Cardex

Privacy Policy (Hong Kong)

Last updated: February 15, 2026

Applicable Region: Hong Kong SAR

Effective Date: 13 February 2026
Version: MVP v1.0
Data User: Cardexfy Limited
Contact Email (Privacy/Data Requests): cardex.hk@gmail.com (temporary for MVP)

1. Overview

1.1 This Policy explains how the Platform collects, uses, retains, discloses, and protects information you provide or generate while using the Platform.

1.2 This Policy is prepared with reference to the principles of the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (the "PDPO").

2. Information We Collect

2.1 We may collect information including, without limitation:

  • (a) Account data: email, phone number, display name/username, full name (if provided), and your entered Trading Location (transaction location/region);
  • (b) Content data: listing content (text, images), message content, report submissions, and interaction data;
  • (c) Technical data: IP address, device information, browser information, access time, page interaction events, and error logs;
  • (d) Analytics data: usage data collected via Google Analytics or similar tools (e.g., page views, clicks, dwell time, traffic sources);
  • (e) Login and identity data: records of email/password login; and basic sign-in identifiers from Google SSO (if enabled in the future) such as a unique identifier and email address, subject to on-page notices at the time of enablement;
  • (f) any other information you voluntarily provide or that reasonably arises from your use of the services.

2.2 Real-time location (MVP): Your browser may prompt for access to real-time location. At MVP stage, the Platform will not store real-time location in the database. Your Trading Location is based on your manual input.

3. How We Use Your Information

We use information for purposes including, without limitation:

  • (a) account creation and management, and identity checks (e.g., email verification);
  • (b) providing and maintaining Platform functions (listing, search, messaging, reporting, etc.);
  • (c) Platform operations (customer support, internal administration, risk control, review, statistics, research, and product improvement);
  • (d) Platform security (detecting abuse, fraud, violations, and maintaining system integrity);
  • (e) handling disputes, investigating reports, and complying with law/regulatory requests;
  • (f) analytics in an anonymized or aggregated manner (e.g., via Google Analytics) to improve user experience;
  • (g) where you consent or do not object (if applicable), sending Platform updates, promotions, or marketing information (you can opt out at any time).

4. Do We Share Your Information?

4.1 We do not "sell" your personal data to third parties.

4.2 We may disclose information, under a reasonable need and data minimization principle, to:

  • (a) infrastructure and service providers, such as Vercel, Cloudflare, Supabase, and (if enabled) payment service providers;
  • (b) analytics providers such as Google Analytics;
  • (c) law enforcement/regulators where required by law or to prevent crime, fraud, harm to others, or threats to Platform security;
  • (d) parties involved in corporate restructuring, financing, mergers and acquisitions, or asset transfers, on a confidential and lawful basis and to the extent necessary.

5. Data Storage Location and Cross-Border Transfers

5.1 Your data may be stored on servers located outside Hong Kong (e.g., in regions where cloud providers operate).

5.2 We will take reasonable measures to ensure cross-border processing meets applicable legal requirements and appropriate protection standards.

6. Security Measures

6.1 We adopt reasonable technical and organizational measures to protect data (e.g., access controls, encrypted transmission, permission management, audit logs).

6.2 For additional details on security and incident response provided by cloud providers (e.g., Supabase), you may refer to their official documentation/security policies (the Platform may provide links or guidance pages where needed).

6.3 No method of internet transmission or electronic storage is 100% secure. To the maximum extent permitted by law, the Platform makes no guarantee against losses caused by force majeure or third-party attacks.

7. Retention

7.1 At MVP stage, the Platform may retain your information during the life of your account (including messages, listings, operational logs, and audit logs) to maintain Platform security and handle disputes.

7.2 After account termination, the Platform may retain necessary information for a limited period as required by law, regulatory needs, or reasonable operational needs, and will apply appropriate protections where feasible.

8. Your Rights and Request Mechanism

8.1 General Users may request access and correction of their personal data.

8.2 Shop Managers may make reasonable requests regarding data involved in their Shop operations (e.g., Shop public information and listing data).

8.3 Important statement: The Platform will process requests within a reasonable and practicable scope, but does not guarantee processing timeframes or that all requests will be granted. The Platform may, where permitted by law, refuse unreasonable, repetitive, excessive, or unverifiable requests.

9. Disclaimer and Reservation of Legal Rights

9.1 To the maximum extent permitted by law, the Platform is not responsible for preservation risks of any data/digital records (including, without limitation, data loss, delay, errors, or failure to recover).

9.2 If any User, Shop, or organization steals, damages, or otherwise infringes the rights or interests of the Company/Platform/related personnel (including reputation, operations, commercial interests, or data security), the Company reserves the right to recover all losses and take legal action.

9.3 Defamation, disparagement, false statements, or malicious allegations are strictly prohibited. The Company may take enforcement actions such as bans, takedowns, and legal proceedings.