Privacy Policy


Last updated: 11 May 2026. This is a draft pending HK counsel review.

Kongmerce Limited (“Kongmerce,” “we,” “us”) operates the marketing site at kongmerce.com and the merchant commerce platform at app.kongmerce.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. It applies only to information collected through our own surfaces — merchant storefronts hosted at *.kongmerce.com are operated by their respective merchants and have their own privacy policies.

1. Information we collect

From the marketing site (kongmerce.com). If you submit the waitlist form, we collect your name, email address, business name, current sales channels, and approximate product count. If you opt in to marketing communications on the waitlist form, we also record the date and time of that opt-in. If you contact us by email, we receive whatever information you choose to send.

From the merchant platform (app.kongmerce.com). When a merchant signs up, we collect their store name, email address, and a password hash (never the plaintext password). When merchants use the platform, we process catalog data, order data, and limited customer information that they configure. Network metadata (IP address, user agent, request timestamps) is logged for security and operational purposes. Security-sensitive admin actions are recorded in an internal audit log (login, payment-settings changes, refunds, product archival, tenant-status changes). Application error logs and aggregated usage analytics are collected to keep the service running. Where applicable in the future, we will collect billing-related data (e.g. invoice metadata, tax identifiers) for paid plans.

Cookies. We use a small number of strictly necessary cookies for authentication and session management. We do not use third-party advertising or cross-site tracking cookies on our own surfaces.

2. How we use your information

  • To respond to waitlist submissions and to invite you to the founding-merchant programme.
  • To operate the merchant platform, including authentication, account administration and billing (where applicable), customer support, and product updates.
  • To monitor service security, detect abuse, and comply with our legal obligations under Hong Kong law.
  • To send transactional emails (e.g., account verification, order receipts on merchant storefronts) via our email infrastructure provider.
  • To send marketing communications only where you have explicitly opted in at the point of collection (per PDPO Part VIA). You can withdraw that opt-in at any time — see §6.

We do not sell your personal information. We do not share waitlist or merchant information with third-party advertisers.

3. AI processing

Kongmerce uses AI features to help merchants draft product copy and translations. We design these features so they do not require personal identifiers (names, email addresses, phone numbers, addresses), and we apply automated filtering and product controls intended to prevent personal identifiers from being sent to our AI providers. Merchants must not include customer personal data in AI prompts, product descriptions, or any other content submitted to AI features.

Merchant-supplied product copy and AI prompts are processed by selected AI providers under contracts that, where available, prohibit training on merchant data. We review vendor terms periodically; current vendors and their terms can be requested at [email protected].

4. Service providers

We rely on a small number of vendors to operate the platform. The categories of services we use include:

  • DNS, content delivery, and edge hosting (global edge with Hong Kong points of presence).
  • Application hosting (Asia-Pacific region).
  • Managed PostgreSQL database (Asia-Pacific region).
  • Transactional email delivery (Asia-Pacific region).
  • Object storage for merchant-uploaded product images and platform backups (Asia-Pacific region).
  • Managed Redis for background job queueing (Asia-Pacific region).
  • AI inference providers for the merchant-content workflows described in §3.

A current, dated list of the specific vendors and sub-processors used for each category is available at [email protected] on request, and will be published at a dedicated URL ahead of public commercial launch. Material changes to the list will be announced to active merchants at least 30 days in advance.

Each vendor is engaged under a data-processing agreement (or equivalent vendor terms) that limits use to what is necessary to provide service to Kongmerce and prohibits independent commercial use of our data.

5. Data retention

We keep waitlist submissions until you ask us to remove them or until 18 months pass with no engagement. Merchant account data is retained for the life of the account plus a 30-day grace period after closure, after which deleted records are purged from primary systems. Backups age out on the schedule documented in our internal backup runbook — typically daily per-tenant dumps for ~90 days, weekly full dumps for ~12 weeks, with monthly snapshots retained longer where required for incident review or legal hold. Specific retention windows may evolve in line with our backup lifecycle and cost posture; any material shortening or extension affecting your data will be announced under §10.

6. Your rights (Hong Kong PDPO)

Under the Personal Data (Privacy) Ordinance (Cap. 486), you have the right to:

  • Ask whether we hold personal data about you.
  • Request a copy of that data.
  • Request correction of inaccurate data, and request deletion or cessation of retention where we no longer need the data for the purpose for which it was collected or another lawful purpose.
  • Withdraw consent for marketing communications at any time. To opt out of marketing, click the unsubscribe link in any marketing email we send you, or email us at the address below.

To exercise any of these rights, email [email protected]. We will respond within 40 days as required by the PDPO.

7. International transfers

Our infrastructure is currently located in Hong Kong (edge), Singapore (application hosting + database), Tokyo (transactional email), and globally for edge content delivery. Merchant and customer personal data principally resides in Singapore (database) and is replicated for backup within the Asia-Pacific region. We do not currently transfer personal data to mainland China. If our data residency posture changes (for example, to support a merchant requirement that requires mainland-China processing), we will update this policy and notify affected merchants in accordance with §10 before the change takes effect.

Where data is transferred to service providers outside Hong Kong, we do so only under contractual and technical safeguards (data-processing agreements, encrypted transit, regional residency commitments). We remain accountable for vendor handling of personal data we route through them.

8. Security

We use industry-standard practices: TLS for all data in transit, encrypted-at-rest storage for the database and object store, and principle-of-least-privilege role separation in our database (row-level security enforces tenant isolation). Passwords are stored as bcrypt hashes. Security-sensitive operations (login, refund, payment-settings change, product archival, tenant-status changes) are recorded in an internal audit log; technical and application-level controls are designed to make these records tamper-resistant in normal operation.

No system is perfect. If we discover a personal data breach affecting you, we will notify affected individuals and, where required by law, the relevant regulators as soon as reasonably practicable and in accordance with applicable law. PDPO does not currently impose a statutory notification deadline; we will not unduly delay notification to manage operational matters.

9. Children

Kongmerce’s merchant platform is not directed to children — merchants must be at least 18 to operate a store under our Terms. The marketing site and merchant storefronts may be visited by younger users. We do not knowingly collect personal data from children under 16 through our own surfaces. The applicable age threshold may vary by jurisdiction; the 16-year threshold above reflects our current default posture and is subject to counsel review for the jurisdictions where merchants and shoppers operate. If you believe a child has provided us personal data, please contact [email protected] and we will delete it.

10. Changes to this policy

We may update this policy as our service and the law evolve. Material changes will be announced via email to active merchants at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact

Questions about this Privacy Policy can be sent to:

Kongmerce Limited
Hong Kong
[email protected]

This is a working draft. A final, HK-counsel-reviewed version will replace this page ahead of the platform’s public commercial launch. Until then, the substance above accurately describes our intended practices, but specific clauses may change in form.
