ClickedHK | Your Digital Success One Click Away

Privacy Policy

ClickedHK (“we”, “us”, or “our”) is a digital marketing agency based in Hong Kong. We are committed to protecting your personal data and privacy. This Privacy Policy explains what information we collect from you, how we use and safeguard it, and your rights. It is designed to comply with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) and its six Data Protection Principles (DPPs) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). By using our website (the “Site”) or providing us with your information, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Site or submit personal data.

Scope: This policy applies to personal data collected through our website, including through contact forms, email newsletter sign-ups, and analytics tools. Note that our Site does not offer user accounts or login/registration functionality at this time. We currently serve users in Hong Kong, but we may serve international clients in the future – this policy covers current practices and our approach to future international data considerations.

Updates: We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Updated versions will be posted on this page with a new effective date. We encourage you to review this Policy periodically. Your continued use of the Site after any changes signifies your acceptance of the updated Policy. If changes are significant, we may provide additional notice (e.g. via email if we have your contact details).

What Personal Data We Collect

We only collect personal data that is relevant and necessary for the purposes stated in this Policy (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). The types of information we collect fall into two categories: (1) information you voluntarily provide to us, and (2) information collected automatically through technology (cookies and analytics).

1. Information You Provide to Us

You may choose to provide personal data directly in various situations, including:

Contact Forms: If you fill out a contact or inquiry form on our Site, we collect the information you provide. This typically includes your name, email address, phone number, company/organization, and the content of your message or inquiry. We use this data to respond to your requests or questions. Providing this information is voluntary, but if you do not provide the required fields (marked on the form), we may be unable to contact you or fulfill your specific request (for example, we need your email address to respond to an inquiry) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)).
Email Newsletter Sign-Up: If you subscribe to our newsletter or marketing emails, we collect your email address (and possibly your name). This allows us to send you updates, marketing materials, or news about our services. Subscribing is entirely voluntary, and you can unsubscribe at any time (see Your Rights below for how to opt out). We use a third-party email service (such as Mailchimp) to manage our mailing list, so your email address will be stored with that provider (see Third-Party Services below for details).
Other Voluntary Submissions: If you contact us via email, phone, or other means (outside the website), or if you provide information during our business interactions (e.g. giving us your business card or emailing us an inquiry), we may keep a record of that correspondence which could include your name, contact details, and any other information you choose to share. We will treat such information in accordance with this Privacy Policy.

We do not intentionally collect sensitive personal data (such as ID numbers, financial information, health information, etc.) via our Site, and we ask that you do not provide such data in the contact forms or email sign-ups. The personal data we collect is generally limited to contact information and any details relevant to your business inquiries.

2. Information Collected Automatically (Cookies & Analytics)

When you visit our Site, certain information is collected automatically from your device, browser, and usage of the Site. This data helps us understand how our site is used and improve its performance and security. The information collected automatically may include:

Device and Browser Data: Your IP address (which may identify your general location), browser type and version, device type (e.g. mobile or desktop), operating system, language settings, and screen resolution. Our web server may log this information when you visit the Site (Privacy Policy Statement).
Usage Data: The pages or content you view, the time and duration of your visit, referral URL (the page you came from), and clickstream data (actions you take on our Site). This usage information is generally collected in aggregate and is not used by us to identify you by name. We use it for statistical analysis of site performance and user engagement (for example, to see which pages are most visited (Privacy Policy Statement)).
Cookies and Similar Technologies: We use cookies and similar tracking technologies (like web beacons or pixels) on our Site. Cookies are small text files stored on your browser that allow us or third parties to recognize your device. On our Site, cookies may be set by us or by third-party services (described below under Third-Party Services). These cookies may collect information about your browsing behavior and preferences. For example, we use cookies to remember your preferences and settings, to facilitate certain features, and to analyze site traffic. Our cookies by themselves do not collect information that personally identifies you (they typically collect device identifiers and usage data). However, some cookies (especially third-party analytics or advertising cookies) may be able to tag or identify you across multiple sites over time. We provide more detail on cookie use in Cookies and Tracking Technologies below, including how you can manage or block cookies.

3. Third-Party Embedded Content

Our Site may include embedded content or functionalities provided by third parties. Examples include:

Analytics and Advertisements: We use third-party analytics services (like Google Analytics) and advertising pixels (like Facebook Pixel) which are embedded in our pages. These tools set cookies and collect data (such as IP address and browsing activity) from visitors for purposes of analytics and online advertising. They may combine this information with data they hold from your use of other sites. This means that, for example, Google or Facebook might recognize you as a visitor to our Site and understand your browsing behavior. We do not receive personally identifying information from these analytics and advertising tools — we only see aggregated reports. However, the third-party providers do process personal data for their own purposes. Please refer to Third-Party Services below for more on how these services work and how you can opt out.
Embedded Videos or Social Media Content: Occasionally, we might embed content from other platforms (for example, a YouTube video, a Google Map, or social media feed). Viewing or interacting with this embedded content is the same as visiting the third-party website directly. Those third parties may collect data about you, use cookies, or require you to log in to their service to interact. We do not control the data collected by these third-party embeds. For instance, if we embed a YouTube video, YouTube may set cookies that track your viewing; if we embed a social media post (like an Instagram photo or a Twitter feed), those platforms may receive information about your visit. We encourage you to review the privacy policies of any third-party services from which content is embedded on our Site.

Important: Any information collected by third-party services via our Site is subject to those third parties’ own privacy policies. We do not have direct control over how they handle the data they collect through their widgets or scripts. We list the third-party services we use in the next section and provide information on how you can learn more about their practices or opt out.

How We Use Your Personal Data

We use personal data collected from you for purposes that are clear, necessary, and directly related to our business functions and your requests (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). We will not use your personal data for any new purpose that is unrelated to the original reasons you provided it, unless we obtain your “prescribed consent” (i.e., express voluntary consent) in advance (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). Below are the specific purposes for which we collect and use data:

To Respond to Inquiries and Provide Services: When you contact us via a form, email, or phone, we use your provided information to communicate with you and address your inquiry. For example, if you ask about our marketing services, we will use your contact details and message information to respond with the requested information.
To Send Newsletters and Marketing Communications: With your consent, we use your email address to send our newsletter or promotional emails about our services, events, or updates. You will receive such communications only if you have opted in (for example, by subscribing on our Site or requesting such information). We comply with Hong Kong’s direct marketing requirements: we will always obtain your consent before using your personal data (e.g., your email) for marketing, unless an exemption applies. You have the right to opt out of marketing emails at any time (see Your Rights below). Every marketing email from us will include an “unsubscribe” link or instructions to opt out.
For Analytics and Site Improvement: We use data collected through cookies and tools like Google Analytics to understand how users interact with our Site, which pages are visited, how long users stay, and other usage patterns (Privacy Policy Statement). This helps us improve the website content, layout, and performance. For instance, aggregate analytics might tell us that a certain page is frequently visited or that users drop off at a certain point, guiding us to improve that area. These analytics are performed on an aggregate basis – we look at trends and statistics, and do not use analytics data to single out individual users.
For Advertising and Remarketing: We use the Facebook Pixel (and similar advertising cookies) to help us with our digital marketing on social media and other websites. The Pixel enables us to show relevant advertisements on Facebook or Instagram to people who have visited our Site, or to measure the effectiveness of our Facebook ads. For example, if you visit our Site, you might later see an ad from us on Facebook. The data used for this is pseudonymous (we do not know exactly which individual sees the ad, but Facebook may use your browsing behavior to categorize and display ads). We will not use such tracking unless you have permitted cookies via your browser or device settings. You can also control this via the cookie preferences (see Cookies and Tracking Technologies below).
To Maintain Site Security and Prevent Misuse: We may use data (like IP addresses and cookie data) to protect the security of our Site, our servers, and our users. This includes using spam detection services or CAPTCHA tools to prevent abusive submissions (for example, automated spam through our contact form) and detecting and mitigating malicious activities. For instance, if several failed form submissions or suspicious activities from a particular IP address are detected, we might block that IP for security. We also log access to our Site to monitor for potential threats. Such processing is necessary to keep our website safe and functional.
To Comply with Legal Obligations: If we are required by Hong Kong law or other applicable laws to collect, use, or disclose personal data, we will do so. For example, we may retain certain transaction records if needed for tax or accounting regulations, or disclose information to government authorities if we are compelled by law or court order. We will only disclose the minimum necessary data in such cases (see Data Sharing below for more).
Other Purposes Directly Related to the Above: We may use your data in ways that are directly related to the original purpose for which it was collected. For example, if you provided your information to inquire about our services, we may also use it to follow up with you afterwards to see if you need further assistance or to send you a satisfaction survey. We will always ensure any such use is in line with what you would reasonably expect and compliant with PDPO’s requirements.

Legal Basis (PDPO Compliance): Our collection and use of personal data is done in accordance with the PDPO’s Data Protection Principles. This means we collect data for purposes related to our functions or activities and not in an excessive manner (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). In practice, when you voluntarily provide information to us (e.g., submitting a form or subscribing to emails), we interpret that as your consent to use the data for the stated purpose. In cases where PDPO or other laws require explicit consent (for instance, using your data for direct marketing when it was collected for another purpose), we will obtain your express consent. We also ensure that we inform you of the purpose of collection and the classes of persons your data may be transferred to, at or before the time of collection, as required by law (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). We do not use your data for any other purposes unless permitted by law or with your consent.

Cookies and Tracking Technologies

Cookies and similar tracking technologies play a vital role in how we and our partners collect information automatically. Here we explain how we use them and how you can manage your preferences:

Types of Cookies We Use: Our Site uses both first-party cookies (set by our domain) and third-party cookies (set by external services). They can be categorized as:
- Necessary Cookies: These are essential for the website’s core functionality. For example, if our site has a form protected by a CAPTCHA, a cookie might be used to validate that the form submission is by a human. We may also use a cookie to remember your cookie consent choices (so that the site knows whether you have allowed analytics cookies or not). Necessary cookies are generally enabled by default, and the site may not function properly without them (for instance, as PCPD notes, if you disable certain cookies, online forms may not work (Privacy Policy Statement)).
- Analytics Cookies: These cookies collect information about how visitors use our Site. We use Google Analytics cookies to gather data on site usage (e.g., pages visited, time spent, traffic sources). Google Analytics may use cookies such as _ga, _gid, etc., to distinguish users and throttle request rates. The information generated by these cookies (including your IP address in anonymized form, if we have enabled IP anonymization) will be transmitted to and stored by Google on servers outside Hong Kong (likely in the United States or other countries). We use these analytics to improve our services – for example, understanding which pages are popular, or detecting site navigation issues. We do not use analytics cookies to personally identify you, and we do not obtain personal details like your name from Google Analytics. Google’s ability to use and share information collected by Google Analytics about your visits to our Site is governed by Google’s privacy policies.
- Advertising and Social Media Cookies: These cookies are set by third parties like Facebook when you visit our Site. The Facebook Pixel, for instance, sets cookies (such as fr or *_fbp) that help track your activity for advertising purposes. These cookies allow us to later show you ads on Facebook or measure ad performance. They also enable features like social sharing or “like” buttons if present. Such cookies can track your browser across other sites that use the same third-party service. We only implement these cookies to enhance our marketing and connect with our audience on other platforms.
- Preference Cookies: If applicable, these cookies remember your choices and preferences (e.g., if our Site offers options like text size or language selection, a cookie might save that). Currently, our website is primarily English and does not have complex preference settings for users, so this is minimal (perhaps limited to remembering if you’ve seen a notification banner or similar).
Cookie Consent: When you first visit our Site, you may see a banner or notice about cookies. By continuing to use the Site, you are agreeing to our use of cookies as described. You can choose to reject or delete cookies at any time (see below), but note that certain essential features might not work if cookies are disabled. Hong Kong law does not currently require explicit cookie consent for regular use, but we aim to be transparent about our cookie practices. If you prefer not to be tracked by analytics or advertising cookies, see the “Managing Cookies” section below for your options.
Managing Cookies: You have the right to accept or reject cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. You can also delete cookies that have already been set. Check your browser’s help documentation for how to manage cookies settings (for example, in Chrome, Firefox, Safari, Edge, etc.). Additionally:
- For Google Analytics: Google provides an opt-out browser add-on that you can install to prevent your data from being used by Google Analytics on any website.
- For Facebook and other Ads: You can adjust your ad preferences on platforms like Facebook to control whether you see targeted ads. Also, services like the Digital Advertising Alliance offer tools to opt-out of behavior-based advertising from participating companies.
- Note that opting out of advertising cookies doesn’t mean you will no longer see any ads; it means the ads will not be personalized using information collected through tracking cookies.
Do Not Track Signals: Some browsers have a “Do Not Track” (DNT) feature that sends a signal to websites indicating you do not wish to be tracked. Currently, our Site does not respond to DNT signals in a differentiated way. Given the standard is not yet uniform, we treat visitors equally, but we provide the controls as described above for cookie management. We will reevaluate this as standards evolve.
Third-Party Cookies Disclaimer: As mentioned, cookies set by third parties (like Google or Facebook) are controlled by those parties. We do not have direct access to the information these third-party cookies collect (though we may receive aggregated reports from them). Those third parties may be able to identify you across other sites and services due to these cookies. Please refer to their privacy policies for details on what data they collect and how it’s used. We have provided links or references in the section below for some key third-party services we use. By using our Site, you understand that your personal data may be processed by these external providers as described. If you do not consent to that, you should adjust your browser settings or opt-out as described, or refrain from using our Site.

Third-Party Services and Links

In operating our website and providing our services, we rely on a number of trusted third-party service providers. This section explains who these third parties are, what services they provide for us, and what data might be shared with or collected by them. We also address external links on our Site. We take care to engage reputable providers and we only share or allow access to personal data to the extent necessary for them to perform their functions. However, these third parties have their own privacy practices which we do not control.

1. Analytics – Google Analytics: We use Google Analytics, a web analytics service provided by Google LLC (headquartered in the United States). Google Analytics uses cookies and similar technologies to collect information about site usage (as detailed in Cookies above). Google processes this information to compile reports for us on website activity and usage. This helps us understand user behavior and improve our Site. The data typically shared with Google Analytics includes: your IP address (which Google may truncate/anonymize in some cases), browser/device info, and actions on our Site. We have configured Google Analytics to not collect any direct identifiers such as your name or email. Google acts as a data processor for us, but it may use the data for its own analytics purposes as well. All information collected via Google Analytics is subject to Google’s Privacy Policy. You can opt out of Google Analytics tracking as described in Cookies. We do not share any of the personal data you provide (like form submissions) with Google Analytics.

2. Advertising – Facebook Pixel: Our Site uses the Facebook Pixel, a piece of code from Meta Platforms, Inc. (Facebook) which allows us to track conversions from Facebook ads and to serve targeted advertisements to users on the Facebook platform (including Instagram, which is owned by Meta). The Pixel collects data such as page URLs, your Facebook cookie ID, and some technical information about your browser. Facebook matches this data with its registered users (if you have a Facebook/Instagram account and are logged in or have their cookies) and provides us with anonymized insights, such as how many users who saw our Facebook ad later visited our Site or took a certain action. This helps us measure our advertising ROI and reach people likely to be interested in our services. We do not receive personal information like your name or profile from the Pixel; we just get aggregate data. However, Facebook does process personal data through the Pixel for its own ad targeting system. For information on how Facebook uses data collected via the Pixel, please see Facebook’s Data Policy on their website. If you want to opt out of Facebook Pixel tracking, you can use browser tools or ad blockers that block Facebook scripts, or adjust your ad settings in your Facebook account (e.g., use the Facebook provided opt-out settings or industry opt-out tools).

3. Email Marketing – Mailchimp: We use Mailchimp (operated by The Rocket Science Group LLC, based in the USA) to manage our email newsletter and mailing list. If you subscribe to our newsletter, the information you provide (e.g. your name and email address) will be stored on Mailchimp’s servers. We use Mailchimp to design and send out emails to our subscribers. Mailchimp provides statistics on email open rates, link clicks, etc., which help us gauge engagement. When you unsubscribe from our emails, Mailchimp will record that to ensure you no longer receive messages. Mailchimp may also track whether an email was delivered or whether you interacted with it (through tiny images called beacons in the email). We have a data processing agreement with Mailchimp to ensure they protect your data, and they have committed to compliance with applicable data protection laws. Your personal data (email, name) is only used for sending you emails you signed up for and for no other purpose. You can review Mailchimp’s privacy policy on their website for more information on how they handle subscriber data. If you wish to unsubscribe, you can click the “unsubscribe” link at the bottom of any of our newsletters or contact us directly.

4. Spam Detection and Site Security – reCAPTCHA / Akismet: To protect our Site from spam and abuse, we may use tools such as Google reCAPTCHA or Akismet (for form submissions or comments, if any). reCAPTCHA (by Google) helps verify that a human is submitting our contact form and not a bot, by collecting hardware and software information (like device and application data) and sending it to Google for analysis. This may include sending your IP address and possibly other behavioral data (mouse movements, time spent) to Google. Akismet (by Automattic) is used primarily on blogs to detect spam comments; if our site has a blog comment feature, information like your comment text, name, email, IP address, etc., could be sent to Akismet’s servers to check if it’s spam. These services process data solely to determine whether a submission is likely spam or abusive. We implement them to ensure our systems remain secure and usable. Data submitted for spam checking is not used for marketing or any other purpose. By using our forms, you acknowledge that such anti-spam tools may be in operation and that the data you submit will be processed by these providers for spam prevention. Both Google and Automattic have their own privacy policies covering this processing.

5. Embedded Third-Party Content: As noted earlier, our Site might embed content (videos, maps, feeds) from third-party platforms like YouTube, Vimeo, Facebook, Instagram, Twitter, Google Maps, etc. When you interact with embedded content, those third parties may collect data about you (such as your IP address, browser info, and any interactions). For example, watching an embedded YouTube video on our page is subject to YouTube/Google’s data collection (they might record that your IP watched the video). We do not share any data directly with these providers beyond the fact that you are loading their content through our Site. If you are logged into those services (e.g., your Google account or Facebook account), the embedded content might be associated with your profile on those platforms. We recommend reviewing the privacy settings and policies of any platform you interact with. We are not responsible for how these third parties handle data; we simply make use of their embedding features for your convenience or better user experience.

6. Other Service Providers: In addition to the above, we may employ other third-party companies and individuals to facilitate our website operations or deliver services on our behalf. Examples include website hosting providers, IT support, and data storage/backup services. These third parties may have incidental access to personal data (e.g., a support technician could see data while troubleshooting an issue, or our hosting provider stores data on their servers). In all such cases, we ensure through contracts that these providers are bound to confidentiality and must protect personal data in compliance with PDPO and this Policy (Privacy Policy Statement). They are not permitted to use your data for any purpose other than providing the contracted service to us.

7. External Links: Our website may contain links to external websites that are not operated by ClickedHK. For example, we might link to an article of interest or to our social media pages. If you click on a third-party link, you will be directed to that third party’s site. This Privacy Policy applies only to our Site, so we strongly advise you to review the privacy policy of any external site you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. Clicking on those links is at your discretion, and providing data to those external sites is your choice. We cannot be responsible for how they collect or use your data.

No Selling of Personal Data: We want to emphasize that we do not sell or rent your personal information to any third parties for their own marketing or other independent use. Any sharing of data with third parties is strictly limited to the service providers and circumstances outlined above, and always for purposes consistent with those for which the data was collected.

Data Sharing and Disclosure

We treat your personal data with care and confidentiality. We do not disclose your personal data to third parties except as described in this Policy, or as permitted/required by law. Here are the circumstances under which we may share data and with whom:

Service Providers (Data Processors): As described in the Third-Party Services section, we share data with vendors who provide services on our behalf (such as our analytics, email distribution, hosting, and security service providers). These companies process data only under our instructions and for the purposes we’ve described. We ensure they are under contractual obligations to safeguard your data and use it only for the agreed-upon services (Privacy Policy Statement). For example, our email marketing provider holds your email address to send you our newsletters (and not for their own purposes), and our IT hosting provider stores data on secure servers and will not access or disclose it without authorization.
Within Our Corporate Group: If ClickedHK is part of a group of related companies (e.g., subsidiaries or affiliates), we may share data with those affiliated entities if necessary for internal administrative purposes or to provide our services to you. (At present, ClickedHK primarily operates as a single entity in Hong Kong. Should that change, we will update this section.) Any intra-group sharing would still comply with PDPO and this Policy.
Legal Requirements and Safety: We may disclose personal data if we believe in good faith that such disclosure is necessary to: comply with any applicable law, regulation, legal process, or governmental request (e.g., to comply with a court order or a request from law enforcement or regulatory authority); protect our rights, property, or safety, or those of our clients, users, or others; investigate or assist in preventing any violation of law or this Privacy Policy, including potential fraud or security issues. For instance, if required by the Hong Kong authorities to produce certain records for an investigation, we will comply after verifying the request’s validity. We will endeavor to notify you if your data is being requested by law enforcement, unless legally prohibited from doing so.
Business Transfers: If ClickedHK undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or a portion of our assets, personal data held by us may be among the assets transferred to the buyer or new company. We would ensure that any such transfer is subject to confidentiality and that your personal data remains protected. If a transfer results in a material change in the handling of your personal data, we will notify you (e.g., via a prominent notice on our Site or via email) and give you any choices your data protection rights allow.
With Your Consent: Apart from the cases above, if there is any situation where we would like to share your personal data with a third party for a new purpose (for example, if a partner company would like to offer you a product or service and we think it may interest you), we will only do so with your explicit consent. You have the right to refuse such sharing. We currently do not have such data-sharing arrangements in place, so any new initiative of this kind would involve reaching out to you for permission.

Disclosure of Non-Personal Data: We may share aggregate or anonymized information that cannot personally identify you, for any legitimate business purpose. For instance, we might share statistics about overall website traffic or the number of inquiries received, without revealing any individuals’ identities.

We want you to rest assured that we do not indiscriminately disclose your information. Any third party that receives personal data from us must have a legitimate need and, except as required by law or described, will be acting on our behalf as a service provider. We also ensure that the classes of persons to whom data may be transferred (e.g., our service providers, authorities, etc.) have been communicated to you either in this Policy or at the point of data collection, fulfilling our notification obligations under PDPO (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)).

International Data Transfers

As a Hong Kong-based company, we primarily store and process personal data in Hong Kong. However, some of our third-party service providers are located in other jurisdictions (for example, the United States, where Google, Mailchimp, and Facebook are based). This means the personal data we collect might be transferred to or accessed from countries outside of Hong Kong. For instance:

Data collected through Google Analytics and Facebook Pixel is transmitted to Google’s and Facebook’s servers which may reside outside Hong Kong (often in the U.S. or other locations).
If you subscribe to our newsletter, your email data is stored on Mailchimp’s servers in the U.S.
Any other cloud or IT service we use may involve storage in data centers outside Hong Kong.

Hong Kong’s PDPO includes provisions (notably Section 33) intended to regulate cross-border data transfers, ensuring that personal data is afforded protection comparable to that under the PDPO before it is sent outside Hong Kong (Data Protected Hong Kong | Insights | Linklaters) (Data Protected Hong Kong | Insights | Linklaters). While Section 33 is not yet in force as law, we follow its spirit as a best practice. This means that whenever we transfer personal data overseas, we take steps to ensure your data is safeguarded. These steps include:

Equivalent Protection: We will only transfer data to jurisdictions that are officially deemed to have comparable data protection laws to Hong Kong, or ensure the recipient provides a standard of protection similar to the PDPO. For example, our contracts with service providers (like Mailchimp) include clauses to protect your data, aligning with Hong Kong’s requirements. The Privacy Commissioner in Hong Kong has issued recommended model contractual clauses for cross-border transfers (Data Protected Hong Kong | Insights | Linklaters), which we use as applicable to contractually require that your data is handled with care and security.
Your Consent for International Transfers: In cases where we might need to transfer your data to a third party or jurisdiction not offering comparable protection, we will seek your consent. By using our Site and providing information, you are deemed to consent to the transfer of your data outside Hong Kong in the situations described, but we will explicitly inform you and obtain consent if any transfer goes beyond what is outlined here.
Secure Transfer: We use encrypted connections (HTTPS) for our website, which means that data you submit to us is encrypted in transit from your browser to our servers. For transfers between us and our service providers, we also rely on secure protocols. This helps protect your data as it crosses borders over the internet.

If you reside in a country outside Hong Kong, please note that we will handle your personal data as described in this policy and in accordance with PDPO. We recognize that other jurisdictions (for example, those in the European Union, or mainland China) have their own data protection laws. Should we begin serving a significant number of users from other jurisdictions, we will ensure compliance with any additional applicable requirements (and update this policy accordingly). Our aim is to maintain a high standard of privacy protection globally. If you have questions about our data transfer practices, feel free to contact us.

Data Retention

We will not keep your personal data longer than is necessary for the purposes for which it was collected (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)), unless a longer retention period is required or permitted by law. In practice, this means:

Inquiry Data: If you contact us with a question or request, we will retain your contact information and correspondence for as long as it is needed to respond to you and carry out any follow-ups. Typically, we may keep inquiry records for a certain period (e.g., 1 year) after resolving your request, in case you have additional questions or for our own administrative records. If an inquiry leads to a business relationship or contract, we may retain the information as part of our client records (which may be kept for several years, depending on legal requirements like contract limitation periods). If no further contact or business occurs, we will delete or anonymize the inquiry data after a reasonable period.
Newsletter/Marketing Subscribers: We retain your email address and any other info you provided for the newsletter for as long as you remain subscribed. If you unsubscribe or opt out, we will promptly remove you from the active mailing list. We may however keep your email on a suppression list (a record that you opted out) to ensure we don’t accidentally send you emails in the future, as required by anti-spam best practices. This suppression record will be maintained indefinitely or as required to honor your opt-out request. If you want your data fully erased from our mailing records, you can contact us (but note we may keep a minimal record like your email to avoid re-adding it inadvertently).
Analytics Data: Data collected via Google Analytics is retained per Google’s data retention settings. We have set our Google Analytics to retain user-level and event-level data for a limited period (for example, 14 months) after which it is deleted automatically from Analytics’ servers. The reports we see are aggregated and do not include identifiable personal data. We do not separately store personal data from analytics beyond this. Any aggregated analytics reports may be kept longer for historical analysis, but those do not identify individuals.
Server Logs: Our web servers and security systems may keep logs of visits, which include IP addresses and visit timestamps. These logs are generally kept for a short period (typically a few months) for performance tuning, security monitoring, and troubleshooting purposes. Unless they are needed for an investigation of malicious activity, we purge or anonymize logs regularly.
Client Data (if any): In the event we collect or process personal data as part of delivering services to clients (for example, if a client provides us with a mailing list to run a campaign), our retention of that data will be governed by our agreement with the client and the expectation set when the data was collected. We will not retain such data longer than instructed by our client or necessary for the service. (This mostly applies to our role as a data processor for clients; as of now, our Site itself doesn’t collect such data directly from individuals aside from what’s already described.)
Legal and Regulatory Requirements: We may need to retain certain data for longer periods if required to comply with law or regulatory obligations, or for resolving disputes. For example, if a law requires we keep records of transactions or communications for a certain time (e.g., financial records for 7 years for tax purposes), we will retain the data for that period. Additionally, if any legal claim or complaint is anticipated, we may retain relevant data until the issue is resolved. PDPO Section 26 also requires that we erase personal data once we have no legitimate need to keep it (The Personal Data (Privacy) Ordinance - PCPD), so we are careful not to keep data indefinitely without purpose.

After the retention period expires, or upon your request (where applicable), we will either securely delete your personal data, anonymize it (so it can no longer be associated with you), or isolate it (put it beyond active use) if deletion is not immediately feasible. For example, deletion might not be immediate if data is stored in backups; in such cases, we will ensure it is not used and delete it when backups are cycled.

Data Security

We take appropriate security measures to safeguard the personal data we hold, as required by PDPO’s Principle 4 (security of personal data) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). We understand the importance of your data’s safety. However, please be aware that no method of transmission over the Internet, or method of electronic storage, is completely secure. We strive to protect your personal data, but we cannot guarantee 100% security (Privacy Policy - William Select) (Privacy Policy - William Select). In particular, ordinary email communications or web forms are not encrypted from end to end, so take care in deciding what information you send us.

Security Measures We Implement:

Encryption: Our Site is protected by HTTPS encryption. This means any data you submit via our website (such as form details) is encrypted in transit between your browser and our server. We also employ encryption for data at rest where feasible, especially for sensitive information. For example, if we were to store passwords (not applicable now since no user accounts on our Site), they would be hashed/encrypted.
Access Controls: Personal data collected is stored in secure systems to which only authorized personnel have access. For instance, access to our email subscriber list or contact inquiry list is limited to staff who need to manage those functions (e.g., marketing team for newsletters, sales/client service team for inquiries). Each authorized person is trained on confidentiality and bound by privacy obligations. We enforce the principle of least privilege (people only access what they truly need).
Firewalls and Network Security: Our servers are protected by firewalls and monitoring systems to prevent unauthorized external access. We keep our systems updated with security patches to protect against vulnerabilities. We also use anti-malware and intrusion detection systems to guard against cyber attacks.
Third-Party Data Security: When we use third-party services (like those listed above), we choose providers that are reputed for strong security practices. We also review their security measures and certifications where applicable. For example, Mailchimp and Google have robust security in place and comply with industry standards. We ensure by contract that any data shared is kept secure and confidential by the provider (Privacy Policy Statement).
Physical Security: To the extent any personal data is stored or accessed at our physical office (e.g., via secure laptops or in paper form), we have measures to prevent unauthorized physical access. Offices are secured, and paper records (if any) are kept in locked cabinets with restricted access.
Periodic Reviews: We periodically review our security procedures and update them in line with technological advancements and emerging threats. Our privacy team or data protection officer (if appointed) monitors compliance with our security policies. In case of any identified risk, we take prompt action to mitigate it.

Despite all our efforts, it’s important for you to recognize your role in protecting your own data. We advise that you use strong, unique passwords for your email and any online accounts, be cautious about phishing attacks, and do not share sensitive personal data in unprotected forms or emails. If you have particular concerns about the security of your personal data, you may choose not to send certain information over the internet (Privacy Policy - William Select).

Data Breach Procedures: In the unlikely event of a data breach (for example, unauthorized access to our systems or a mistaken disclosure), we will act swiftly to contain and investigate the breach. We will notify affected individuals and the Hong Kong Privacy Commissioner (PCPD) as required by applicable laws or guidance. Although PDPO currently does not mandate breach notifications by law, it is considered a good practice; we will follow the latest guidance from PCPD in this regard. We will also take steps to prevent similar incidents in the future.

Your Rights Under PDPO

As a user of our Site and as a data subject in Hong Kong, you have certain rights regarding your personal data under the Personal Data (Privacy) Ordinance. We are committed to honoring your rights and facilitating your exercise of them. These rights include:

Right to Access Your Data: You have the right to request confirmation of whether we hold any personal data about you, and to request a copy of such data (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). This is known as a Data Access Request (DAR). Upon request and after verifying your identity, we will provide you with the personal data we have about you, within the timeframe required by law (usually within 40 days) (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). We will also give you information about how the data has been used, if you ask.
Right to Correct or Update Your Data: If any of your personal data we hold is inaccurate or outdated, you have the right to request correction or update of that data (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). Upon your request, we will rectify any wrong or incomplete information, and if appropriate, notify any third parties who have received the inaccurate data so they can correct their records as well.
Right to Opt-Out of Direct Marketing: Hong Kong law gives you the right to opt out of having your personal data used for direct marketing purposes. If at any time you prefer not to receive marketing or promotional emails from us, you can opt out by clicking the unsubscribe link in those emails or contacting us directly with your request. Once you opt out, we will cease using your data for direct marketing. There is no fee for opting out of marketing – we will process your request as soon as possible.
Right to Withdraw Consent (where consent was given): In cases where we rely on your consent to process data (for example, if you consented to receive newsletters or allowed optional cookies), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing done before your withdrawal, but it means we will stop the specific processing going forward. For instance, if you withdraw consent for newsletters, we will stop sending them. If you withdraw consent for analytics cookies, you should adjust your browser settings as described in Cookies, and we will honor that choice.
Right to Request Data Erasure: PDPO does not explicitly grant a broad “right to be forgotten” as in some other jurisdictions, but because we will not keep data longer than necessary (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)), you effectively have the ability to request deletion of data that is no longer needed. If you believe we are retaining certain data about you without a justified purpose, you may request us to delete it. We will evaluate such requests in line with PDPO’s requirements. If the data is still needed for the stated purposes or we are legally required to keep it, we will inform you; otherwise, we will proceed to erase it. For example, if you simply no longer want us to have your contact info on file and there’s no ongoing need, we will delete it upon confirmation.
Right to be Informed: You have the right to be informed about why we collect your data and how we use it, at the time of collection. We fulfill this through this Privacy Policy and the notices on our forms, ensuring transparency as required by PDPO DPP1 (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). If you have any questions about our data practices beyond what’s in this Policy, you have the right to ask us for further information, and we will gladly provide it.
Right to Object or Limit Processing: While PDPO doesn’t explicitly enumerate a right to object to processing as GDPR does, you can still express any concerns to us about how we are handling your data. For example, if you are uncomfortable with a particular use, you can let us know and we will consider if we can accommodate your request (if, for instance, it’s a use not integral to our service). We value your privacy and will try to be flexible where possible.

To exercise any of the above rights, please contact us (see Contact Us section below). For data access or correction requests, it is helpful (but not required) to use the PCPD’s Data Access Request Form (Form OPS003), which is a standard form to ensure we have enough information to process your request (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). We may need to verify your identity (to ensure we don’t give your data to someone else), and clarify your request if it’s not specific.

Response Time: We will acknowledge and act on your request as soon as possible. Under PDPO, we are required to respond to data access and correction requests within 40 days (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)). Our goal is to respond much sooner. If for some reason we cannot fully comply within 40 days, we will inform you in writing of the reason and the timeframe by which we will respond (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)).

Fees: The PDPO allows organisations to charge a reasonable fee for processing a Data Access Request (for example, to cover photocopying or administrative costs) (Privacy Policy - William Select). To date, ClickedHK has not charged fees for routine requests. However, we reserve the right to charge a reasonable fee for excessive or repetitive access requests, or where allowed by law (Privacy Policy - William Select). We will inform you in advance of any fee and obtain confirmation to proceed. There is no fee for correction requests or for requests to opt out of marketing.

We will do our utmost to honor your rights and ensure your personal data is accurate and secure. If you exercise any of these rights, we will not discriminate against you or refuse you our services (however, do understand that deleting or restricting data might affect our ability to serve you).

Children’s Privacy

Our services and Site are not directed to individuals under the age of 18. We do not knowingly collect personal data from children or minors. If you are under 18, please do not use our Site or provide any personal data to us. In the event we discover that we have inadvertently collected personal information from a child, we will delete that information promptly. If you are a parent or guardian and believe we might have any information from or about a minor, please contact us so we can take appropriate action.

Changes to this Privacy Policy

We may modify or update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or for other operational reasons. When we make changes, we will revise the “Last Updated” date at the top of this Policy. If changes are significant, we will provide a more prominent notice (such as posting a banner on our Site or sending an email notification for those affected, if we have your email). We encourage you to review this page periodically to stay informed about how we are protecting your information.

Your continued use of our Site or services after any changes to this Privacy Policy constitutes your acceptance of the updated terms, to the extent permitted by law (Privacy Policy - William Select) (Privacy Policy - William Select). If you do not agree to the changes, you should stop using the Site and contact us if you wish to have your data removed. We will not reduce your rights under this Privacy Policy without your consent, and any changes will be in compliance with PDPO and other applicable privacy laws.

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please reach out to us:

Email: connect@clickedhk.com

When you contact us about your personal data, please provide sufficient information for us to verify your identity (to ensure we don’t disclose data to the wrong person) and to process your request. For example, if you are requesting data access, specify what data or interaction (e.g., “newsletter subscription under email ___”) your request pertains to. We will respond as soon as possible, and certainly within the timeframes required by law (The meaning of "personal data" and the six data protection principles | Community Legal Information Centre (CLIC)).

We hope this Privacy Policy provides a clear understanding of how your personal data is handled at ClickedHK. We take your privacy seriously and are dedicated to protecting it in compliance with Hong Kong PDPO and applicable standards. If you feel that we have not addressed your questions or you have a complaint, please contact us and we will do our best to resolve it. In Hong Kong, you also have the right to contact the Office of the Privacy Commissioner for Personal Data (PCPD) for assistance or to lodge a complaint. However, we encourage you to contact us first so we can address your concerns directly.

Thank you for trusting ClickedHK with your personal data. We value your engagement and will continue to safeguard your privacy with care and transparency.