Privacy Policy
Effective Date: 20/12/2025
Version: 1.1
Operator: ThinkThinkSyn Limited (先循有限公司)
📌 PRIVACY COMMITMENT
This Privacy Policy is formulated in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") of Hong Kong. We are committed to protecting your privacy and handling your personal data in an open and transparent manner.
1. Data Collection & Categories
We collect "Personal Data" through your interactions with our AI engines and web interface. In accordance with Data Protection Principle (DPP) 1 of the PDPO, we collect only data that is necessary for our lawful purposes.
📋 Identity & Account Data
- Full name and preferred alias
- Gender and date of birth
- Account credentials and profile settings
1.2 Children's Data Collection
⚠️ PARENTAL RESPONSIBILITY NOTICE
Under the PDPO, users who cannot understand this policy must have consent from a "Relevant Person" (parent/guardian). Schools using KongPaper represent that they have obtained all necessary parental consents. We reserve the right to delete any account if we believe consent has not been properly obtained.
2. How We Use Your Information
In accordance with DPP 3 of the PDPO, we use personal data only for the purposes for which it was collected or for directly related purposes. Your data is used for:
2.1 Primary Purposes
- Product Development & AI Training: We use de-identified, aggregated, or anonymized data to train, improve, and develop our AI models, algorithms, and commercial offerings. You grant us a perpetual right to use such non-personally identifiable data for any business purpose.
- Business Analytics: Monitoring usage patterns to assess the commercial viability of features and optimize our marketing spend.
- Automated Assessment: Generating real-time feedback, "weakness reports," and personalized study recommendations for students based on performance patterns.
- Service Provision: Creating and managing your account, delivering exam papers, facilitating quiz functionality, and storing your progress data.
- Administrative Communication: Notifying users of platform downtime, security patches, policy changes, billing updates, and account-related matters.
- Customer Support: Responding to inquiries, troubleshooting technical issues, and providing educational guidance.
- Security & Fraud Prevention: Detecting, preventing, and addressing technical issues, fraudulent activities, unauthorized access attempts, and policy violations.
2.2 Direct Marketing (Opt-In Required)
Subject to your explicit opt-in consent, we may send newsletters, promotional offers, and updates regarding new educational features. You have the right to:
- Opt-out at any time via the "Unsubscribe" link in marketing emails;
- Manage communication preferences in your Account Settings;
- Request complete cessation of marketing communications at [email protected].
3. Data Disclosure & Third-Party Transfers
🔒 NO SALE OF PERSONAL DATA
We do not sell your personal information to third parties. We only share data with trusted partners bound by strict confidentiality obligations.
3.1 Sub-Processors
We share data with reputable third-party sub-processors to provide the Service, including:
- Payment Gateways: Regulated providers for secure transaction processing.
- Operational Tools: Service providers for customer support, email delivery, and security monitoring.
3.2 Educational Institutions
We share student exam data, performance analytics, and progress reports with:
- The student's enrolled school (if registered via institutional account);
- Designated educators and teachers (with appropriate authorization);
- School administrators managing bulk licenses.
3.3 Legal and Regulatory Disclosure
We may disclose your information if required by law or in response to valid legal requests from:
- Hong Kong Police Force (HKPF) - Cyber Security and Technology Crime Bureau (CSTCB)
- Education Bureau (EDB) of Hong Kong
- Courts, tribunals, or government agencies with lawful jurisdiction
- Legal compliance with court orders, subpoenas, or statutory obligations
3.4 Cross-Border Data Transfers
Some data may be stored on servers outside Hong Kong (e.g., AWS Singapore, Azure East Asia). When transferring data internationally, we ensure:
- The recipient jurisdiction provides a level of protection at least equivalent to the PDPO;
- Contractual safeguards (Standard Contractual Clauses) are in place;
- Data Processing Agreements comply with PDPO Section 33 requirements.
4. Data Security & Retention
4.1 Security Measures
We implement a multi-layered security stack to protect your personal data from unauthorized access, alteration, disclosure, or destruction:
🔐 Encryption
- TLS 1.3 for data in transit
- AES-256 encryption for data at rest
- Encrypted database backups
🛡️ Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Principle of least privilege
🔍 Monitoring
- 24/7 security monitoring
- Automated intrusion detection
- Regular security audits
🧪 Testing
- Annual penetration testing
- Vulnerability assessments
- Security patch management
⚠️ Security Limitation Disclosure
Please be aware that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
4.2 Data Retention Policy
We retain personal data in accordance with legal requirements and business needs:
- Retention Period: We retain personal data for as long as your account is active or as needed to provide Services. Upon termination, we may retain data for up to 7 years to comply with HKSAR tax laws and for legal defense purposes.
- De-identified Data: Data that has been de-identified or aggregated such that it no longer identifies you may be retained indefinitely at our sole discretion.
- Active Accounts: Data retained for the lifetime of the account plus 7 years after termination (for tax and legal compliance purposes)
- Inactive Accounts: Accounts with no login activity for 24 consecutive months will be flagged for anonymization
- School/Institutional Data: Retained per the school's contract terms and written instructions
- Anonymized Data: May be retained indefinitely for research and AI model improvement
4.3 Data Deletion Requests
Upon account deletion or at your request, we will delete or anonymize your personal data within 30 days, except where retention is required by:
- Hong Kong Inland Revenue Ordinance (7-year business record retention)
- Pending legal proceedings or investigations
- Contractual obligations with educational institutions
5. Your Privacy Rights (PDPO Data Access Rights)
Pursuant to Section 28 of the PDPO, KongPaper reserves the right to charge a reasonable fee for the processing of any data access request. Requests must be made in writing via email. We may refuse requests that are frivolous, vexatious, or involve disproportionate technical effort.
Under the PDPO, you have the following rights regarding your personal data:
🔍 Right of Access
You may submit a formal request to verify whether we hold your personal data and receive a copy. As permitted by HK law, we reserve the right to charge a reasonable fee for processing any data access request. We will respond within 40 days of receiving a valid, written request and the associated fee.
✏️ Right of Correction
You have the right to request the correction of any inaccurate personal data held by us. Such requests must be made in writing. We will process your request within 40 days, subject to verification of the inaccuracy.
🚫 Opt-out of Direct Marketing
You may at any time request that we cease using your personal data for direct marketing purposes. We will update our records to ensure you are removed from marketing lists at no cost to you.
5.1 How to Exercise Your Rights
To exercise any of these rights, please:
- Email [email protected] with the subject line: "Data Subject Access Request - [Your Name]"
- Provide proof of identity (e.g., sending from your registered account email)
- Specify the right you wish to exercise and provide relevant details
5.2 Student Data Requests
For data of students enrolled through schools, such requests must typically be made by:
- The school administrator (for institutional accounts)
- A parent or legal guardian (for users under 18)
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Service and store certain information.
6.1 Types of Cookies We Use
- Essential Cookies: Necessary for the Service to function (e.g., session management, authentication)
- Functional Cookies: Remember your preferences (e.g., language, theme)
- Analytics Cookies: Help us understand how users interact with the Service (Google Analytics)
- Marketing Cookies: Track visits across websites for targeted advertising (requires consent)
6.2 Managing Cookies
You can manage cookie preferences through:
- Your browser settings (blocking or deleting cookies)
- Opting out of Google Analytics: Google Analytics Opt-out
7. Teacher & School Addendum (Institutional Accounts)
This section applies to educational institutions with School License Agreements and overrides general terms where conflicts exist.
7.1 Data User vs. Data Processor
Under institutional agreements:
- The School acts as the "Data User" - determining the purpose and manner of data collection
- KongPaper acts as the "Data Processor" - processing student data only based on the School's documented instructions
7.2 Teacher Dashboard & Monitoring
Teachers with "Super-User" status can:
- Monitor student progress, scores, and engagement metrics
- Access individual student performance reports
- Generate and distribute AI-generated assessments
Teacher Responsibilities:
- Maintain confidentiality of login credentials
- Review AI-generated content before distributing as official assessments
- Use the Platform as a supplementary tool, not a replacement for pedagogical oversight
7.3 Student Record Privacy
We assist schools in complying with parental inspection requests for children's digital educational records within 15 business days.
7.4 Data Export & Portability
Upon contract termination, schools have a 30-day window to export all student performance data in CSV/PDF format. After this period, all student-identifiable data will be purged from our active databases.
7.5 School Liability & Indemnity
Schools and educators using institutional accounts assume the role of Data User. The School is solely responsible for ensuring that its use of KongPaper complies with Education Bureau (EDB) guidelines and the PDPO. The School agrees to fully indemnify ThinkThinkSyn Limited against any claims, losses, or regulatory fines resulting from the School's failure to obtain valid parental consent.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page with an updated "Last Updated" date
- Sending email notification to registered users (for significant changes)
- Displaying an in-platform banner for 14 days after changes
We recommend reviewing this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the revised policy.
9. Contact Information & Complaints
9.1 Privacy Inquiries
For privacy-related questions, data access requests, or concerns:
General or Data Protection Inquiries: [email protected]
Website: https://kongpaper.com
📋 PRIVACY POLICY ACKNOWLEDGMENT
By using KongPaper, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.
Last Updated: 20/12/2025