Atome Personal Data Protection and Privacy Policy (Hong Kong)

1.        Introduction

1.1        Atome HK Limited (“Atome” or “we” or “our” or “us”) recognises and undertakes its responsibilities under applicable privacy laws. We recognize the importance of the personal data you have entrusted to us and believe that it is our responsibility and commitment to properly manage, protect and process your personal data.

1.2        Please read this Personal Data Protection and Privacy Policy (“Privacy Policy”) to understand what personal data is collected or processed by us, and for what purposes it is used for, how we handle, collect, use, disclose and process personal data about you that you give us, or that is in our possession.

1.3        Without prejudice to any of the foregoing, if you provide the personal data of any other third party to us, you warrant you are duly authorised to disclose such third party’s personal data to us and the purposes which you disclosed to the third party on collection of his personal data permit us to use this personal data as set out in this Privacy Policy.

2.        Definition of Data Protection and Privacy Terms

2.1        “Data” means any representation of information (including an expression of opinion) in any document, and includes a personal identifier.

2.2        Data processor means a person who (i) processes personal data on behalf of another person; and (ii) does not process the data for any of the person’s own purposes.

2.3        Personal data means any data (i) relating directly or indirectly to a living individual; (ii) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (iii) which are in a form in which access to or processing of the data is practicable. Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a product review). It can include an e-mail address, particularly if used in conjunction with other identifiers. It is important that the information has the data subject as its focus and affects the individual’s privacy in some way.

2.4        Processing, in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.

        

3.        Types of Personal Data We Collect

3.1        We collect information about you when you register an account with us and use our website(s), website/IT portal(s)/mobile application(s), forms, surveys, and other channels and throughout other interactions, communications and services you have with us.

3.2        Personal data which we may collect include:

a.         your personal information such as your name, national identity card number, passport number, date of birth, marital status, gender;

b.        your contact information such as residential or postal addresses, email addresses, telephone, mobile phone and fax numbers;

c.        your past and present employment information such as organisation name, organisation type, industry sector, job function and responsibilities, designation, business telephone and fax numbers, business email addresses;

d.         (for corporate users) beneficial owner information, authorised signatory information, business telephone and fax numbers, business email address;

e.        your billing and payment information, including name of the credit/debit cardholder, credit/debit card number, security code and expiry date; or

f.        proof of income and financial details, photographs, videos and/or audio recordings collected from us through online (websites, emails, apps, etc.) or offline platforms (events, surveys, phone calls, etc).

        Personal data collected in Section 3.2(a) through (e) above are mandatory. We may not be able to provide you with our services, or the level of our services may be adversely affected if you do not provide the personal data we consider mandatory.

        

3.3        We may collect and store certain information automatically when you visit our website(s) or use our website(s)/IT portal(s)/mobile application(s). Examples include:

a.        the internet protocol (IP) address used to connect your computer or device to the Internet;

        b.        connection information such as browser type and version;

        c.        your operating system and platform;

        d.        a unique reference number linked to the data you enter on our system;

        e.        login details;

        f.        the full URL clickstream to, through and from the website(s) or website/IT portal(s)/mobile application(s) (including date and time);

        g.        cookie identifier, and

        h.        your activity on our website(s) or website/IT portal(s)/mobile application(s), including the pages you visited, the searches you made and, if relevant, the services you purchase.

3.4        We may receive information about you from third parties if you use any websites or social media platforms operated by third parties (for example, Facebook, Instagram, Twitter etc.) and, if such functionality is available, you have chosen to link your profile on our website(s) or website/IT portal(s)/mobile application(s) with your profile on those other websites or social media platforms.

3.5        We only collect personal data that we reasonably need for use in connection with the purposes stated in paragraph 5 of this Privacy Policy in order to provide our services. We do not collect personal data that is unnecessary or excessive.

3.5        In respect of voluntary personal data provided to us, we:

a.        will only use the personal data provided for the purposes stated in paragraph 5 of this Privacy Policy;

b.        will disregard any personal data provided that is irrelevant for the purposes stated in paragraph 5 of this Privacy Policy; and

c.        will not use the personal data for any other purposes unless you have given your prescribed consent to the use for the relevant other purposes.

4.        Cookies

4.1        A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or device.

4.2        We use cookies to:

a.        identify you from other users on our website(s) or website/IT portal(s)/mobile application(s);

b.        remember your preferences on language, font size, colour scheme, so that the look and feel of our website is kept for your future visits;

c.        analyse how you navigate our website and applications to help us optimise its design; and

d.        track your behaviour and preferences so we can assess the kind of information and services you may be interested in from us.

4.3        You can block or deactivate cookies in your browser settings.

4.4        We use log-in cookies to remember you when you have logged in for a seamless experience.

4.5        We use session cookies to track your movements from page to page and in order to store your selected inputs so you are not constantly asked for the same information.

4.6        By continuing to use our website(s) or website/IT portal(s)/mobile application(s), you are agreeing to the use of cookies on the site as outlined above. However, please note that we have no control over the cookies used by third parties.

4.7        For further information on types of cookies and how they work, visit www.allaboutcookies.org.

5.        Purposes for which the Personal Data is Collected, Used and Disclosed

5.1        We will/may collect, use, disclose and process your personal data for one or more of the following purposes:

a.        To consider and process your application to be our customer/user and to process your account with us;

b.        To facilitate, process, deal with and administer your account with us;

c.        For the supply of any goods and services which we may offer to you or that you may request, obtain or purchase from us or through our website;

d.        To deal with, process and administer your use of the online services at any of our website(s), website/IT portal(s)/mobile application(s) and through other digital or telecommunication channels;

e.        For identification and verification purposes in connection with any of the goods and services that may be supplied to you by us or that you may request from us;

f.        To carry out your instructions, respond to any enquiry or deal with any feedback given by (or purported to be given by) you or on your behalf, including contacting you via phone/voice call, text message or fax, email and postal mail regarding your instructions, enquiries and feedback;

g.        To conduct research, analysis and development activities (including but not limited to data analytics, surveys, focus groups and/or profiling) to improve our services and facilities for your benefit, or to improve any of our marketing programmes or events;

h.        To deal with, process and administer marketing campaigns conducted by us or on our behalf which you have consented to participate in;

i.        To contact you or communicate with you via various modes of communication such as phone/voice call, text message or fax message, forms, email and postal mail for the purposes of administering, dealing with and/or managing your account with us. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents or notices to you, which could involve disclosure of certain personal data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages;

j.        To carry out due diligence or other screening activities (including security and background checks) in accordance with legal or regulatory obligations or our risk management procedures that may be required by law or that may have been put in place by us;

k.        To prevent or investigate any fraud, unlawful activity or omission or misconduct, whether or not there is any suspicion of the aforementioned; dealing with and investigating complaints;

l.        To comply with or as required by any applicable law, governmental or regulatory requirements of any jurisdiction applicable to us or our associated companies, including meeting the requirements to make disclosure under the requirements of any law binding on us or our associated companies, or for the purposes of any guidelines issued by regulatory or other authorities of competent jurisdiction, with which we or our affiliates/associated companies are expected to comply;

m.        To comply with or as required by any request or direction of any governmental authority;

n.        For direct marketing (see Clause 8 below);

o.        To facilitate and deal with payment for goods and services provided by us or our subsidiaries, and a third party on our behalf including verification of credit card details with third parties and additionally, using the personal data you provide to conduct matching procedures against databases of known fraudulent transactions (maintained by us or third parties);

        

p.        To deal with, handle and conduct disciplinary, security and quality assurance processes, matters and arrangements;

q.        To perform internal administrative, operational and technology tasks to facilitate, administer or manage your account with us;

r.        To produce statistics and research for internal and/or statutory reporting or record-keeping requirements and performing our policy/process reviews;

s.        To disclose to a third party to comply with any law, legal requirements, orders, directions or requests from any court, authority or government body of any competent jurisdiction;

t.        To help us improve our services to you;

u.         To offer our services of Instalment Payment Structure (as defined in our terms of service at https://www.atome.hk/en-hk/terms-of-service) to you, including collecting Instalment Payments from you;

v.        If necessary, to process or receive payments from or to you; or

w.        To store, host, back up (whether for disaster recovery or otherwise) of your personal data including in a jurisdiction other than your location.

(collectively, referred to as the “Purposes”)

5.2        We may need to disclose your personal data to third parties, including to banks, payment service providers, other payment gateways or data processors, including to third parties in jurisdictions other than your location, for one or more of the above Purposes, as such third parties would be processing or using your personal data in connection with one or more of the above Purposes. You hereby acknowledge, agree and consent that we are permitted to disclose your personal data to such third parties (including to third parties in jurisdictions other than your location) for one or more of the above Purposes and for the said third parties to subsequently collect, use, disclose or process your personal data for one or more of the above Purposes. Such third parties include:

a.        our associated companies;

b.        any of our suppliers, collaborative partners, agents, contractors or third party service providers including;

i.        IT service and software suppliers;

ii.        payment processors and facilitators;

iii.        cloud platform service providers;

iv.         cloud storage providers;

v.        data analytics providers;

vi.        research partners;

vii.        marketing and advertising agencies who create our advertisements and promotions;

viii.        background check and identity verification providers; and

ix.        vendors that assist us to enhance the safety and security of our website and Applications; and

c.        our lawyers, accountants, auditors, insurers, bankers, and other similar professionals.

5.3        We will ensure non-Hong Kong third parties which we share your personal data to are under similar contractual obligations as those imposed under Hong Kong privacy law before we share your personal data with the third parties set out in paragraph 5.2 of this Privacy Policy.

5.4        We will not collect, use, disclose or process your personal data for other purposes that do not appear above unless we have your prescribed consent.

5.5        We may also collect from sources other than yourself, personal data about you, for one or more of the above Purposes, and thereafter using, disclosing and/or processing such personal data for one or more of the above Purposes. We may combine information we receive from other sources with information you give to us and information we collect about you. We may use this information and the combined information for the Purposes set out above (depending on the types of information we receive).

5.6        We may share your personal data with anyone other than as described in paragraph 5.2 of this Privacy Policy if we notify you and receive your consent beforehand.

6.        Security and retention of Personal Data

6.1        Security of your personal data is important to us. We take appropriate action to protect personal data from loss, misuse, unauthorised access or disclosure, alteration or destruction using the same safeguards as we use for our own proprietary information. All information you provide to us is stored on secure servers and any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website(s) or website/IT portal(s)/mobile application(s), you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

6.2        We will put in place measures such that your personal data in our possession or under our control is destroyed and anonymized as soon as it is reasonable to assume that (a) the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and (b) retention is no longer necessary for any other legal or business purposes.

6.3        If we outsource and entrust your personal data with data processors, we will use contractual and other means to monitor the data processors’ compliance with this Privacy Policy.

6.4        The transmission of information through the internet is not completely secure. Although we use security measures to secure your personal data, we cannot guarantee the security of your personal data transmitted through the internet and any transmission is at your own risk.

        7.        Retention of personal data

7.1        We will keep your personal data for as long as your account registered with us is being accessed.  

7.2        If your account registered with us has not been accessed over a period of [three years] or we have closed your account upon your request (“End Date”), your personal data will be retained by us for seven years after the End Date. We may retain your personal data for a longer period if it is necessary for us to do so to comply with our contractual or legal obligations, or you have consented to our continued retention of it.  

7.3        At the end of the retention period, we will ensure that your personal data, all app-related data and account-related information will be deleted. For any physical documents containing your personal data, the documents will be shredded or otherwise destroyed by means that ensure the confidential and secure destruction of the documents.

7.4        We will ensure that our data processor who we transfer your personal data to in compliance to this Privacy Policy only retain your personal data for as long as is necessary for the fulfillment of the Purposes for which your personal data has been disclosed to them and will delete personal data held if personal data is no longer required for those Purposes unless any deletion is prohibited under law or it is in the public interest for the personal data to not be deleted.

8.        Data Access and Correction

8.1        You have the right to access and/or correct any personal data that we hold about you, subject to the requirements of the applicable laws. If you would like to request for a copy of your personal data being held by us (such right being subject to applicable exemptions), or to update and correct the personal data which you have previously provided to us, please email or write to our Data Protection Officer.

8.2        We will need enough information from you in order to ascertain your identity as well as the nature of your request, so as to be able to deal with your request. We reserve the right, or may, charge a reasonable fee for the processing of any data access request.

8.3        For a request to access personal data, once we have sufficient information from you to deal with the request, we will seek to provide you with the relevant personal data within 40 days. Where we are unable to respond to you within the said 40 days, we will notify you of the soonest possible time within which we can provide you with the information requested.

8.4        In the event that we refuse to comply with a data access request under certain circumstances prescribed by the applicable privacy law, we will give you written notice and provide reasons within 40 days from receiving the request.

8.5        For a request to correct personal data, once we have sufficient information from you to deal with the request, we will correct your personal data within 40 days. Where we are unable to do so within the said 40 days, we will notify you of the soonest practicable time within which we can make the correction.

8.6        We may refuse to correct the personal data under prescribed circumstances including when we are satisfied that the personal data is accurate or the proposed correction is inaccurate. Then, we will inform you in writing of the refusal and the reasons for it.

9.        Link to Other Websites

9.1        Our website(s), website/IT portal(s)/mobile application(s) and other digital and telecommunication channels may contain links to other sites that are operated by third party companies with different privacy practices. You should remain alert and read the privacy statements of other sites. We have no control over personal data that you submit to or receive from these third parties. We take no responsibility or liability for the content and activities of these third party linked websites or their products and services.

10.        Direct Marketing

10.1        If we provide our services or interact with you in the course of engagement with a company or business entity, we intend to directly market our website and services to you in that capacity and for the use of that company or business entity.

10.2        The type of personal data we use for direct marketing purposes are:

  • your name

  • your email address

  • your telephone number

  • your home address

        

10.3        The direct marketing activities we conduct using your personal data are:

  • newsletters and our blog updates

  • promotions of our website, services or applications

  • competitions or contests held by us

  • updates in respect our website, services or applications

  • surveys in respect of our website, services or applications

  • event invitations

  • festive greetings

  • advertisements of our website, services or applications

        

10.4        If you do not expressly indicate your consent, then we may not use the types of personal data for the direct marketing activities described in this paragraph 10 of this Privacy Policy.

10.5        You may request us to cease using your personal data for direct marketing purposes at any time by emailing or writing to our Data Protection Officer, or if applicable, using the unsubscribe facility contained in the marketing message.

11.        Changes to our Privacy Policy

11.1        We may occasionally change all or part of this Privacy Policy.

11.2        Any changes will be effective immediately upon our posting of the updated Privacy Policy.

11.3        If we make any changes to this Privacy Policy, we will notify you of the changes through our website, applications or through other means such as e-mail.

11.4        If we make changes to the purposes for collecting your personal data and who we may share your personal data with or how we may use your personal data, we will notify you in advance of such changes through our applications, website or through other means such as e-mail and request your consent.

11.5        If you revoke your consent to our amendment under Clause 11.4 above, we may not be able to provide you access to our applications or provide our services to you.

12.        Complaint Process

12.1        If you have any complaint or grievance regarding about how we are handling your personal data or about how we are complying with the applicable privacy law, we welcome you to contact us with your complaint or grievance by writing to our Data Protection Officer.

12.2        Where you are sending an email in which you are submitting a complaint, your indication at the subject header that it is a privacy complaint would assist us in attending to your complaint speedily by passing it on to the relevant staff in our organisation to handle. For example, you could insert the subject header as “Privacy Complaint”.

12.3        We will certainly strive to deal with any complaint or grievance that you may have speedily and fairly.

13.        General

13.1        If applicable personal data privacy laws permit an organisation such as us to collect, use or disclose your personal data without your consent, such permission granted by the law shall continue to apply.

14.         Enquiries

14.1        For any enquiries on our privacy policy, please write to:

The Data Protection Officer can be reached at DPO@atome.hk.