Privacy Policy

1. Introduction

Common Analytics Limited (trading as "SMAQ"), a company incorporated in Hong Kong (the "Data User", "we," "us," or "our"), is committed to protecting your privacy and complying with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong ("PDPO"). This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you access or use our services (the "Service").

By accessing or using the Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal data as described in this Privacy Policy and our Terms of Service.

2. Information We Collect

A. Personal Data

We collect personal data that identifies you as an individual or relates to an identifiable individual. Providing this data is voluntary; however, if you choose not to provide certain data, we may not be able to provide you with access to the Service or certain features. The personal data we collect includes:

• Identity Data: First name, last name, username, or similar identifier.
• Contact Data: Email address, telephone number, and billing address.
• Credential Data: Passwords, password hints, and similar security information used for authentication and account access.
• Payment Data: Payment card details and billing information processed through our third-party payment processor.

B. Usage & Technical Data

We automatically collect certain information when you visit, use, or navigate the Service. This information does not directly reveal your identity but may include:

• Log and Usage Data: Service-related, diagnostic, usage, and performance information our servers automatically collect (e.g., IP address, browser type, date/time stamps, pages visited, referring URL).
• Device Data: Information about your computer, phone, tablet, or other device you use to access the Service (e.g., operating system, device type, screen resolution).

C. Cookies and Tracking Technologies

We use the following cookies and similar tracking technologies:

You can manage your cookie preferences using the cookie banner that appears when you first visit our site, or by adjusting your browser settings. Disabling non-essential cookies will not affect core Service functionality.

3. Purpose of Collection and How We Use Your Data

In accordance with Data Protection Principle 1 of the PDPO, we collect and use your personal data for the following purposes:

• Providing, operating, and maintaining the Service, including processing your transactions and managing your account.
• Improving, personalizing, and developing new features and functionality of the Service.
• Understanding and analyzing how you use our Service to enhance user experience.
• Communicating with you regarding customer service, technical support, updates, and administrative notices.
• Detecting, preventing, and addressing fraud, security issues, and technical problems.
• Complying with legal obligations and enforcing our terms and policies.

We will not use your personal data for any purpose other than those stated above or a directly related purpose, unless we have obtained your prescribed consent.

4. Direct Marketing

In accordance with Part VIA of the PDPO, we may use your name and email address to send you marketing communications about our products, services, promotions, and industry insights, but only with your explicit opt-in consent.

We will not provide your personal data to third parties for their direct marketing purposes.

You may withdraw your consent to receive direct marketing at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us at privacy@smaq.io. We will cease sending marketing communications without charge within 10 business days of receiving your request.

6. Disclosure and Transfer of Your Data

We may share your personal data with the following classes of persons, each of whom may use your data only for the purposes described:

• Cloud Infrastructure Providers: We use cloud hosting services (e.g., Amazon Web Services, Google Cloud) to store and process data. These providers act as data processors on our behalf.
• Payment Processors: Payment information is processed by our third-party payment provider (e.g., Stripe) to handle billing and transactions.
• Analytics Providers: Google Analytics and Microsoft Clarity process usage data to help us understand how the Service is used.
• Communication Services: Email delivery and customer support platforms that help us communicate with you.
• Professional Advisors: Our lawyers, auditors, and insurers where necessary for the provision of professional services.
• Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business.
• Law Enforcement and Regulators: Where required by law, regulation, or court order, or in response to valid requests by public authorities in Hong Kong or other jurisdictions.

7. Cross-Border Data Transfers

Our Service may involve the transfer of your personal data to servers and service providers located outside of Hong Kong, including in the United States and the European Economic Area. Where such transfers occur, we take reasonable steps to ensure that your personal data receives a standard of protection comparable to that under the PDPO, including:

• Using service providers that maintain appropriate data protection certifications or standards.
• Entering into contractual arrangements that require our service providers to protect your personal data.
• Implementing technical security measures such as encryption in transit and at rest.

8. Data Security & Retention

We implement administrative, technical, and physical security measures to help protect your personal data, including encryption (TLS/SSL), access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure.

In accordance with Data Protection Principle 2 of the PDPO, we retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account Data: Retained for the duration of your account and up to 12 months after account deletion.
• Transaction and Billing Data: Retained for 7 years to comply with Hong Kong tax and accounting obligations.
• Usage and Analytics Data: Retained for up to 26 months, after which it is anonymized or deleted.
• Marketing Consent Records: Retained for as long as you are subscribed plus 3 years after withdrawal of consent.
• Aggregated Benchmark Data: Retained indefinitely in fully anonymized form (not personal data).

When personal data is no longer required, it will be securely deleted or anonymized.

9. Your Rights Under the PDPO

Under the Personal Data (Privacy) Ordinance, you have the following rights:

A. Right of Access (Section 18, PDPO)

You have the right to request access to the personal data we hold about you by submitting a Data Access Request (DAR). We will respond to your request within 40 calendar days of receiving it. We may charge a reasonable fee to cover the cost of complying with your request.

B. Right of Correction (Section 22, PDPO)

You have the right to request correction of any personal data we hold about you that is inaccurate by submitting a Data Correction Request (DCR). We will respond to your request within 40 calendar days of receiving it.

C. How to Submit a Request

To submit a Data Access Request or Data Correction Request, please contact us at:

• Email: privacy@smaq.io
• Post: Data Protection Officer, Common Analytics Limited, Unit 539, 5/F, Building 19W, No. 19 Science Park West Avenue, Hong Kong Science Park, Pak Shek Kok, N.T., Hong Kong

We may request proof of identity before processing your request to protect your privacy.

10. Children's Privacy

Our Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us at privacy@smaq.io and we will take steps to delete such data.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we will also notify you by email. You are advised to review this Privacy Policy periodically.