About This Policy
This Privacy Policy explains how HEADGATE TECHNOLOGY LTD ("HEADGATE", "we", "us", "our") collects, uses, discloses, and protects Personal Data when you visit https://headgatetech.com (the "Site"), inquire about our services, engage us under a Statement of Work, or otherwise interact with us.
We are a digital marketing agency headquartered in Hong Kong SAR. This Policy is a "Personal Information Collection Statement" (PICS) for the purposes of Data Protection Principle 1 of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO"). It is also designed to satisfy the transparency requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), and the Swiss Federal Act on Data Protection ("FADP").
If you are an end-user of one of our clients (i.e., we are processing your Personal Data on behalf of one of our clients as a processor), the controller of your Personal Data is the client, and you should refer to their privacy notice for information about how your Personal Data is processed.
Who We Are (Data Controller)
HEADGATE TECHNOLOGY LTD in Hong Kong is the data controller. Our Data Protection Lead is reachable at privacy@headgatetech.com.
- Data Controller: HEADGATE TECHNOLOGY LTD
- Address: Suite C, Level 7, 50 Stanley Street, Central, Hong Kong
- Data Protection Lead: privacy@headgatetech.com
- General contact: hello@headgatetech.com
We have appointed a Data Protection Lead (acting as our Data Protection Officer for jurisdictions where formal DPO designation is not mandatory) responsible for overseeing compliance with this Policy and applicable data protection law. You can contact the Data Protection Lead at privacy@headgatetech.com for any privacy-related questions or to exercise your rights.
EU Representative (Article 27 GDPR): Where required, we have appointed a representative in the EU pursuant to Article 27 GDPR. The current representative's name and address will be listed here once appointed.
UK Representative (Article 27 UK GDPR): Where required, we have appointed a representative in the United Kingdom. The current representative's name and address will be listed here once appointed.
What Personal Data We Collect
We collect (a) business contact details when you reach out, (b) engagement records when you become a client, and (c) basic, privacy-preserving website analytics. We do not collect special-category data and we do not knowingly collect data from children under 16.
We collect the following categories of Personal Data:
3.1 Identity and Contact Information
- Name (first and last)
- Business email address
- Company / organization name
- Job title or role
- Country of business
- Phone number (only if you provide it voluntarily)
Source: Provided by you (contact forms, email correspondence, scheduling tools).
3.2 Engagement and Service Records
- Notes from briefs, calls, and meetings
- Project correspondence (emails, messages, document comments)
- Deliverables produced for you
- Invoices and payment records
- Client Materials you provide to us in connection with an engagement (which may contain Personal Data of your end-users; see Section 11)
Source: Provided by you or generated in the course of the engagement.
3.3 Website Telemetry
- Pages visited
- Referring URL
- Approximate, city-level location derived from IP address
- Device type and browser (aggregated)
Source: Automatically collected by privacy-preserving analytics. We do not use Google Analytics, Meta Pixel, or similar third-party advertising trackers.
3.4 Cookies and Similar Technologies
See our Cookie Policy for the full list of cookies we set, including their purposes, durations, and consent categories.
3.5 Categories We Do NOT Collect
- We do not knowingly collect special categories of personal data (race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, sexual orientation, criminal convictions) under GDPR Article 9.
- We do not knowingly collect Sensitive Personal Information (SSN, government identifiers, financial account credentials, precise geolocation, race, ethnicity, religion, mail/email/text content, genetic data, biometric data, health data, sexual orientation) for purposes beyond those permitted by 11 CCR § 7027(m) under CCPA/CPRA.
- We do not knowingly collect Personal Data of children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. Parents or guardians who believe we may have collected their child's Personal Data should contact privacy@headgatetech.com.
How We Use Personal Data (Purposes & Legal Bases)
We use your data to talk to you, deliver Services, run our business, and (only if you've opted in) send you marketing. We rely on contract, legitimate interests, consent, and legal obligation as legal bases.
We use Personal Data for the following purposes, on the corresponding GDPR/UK GDPR legal bases:
| Purpose | Categories of Personal Data | Legal Basis (GDPR Article 6) |
|---|---|---|
| Respond to inquiries; provide proposals | Identity & Contact | Pre-contractual measures (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) — operating our business |
| Perform an engagement under an SOW | Identity & Contact; Engagement Records | Contract (Art. 6(1)(b)) |
| Bill, invoice, and collect payment | Identity & Contact; Invoices | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) — accounting and tax records |
| Operate, secure, and improve the Site and Services | Website Telemetry; Cookies (necessary) | Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, service improvement |
| Analytics on Site usage (privacy-preserving) | Website Telemetry; Cookies (analytics) | Consent (Art. 6(1)(a)) |
| Direct marketing (newsletters, service updates) | Identity & Contact | Consent (Art. 6(1)(a)) — see Section 7 (PDPO Part VIA) |
| Comply with legal, regulatory, or tax obligations | All categories as required | Legal obligation (Art. 6(1)(c)) |
| Establish, exercise, or defend legal claims | All categories as required | Legitimate interests (Art. 6(1)(f)) |
We do not engage in automated decision-making producing legal or similarly significant effects on individuals (GDPR Art. 22). We do not engage in profiling for purposes other than non-identifying website analytics.
For the purposes of the PDPO (DPP1 — Purpose & Means of Collection), the purposes set out above are the only purposes for which Personal Data is collected, and they are directly related to a function or activity of HEADGATE.
International Data Transfers
We're in Hong Kong, which the EU/UK haven't formally recognized as "adequate." For data coming from the EU/UK to us, we use the EU's Standard Contractual Clauses and the UK's IDTA. We've done the homework (Transfer Impact Assessments) and we encrypt everything in transit and at rest.
Hong Kong does not currently benefit from an adequacy decision from the European Commission or the UK Information Commissioner's Office. Where Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to HEADGATE in Hong Kong (or to our sub-processors located outside those jurisdictions), we rely on the following Chapter V GDPR safeguards:
6.1 EU / EEA Transfers
- Mechanism: Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021
- Modules used: Module Two (Controller-to-Processor) where we act as a processor of an EU-based controller's data; Module Three (Processor-to-Processor) where we onward-transfer to a sub-processor
- Supplementary measures: Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), pseudonymization where appropriate, strict access controls, and the security measures described in Section 9
6.2 UK Transfers
- Mechanism: International Data Transfer Addendum (IDTA) to the EU SCCs (Version B1.0), as issued by the UK ICO under section 119A of the UK Data Protection Act 2018
6.3 Swiss Transfers
- Mechanism: Swiss Addendum to the EU SCCs, recognized by the Swiss Federal Data Protection and Information Commissioner
6.4 Transfer Impact Assessments
We have completed Transfer Impact Assessments (TIAs) covering Hong Kong as a destination jurisdiction and the relevant sub-processor jurisdictions. The TIAs evaluate the laws and practices of the destination, the technical and organizational supplementary measures in place, and any additional contractual measures. TIAs are reviewed at least annually and on material change.
6.5 Hong Kong PDPO Cross-Border Transfers
For cross-border transfers initiated from Hong Kong, we voluntarily apply the Privacy Commissioner for Personal Data's Recommended Model Contractual Clauses where appropriate, in addition to the safeguards above.
6.6 Article 49 Derogations
Where the safeguards above are not available, we will rely only on the derogations in Article 49 GDPR (e.g., your explicit informed consent or necessity for the performance of a contract requested by you).
Direct Marketing (PDPO Part VIA + GDPR + ePrivacy + CAN-SPAM)
We only send marketing emails to people who opt in. You can unsubscribe at any time, free of charge, with one click. The legal frameworks we follow are listed below.
This section satisfies the requirements of Part VIA of the Hong Kong PDPO and analogous opt-in requirements under EU/UK ePrivacy laws and the U.S. CAN-SPAM Act.
7.1 What We Use for Direct Marketing
- Kinds of Personal Data used: Name, business email address, company, role, and country
- Classes of marketing subjects: HEADGATE service updates, market intelligence, event invitations, content offers (e.g., research reports, guides), and case studies relevant to your industry
7.2 Consent
We will only use your Personal Data for direct marketing if you have provided your explicit consent (e.g., by checking an unchecked-by-default opt-in box on a contact form, by confirming a double-opt-in email, or by replying YES to a clearly-worded opt-in request). Consent is sought separately from any other consent or contractual purpose.
7.3 Opt-Out
You may opt out of direct marketing at any time, free of charge, by:
- Clicking the unsubscribe link in any marketing email
- Replying STOP to any opt-in messaging channel where applicable
- Emailing privacy@headgatetech.com requesting opt-out
We will give effect to your opt-out within ten (10) business days and will not use your Personal Data for direct marketing after that date.
7.4 No Sale of Personal Data
We do not provide your Personal Data to any third party for that third party's direct marketing.
Data Retention
We keep engagement records for 7 years after our work with you ends (we need to for tax and legal reasons), then we delete or anonymize them. Other categories are kept for shorter periods, as set out below.
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. The following table sets out our typical retention periods:
| Category | Retention period | Reason |
|---|---|---|
| Engagement records (briefs, correspondence, deliverables, invoices) | 7 years after engagement ends | Hong Kong Inland Revenue Ordinance (s. 51C requires 7 years for business records); tax and accounting obligations in other jurisdictions; defence of legal claims |
| Identity & contact data of inactive prospects | 24 months from last interaction | To avoid stale outreach; deleted thereafter unless re-engaged |
| Marketing subscriber list | Until consent is withdrawn, then deleted within 30 days | Honoring opt-out |
| Website telemetry (privacy-preserving) | 30 days (per Cookie Policy) | Aggregated analytics; not retained beyond this |
| Cookie-based identifiers | Per Cookie Policy categories (Necessary: session/12 months; Preferences: 12 months; Analytics: 30 days) | Functional and consent-based |
| Job-applicant data | 12 months from application close (with consent for talent-pool retention beyond that) | Recruitment record-keeping |
| Backups | Up to 90 days from primary deletion | Disaster recovery; backups are encrypted and access-restricted |
After the applicable retention period, Personal Data is securely deleted or anonymized in such a way that it cannot be re-associated with an identifiable individual.
For Personal Data we process on behalf of clients (where we are a processor), retention is governed by the applicable Data Processing Agreement and the client's instructions.
Security
We encrypt data in transit and at rest, restrict access to a need-to-know basis, log everything, train our team, and maintain a written incident-response plan. The full picture is on our Data & Trust page.
We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, in compliance with PDPO DPP4, GDPR Article 32, and analogous requirements:
- Encryption: All Personal Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Access control: Need-to-know access; named, time-bounded, and logged access to client environments; multi-factor authentication on all administrative accounts; monthly access-log reviews and engagement close-out audits.
- Endpoint security: All devices have full-disk encryption and remote-wipe capability; centrally managed via a mobile device management platform.
- Personnel: Background checks where permitted by law; written confidentiality and data-protection clauses in all employment and contractor agreements; mandatory annual privacy and security training.
- Network: Hardened cloud infrastructure with vendor SOC 2 Type II or equivalent; segmented networks; intrusion detection.
- Backup and disaster recovery: Encrypted backups; documented business-continuity and disaster-recovery procedures.
- Vendor management: Sub-processor due diligence including security and privacy review; contractual obligations no less protective than those we accept.
- Incident response: Written incident-response plan; named incident coordinator; tabletop exercises.
For full details, see our Data & Trust page.
Personal Data Breach Notification
If something goes wrong, we'll notify regulators within 72 hours where required by law, notify affected people promptly when there's a real risk to them, and notify our clients within 24 hours of confirmation.
In the event of a personal data breach affecting Personal Data:
- EU/UK supervisory authorities (GDPR Article 33): Without undue delay and, where feasible, within seventy-two (72) hours of becoming aware
- Affected EU/UK data subjects (GDPR Article 34): Without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons
- Hong Kong Privacy Commissioner (PDPO voluntary breach notification): Promptly, in line with the PCPD's Guidance on Data Breach Handling and Notifications
- California residents and the California Attorney General (Cal. Civ. Code § 1798.82): Where the breach involves their unencrypted personal information and meets statutory thresholds
- Clients (where we act as processor): Within twenty-four (24) hours of confirmation, in accordance with the DPA
A post-incident report is prepared within fourteen (14) days, including root-cause analysis and remediation measures.
Your Rights
You can ask what we have on you, fix it, delete it, take it elsewhere, restrict or object to processing, or withdraw consent. Email privacy@headgatetech.com and we'll get back within 30 days (or 45 for California requests).
Subject to applicable law, you have the following rights with respect to your Personal Data.
11.1 Rights Under GDPR / UK GDPR / Swiss FADP / Hong Kong PDPO
- Right of access (Art. 15): Confirmation of whether we process your Personal Data and a copy of that data
- Right to rectification (Art. 16): Correction of inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17): Deletion where the data is no longer necessary, you withdraw consent, or you object to processing without overriding legitimate interests
- Right to restriction (Art. 18): Suspension of processing in specified circumstances
- Right to data portability (Art. 20): Receipt of your data in a structured, commonly used, machine-readable format and the right to transmit it to another controller
- Right to object (Art. 21): Objection to processing based on legitimate interests, including for direct marketing (which we will always honor)
- Right not to be subject to automated decision-making (Art. 22): We do not engage in such decision-making, but you have this right where it applies
- Right to withdraw consent: At any time, free of charge, where processing is based on consent (withdrawal does not affect the lawfulness of prior processing)
- Right to lodge a complaint with a supervisory authority: Including the Hong Kong Privacy Commissioner for Personal Data, your local EU Data Protection Authority, the UK Information Commissioner's Office, or the Swiss FDPIC
11.2 Rights Under CCPA / CPRA (California Residents)
- Right to know: Categories and specific pieces of Personal Information we have collected, sources, business or commercial purposes, and categories of third parties with whom we share it
- Right to delete: Deletion of Personal Information we have collected, subject to legal exceptions
- Right to correct: Correction of inaccurate Personal Information
- Right to opt-out of sale or sharing: We do not sell or share Personal Information for cross-context behavioral advertising; we still offer this opt-out as a matter of policy. See the "Do Not Sell or Share My Personal Information" link in our footer or email privacy@headgatetech.com.
- Right to limit use of Sensitive Personal Information: We do not use Sensitive Personal Information for purposes beyond those permitted by 11 CCR § 7027(m), so this right does not apply in practice. We have included this disclosure for transparency.
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
- Authorized agents: You may use an authorized agent to submit a request, subject to verification.
- Shine the Light (Cal. Civ. Code § 1798.83): California residents may request information about disclosures of Personal Information to third parties for those third parties' direct-marketing purposes. We do not make such disclosures.
11.3 How to Exercise Your Rights
Submit your request via:
- Email: privacy@headgatetech.com
- Web form: https://headgatetech.com/contact
We will:
- Acknowledge your request within ten (10) business days
- Verify your identity using reasonable measures (we may ask for additional information)
- Respond within thirty (30) days for GDPR/UK GDPR/PDPO requests, or forty-five (45) days for CCPA/CPRA requests, with one extension period where reasonably necessary and on notice to you
There is no charge for exercising your rights, except where requests are manifestly unfounded, excessive, or repetitive (in which case we may charge a reasonable fee or refuse the request, as permitted by law).
11.4 Global Privacy Control
We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request for California residents and as a withdrawal of analytics-cookie consent for visitors generally.
AI / Machine-Learning Processing
We use AI tools (large language models, audience-modeling tools, on-site assistants) for our work. We do not let AI vendors train their models on your data. We tell you which tools we used. We review AI outputs before delivery, but you should review them too. We follow Hong Kong's PCPD AI framework and the EU AI Act's transparency rules.
This section addresses the Privacy Commissioner for Personal Data's Model Personal Data Protection Framework for AI Use (June 2024) and the EU AI Act (Regulation (EU) 2024/1689), in particular Article 50 transparency obligations.
12.1 Purposes of AI Processing
We use AI Tools for:
- Content production (copywriting, editorial assistance)
- Audience modeling (segmentation based on aggregated, non-identifying signals)
- On-site assistants (only where deployed for clients with explicit notice)
- Internal productivity (summarization, transcription)
12.2 No Training on Your Data
We will only use AI Tools that contractually commit not to train, retrain, or fine-tune their models on your inputs or outputs. Where this commitment is not technically feasible for a specific tool, we will inform you in advance and obtain your written consent before processing your data with that tool.
12.3 Transparency
Where an AI Tool was materially used to produce a Deliverable that will be published to the public, we will disclose AI involvement to the extent required by Article 50 of the EU AI Act, applicable PDPO requirements, your reasonable instructions, or industry best practice.
12.4 Human Oversight
A human reviews AI-generated outputs before delivery to you. You retain full editorial control of any Deliverable.
12.5 Prohibited Uses
We will not use AI Tools to (a) make decisions producing legal or similarly significant effects on individuals without human oversight, (b) generate non-consensual intimate imagery, (c) create deepfakes intended to deceive about identity, (d) infer sensitive attributes (race, religion, health, sexual orientation, political views) from non-sensitive inputs, or (e) engage in any use prohibited by Article 5 of the EU AI Act.
12.6 Records
We maintain internal records of which AI Tools are used, the data flows associated with them, and the safeguards applied, in alignment with the PCPD AI framework.
When We Act as a Processor for Our Clients
When we work on your behalf and process your end-users' personal data, you are the controller and we are the processor. The DPA governs that relationship. End-users should look at your privacy notice, not ours.
In the course of performing the Services for our clients, we may process Personal Data of the client's end-users on the client's behalf. In that case:
- The client is the controller of that Personal Data
- HEADGATE is the processor acting on the client's documented instructions
- The relationship is governed by a written Data Processing Agreement in the form available at headgatetech.com/dpa
End-users whose data is processed by us on behalf of a client should refer to that client's privacy notice for information on the controller, the purposes of processing, and the legal bases. Rights requests submitted directly to HEADGATE will be forwarded to the relevant client controller without undue delay.
Changes to This Policy
We update this Policy from time to time. Material changes get a 30-day heads-up. The "Last Updated" date at the top tells you when we last changed it.
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice by posting a prominent notice on the Site and, where we have your email, by email. Non-material changes (clarifications, formatting, typo fixes) take effect on posting. The "Last Updated" date at the top of this Policy reflects the most recent changes.
A change history is maintained in Appendix B for transparency.
How to Contact Us; How to Complain
Privacy questions and rights requests go to privacy@headgatetech.com. If you're not happy with our response, you can complain to your local data protection regulator.
- Data Protection Lead: privacy@headgatetech.com
- Postal: HEADGATE TECHNOLOGY LTD, Suite C, Level 7, 50 Stanley Street, Central, Hong Kong
- Hong Kong Privacy Commissioner: pcpd.org.hk
- EU Data Protection Authorities: List of National DPAs
- UK Information Commissioner's Office: ico.org.uk
- Swiss FDPIC: edoeb.admin.ch
- California Privacy Protection Agency: cppa.ca.gov
CCPA/CPRA Categories Disclosure (Past 12 Months)
| CCPA Category (§ 1798.140) | Examples we collect | Sources | Business purposes (§ 1798.140(e)) | Third parties to whom disclosed for a business purpose |
|---|---|---|---|---|
| A — Identifiers | Name, business email, IP-derived location | You; automatic | Service delivery; marketing (with consent); fraud prevention | Cloud, email, CRM, analytics, accounting processors |
| B — Customer records (Cal. Civ. Code § 1798.80(e)) | Name, address, telephone | You | Service delivery; billing | Accounting, banking processors |
| C — Protected classifications | Not collected | — | — | — |
| D — Commercial information | Service preferences, engagement history | You; automatic | Service delivery; marketing | CRM, analytics processors |
| E — Biometric information | Not collected | — | — | — |
| F — Internet/network activity | Pages visited, referrer | Automatic | Site operation; analytics | Analytics processor |
| G — Geolocation (precise) | Not collected | — | — | — |
| H — Sensory data | Not collected | — | — | — |
| I — Professional/employment | Job title, company, role | You | Service delivery; marketing | CRM processor |
| J — Education information | Not collected | — | — | — |
| K — Inferences | Aggregated audience-segment inferences | Automatic / AI Tools | Service improvement; (with consent) marketing | None |
| Sensitive Personal Information | Not used beyond § 7027(m) permitted purposes | — | — | — |
Sale or Share of Personal Information: HEADGATE has not sold and does not sell Personal Information. HEADGATE has not shared and does not share Personal Information for cross-context behavioral advertising.
Retention: As set out in Section 8 above.
Change History
| Version | Date | Summary of changes |
|---|---|---|
| 2.0 | 2026-05-05 | Comprehensive rewrite: explicit SCCs / UK IDTA / Swiss Addendum citations; 72-hour breach notification commitment; CCPA/CPRA categories table; PDPO Part VIA Direct Marketing section; AI processing section aligned with PCPD Model Framework + EU AI Act Article 50; processor/controller distinction; expanded retention table; GPC honored; DPO and Article 27 representative placeholders |
| 1.0 | | Initial publication |