Privacy Policy

Effective Date: April 2026 · Cnnex Limited Company

This Privacy Policy describes how Cnnex Limited Company ("Company," "we," "us," or "our") collects, uses, and protects your information when you use Micro-Payroll and its related services (collectively, the "Service"). We are committed to transparency and handling your data responsibly.

1. Information We Collect

We collect information that is necessary to provide and improve the Service. The categories of personal data we may collect include:

| Category | Description | Source |
| --- | --- | --- |
| Account Details | Name, email address, and hashed password used to create and maintain your account. | Directly from you at registration, or via OAuth provider (Google, Apple, Microsoft). |
| Company Name | The name of your company, used to associate your account with your locally stored payroll data. Employee records, payroll calculations, and tax filing history are never uploaded to our servers — they remain exclusively in your browser's local storage. | Directly from you when you set up your company profile. |
| Usage Data | IP address, browser type, operating system, pages viewed, and timestamps of interactions. | Automatically collected via server logs. |
| Authentication Tokens | Session tokens used to keep you securely signed in. | Generated by our servers and stored as encrypted cookies. |

2. How We Use Your Data

We use the collected data only for legitimate purposes directly related to operating the Service:

| Purpose | Legal Basis |
| --- | --- |
| Service Delivery — operate your account, store your company name, and maintain your authenticated session. Payroll calculations and employee data remain in your browser only. | Performance of contract / your use of the Service. |
| Authentication — verify your identity on each login via email/password or OAuth. | Legitimate interest (account security). |
| Email Notifications — send verification codes, password resets, and service updates. | Legitimate interest / your explicit request. |
| Service Improvement — analyse aggregate, anonymised usage patterns to improve features. | Legitimate interest. |
| Security & Fraud Prevention — detect and investigate abuse, unauthorised access, or technical issues. | Legitimate interest / legal obligation. |

3. Data Storage & Security

Your data is stored in a private, encrypted PostgreSQL database hosted on a dedicated server. We do not use shared public cloud infrastructure for payroll data storage. We implement the following safeguards:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed and salted using bcrypt — we never store plaintext passwords.
  • Session tokens are stored in HttpOnly, Secure, SameSite cookies to prevent XSS and CSRF attacks.
  • Server access is restricted to authorised personnel via SSH key authentication only.
  • Regular automated backups are maintained with point-in-time recovery.

No security system is impenetrable. In the event of a data breach affecting your personal data, we will notify you in accordance with applicable law.

4. Data Sharing

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We may share data only in the following limited circumstances:

OAuth Providers

If you sign in via Google, Apple, or Microsoft, your identity is verified through their systems. We only receive your name and email address; we do not have access to your provider account or password.

Email Service

We use an SMTP mail service to send verification codes and transactional emails. Only your email address is shared for delivery purposes.

Legal Compliance

We may disclose data if required by law, court order, or government authority, or if necessary to protect the rights and safety of our users.

Business Transfer

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is subject to a different privacy policy.

5. Cookies & Session Storage

We use only strictly necessary cookies. We do not use third-party advertising or tracking cookies.

  • Session cookie — keeps you authenticated during a browser session (HttpOnly, Secure).
  • Locale preference cookie — remembers your language selection (en or zh-TW).
  • OAuth state cookie — a short-lived security token used during the sign-in flow to prevent CSRF attacks.

6. Data Retention

We retain only the data stored on our servers — your account information (email, name, hashed password, OAuth identifiers) and your company name — for as long as your account remains active or as necessary to provide the Service.

All payroll data (employee records, calculations, tax filing history) is stored exclusively in your browser's local storage and is never transmitted to our servers. We have no access to this data and therefore no retention obligation over it. If you delete your account, your server-side personal data will be removed within 30 days.

7. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your account and associated personal data.
  • Portability — request an export of your payroll data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdrawal of Consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Children's Privacy

The Service is intended for use by business operators and is not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page and, where appropriate, notify you by email or an in-app notice. Your continued use of the Service after any change constitutes your acceptance of the revised policy.

10. Contact Us

If you have any questions or concerns about this Privacy Policy or the handling of your personal data, please contact:

Cnnex Limited Company

Email: [email protected]

Not affiliated with the IRS, WA State EAMS, CA EDD, NY DTF, or TX TWC.