Privacy Policy

01Scope & who we are

Yau Hing Technology Consultants Limited (燠興科技顧問有限公司) is an IT solutions company incorporated in the Hong Kong SAR. We build and operate software products for small and medium-sized enterprises, and we provide WhatsApp Business messaging services to business clients as a technology partner.

This Privacy Policy applies to:

• Our public website at yauhingtech.hk and its subdomains.
• Our four products — WhatsApp Business Suite, Beauty Salon System, PMS for Engineering & Trades, and Finance Company Platform — where Yau Hing Tech is the data controller.
• WhatsApp Business and other Meta-platform messaging services that we provide as a tech partner / Business Solution Provider, where the business that uses our service is the controller and we act as a processor on their behalf.

02Information we collect

Information you provide

• Contact details — name, business name, email address, phone number, WhatsApp number, when you fill in our enquiry form, request a demo, or sign a service agreement.
• Account information — login credentials, role, branch, and preferences for our products.
• Business content — data you upload into our products (e.g. customer records, bookings, quotations, invoices, project documents).
• Support communications — messages, attachments, and call notes you share with our support team.

Information collected automatically

• Usage data — pages visited, features used, timestamps, and approximate location derived from IP.
• Device & technical data — IP address, browser type, operating system, device identifiers, and crash logs.
• Cookies & similar technologies — see Section 10 below.

Information from third parties

• Meta / WhatsApp — when our clients use our WhatsApp Business Suite, we receive messages, delivery receipts, contact identifiers, and metadata from the WhatsApp Cloud API on the business's behalf.
• Payment & integration partners — limited transaction data from providers such as Stripe, FPS rails, or Shopify, only as needed to fulfil a service.

03How we use information

We use personal information for the following purposes:

• To provide our products and services — including authentication, processing messages, generating quotations and invoices, scheduling bookings, and other features you request.
• To support and improve our services — diagnosing issues, monitoring performance, and developing new features.
• To communicate with you — responding to enquiries, sending service notices, security alerts, and (where you have consented) product updates.
• To meet legal and regulatory obligations — including the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong, the Money Lenders Ordinance (where applicable), and platform-specific rules from Meta and WhatsApp.
• To prevent abuse and fraud — protecting our services, our clients, and end users from misuse.

We do not sell personal data, and we do not use personal data to train third-party AI models without a separate written agreement.

04WhatsApp Business & Meta data

We integrate with the WhatsApp Business Platform (Cloud API) as a technology partner. When a business client uses our WhatsApp Business Suite, the following applies:

• Role — the business client is the controller of its end-customer data; we are a processor.
• Data processed — phone numbers, WhatsApp profile names, message content (including text, media, and templates), delivery and read receipts, and conversation metadata.
• Purpose — only to route, store, and display messages within the business's account, to apply automation the business has configured, and to provide reporting to the business.
• No advertising use — we do not use WhatsApp message content for advertising, profiling, or training general-purpose AI models, and we do not share it with third parties for those purposes.
• Meta requirements — our processing complies with the WhatsApp Business Solution Terms, the Meta Platform Terms, and WhatsApp Business Messaging Policy. Meta is an independent controller for its own platform-level data.
• End-user rights — end customers may exercise their rights (access, correction, deletion) by contacting the business they are messaging; we will assist that business in responding.

05Sharing & disclosure

We share personal information only in the following circumstances:

• Service providers / sub-processors — hosting (AWS / Google Cloud, in Hong Kong, Singapore, or other regions you have approved), email delivery, monitoring, and analytics partners. Each is bound by written contracts requiring confidentiality and adequate safeguards.
• Platform partners — Meta / WhatsApp, where the service inherently routes through their infrastructure.
• Professional advisors — lawyers, auditors, and accountants, under duties of confidentiality.
• Legal & regulatory — when required by law, court order, or a binding request from a regulator with proper jurisdiction.
• Business transfers — if Yau Hing Tech is involved in a merger, acquisition, or asset sale, personal data may be transferred under equivalent protections; you will be notified before any material change.

06Data retention

We retain personal information only for as long as necessary to provide our services, comply with legal and regulatory obligations, resolve disputes, and enforce agreements.

• Account & product data — retained for the duration of the service, plus up to 24 months after termination unless a longer period is required by law (e.g. accounting records: 7 years).
• WhatsApp messages — retained according to the business client's configured retention period; default is 24 months from the message date.
• Support records — retained for up to 36 months from the last interaction.
• Server logs — retained for up to 12 months for security and troubleshooting.

When data is no longer needed we securely delete or anonymise it.

07Security

We apply technical and organisational measures designed to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256) for production data stores.
• Role-based access control and least-privilege principles for staff access.
• Centralised audit logging for finance-related and admin actions.
• Regular backups, vulnerability scanning, and a documented incident-response process.
• Staff confidentiality undertakings and periodic security training.

No method of transmission or storage is 100% secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected parties and regulators as required by law.

08International transfers

Our primary hosting is in Hong Kong and Singapore. Some service providers (e.g. Meta, email and monitoring vendors) may process data in other regions. Where data is transferred outside Hong Kong, we rely on appropriate safeguards such as contractual clauses, equivalent protection standards, and the recipient's published commitments.

09Your rights

Subject to applicable law, you may have the right to:

• Access the personal data we hold about you and obtain a copy.
• Correct inaccurate or incomplete data.
• Request deletion of your data, where there is no overriding legal obligation to keep it.
• Object to or restrict certain processing.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) at pcpd.org.hk.

To exercise these rights, email [email protected]. We will respond within 30 days. If your request relates to data held by us on behalf of a business client, we may need to refer your request to that business.

10Cookies & tracking

We use a small number of cookies and similar technologies to operate our website and products:

• Strictly necessary — session cookies for authentication and security.
• Preference — to remember your language choice (e.g. EN / 繁中).
• Analytics — aggregate, privacy-friendly analytics to understand how the site is used; we do not load third-party advertising trackers by default.

You can control cookies through your browser settings. Disabling essential cookies may affect site functionality.

11Children's privacy

Our services are intended for business users and are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

12Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via our website or by direct notice to active customers. The “Last updated” date at the top of this page indicates when the policy was most recently revised.

13Contact us

If you have any questions, comments, or requests regarding this Privacy Policy or our handling of personal data, please contact our Data Protection contact: