We want you to understand why and how we collects, uses, discloses, and/or processes your Personal Data (as defined below) under Hong Kong’s Personal Data Privacy Ordinance (Cap. 486) (the “PDPO”) and the European General Data Protection Regulation (the “GDPR”).
This Privacy Policy (“Policy”) applies to you and all individuals (as defined below) who provide us with their personal data or whose personal data we collect, use, process, store, and/or disclose in connection with our operations.
This Policy supplements but does not supersede or replace any prior consent you may have provided to us. It also does not impact any legal rights we may have concerning the collection, use, processing, and/or disclosure of any individual's Personal Data.
We may occasionally update this Policy to ensure it aligns with our business needs or reflects changes in applicable laws or regulations. All updates to this Policy will be published online at www.bontiss.com (the "Website", and/or "Our Website"). Notifications of any significant revisions will also be posted on the Website. You will be deemed to have accepted the Policy as amended by continuing your relationship with us after any amendments have been published on our Website.
This Policy is part of the terms and conditions governing your specific relationship with us (“Website Terms”) and should be read alongside the Website Terms. In the event of any conflict or inconsistency between this Policy and the Website Terms, the provisions of the Website Terms shall prevail to the fullest extent permissible by law.
For the purposes of this Policy, “Bontiss DPO” and/or "DPO" shall refer to the Data Protection Officer based in Hong Kong. He can be contacted at the following address:
Email: info@bontiss.com

Our approach to protecting Personal Data is based on three key principles that are central to all our actions concerning Personal Data.

• User Sovereignty: You have control over your data and can make necessary changes.
• Transparency: We adopt a human-centered approach to processing personal data, being open, honest, and transparent.
• Security: We use industry-leading methods to protect the personal data entrusted to us.

We will only collect, use, and disclose personal data from or related to an individual that is reasonably deemed necessary for the relevant purposes of such collection, use, or disclosure. This may include, but is not limited to, the following:

• Facilitating the provision of our products and services that you utilize, along with periodically sending newsletters, marketing or promotional materials, and any other pertinent information,
• Communicating with you to assist with your inquiries,
• Managing administrative matters related to the products and/or services you have purchased and/or subscribed to,
• Conducting market research and customer satisfaction surveys,
• We will inform you of any additional purposes at the time of obtaining consent (collectively known as the “Purposes”).

If you visit our website without registering or providing us with information, we only collect data that your browser transmits to our server, known as "server log files." When you access our website, we gather the following data, which is technically necessary for displaying the individual web pages to you:

• The specific pages of our website (URL)
• Date and time of access
• Amount of data sent in bytes
• Source/reference from which you came to the page
• Browser used
• Operating system used
• IP address used (possibly in anonymized form)

Processing is carried out in accordance with Article 6(1)(f) GDPR, based on our legitimate interest in enhancing the stability and functionality of our website. However, we reserve the right to review the server log files if there are concrete indications of illegal use. Non-anonymized server log files will be automatically deleted after a maximum of seven days.
Our website is hosted by a service provider that offers infrastructure and platform services, computing capacity, storage space, database services, security services, and technical maintenance. We have a contract with them for data processing, which is conducted to ensure the operational readiness of our website, and we have a legitimate interest in this. In this regard, we'd like to refer to Article 6(1)(f) of the GDPR. Furthermore, third parties may also collect data from server log files.

Generally, we may collect personal data from you in one or more of the following ways or circumstances:

• Information provided directly: You may be asked to provide Personal Data when visiting or using certain parts of our websites and/or services. While you are not obligated to share your Personal Data, opting not to do so may prevent you from accessing certain areas of our website or using our services.
• Information collected automatically: Certain information, such as your IP address and device type, is automatically collected when you visit our websites or use our services. This information is valuable because it helps us understand how you interact with our websites and services, allowing us to continue providing you with the best possible experience.
• Information from third parties: Most of the Personal Data we collect comes directly from you. However, some data may be sourced from other channels, such as publicly available information or credible third parties, to conduct background checks related to your relationship with us. We use this information to enhance the Personal Data we have gathered from you.

Where your Personal Data is collected from third parties, we will only use such Personal Data if you have provided consent to the third party, which would also cover our processing of your Personal Data, or where we have a legitimate interest in using the Personal Data to evaluate the suitability of your relationship with us.
We aim to protect the information we share by imposing contractual privacy and security safeguards on the recipient. Whenever you are redirected away from us, we encourage you to read the provider’s relevant privacy policy to understand better how your data is processed.

Where we collect personal data, we will only process it:

• to perform a contract with you, or
• where we have a legitimate interest in protecting the personal data that is not overridden by your rights, or
• by a legal obligation, or
• where we have your consent.

Please note that if you choose not to provide us with your Personal Data or do not consent to our processing of your Personal Data, we may be unable to offer you some or all of our Services or respond to your other requests. For job applicants, we would not be able to assess your suitability for our employment opportunities.

We share information with external parties carrying out tasks on our behalf (including data processors and sub-contractors), as well as with other companies, organizations, government bodies, and individuals outside our company when we have a legitimate legal reason to do so (for example, in connection with any merger or acquisition or to comply with a court order) or when we are instructed to share the information on behalf of our clients.

Unless authorized under the PDPA, PDPO, GDPR, or any other applicable law, we will not collect, use, or disclose your Personal Data without your knowledge and consent. We'll make sure to highlight the relevant Purposes to you through the right means at the time we collect your Personal Data.
We may obtain your consent through any of the following methods:

• through express provisions in a contract, application form, and/or registration form to be signed or submitted to us;
• through notifications on our website;

Insofar as any Purpose(s) are intrinsic to the relationship or provision of services, we reserve the right to decline to engage in the relevant relationship or to provide the appropriate services to you if you do not consent to our collection, use, or disclosure of your Personal Data for such purposes.
If you:

• voluntarily provide Personal Data to us for any specified purpose,
• use or access our website or computer network,
• enter our premises or use any of the facilities there, and/or
• attend or participate in events or programmes organised by us,

You'll be considered to have agreed and consented to our collection, use, or disclosure of your personal data in the manner outlined in this Privacy Policy.

There may be occasions when we need to share your Personal Data with third parties. We will disclose your Personal Data only under the following circumstances,

• to our third-party service providers or agents,
• to our auditors and professional advisors,
• to regulators, law enforcement bodies, government agencies, courts, or any other third party to whom disclosure is permitted or required by applicable law or regulation,
• to other parties where we have your consent.

You have the right to withdraw your consent to the collection, use, and/or disclosure of your Personal Data in our possession by submitting your request to our Data Protection Officer at info@bontiss.com at any time.
We will process your request to withdraw consent within a reasonable timeframe from when the request is made. After this period, we will not collect, use, or disclose your Personal Data as outlined in your request.
If you're not able to give your consent, it may impact the services we can offer you. Depending on the degree of your withdrawal of consent for us to process your Personal Data, it might mean that we cannot maintain our current business relationship.

We do not use cookies on our website, but we may place and access certain cookies on your computer and/or any electronic device used to access the website. We use cookies to enhance your experience on the website and to improve our services.
We have taken steps to ensure that your privacy is always protected and respected. Regarding the data collected by cookies, you may disable their use in your internet browser while accessing our Website. However, disabling cookies may result in a loss of functionality, restrict your use of our website, and/or delay or affect how our website operates.

For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the controller), we utilize SSL or TLS encryption. You can recognize an encrypted connection by the character string "https://" and the lock symbol in your browser bar.
We implement reasonable security measures to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks to the Personal Data in our possession.
We ensure that third parties receiving Personal Data from us protect that data in a manner consistent with this Policy and do not use it for any purposes other than those specified by us, by incorporating appropriate contractual terms into their written agreements with third parties.
We are not responsible in any way for the security or management of personal data that you share with third-party websites accessible through links on our website.

Our website may occasionally contain links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that they have their own privacy policies, and we do not accept any responsibility for them. Please check these policies before submitting any personal data to these websites.

The information you voluntarily provide to us will be considered complete and accurate.
We will take reasonable steps to verify the accuracy of the Personal Data received at the collection point. However, you will remain primarily responsible and liable for ensuring that all Personal Data you submit to us is complete and accurate.
We will also take reasonable steps to periodically verify the Personal Data in our possession, considering the scope of our operations. However, you are responsible for notifying us about any applicable changes to your Personal Data. You can amend your Personal Data by contacting the Personal Data Officer at info@bontiss.com at any time.
We shall not be held liable for any inability to provide services if you do not ensure that the personal data you submit to us is complete and accurate.

Generally, the rights to access and correct Personal Data granted to Individuals are:

• Right to Access. You have the right to be informed about and request access to the personal data we process concerning you. This allows you to verify what personal data we are processing and whether the processing is lawful. We will respond to your access request as soon as possible. If we cannot reply within 30 days of receiving it, we will notify you in writing via email within 30 days of when we can respond. If we are unable to provide the Personal Data you requested, we will generally explain why we cannot do so (except where we are not required to notify you under the PDPA, PDPO, GDPR, or any other applicable laws).
• Right of Correction/Rectification. You have the right to request that we amend or update your Personal Data when it is inaccurate or incomplete. Please note that while we will make a reasonable effort to ensure the accuracy and completeness of the Personal Data we collect, you are responsible for ensuring the accuracy of the Personal Data you provide directly to us. We will respond to your correction request as soon as reasonably possible. If we cannot perform the correction request within 30 days of receiving it, we will inform you in writing via email about when we expect to fulfill your correction request. If we cannot fulfill a correction you requested, we will generally notify you of our inability to do so, except where we are not required to disclose this under the PDPA, PDPO, GDPR, or any other applicable laws.
• Right to Withdraw Consent. You have the right to withdraw your consent at any time, where consent is the legal basis for processing your Personal Data. Please note that, depending on the nature and scope of your request, we may be unable to continue fulfilling our obligations in connection with the Event for you. For Individuals covered by the PDPA, PDPO, and GDPR, they also have the following rights (as available and subject to any applicable law):
• Right to Erasure. The right to request that we temporarily or permanently cease processing some or all of your Personal Data.
• Right to Object. The right to object to the processing of your Personal Data by us for direct marketing purposes, or to object to our processing of your Personal Data based on factors related to your specific situation.
• Right to Data Portability. The right to request a copy of your personal data in electronic format and the right to transfer that personal data for use in another party’s service.
• Right not to be subject to Automated Decision-making. The right not to be subjected to a decision based solely on automated decision-making that would have legal effects on you or produce a similarly significant outcome. Suppose we send you electronic marketing messages (i.e., newsletters) based on your consent or as permitted by applicable law. In that case, you may withdraw such consent or declare your objection at any time, at no cost. The electronic marketing messages you receive from us will also include an “unsubscribe” option within the message itself, enabling you to manage your Personal Data. Please note that if you opt out of receiving direct marketing materials, we may still send you non-promotional messages, such as receipts or information about our Services.

Additionally, you have the right to complain to your local Data Protection Authority at any time if you are unhappy with how we use your Personal Data. To assist you in easily exercising these rights and recording your preferences regarding our use of your Personal Data, you may email us at info@bontiss.com.

The duration for which we retain your Personal Data depends on its nature and whether we have an ongoing business need to keep it. We will keep your data only for as long as we maintain a business relationship with you, and for a period thereafter if we still have a business need to keep it or if we are legally required to do so. Once the time related to any business needs or legal obligations for retaining your Personal Data expires, we will ensure that your Personal Data is deleted or anonymized. To learn more about our retention policies, please email your request to info@bontiss.com.

In providing our Services, we may transfer and process the Personal Data we collect with third parties in other countries. In all cases, we will make sure that your Personal Data is transferred and that appropriate safeguards (e.g., contractual, technical, and organizational measures) are established before these transfers occur.

You are welcome to contact us if you have any complaints or concerns regarding our handling of personal data that is within our control or possession. To file a complaint, please get in touch with our Data Protection Officer via email at info@bontiss.com.

If any provision of this Policy is deemed illegal, void, invalid, or unenforceable under the laws of any jurisdiction, the legality, validity, and enforceability of the remainder of this Policy in that jurisdiction will not be affected; nor will the legality, validity, and enforceability of the entire Policy in any other jurisdiction be impacted.
Nothing in this Policy shall be interpreted as providing indemnity to any Customer regarding any Customer Data or its use.
According to this Policy, we're not responsible for any losses that the Customer may suffer due to our collection, storage, or use of Customer Data. In any event, we expressly exclude any liability to the Customer for indirect or consequential losses, special losses, loss of profits, loss of contracts, loss of reputation or goodwill, or other tangential or intangible losses that a Customer may incur due to a breach of this Policy by us or any of its agents or service providers.

This Privacy Policy may be updated due to ongoing developments on our website and changes in legal or regulatory requirements.