PRIVACY POLICY

Last updated on 1 March 2025

This Data Protection Policy (this “Policy”) sets out the basis upon which Grossfit Limited and business units (“we”, “us” or “our”) may collect, use, disclose or otherwise process personal data of customer, e.g. tenant, licensee, etc. or enquirer (“you” or “your”) in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO“). This Policy applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.

 

APPLICATION OF THIS POLICY

  1. ThisPolicy applies to all individuals making inquiries and individuals engaged in a leasing or licensing contract or agreement (an “Agreement“) with us.

 

PERSONAL DATA

  1. In this Policy, “personal data” refers to information, whether true or not, about a customer or enquirer who can be identified: (a) from that data or (b) from that data and other accessible information.
  2. For a customer, personal data we may collect in the context of an Agreement includes, but is not limited to:
    • full name or alias, gender;
    • mailing address, mobile numbers, email address and other contact details;
    • any additional information voluntarily provided by you.
  1. For anenquirer, personal data we may collect in the context of an Agreement includes, but not limited to:
    • full name or alias, gender;
    • mailing address, mobile numbers, email address and other contact details; and
    • any additional information voluntarily provided by you.

 

COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

  1. We collect personal data that (a) you knowingly and voluntarily provide in the course of or in connection with your Agreement with us, or via a third party who has been duly authorized by you to disclose your personal data to us (your “authorisedrepresentative”), after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes; or (b) collection and use of personal data without consent is permitted or required by the PDPO or other applicable laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).
  2. As a customer, your personal data will be collected, used and disclosed for purposes including but not limited to:
    • performing obligations under or in connection with your Agreement with us;
    • handling financial and administrative matters relating to your Agreement with us;
    • managing and terminating your Agreement with us;
    • providing services to you;
    • verifying your identity;
    • ensuring security and safety at our premises;
    • complying with any applicable laws, regulations, codes of practice, guidelines, and/or rules, or to assist in law enforcement and/or investigations conducted by any governmental and/or regulatory authority; and
    • any other incidental business purposes related to or in connection with any of the above.
  1. Asan enquirer, your personal data will be collected, used and disclosed for purposes including but not limited to:
    • administrating and addressing your request (e.g. enquires, complaint, etc.);
    • verifying your identity;
    • complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and/or investigations conducted by any governmental and/or regulatory authority; and
    • any other incidental business purposes related to or in connection with any of the above. 
  1. The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rightsunder any contract with you).
  2. As a customer or enquirer, if you provide another individual’s personal data other than your own personal data to us, you must obtain consent from that individual before disclosure to us.

 

IDENTITY CARD NUMBER

  1. We may also collect your identity card number (or any other identification document number) and process this as required under applicable law or regulation, as required by any regulator having authority over us and, subject to the PDPO, for the purpose of identifying you where it is reasonable for your identity card number to be used for this purpose.

 

TERMINATION OR CANCELLATION

  1. Should your relationship with us be cancelled or terminated at any time, we shall cease processing your personal data as soon as reasonably practicable following such cancellation or termination, provided that we may keep copies of your data as is reasonably required for archival purposes, for use in relation to any actual or potential dispute, for the purpose of compliance with applicable laws and regulations and for the purpose of enforcing any agreement we have with you, for protecting our rights, property or safety, or the rights, property or safety of our employees, and for performing or discharging our functions, obligations and responsibilities.

 

WITHDRAWAL OF CONSENT

  1. The consent that you provide for the collection, use and disclosure of your personal data will remains valid until you withdraw it in writing via email. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing via email to us at the contact details provided.
  2. Upon receipt of your written request to withdraw your consent, we may require a reasonable amount of time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process and to take effect your request within 40 days after receiving the request. However, if we are unable to complete your request within the timeline, we will inform you within 40 days from receiving your request.
  3. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and extent of your request, we may not be in a position to process your request. We shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing via email.
  4. Please note that withdrawing consent does not affect our right to continue to collect, use, and disclose personal data where such collection, use, and disclosure without consent is permitted or required under all applicable laws.

 

ACCESS OF PERSONAL DATA

  1. If you wish to make an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use and/or disclose your personal data, you may submit your request in writing via email to us at the contact details provided below.
  2. We will respond to your access request as soon as reasonably possible. Should we not be able to respond to your access request within 40 days after receiving your access request, we will inform you in writing via email of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data requested by you, we shall generally inform you of the reasons(s) why we are unable to do so (except where we are not required to do so under the PDPO).
  3. Please note that depending on the request that is being made, we will only need to provide you with access to the personal data contained in the documents requested, and not to the entire documents themselves. In those cases, it may be appropriate for us to simply provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.
  4. We shallrefuse to comply with a data access request under the following circumstances, as outlined by the PDPO:-
    • the requestor fails to provide sufficient proof of identity (e.g., a Hong Kong Identity Card) or fails to provide information reasonably required to ascertain their identity (see section 20(1)(a) of the PDPO); or
    • if the personal data sought under the data access request comprise personal data of another individual and the party concerned cannot comply with the request without disclosing the personal data of that other individual. On the other hand, if the party concerned is satisfied that the other individual has consented to the disclosure, it should comply with the request. In addition, if the party concerned can comply with the request without disclosing the identity of other individual, for example by omitting the names or other identifying particulars, it should do so.

 

  1. We mayrefuse to comply with a data access request under the following circumstances:-
    • the request is not made in Chinese or English (see section 20(3)(a) of PDPO);
    • the request does not contain sufficient details to enable us to locate the requested data (see section 20(3)(b) of the PDPO);
    • the request follows two or more similar requests (see section 20(3)(c) of the PDPO);
    • another party controls the use of the personal data in a way that prohibits the party receiving the request from complying with it (see section 20(3)(d) of the PDPO);
    • the request is not made in the Privacy Commissioner for Personal Data’s specified form (i.e. Form OPS003) pursuant to section 67 of the PDPO (see section 20(3)(e) of the PDPO), which may be found via this link: https://www.pcpd.org.hk/english/publications/files/Dforme.pdf;
    • we are entitled under the PDPO or any other ordinance not to comply with the request (see section 20(3)(ea) of the PDPO);
    • there is an applicable exemption under Part 8 of the PDPO from the requirement to comply with an access request provided for in the PDPO, e.g. if the personal data are held for the purpose of the detection of crime and compliance with the request would be likely to prejudice that purpose, the party concerned may refuse to comply (see section 20(3)(f) of the PDPO); or
    • any other circumstances as specified in section 20 of the PDPO.

 

ACCURACY OF PERSONAL DATA

  1. We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changesto your personal data by informing us in writing via email at the contact details provided below.

 

CORRECTION OF PERSONAL DATA

  1. If you wish to make a correction request to correct or update any of your personal data which we hold, you may submit your request via email to us at the contact details provided
  2. We will respond to your correction request as soon as reasonably possible. Should we not be able to correct the correction request within 40 days after receiving your request, we will inform you in writing via email on the time by which we will be able to correct your correction request. If we are unableto make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPO).

 

REQUEST

  1. Requests for access and correction of personal data or for information regarding policies and practices and kinds of data held by us should be addressed in writing and sent by email to us (see the “Contact Us” section below). A reasonable fee may be charged to offset our administrative and actual costs incurred in complying with your data access requests.

 

PROTECTION OF PERSONAL DATA

  1. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as up-to-date antivirus and firewall protection, encryption and the use of privacy filters to secure all storage and transmission of personal data by us, and disclosing personal data both internally and to our authorised third party service providers and agents only on a need-to-know basis.
  2. You should be aware, however, that no method of transmission over the internet or methods of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security
  3. We will notify you within 48 hours upon identifying a data breach incident that occurs which has compromised your personal data.

 

RETENTION OF PERSONAL DATA

  1. We may retain your personal data for as long as it is necessary to fulfil the purposes for which they were collected, or as required or permitted by all applicable laws.
  2. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data were collected, and are no longer necessary for legal or business purposes.
  3. We generally do not transfer your personal data to countries outside of Hong Kong. However, if we do so, we will obtain your consent for the transfer to be made in advance and will take steps to ensure that yourpersonal data continues to receive the standard of protection that is comparable to that provided under the PDPO.

 

CONTACT US 

  1. You may contact us if you have any enquiries or feedbacks on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

Contact Person: Data Protection Officer

Email: data_privacy@mustardseedathk.com

 

EFFECT OF POLICY AND CHANGES TO POLICY

  1. This Policy applies in conjunction with any other policies, notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

 

CONSEQUENCES OF NOT CONSENTING AND/OR PROVIDING PERSONAL DATA

  1. Please note that if you do not consent to provide us with the relevant personal data required to fulfilthe purposes of collection, use, and disclosure of your personal information, it may hinder our ability to continue our interaction with you. Without your consent and the provision of the necessary personal data, we may not be able to:
  • provide you with our full range of services;
  • onboard you as a new customer or client; and/or
  • administer and support the ongoing delivery of our services to you.

In other words, your refusal to consent to the collection, use, and disclosure of your personal information may limit our capacity to engage with you and offer the complete suite of products and services that we provide.