Privacy Policy

1. Introduction

Orchid Peak ("we", "our", "us") is committed to protecting the personal data of the individuals and organisations who engage with us. This Privacy Policy explains what data we collect, how we use it, how we protect it, and the rights you hold in relation to it.

Our practices are governed by the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (the "PDPO"). If you have any questions about this policy, please contact us at [email protected].

2. Data We Collect

We collect personal data in the following ways:

Via our contact form: Name, email address, and phone number (optional), along with the content of your enquiry.

Via email and phone: Contact details and the content of communications when you reach out to us directly.

Via cookies and analytics: Non-personally identifiable data about how visitors interact with our website, including pages visited, browser type, and approximate location. See our Cookie Policy for details.

During engagements: Organisational and individual data provided to us as part of a consulting engagement is handled under a separate confidentiality agreement and is not covered by this web privacy policy.

3. How We Use Your Data

Personal data collected through our website is used for the following purposes:

• Responding to enquiries submitted via our contact form
• Preparing and delivering consulting proposals where requested
• Understanding how our website is used in order to improve it
• Complying with legal obligations where applicable

We do not use personal data for unsolicited marketing purposes. We do not sell or share personal data with third parties for their marketing use.

4. Legal Basis for Processing

Under the PDPO, we process personal data on the following bases:

• Consent: When you submit our contact form, you consent to us using your data to respond to your enquiry.
• Legitimate interest: We analyse site usage data to improve our website and service offering.
• Contractual necessity: Where a formal engagement agreement exists, data is processed as necessary to fulfil that contract.

5. Data Retention

We retain personal data only as long as necessary for the purpose it was collected:

• Enquiry data with no resulting engagement: retained for up to 12 months, then deleted.
• Client contact data related to completed engagements: retained for up to 3 years for record-keeping, then securely destroyed.
• Analytics data: retained in aggregated, non-identifiable form only.

6. Data Protection Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include:

• TLS/SSL encryption for all data transmitted via our website
• Access controls limiting who within our team can view personal data
• Secure storage and handling practices for client-related records

In the event of a data breach that poses a risk to individuals, we will act promptly and in accordance with PDPO guidance.

7. Cookies

We use cookies to understand how visitors use our website and to maintain preferences. For a full explanation of the cookies we use and how to manage them, please see our Cookie Policy.

8. Third-Party Services

Our website may use third-party analytics tools (such as Google Analytics) that collect aggregated usage data. These services have their own privacy policies. We do not permit these third parties to use your data for their own marketing purposes.

Our website may contain links to external sites. We are not responsible for the privacy practices of those sites.

9. Your Rights

Under the PDPO, you have the following rights in respect of personal data we hold about you:

• Right of access: You may request a copy of the personal data we hold about you.
• Right of correction: You may request that inaccurate data be corrected.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
• Right to erasure: You may request deletion of personal data in certain circumstances.

To exercise any of these rights, contact us at [email protected]. We will respond within 40 days in accordance with PDPO requirements. Complaints may be referred to the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk.

10. Children's Privacy

Our services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have collected such data, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The most current version will always be available on this page, with the "Last Updated" date revised accordingly. Continued use of our website following an update constitutes acceptance of the revised policy.

12. Contact

For any privacy-related questions or to exercise your rights:

• Email: [email protected]
• Address: Unit 06, 31st Floor, Empire Square, 177 Johnston Road, Wan Chai, Hong Kong