Privacy Policy

At Wibby, we respect your privacy and are committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information.


Wibby Privacy Policy

Last Updated: 12th August 2025

1. Who we are and scope

Katikn Pvt. Ltd. ("Katikn," "we," "us," "our") provides Wibby, an AI-powered leave management and HR assistant platform available via wibby.co, web application, APIs, and integrations (e.g., Slack, Google Calendar, Microsoft Teams) (collectively, the "Platform").

This Privacy Policy describes how we collect, use, disclose, and safeguard Personal Data when you or your organization use the Platform or visit our websites.

  • Controller (GDPR): Katikn Pvt. Ltd., 13-F, Sui Gas Society, Lahore, Pakistan
  • Privacy contact: hello@wibby.co
  • B2B role clarity: For customer HR data you put into Wibby, we act as a processor and your organization is the controller. For our own website/app telemetry, account, support, and billing admin data, we act as controller.
  • Children: The Platform is not intended for persons under 18.

We draft globally to comply with GDPR, CCPA/CPRA, LGPD (Brazil), Australian Privacy Act, and analogous frameworks.

2. Changes to this Privacy Policy

We may update this Policy. We'll post changes here with a new "Last Updated" date and, where material, notify admins in-app or by email.

3. Key definitions

  • Personal Data: information relating to an identified or identifiable person (GDPR/CCPA).
  • Processing: any operation performed on Personal Data.
  • Controller / Processor / Sub-processor: as defined under GDPR.
  • Service Provider: a third party processing data for us under contract.
  • Usage Data: telemetry like IP, device/browser, events, timestamps.
  • AI Features: Wibby functionality powered in part by OpenAI, LLC.
  • Customer: an organization using Wibby; Users: individuals accessing on a Customer's account.

4. What we collect

4.1 Data you provide to us

  • Account & organization: name, business email, hashed password, company name, role, phone (optional).
  • Workplace/HR content (Customer content): leave requests, approvals, balances, policies, departments/locations, comments, attachments you upload.
  • Support: messages, attachments, feedback.
  • Billing admin: billing contact name/email and tax/VAT/GST numbers (if provided for invoicing). (We don't collect card/bank details; see §13.)

4.2 Data collected automatically (Usage Data)

IP address, device and browser info, OS/app version, pages/events, referring URLs, timestamps, crash logs, coarse geolocation (city/country from IP), cookie identifiers. See Cookies & Similar Technologies (§16).

4.3 Data from integrations (you authorize)

Limited metadata and content from connected services: Slack, Google Calendar, Microsoft Teams, SSO/IdP, HRIS/payroll (e.g., user profiles/IDs, workspace/team identifiers, calendar availability or event metadata, messages relevant to leave actions), strictly as configured by your admin.

4.4 AI-processed input

Prompts and the minimum necessary contextual fields submitted to AI Features for generating responses or analytics (see §12).

5. Why we process data & GDPR legal bases

Purpose | Examples | Legal Basis (GDPR)
Provide & operate Platform | authentication, leave workflows, calendars, approvals | Contract necessity
Product analytics & improvement | feature usage, performance, diagnostics | Legitimate interests
AI assistance | leave via chat, policy Q&A, analytics summaries | Legitimate interests and/or Consent (where required)
Security & abuse prevention | logging, anomaly detection, fraud prevention | Legitimate interests; Legal obligation
Billing & invoicing | invoices, account management, taxes | Contract necessity; Legal obligation
Support & service comms | tickets, incident notices, operational updates | Contract necessity; Legitimate interests
B2B marketing | updates, newsletters (opt-out at any time) | Consent or Legitimate interests
Compliance | lawful requests, audits | Legal obligation

Customer responsibility: As controller for employee data you upload, your organization must have a lawful basis and provide employee notices. We process that data only under your instructions and our Data Processing Addendum (DPA).

6. How we share data (we do not sell)

We do not sell Personal Data. We disclose only to:

  • Service Providers / Sub-processors (hosting, analytics, email, support, AI, billing) under binding contracts and confidentiality.
  • Integration partners you connect (Slack, Google, Microsoft, etc.), pursuant to your authorization.
  • Corporate transactions (merger/acquisition) subject to continued protections.
  • Legal: where required by law, valid process, or to protect rights/safety.

We maintain an up-to-date sub-processor list, available on request via hello@wibby.co.

7. Role detail: controller vs processor

  • Processor: Customer HR data (leave entries, approvals, balances, policy configs, employee lists). We process on your behalf per DPA.
  • Controller: our website cookies, telemetry, account metadata, support tickets, and billing admin contacts.

8. Data minimization & sensitive data

We collect only data necessary for the stated purposes. We do not intentionally collect special categories of data (e.g., health, union membership) unless you submit such data in free-text fields; if you do, you are responsible for ensuring a lawful basis and appropriate notices.

9. Product analytics

We use analytics to understand feature usage and improve performance.

  • Website analytics: page views, events, device/browser, approximate location (city/country from IP).
  • In-app/product analytics: pseudonymous user ID, feature events, performance metrics.

Legal bases: Legitimate interests; consent where required (we display a consent banner in relevant jurisdictions).

Opt-out: GA browser add-on and cookie preferences (see §16).

10. Session replay & UX diagnostics (e.g., FullStory) (if enabled)

For troubleshooting and UX research, we may use session replay (e.g., FullStory). We configure masking to exclude passwords and sensitive fields. Data may include clicks, scrolls, UI errors, device, and event timelines.

Basis: Legitimate interests; consent where required.

Opt-out: request via hello@wibby.co and manage cookie preferences (§16).

11. Error monitoring & logging

We maintain application/security logs and may use error monitoring providers to ensure uptime and protect against abuse. We redact secrets and limit data in traces.

Basis: Legitimate interests; Legal obligation (security).

12. AI processing

What & why

Wibby's AI Features (powered in part by OpenAI, LLC) help automate leave requests, answer policy questions, and produce analytics summaries.

Data handling

  • We transmit only the minimally necessary input to OpenAI.
  • We anonymize/pseudonymize prompts where feasible and avoid direct identifiers unless strictly necessary for the user-requested output.
  • We do not permit OpenAI to train on your data unless you (or your org admin) explicitly consent.

Legal & transfers

  • Bases: Legitimate interests and/or Consent (where required).
  • Cross-border: safeguarded by Standard Contractual Clauses (SCCs) or equivalent mechanisms.
  • Limits: AI outputs are recommendations, not legal or HR advice. You are responsible for verifying outputs before acting.

13. Payments & billing (Lemon Squeezy)

We do not collect or store payment card or bank details.

All payments are processed by Lemon Squeezy (merchant of record/payment processor). Lemon Squeezy collects and processes payment information under its own terms and privacy policy.

We receive limited billing metadata from Lemon Squeezy (e.g., plan, status, invoice amounts, transaction IDs, billing contact and tax/VAT numbers if provided) to manage your subscription.

Legal bases: Contract necessity; Legal obligation (tax).

For details on their data practices, please refer to Lemon Squeezy's Privacy Policy (linked from their website).

14. Email marketing & product communications

  • Transactional/service emails: account verification, security alerts, system updates, approvals, invoices—essential to service; you cannot opt out while your account is active.
  • Product updates & newsletters (B2B): you can unsubscribe at any time via the footer link or preferences.
  • Providers: reputable email platforms.
  • Data processed: name, email, org, subscription status, engagement metrics (opens/clicks).
  • Legal bases: Consent or Legitimate interests (with opt-out).

15. Customer support, CRM, and chat

We may use help desk/chat and CRM tools to manage tickets and communications. Data processed: contact details, ticket content, attachments, metadata (timestamps, status).

Basis: Contract necessity; Legitimate interests.

Retention: per §22.

16. Cookies & similar technologies

Types we use

  • Strictly necessary: login/session, security, load balancing.
  • Functional: preferences, UI settings.
  • Analytics: performance and product analytics.
  • (Optional) Marketing/remarketing: only if enabled and consented.

Controls

You can manage cookies in your browser and via our cookie banner (where required). Blocking some cookies may impact functionality.

We honor regional consent requirements and record preferences.

17. International data transfers

Your data may be transferred to and processed in countries outside your own (including Pakistan, the EU, the UK, and the United States). We rely on lawful transfer mechanisms such as SCCs, adequacy decisions, and processor contractual commitments.

18. Security

We implement industry-standard safeguards, including:

  • Encryption in transit and at rest where appropriate
  • Role-based access controls and MFA for staff with elevated access
  • Network segmentation, least-privilege, and secure SDLC
  • Logging/monitoring, vulnerability management, and periodic testing

No system is 100% secure; we cannot guarantee absolute security.

19. Data subject rights

If you are in the EEA/UK (GDPR)

You have the right to access, rectify, erase, restrict, port, and object, and to withdraw consent at any time (without affecting prior lawful processing). You may also lodge a complaint with a supervisory authority.

If you are in California (CCPA/CPRA)

You have the right to know, access, delete, correct, opt out of "sale"/"sharing" (we do not sell), and the right to non-discrimination for exercising your rights.

How to exercise

Email hello@wibby.co. We will verify your identity (and authority, if you're an agent) before acting on a request. If your data is controlled by your employer (our Customer), we may refer your request to them.

20. "Do Not Track" (DNT)

Some browsers send DNT signals. There's no common standard—our services don't respond to DNT. You can control cookies/trackers via your browser and our cookie banner (where applicable).

21. Automated decision-making

We do not engage in automated decision-making that produces legal or similarly significant effects without human review. AI outputs are advisory and require user validation.

22. Retention schedule (how long we keep data)

Data Category | Typical Retention
Account & org profile | For the life of the account + up to 24 months (audit/legal)
HR/leave Customer content (processor) | As instructed by Customer; deletion upon contract end per DPA
Usage logs & security logs | 12–18 months (security/compliance), then archived/aggregated
Support tickets | 24 months after resolution (unless required longer by law)
Email marketing preferences | Until you unsubscribe or account deletion
Billing & invoices | 7–10 years (tax/accounting laws)
Backups | Encrypted; rotated and expired on a fixed schedule (typically ≤ 90 days)

We may retain anonymized or aggregated data for analytics beyond the periods above.

23. Data location & hosting

We host on reputable cloud providers (e.g., AWS/GCP). Data location can vary by region and service architecture. Enterprise customers may request data residency options (subject to availability and agreement).

24. Third-party links

Our sites/apps may link to third-party websites. We are not responsible for their privacy practices. Review their policies before providing them with Personal Data.

25. Data breaches & incident response

We maintain an incident response program. Where legally required (e.g., under GDPR), we will notify the relevant supervisory authority within the statutory timeframe (e.g., 72 hours) and affected customers/users without undue delay.

26. Your organization's responsibilities

If you are a Customer admin/controller, you are responsible for:

  • Providing legally sufficient employee privacy notices
  • Configuring retention and access within Wibby
  • Managing integration scopes and consent
  • Responding to data subject requests related to your employee data

27. Data Processing Addendum (DPA)

When we act as a processor, our DPA (including SCCs, where applicable) governs processing on your behalf. Contact hello@wibby.co to obtain or execute our latest DPA.

28. Region-specific disclosures

EEA/UK

  • Lawful basis: see §5.
  • Transfers: SCCs and equivalent safeguards.
  • Complaints: You may contact your local supervisory authority.

California (CCPA/CPRA)

  • We do not sell or share Personal Data as defined by CPRA.
  • We honor opt-out preferences for marketing cookies/trackers (if used).
  • Verified consumer requests: see §19 (timelines per CPRA).

Brazil (LGPD)

  • We process data under LGPD legal bases analogous to GDPR.
  • You may exercise LGPD rights via hello@wibby.co.

Australia

  • We comply with the Australian Privacy Principles (APPs).
  • Cross-border transfers use contractual safeguards comparable to SCCs.

Contact us

Katikn Pvt. Ltd.

13-F, Sui Gas Society

Lahore, Pakistan

hello@wibby.co

Last updated: 8/26/2025