("Suggestions") based on your Inputs. If you include personal data or reference external content in your Inputs, we will collect that information and it may be reproduced in the Suggestions we provide.

●      Voice Recording and/or Audio Data, e.g., audio recorded when you opt to use Hubson’s voice transcription (speech to text) features. Our voice recording feature is entirely optional and only activates when you explicitly initiate it. We do not record audio in the background or without your knowledge. We process voice recordings solely for the purpose of transcribing speech to text, and your audio data is processed to generate text transcriptions that you can use within the Services.

 

2.2 Information automatically collected may include:

●      Device & usage – IP address, browser/OS, device type, referrer, approximate geo-location (IP-derived, if enabled), language.

●      Event & activity logs – pages viewed, clicks, feature use, session timing, UTM parameters, cookies/pixels, session-replay, audit trails.

●      Service usage data: When you interact with the Services, metadata is generated that provides additional context about your use of the Services. This includes your email address, account identifiers, data about how often you visit the Website, how you interact with the Services, the amount of time spent engaging with the Services, the volume of queries you submit, the type of queries you submit, the features interacted with, and how those features performed during your interactions (collectively “Usage Data”).

●      Cookies & Similar Technologies. We and our service providers utilize cookies, pixels, scripts, or similar technologies to operate and manage the Service and improve your experience. These technologies help us to recognize you, customize or personalize your experience, market additional products or services to you, and analyze and optimize your use of the Service, for example to help maintain your preferences.2.3 Information from third parties may include:

●      Payment processors (Stripe) — tokenised payment details and invoice status.

●      Integrations you enable

Where you provide us with any Personal Information about a third party, you must have that third party's consent to do so. By providing us any third party Personal Information, you warrant that you have that third party's permission to provide that information to us.

2.3 Information we collect from third parties:

●      Marketing vendors who provide us with information about potential customers of our services, such as contact details, company’s name, email address, physical address, and phone number, and information about professional affiliations and employment.

●      Google Sign-In Services: If you choose to sign into the Service using Google sign-in services, then Google shares with us certain information, such as your full name, language preference, nickname, e-mail address and picture. 

 

2.4 Sensitive (“special-category”) data

We do not intentionally collect special-category data (health, union, race, biometric, etc.) and instruct customers not to upload such data unless strictly necessary and all legal requirements are met. If you choose to upload such data you are solely responsible for obtaining the required consents or authorisations and notifying us if additional safeguards are needed.

2.5 Unique identifiers (IPP 13)

We assign only those unique identifiers that are strictly necessary for authentication or account security (e.g., workspace ID, user ID).

──────────────────────────────────────

  1. HOW WE USE YOUR INFORMATION

──────────────────────────────────────

We primarily process Personal Information for the purposes listed below or as otherwise set out in these terms or permitted by law:

  1. Provide, operate, maintain, and improve the Services.
  2. Provide voice transcription services when you use our voice transcription feature.
  3. Authenticate users, administer accounts, and enforce workspace permissions.
  4. Manage your account and access to different functionalities.
  5. Personalise your use of our Services, applications, or platforms
  6. Process transactions and issue invoices.
  7. Communicate with you about the Service (service notices, security alerts, updates).
  8. Send marketing material to you – only with your consent or where otherwise lawful (Section 5).
  9. Conduct analytics, diagnostics, debugging, and product development.
  10. Ensure security, fraud-prevention and service integrity.
  11. Comply with legal obligations or respond to lawful requests and disputes.

 

 

──────────────────────────────────────

  1. LEGAL BASES FOR PROCESSING

──────────────────────────────────────

We may also process Personal Information as required to:

●      deliver the Service you request.

●      send you marketing emails, access data stored in non-essential cookies.

●      secure and improve the Service

●      comply with our internal tax, record-keeping, and fraud detection processes.

──────────────────────────────────────

  1. MARKETING COMMUNICATIONS & UEM ACT

──────────────────────────────────────

●      We send electronic marketing messages only with valid consent, an applicable business-to-business exemption, or another lawful basis as permitted by the Unsolicited Electronic Messages Act 2007 and comparable overseas laws.

●      All marketing e-mails include our contact details and a functional unsubscribe link.

●      You may withdraw consent for us to send electronic marketing messages at any time by clicking the unsubscribe link, changing in-app settings, or emailing us.

●      If you use our Marketing, Inbox or Lead to Deal Modules to message third parties, You assume full and exclusive responsibility for obtaining and recording the necessary consents, having functional unsubscribe facilities,  honouring all opt-out requests, and otherwise complying with the UEM Act and other applicable laws.

──────────────────────────────────────

  1. COOKIES & TRACKING TECHNOLOGIES

──────────────────────────────────────

We use first- and third-party cookies, pixels, and similar technologies for analytics, personalisation, and advertising.

●      Essential cookies (including those used for security and authentication) are strictly necessary for the operation of the Service and remain active at all times, based on our legitimate interest in ensuring the security and functionality of the Application.

●      Full details of each cookie/tool, purpose, expiry, and how to change preferences are set out in Cookies and non-essential cookies are set only with your consent, recorded via our CookieYes banner & preference centre.

●      You may configure your web browser to not accept cookies, however you may experience a loss of functionality as a result.

──────────────────────────────────────

  1. DATA SHARING & DISCLOSURE

──────────────────────────────────────

7.1 No Sale of Personal Information

We do not sell Personal Information.

7.2 Sub-processors & Service Providers

We share information with trusted third-party service providers ("Sub-processors") who help us provide, secure, and improve the Service (including hosting, payment processing, analytics, customer support, and AI inference).

All Sub-processors are vetted for security and legally bound by written agreements that require:

●      Confidentiality and strict compliance with our instructions;

●      Implementation of 'comparable safeguards' to those required by the Privacy Act 2020 or GDPR standards as applicable;

●      Notification in the event of a notifiable data breach;

●      Use of data only as instructed by us; and

●      Audit / monitoring rights.

You can ask for our current sub-processor list at ???????.  If you have any objection to a sub-processor please contact us at the contact details set out in clause 1 or with our Privacy Officer’s contact details set out in clause 16.

By choosing to use third-party integrations, you direct us to share and consent to us sharing Customer or other data with those third-party services. Other than to the extent required by the Privacy Act 2020, we are not responsible for the privacy practices or security of those third-party services once the data leaves our systems. Our linking or integrating with a third party does not imply endorsement or affiliation.

7.3 International Transfers (IPP 12)

Some data may be processed in or accessed from countries outside New Zealand (e.g., Australia, EU, US, Canada). To the extent this is considered a disclosure to a third party under the Privacy Act 2020, we will ensure recipients in those countries are subject to safeguards comparable to those required by the Privacy Act 2020 by:

  1. Putting in place written data-processing agreements with comparable safeguards to those in the Privacy Act 2020  or EU Standard Contractual Clauses; and/or
  2. Selecting providers subject to the Privacy Act 2020 or in jurisdictions recognised as having equivalent privacy protections.

7.4 Law Enforcement & Business Transfers

We may disclose Personal Information where legally required, or in connection with a merger, acquisition, or sale of assets.

7.5. With Your Consent

We may disclose personal data when you give us permission to do so, including through features of the Services that are designed to share information.

──────────────────────────────────────

8.     DATA SECURITY

──────────────────────────────────────

Our company operates in compliance with the ISO 27001:2022 standard regarding information security requirements and technology. We implement reasonable technical and organisational measures, including:

●      Encryption in transit (TLS 1.2+) and at rest (server-level AES-256 for all new databases).

●      Successfully implemented Information Security Management System with among other things annual penetration testing, vulnerability scanning, and mandatory staff security training.

●      Role-based access, two-factor authentication (2FA) rollout across all internal systems.

●      Audit logs for user access and configuration changes.

●      Payments handled by PCI-DSS level 1 provider (Stripe); Hubson never stores full card numbers.

However, please remember that no method of transmission over the Internet or method of electronic storage is completely 100% secure. You are responsible for keeping your passwords and devices secure.

You should use caution when deciding what information to share with the Service. We are not responsible for any circumvention of privacy settings or security features on the Service or on third-party websites linked through the Service.

──────────────────────────────────────

9.     DATA BREACH NOTIFICATION

──────────────────────────────────────

If we become aware of a notifiable privacy breach (as defined in the Privacy Act 2020) we will comply with the notification and other requirements under the Privacy Act 2020.

 

 

──────────────────────────────────────

10.  DATA RETENTION & DESTRUCTION (IPP 9)

──────────────────────────────────────

We keep Personal Information only as long as necessary for the purposes set out in this Policy or to comply with legal requirements, resolve disputes, enforce legal agreements and policies. We review retention schedules annually. We comply with data minimization rules, when data is no longer required or serves no particular purpose we securely delete or irreversibly anonymize it.

When you use our voice transcription feature, your audio is temporarily processed by our systems to generate the text transcription. By default, we do not retain your audio recordings after transcription is complete. Hubson will also retain Usage Data for internal analysis purposes as stated above. When you interact with the AI-powered chat feature on our Site, your chat messages and any information you provide are processed and retained by the third-party service provider for the duration of our service relationship with such provider and as reasonably necessary to provide the chat service, respond to your inquiries, improve Site functionality, and comply with applicable legal obligations.

──────────────────────────────────────

11.  YOUR RIGHTS (IPPs 6–8; 12)

──────────────────────────────────────

Under the Privacy Act, you have certain rights in connection with your Personal Information, including rights to request access to, and correction of, your Personal Information.

These rights are subject to certain limitations and exceptions as set out in the Privacy Act.

If you wish to exercise any of your rights described above, please contact our privacy officer as set out under clause 16 of this Policy.

 

 

──────────────────────────────────────

12.  CLIENT / END-USER DATA (PROCESSOR ROLE)

──────────────────────────────────────

When a customer uploads or generates data about their end-users, the customer is the Controller and Hubson is only a Processor as stated above. We:

●      Process that data only on the customer’s documented instructions;

●      Provide technical and organisational measures to protect it;

●      Assist the customer with privacy requests and audits;

●      Enter into a Data Processing Addendum (DPA)

●      End-users should direct privacy enquiries to the relevant customer.

──────────────────────────────────────

13.  CHILDREN’S PRIVACY

──────────────────────────────────────

The Service is intended for customers with users aged 18 or older. We do not knowingly collect information from minors. If you believe a child has provided us with Personal Information, please contact us for deletion.

──────────────────────────────────────

14.  CHANGES TO THIS POLICY

──────────────────────────────────────

We may update this Policy at any time. Material changes will be announced by e-mail or an in-app banner and will take effect 30 days after notice unless required sooner by law.

──────────────────────────────────────

15.  QUERIES, CONCERNS & COMPLAINTS

──────────────────────────────────────

Please contact our Privacy Officer at [email protected] or the postal address above. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner (www.privacy.org.nz).