Privacy Policy
Personal Data Protection
1. Introduction and Data User
San Ser Corporation Limited ("we", "us", "our") is the data user within the meaning of the Personal Data (Privacy) Ordinance, Cap. 486 of the Laws of Hong Kong ("the Ordinance"), in respect of personal data collected and processed in connection with this website and our services. We are committed to protecting your privacy and to full compliance with the Ordinance and the six data protection principles set out in Schedule 1 thereto.
This Privacy Policy sets out our practices regarding the collection, holding, processing, use and disclosure of personal data. It also describes the rights of data subjects under the Ordinance. By using our website or services, or by providing your personal data to us, you consent to the collection, use and disclosure of your personal data as described in this policy, to the extent such consent is required by law.
2. Personal Data We Collect (Data Protection Principle 1 — Purpose and Manner of Collection)
We collect personal data only for a purpose directly related to a function or activity of our company, by lawful and fair means, and only where necessary for or directly related to that purpose. We may collect the following categories of personal data:
- Identity and contact data: name, telephone number, email address, delivery and billing address.
- Account and transaction data: login credentials, order history, and payment-related information (we do not store full card numbers; payment processing may be handled by third-party processors).
- Technical and usage data: IP address, device type, browser type, pages visited, time and date of access, and similar information collected via cookies and similar technologies.
- Communications: correspondence when you contact us, including via our contact form, email or telephone.
- Marketing preferences: your consent and preferences regarding verification codes, direct marketing (SMS, email) and promotional communications.
We collect personal data that you provide directly (e.g. when registering, placing an order, or contacting us) and, where lawful, data generated from your use of our website. You are not obliged to provide personal data, but refusal may prevent us from providing certain services (e.g. account, orders, support). All practicable steps are taken to ensure that you are informed of the purpose of collection and the classes of persons to whom the data may be transferred, at or before the time of collection.
3. Purposes of Use (Data Protection Principle 3 — Use of Personal Data)
Personal data shall not be used for any purpose other than the purpose for which the data was collected or a directly related purpose, unless the prescribed consent of the data subject is obtained. We use your personal data for the following purposes:
- Processing and fulfilling orders, and managing your account.
- Verifying your identity, including by sending and validating verification codes via SMS.
- Providing customer support and responding to your enquiries.
- Sending service-related communications (e.g. order confirmations, shipping updates).
- With your consent, sending direct marketing and promotional communications (SMS, email) about our products, offers and events, in compliance with Part 6A of the Ordinance where applicable.
- Improving our website, services and user experience, including analytics and troubleshooting.
- Complying with legal, regulatory and contractual obligations, and protecting our rights and the rights of others (e.g. fraud prevention, dispute resolution).
We will not use your personal data for purposes other than those set out above without notifying you and, where required by the Ordinance, obtaining your prescribed consent.
4. Disclosure and Transfer of Personal Data
We do not sell your personal data. We may disclose or transfer your personal data only in the following circumstances and in accordance with the Ordinance and this policy:
- Service providers: payment processors, couriers, IT and hosting providers, and others who assist us in operating our business. We require them to protect your data and use it only for the purposes we specify and in compliance with the Ordinance.
- Legal and regulatory: where required by law, court order, or to comply with government or regulatory requests; or to protect our rights, safety or property.
- With your consent: where you have given prescribed consent for a specific disclosure or use.
- Corporate transactions: in the event of a merger, acquisition or sale of assets, personal data may be transferred as part of that transaction, subject to the same protection under this policy and the Ordinance.
We do not disclose personal data to third parties for their own marketing purposes without your consent. Where we transfer personal data to places outside Hong Kong, we will comply with section 33 of the Ordinance and take all practicable steps to ensure that the data is not used or disclosed in that place except in accordance with the Ordinance, or that the transferee is bound by laws or contractual arrangements affording protection no less than that under the Ordinance, unless an exemption applies.
5. Security of Personal Data (Data Protection Principle 4 — Security)
We take all practicable steps to ensure that your personal data is protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to the kind of data and the harm that could result from such access or use. These steps include:
- Secure transmission (e.g. TLS/SSL) where applicable.
- Access controls and limits on who can access personal data.
- Training for staff who handle personal data.
- Regular review of our security practices.
No method of transmission or storage over the Internet is completely secure. We cannot guarantee absolute security but we will act promptly to mitigate and, where required by the Ordinance or applicable law, notify you and/or the Office of the Privacy Commissioner for Personal Data of any significant data breach affecting your personal data.
6. Retention of Personal Data (Data Protection Principle 2 — Accuracy and Duration of Retention)
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements. All practicable steps are taken to ensure that personal data is accurate and not kept longer than necessary.
Criteria we use to determine retention include: the nature of the data, the purpose of processing, legal obligations, and whether we need the data to resolve disputes or enforce our agreements. When personal data is no longer required, we will delete or anonymise it in a secure manner, except where we are required or permitted to retain it by law.
7. Data Accuracy (Data Protection Principle 2)
We take all practicable steps to ensure that your personal data is accurate, complete, not misleading and up-to-date. We may ask you to update your information from time to time. You are responsible for providing accurate information and for informing us of any changes. Where we are satisfied that personal data is inaccurate, we will take all practicable steps to ensure that it is erased or corrected, as appropriate.
8. Openness (Data Protection Principle 5) and Your Rights (Data Protection Principle 6 — Access and Correction)
We make available our policies and practices in relation to personal data. You have the following rights under the Ordinance:
- Request access to your personal data that we hold. We will comply with a data access request in accordance with the Ordinance (sections 18–22) and may charge a fee as permitted thereunder.
- Request correction of personal data that is inaccurate, incomplete or misleading. We will comply with a data correction request in accordance with the Ordinance (sections 22–25).
- Withdraw consent for processing that is based on consent (e.g. direct marketing). Withdrawal does not affect the lawfulness of processing before withdrawal. You may opt out of direct marketing at any time.
- Lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong if you believe your rights under the Ordinance have been infringed. The PCPD may be contacted at www.pcpd.org.hk.
To exercise these rights, please contact us using the details in Section 12. We may need to verify your identity before processing your request. We will respond within 40 days of a data access request as required by the Ordinance, or within such other timeframes as applicable law may prescribe. There may be circumstances where we are not required to comply with a request under the Ordinance (e.g. where an exemption under Part 8 applies).
9. Direct Marketing (Part 6A of the Ordinance)
We will not use your personal data for direct marketing (including by means of emails, SMS or other electronic messages) unless we have received your consent (or indication of no objection) in the manner required by Part 6A of the Ordinance. We will also comply with the requirements on the use and provision of personal data for direct marketing in sections 35C and 35E of the Ordinance, including providing you with the option to opt out at any time.
You may at any time request that we cease to use or provide your personal data for direct marketing by contacting us or by using the opt-out mechanism in any marketing communication.
10. Cookies and Similar Technologies
We may use cookies, web beacons and similar technologies to collect technical and usage data, to remember your preferences, and to improve our website. You can adjust your browser settings to refuse or limit cookies; some features may not function correctly if you disable cookies.
We may work with analytics or advertising partners who use such technologies. Where they act as data users in their own right, their use is governed by their privacy policies. We recommend that you review our cookie notice or settings, if provided, for more detail.
11. Minors
Our website and services are not directed at individuals under 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without parental or guardian consent, please contact us and we will take practicable steps to delete such data in accordance with the Ordinance.
12. Changes to This Policy and Contact
We may update this Privacy Policy from time to time. We will post the revised policy on this page and indicate the date of the last update. For material changes, we may notify you by email or through a notice on our website where required by law. Your continued use of our website or services after changes constitutes acceptance of the updated policy.
For any questions about this Privacy Policy, to make a data access or correction request, to opt out of direct marketing, or to contact our Data Protection Officer (if designated), please use our Contact page or email us at privacy@sanser.online. We will respond in accordance with the Ordinance and applicable law.
Last updated: March 2025