Personal Data Protection & Privacy Policy
Introduction
Hero Plus (“Hero Plus”, “we”, “us”, “our”) is committed to protecting and respecting your privacy.
We are committed to the protection of the personal data we process in line with the data protection principles set out in the EU General Data Protection Regulation (EU Regulation 2016/679) (“EU GDPR”) (together referred to herein as the “GDPR”); the Hong Kong Personal Data (Privacy) Ordinance (Cap.486) as amended in 2012 (“PDPO”); and the Personal Data Protection Act, B.E. 2562 (2019) and its subordinate regulations (“PDPA”). We have aligned our data protection compliance programme to the core requirements of the GDPR, as this is considered the global “gold standard” of data protection regulation.
This privacy notice (“Notice”) explains how we treat personal information processed on our bespoke platform, Hero Plus, what we collect when you visit our website, contact us by email, phone or through one of our social channels, or through other communications. It also explains what information we collect automatically when you visit our website and the information we collect when you use our services. Without prejudice to any of the foregoing, if you provide the personal data of any other third party to us, you warrant you are duly authorized to disclose such third party’s personal data to us and the purposes which you disclosed to the third party on collection of his personal data permit us to use this personal data as set out in this Privacy Policy. Please also be aware that our clients may have their own privacy notices on their respective websites.
As a technology business, we place great importance on ensuring the quality, confidentiality, integrity and availability of the data we hold and in meeting our data protection obligations when processing personal data. We are committed to protecting the security of your personal data. We use a variety of technical and organizational measures to help protect your personal data from unauthorized access, use or disclosure. We update this Notice from time to time in response to changes in applicable laws and regulations, to our processing practices, and to the products and services we offer. When changes are made, we will update the date at the top of this document. Please review this Notice periodically to check for updates.
Version updated: 20 October 2023
Collection of Personal Data
Information provided by our clients
The categories of personal data processed by us vary between clients, but may include: Name, Job Title, Business address, Business email address, Business telephone number(s), Business financial information, Business type, Business size, Location data.
Information provided to us via our website and mobile app
We process all information you provide to us via our website and mobile app (“our site”; “our app”), by telephone, email or otherwise. This includes information you provide when you register for our services as a client, enquire about a product or service, use one of the social media functions linked to our website, or when you report a problem with our website. The categories of personal data processed by us vary between clients, but may include: (Name, Job Title, Email address, Telephone number, Device and browser information, Location data, Details about how you browse our websites and mobile app).
If you integrate third-party marketplace(s), such as Shopify or WooCommerce store(s), into Hero Plus, the additional categories of data Hero Plus collects and/or processes may include: (Inventory information, Order information, Customer information). If you use Hero Plus payment solutions, we may collect more specific information from you about your business, including but not limited to the following categories: (Payment information, Ecommerce platform).
Use of Cookies
Cookies are small data files which are placed on a data subject’s device when the data subject visits Hero Plus’s website and Hero Plus Mobile App, or clicks on Hero Plus’s online advertisements. Cookies or similar technologies are used for the following purposes:
- statistical analysis of your on-site behavior such as number of visits to our site, page views, length of time spent on each page. These are aggregated and therefore anonymous.
- provide enhanced user experience, remember your preference within our website, enable easy navigation between the public section and member owner section of our web property.
- promote personalized products using your visited pages, and the website links you have followed to:
  - make Hero Plus’s website and Hero Plus Mobile App more relevant to your interests;
  - provide online advertisements or offers on Hero Plus’s website and Hero Plus Mobile App or third-party websites which are most likely to interest you;
  - evaluate the effectiveness of Hero Plus’s online marketing and advertising programs.
The above cookies may be placed on a data subject’s device by Hero Plus or by third parties on Hero Plus’s behalf (for example, advertising networks and providers of external services like web traffic analysis services). Information recorded through the use of cookies by third parties is aggregated and then shared with Hero Plus as anonymous aggregated research data. No personal contact information about data subjects is collected or shared by third parties with Hero Plus as a result of the use of cookies.
Most web browsers are initially set up to accept cookies. Should you wish not to be tracked by this kind of technology, you can choose to ‘not accept’ cookies by changing the settings on your web browser. However, if you block all cookies, including strictly necessary cookies, you may not be able to use the Hero Plus website or the Hero Plus Mobile App.
Security of Personal Data
- Security of your personal data is important to us. We take appropriate action to protect personal data from loss, misuse, unauthorized access or disclosure, alteration or destruction using the same safeguards as we use for our own proprietary information. All information you provide to us is stored on secure servers and any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website(s) or website/IT portal(s)/mobile application(s), you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
- We will put in place measures such that your personal data in our possession or under our control is destroyed and anonymized as soon as it is reasonable to assume that (a) the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and (b) retention is no longer necessary for any other legal or business purposes.
- If we outsource and entrust your personal data with data processors, we will use contractual and other means to monitor the data processors’ compliance with this Privacy Policy.
- The transmission of information through the internet is not completely secure. Although we use security measures to secure your personal data, we cannot guarantee the security of your personal data transmitted through the internet and any transmission is at your own risk.
Retention of Personal Data
- We will keep your personal data for as long as your account registered with us is being accessed.
- If your account registered with us has not been accessed over a period of [three years] or we have closed your account upon your request (“End Date”), your personal data will be retained by us for seven years after the End Date. We may retain your personal data for a longer period if it is necessary for us to do so to comply with our contractual or legal obligations, or you have consented to our continued retention of it.
- At the end of the retention period, we will ensure that your personal data, all app-related data and account-related information will be deleted. For any physical documents containing your personal data, the documents will be shredded or otherwise destroyed by means that ensure the confidential and secure destruction of the documents.
- We will ensure that the data processors to whom we transfer your personal data in compliance with this Privacy Policy only retain your personal data for as long as is necessary for the fulfillment of the Purposes for which your personal data has been disclosed to them and will delete personal data held if personal data is no longer required for those Purposes unless any deletion is prohibited under law or it is in the public interest for the personal data to not be deleted.
Use of Personal Data
- Responding to correspondence from you: It is in our legitimate interest to respond to enquiries made through our website, by telephone, email, through our social channels or any other means.
- Processing data to facilitate client service requirements: We process personal data under written instruction, bound by the contract between us and our client.
- Business management, forecasting and statistical purposes: It is in our legitimate interest to identify areas for managing current business relationships, developing our services and conducting reasonable forecasts for our business.
- Improving our website and the overall website visitor and user experience: It is in our legitimate interest to allow analytics and search engine optimization to help improve and optimize our website. We use cookies on our website with your consent.
- Prevention and detection of crime including money laundering, fraud or other crimes: It is in our legitimate interest to identify areas for managing current business relationships, developing our services and conducting reasonable forecasts for our business.
- Responding to suggestions and complaints in order to continually improve the services we provide: It is in our legitimate interest to provide the best service to users of our website and to increase features in order to continually improve and expand the services we provide.
- Analyze and track use of our website for reporting and analytical purposes: It is in our legitimate interest to monitor our website usage in order to continually improve user experience.
- Meeting obligations, requirements and arrangements of Hero Plus, whether compulsory or voluntary, to comply with or in connection with any law, regulation, judgment, court order, voluntary code, sanctions regime applicable to Hero Plus existing currently or in the future.
- Any guidelines, guidance, rules or codes of practice or requests given, published or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, relevant stock exchange, self-regulatory or industry bodies or associations of financial service providers within or outside Hong Kong existing currently or in the future.
- Any present or future contractual or other commitment with legal, regulatory, judicial, administrative, public or law enforcement body, or governmental, tax, revenue, monetary, court or other authorities, relevant stock exchange, self-regulatory or industry bodies or associations of financial service providers or any of their agents that is assumed by, imposed on or applicable to Hero Plus.
- Complying with any obligations, requirements, policies, procedures, measures or arrangements of Hero Plus for the use of data and information for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities.
- Enabling an actual or proposed assignee or transferee of all or any part of Hero Plus’s business and/or assets, or participant or sub-participant of Hero Plus’s rights in respect of payment facilities relating to data subjects, to evaluate the transaction intended to be the subject of the assignment, transfer, participation or sub-participation and enabling the actual assignee or transferee to use such data in the operation of the business or rights assigned.
Sharing your information
All personal data held by Hero Plus will be kept confidential but Hero Plus may disclose or transfer such information to the following parties for the purposes set out in Use of Personal Data above:
- Any agent, contractor, sub-contractor or associates of Hero Plus (including its employees, officers, agents, contractors, service providers and professional advisers).
- Any third-party service provider who provides administrative, professional, advisory, telecommunication, information service, computer, payment, data processing or other services to Hero Plus in connection with the operation or maintenance of its business.
- Any other person who is under a duty of confidentiality to Hero Plus and has undertaken to keep such information confidential.
- Business partners or co-branding partners of Hero Plus, together with whom Hero Plus provides products or services to data subjects.
- Third party financial institutions, insurers, credit card companies, securities, commodities and investment services providers, third-party membership programme providers or our co-branding partners.
- External service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies).
- If sharing your personal data becomes necessary for the purposes of providing our services to you, we will only share it where appropriate safeguards are in place, such as the EU Standard Contractual Clauses (“SCCs”) with supplementary measures, to ensure your personal data is protected to the same standard expected under the GDPR.
- We may, on occasion, engage the services of a third-party sub-processor. Any such third party will act under our written instructions and will adhere to strict data protection obligations, including the implementation of appropriate technical and organizational measures which meet the processing requirements of the GDPR.
- We also use a third party for hosting infrastructure, website performance and management, error monitoring, support and other functionality. The written contract in place between us and this third party provides for the maintenance of confidentiality, security, and integrity of the information we share with them.
- Our website includes links to social media platforms (Facebook, Instagram, LinkedIn). Once you navigate away from our site via one of the links, the site may collect your IP address and may set cookies on your device. When you use one of these links, you are sharing information to another website or service and this Notice will no longer apply. Please read the privacy notices provided by the particular service website you are directed to, before posting any personal information using these links.
Direct Marketing
- Hero Plus intends to use a data subject’s data to conduct direct marketing of products or services and requires the data subject’s consent (which includes an indication of no objection) for that purpose. In this connection, please note that:
- The name, contact details, products and other service portfolio information, transaction pattern and behavior, financial background and demographic data of data subjects held by Hero Plus from time to time may be used by Hero Plus in direct marketing.
- The classes of services, products and subjects which may be marketed include payment facilities and other financial services and products, membership programmes and related products and services, products and services offered by our co-branding partners.
- The above services, products and subjects may be provided by Hero Plus, third party financial institutions, insurers, securities and investment services providers, third-party membership programme providers or our co-branding partners.
- To market, promote, and drive engagement of our products and services, we use data about you to send promotional communications that may be of specific interest to you. These communications are to drive your engagement and maximize the value of our services to you. Occasionally, we will use your name and address for marketing and promotional communications via written email, phone calls, postal mail and text messages through platforms like SMS, WhatsApp and more.
- If you do not wish Hero Plus to use your data, or provide it to any other person, for use in direct marketing as described above, you may exercise your opt-out right by notifying us:
Data Protection Officer
Hero Plus Group Limited
8/F, MW Tower, 111 Bonham Strand
Sheung Wan, Hong Kong
Email: cs@heroplusgroup.com
Your Rights
The GDPR provides you with certain rights in relation to the processing of your personal data, including to:
- Request access to personal data about you (a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully.
- Request rectification, correction, or updating of any personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request personal data provided by you to be transferred in a structured, commonly used and machine-readable format.
- Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g., if you want us to establish its accuracy or the reason for processing it).
- Object to the processing of your personal data in certain circumstances. This right may apply where the processing of your personal data is based on the legitimate interests of Hero Plus.
Some of these rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation, laws, and regulations to which we are subject. If at any time you would like to exercise any of your rights as set out above, you can contact us at cs@heroplusgroup.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
In terms of direct marketing communications, your personal data is stored for marketing purposes as long as you have not objected to such marketing communication and/or the subscription to the email newsletter is active, as the case may be. Similarly, you can opt out of receiving our direct marketing communications at any time through our unsubscribe or opt-out mechanisms provided, or by contacting us at cs@heroplusgroup.com.
If an opt-out request is received, you may still receive communications from us for up to ten (10) business days as we process the opt-out request. We reserve the right to continue sending out communications regarding service announcements, administrative messages, and accounts administration relating to Hero Plus that are necessary to our relationship with you. All data will be processed in accordance with this Privacy Policy.