PDPO Compliance Statement
Last updated: 8 May 2026
Infinity Intelligence Tech Limited (hereinafter "the Company") is committed to full compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (hereinafter "PDPO") in the design, development and operation of the BizMind platform. This statement explains how we implement the six Data Protection Principles of the PDPO.
Data Protection Principle 1: Purpose and Manner of Collection
We collect personal data solely for providing and improving the BizMind service, in a lawful and fair manner:
- A Personal Information Collection Statement (PIC Statement) is provided before collection to inform data subjects of the purpose
- Only minimal data directly related to the service is collected (data minimization principle)
- Data is not collected by deceptive or misleading means
- Users can view the categories of data we collect in their account settings
Data Protection Principle 2: Accuracy and Retention
- We take reasonable steps to ensure personal data held is accurate
- Users may correct their account information at any time
- Personal data is not retained longer than necessary to fulfill the collection purpose
- Account data is deleted within 30 days and knowledge base content within 7 days after account termination
- Data retention policies are regularly reviewed for compliance
Data Protection Principle 3: Use of Data
Personal data is used only for the purpose stated at collection or a directly related purpose:
- User data will not be used for any purpose the user has not consented to
- Data will not be sold to third parties
- AI model training does not use users' personal data or knowledge base content
- Prior consent is obtained before any change in the purpose of use
Data Protection Principle 4: Data Security
We implement multi-layered security measures to protect personal data from unauthorized access, processing, deletion, loss or use:
- Transit Encryption: All data transfers use TLS 1.3 encryption
- At-Rest Encryption: Stored data uses AES-256 encryption
- Access Control: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA)
- Multi-Tenant Isolation: Row-Level Security (RLS) ensures complete data isolation between enterprises
- Data Residency: All customer data stored in AWS Hong Kong Region (ap-east-1)
- Audit Logs: All data access is fully traceable with complete records
- Regular Assessment: Regular security vulnerability assessments and penetration testing
Data Protection Principle 5: Openness
We handle personal data in an open and transparent manner:
- This statement and our Privacy Policy publicly outline all data processing practices
- They clearly state the types of personal data held
- They explain the primary purposes of data use
- They provide contact information for data access and correction requests
- Users are proactively notified of any significant policy amendments
Data Protection Principle 6: Access and Correction
Data subjects have the right to access and correct their personal data:
- Right of Access: You have the right to request access to personal data we hold about you
- Right to Correction: You have the right to request correction of inaccurate personal data
- Response Time: We will respond within 40 days of receiving a written request
- Fees: We may charge a reasonable fee to cover administrative costs of access requests
- How to Apply: Please send an email to [email protected]
Special Statement on AI Data Processing
Given the AI-driven nature of BizMind, we make the following special declarations regarding AI data processing:
- Query Processing: When user queries are processed by third-party AI models (DeepSeek), they do not contain personally identifiable information
- Knowledge Base Isolation: Each customer's knowledge base is completely independent; AI responses are based solely on that customer's own knowledge base content
- No Model Training: Users' queries and knowledge base data are not used to train any AI models
- Data in HK: Knowledge base data is stored in Hong Kong; queries are fully encrypted during transmission
- Explainability: AI responses cite source documents, allowing users to trace the basis of answers
Cross-Border Data Transfer
Our processing principles:
- Customer knowledge base data and account information are stored exclusively in the AWS Hong Kong Region
- AI query processing may involve sending anonymized queries to AI model providers, but does not include personal data
- If cross-border transfer is required in the future for service needs, we will notify users and obtain consent in advance
- All third-party service providers have signed Data Processing Agreements (DPAs) ensuring equivalent protection standards
Data Breach Response
In the event of a data breach, we will:
- Notify affected data subjects within 72 hours of discovery
- Report to the Privacy Commissioner for Personal Data
- Take immediate remedial measures to prevent further damage
- Provide post-incident analysis reports and improvement measures
Complaints and Inquiries
If you believe our data processing does not comply with the PDPO requirements, or have any questions about this statement:
- Data Protection Officer email: [email protected]
- We will provide a written response within 40 days of receiving a complaint
If you are not satisfied with our handling, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong:
- Website: www.pcpd.org.hk
- Phone: (852) 2827 2827
- Address: 12/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong