Privacy Policy

1. INTRODUCTION

1.1 This Privacy Policy outlines the commitment of eCOM DataFin Limited (“eCOM DataFin”) to safeguarding the privacy of Personal Data (as defined below) concerning the Data Subjects (as defined below) in compliance with the provisions of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (the “Ordinance”) and all relevant guidance thereto.

1.2  The policies and practices established herein reflect eCOM DataFin’s dedication to upholding the highest standards of data protection.

1.3  The term “Personal Data” in this Policy adopts the definition provided under the Ordinance.

1.4  “Data Subjects” means customers of eCOM DataFin and other parties whose data (including Personal Data) have been supplied to (whether by themselves or otherwise) or otherwise held or obtained by eCOM DataFin, including without limitation, applicants for financial services and credit facilities, sureties, suppliers, contractors, service providers, officers, representatives, managers, partners of any company, partnership, association or organization having relationship with eCOM DataFin.

1.5  “Group” means eCOM DataFin and its holding companies, subsidiaries and affiliates.

2. COLLECTION OF PERSONAL DATA

2.1  From time to time, it is necessary for Data Subjects to supply eCOM DataFin with data in connection with the opening or continuation of loan accounts and the establishment or continuation of credit facilities or provision of other financial services.

2.2  Failure to supply such data may result in eCOM DataFin being unable to open or continue loan accounts, or establish or continue credit facilities, or provide other financial services to the Data Subjects.

2.3  It is also the case that data are collected from Data Subjects in the ordinary course of the continuation of the relationship between eCOM DataFin and Data Subjects. eCOM DataFin also collects data relating to Data Subjects from third parties, including third party service providers with whom Data Subjects interact in connection with the marketing of eCOM DataFin’s products and services and in connection with Data Subjects’ application for eCOM DataFin’s products and services (including receiving Personal Data from credit reference agencies (“CRAs”) approved for participation in the Multiple Credit Reference Agencies Model (“MCRA Model”)).

3. PURPOSES OF THE PERSONAL DATA HELD

3.1  The purposes for which data relating to a Data Subject may be used will vary depending on the nature of the Data Subject’s relationship with eCOM DataFin. Broadly, they may comprise any or all of the following purposes:

  • processing, considering, and assessing the Data Subjects’ application for eCOM DataFin’s products and services;
  • the daily operation of the products, services, and credit facilities provided to the Data Subjects;
  • conducting credit or other status checks at the time of application for credit and at the time of regular or special reviews which normally take place one or more times each year;
  • creating and maintaining eCOM DataFin’s credit scoring models;
  • ensuring ongoing credit worthiness of Data Subjects;
  • designing financial services or related products for Data Subjects’ use;
  • marketing services, products and other subjects (please see further details in paragraph 4 below);
  • enforcing Data Subjects’ obligations, including without limitation determining the amounts of indebtedness owed by Data Subjects and the collection of amounts outstanding from Data Subjects and those providing security for Data Subjects’ obligations;
  • complying with any obligations, requirements, or arrangements for disclosing and using data that apply to eCOM DataFin or any other member of the Group or that it is expected to comply according to:
      • any law or regulation binding on or applying to it within or outside the Hong Kong Special Administrative Region of the People’s Republic of China (“Hong Kong”) existing currently and in the future;
      • any guidelines or guidance given or issued by legal, regulatory, governmental, tax, law enforcement, or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong currently and in the future;
      • any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement, or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on eCOM DataFin or any other member of the Group by reason of its financial, commercial, business, or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
  • complying with any obligations, requirements, policies, procedures, measures, or arrangements for sharing data and information within the Group and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
  • enabling an actual or proposed assignee of eCOM DataFin, or participant or sub-participant of eCOM DataFin’s rights in respect of the Data Subjects to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
  • conducting matching procedures (including related comparisons), whether for credit checking, data verification or otherwise and whether or not for and/or would result in adverse actions against the Data Subjects;
  • responding to requests for information made for the purpose of complying with legal and/or regulatory requirements or by the court, the police, the law enforcement, supervisory or regulatory authority;
  • research and statistical analysis (including behavioural analysis); and
  • all other incidental and associated purposes relating to any of the foregoing purposes.

4. USE OF PERSONAL DATA IN DIRECT MARKETING

4.1  eCOM DataFin intends to use Data Subjects’ data in direct marketing and eCOM DataFin requires consent (which includes an indication of no objection) from the Data Subjects for that purpose. In this connection, please note that:

  • the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a Data Subject held by eCOM DataFin from time to time may be used by eCOM DataFin in direct marketing;
  • the following classes of services, products and subjects may be marketed:
      • credit facilities, financial and related services and products;
      • reward, loyalty or privileges programmes and related services and products; and
      • services and products offered by eCOM DataFin’s co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
  • the above services, products and subjects may be provided by eCOM DataFin and/or:
      • any other member of the Group;
      • third party financial institutions;
      • third party reward, loyalty or privileges programme providers; and
      • co-branding partners of eCOM DataFin (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
  • in addition to marketing the above services, products and subjects itself, eCOM DataFin also intends to provide the data described in paragraph 4.1(a) above to all or any of the persons described in paragraph 4.1(c) above for use by them in marketing those services, products and subjects, and eCOM DataFin requires Data Subjects’ written consent (which includes an indication of no objection) for that purpose; and
  • eCOM DataFin may receive money or other property in return for providing the data to the other persons in paragraph 4.1(c) above and, when requesting the Data Subject’s consent or no objection as described in paragraph 4.1(d) above, eCOM DataFin will inform the Data Subject if it will receive any money or other property in return for providing the data to the other persons.

4.2  A Data Subject may require eCOM DataFin to cease to use his/her Personal Data in direct marketing by notifying eCOM DataFin at any time and without charge. Upon receiving such a requirement, eCOM DataFin shall refrain from utilizing his/her Personal Data for direct marketing purposes.

5. SECURITY OF DATA

5.1  Electronic Data Security Measures: Data stored electronically are safeguarded by password protection and encryption technology. eCOM DataFin’s computer systems are located in restricted access areas with access limited to authorized employees who have undergone training on eCOM DataFin’s privacy policies.

5.2  Protection Policy: eCOM DataFin maintains a policy to ensure an appropriate level of protection for Personal Data in full compliance with the requirements under the Ordinance, aiming to prevent unauthorized or accidental access, processing, or other use of that data. The level of protection is aligned with the sensitivity of the data and the potential harm that could result from unauthorized access. Our practices include restricting physical access to data by providing secure storage facilities and implementing security measures in data-holding equipment. Measures are also in place to ensure the integrity, prudence, and competence of personnel with access to Personal Data. Data transmission occurs only through secure means.

5.3  Engagement of Marketing Companies and Data Processors: When engaging a marketing company for direct marketing purposes, eCOM DataFin ensures the safe handling and erasure of data after use by the marketing company to prevent unauthorized access or use. In the event eCOM DataFin engages a data processor (whether within or outside Hong Kong) to process data on eCOM DataFin’s behalf, contractual or other means are adopted to prevent unauthorized or accidental access, processing, erasure, loss, or use of the data transferred to the data processor for processing. Additionally, eCOM DataFin ensures that data processors are competent to protect the security and confidentiality of the Personal Data entrusted to them.

6. ACCURACY OF PERSONAL DATA

eCOM DataFin upholds a strict policy to ensure the accuracy of all data collected and processed by it having regard to the purpose (including any directly related purpose) for which the data is or is to be used. eCOM DataFin implements appropriate procedures to regularly review and update all Personal Data held by it to maintain the accuracy of the data in relation to the purposes for which that data is used. Additionally, in cases where data consists of statements of opinion, eCOM DataFin takes all reasonably practicable steps to verify the accuracy of any facts cited in support of such statements.

7. DISCLOSURE OF PERSONAL DATA

7.1  Data (except data already in the public domain) held by eCOM DataFin relating to Data Subjects will be kept confidential but eCOM DataFin may provide such data to the following classes of persons for any of the purposes set out in paragraph 3 above, irrespective of whether the place of business of the recipient is within or outside Hong Kong, whether or not the data would be transferred outside Hong Kong and whether the data will following such disclosure be collected, held, processed or used by such recipient in whole or in part outside Hong Kong:

  • any member of the Group and any other person who has expressly or impliedly undertaken to keep such information confidential or otherwise is under a duty of confidentiality to eCOM DataFin or any other member of the Group;
  • any agent, contractor, third-party service provider, adviser or consultant who provides administrative, telecommunication, computer, payment, debt collection, data processing or other services to eCOM DataFin or any other member of the Group in connection with the operation of its business;
  • persons who provide information to eCOM DataFin to assist it in its credit approval for its proposed customers and businesses;
  • any financial or other institution, credit charge or other card company with which the Data Subject has or proposes to have dealings;
  • the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
  • third party service providers with whom the Data Subject has chosen to interact in connection with the Data Subject’s application for eCOM DataFin’s financial products and services;
  • CRAs (including the operator of any centralized database used by CRAs), and, in the event of default, to debt collection agencies;
  • any person to whom eCOM DataFin or any other member of the Group is under an obligation or otherwise required to make disclosure under the requirements of any law, rule, regulation and court order binding on or applying to eCOM DataFin or any other member of the Group or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies, or associations of financial services providers with which eCOM DataFin or any other member of the Group is expected to comply, or any disclosure pursuant to any contractual or other commitment of eCOM DataFin or any other member of the Group with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently and in the future;
  • any party giving or proposing to give a guarantee or third party security to guarantee or secure the Data Subject’s obligations;
  • any party making any request mentioned in paragraph 3.1(l) above;
  • any actual or proposed assignee of eCOM DataFin or any other member of the Group, or participant or sub-participant or transferee of the rights of eCOM DataFin or those of any other member of the Group in respect of the Data Subject;
  • parties involved in transactions relating to the purchase or sale of credit insurance or other contractual protection or hedging with respect to eCOM DataFin’s rights and obligations;
  • third party financial institutions, insurers, card companies, securities and investment services providers;
  • third party reward, loyalty and privilege programme providers;
  • co-branding partners of eCOM DataFin or any other member of the Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
  • charitable and non-profit making organisations; and
  • external service providers (including without limitation mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies, information technology companies and market research firms) that eCOM DataFin engages for the purposes set out in paragraph 3.1(g) above; and
  • legal and other professional advisers of any party mentioned in sub-paragraphs (a) to (q) above.

8. APPLICATION OF COOKIES

8.1  Definition and Usage: Cookies are small text files placed on the device by a web server when Data Subjects access eCOM DataFin’s website. They are useful for allowing a website to maintain certain information on a particular Data Subject and are designed to be read only by the website that provides them. eCOM DataFin utilizes cookies to identify Data Subjects’ access, monitor usage and web traffic on eCOM DataFin’s website, aiming to customize and enhance its products and services.

8.2  Third-Party Web Analytic Services: eCOM DataFin may employ third-party web analytic services on its website. These service providers utilize technologies such as cookies, web server logs, and web beacons to assist eCOM DataFin in analyzing visitor usage of the website. The information collected through these means, including but not limited to IP addresses, is disclosed to these service providers. They utilize this information to evaluate the usage of eCOM DataFin’s website and may use the data collected to personalize marketing materials within their own advertising network.

8.3  Managing Cookies: Web browsers typically offer options for Data Subjects to manage cookies, including erasing existing cookies, blocking their use, or receiving notifications when encountering cookies. It’s important to note that if Data Subjects choose to block cookies, they may not fully utilize all features and functions of the site. Please be aware that cookies are necessary for some website features to function properly, such as maintaining continuity during a browser session.

9. RECORD RETENTION

9.1  Retention Period: eCOM DataFin adheres to regulatory obligations regarding the retention of personal data to ensure personal data is not kept longer than is necessary for the fulfillment of the purposes (including any directly related purposes) for which the data is to be used.

9.2  Data Processor Engagement: In cases where eCOM DataFin engages a data processor (whether within or outside Hong Kong) to process Personal Data on its behalf, contractual or other measures are implemented to ensure that Personal Data transferred to the data processor is not retained longer than necessary for data processing purposes or kept longer than is necessary for processing the data.

10. CONSUMER CREDIT DATA

10.1 For the purpose stated in paragraph 3.1(c) above, eCOM DataFin may from time to time access and obtain consumer credit data of Data Subjects from CRAs for reviewing any of the following matters in relation to the credit facilities granted:

  • an increase in the credit amount or limit;
  • the curtailing of credit (including the cancellation of credit or termination of account or a decrease in the credit amount or limit); or
  • the putting in place or the implementation of a scheme of arrangement with Data Subjects.

10.2  When eCOM DataFin accesses consumer credit data about a Data Subject held with CRAs, it will comply with the Code of Practice on Consumer Credit Data approved and issued under the Ordinance (the “Code”) and other relevant regulatory requirements.

10.3  Under and in accordance with the Ordinance and the Code, any Data Subject has the following rights regarding their data held by eCOM DataFin:

  • to check whether eCOM DataFin holds data about him/her and of access to such data;
  • to require eCOM DataFin to correct any data relating to him/her which is inaccurate;
  • to ascertain eCOM DataFin’s policies and practices in relation to data and to be informed of the kind of Personal Data held by eCOM DataFin;
  • to be informed on request which items of data are routinely disclosed to CRAs or in the event of default to debt collection agencies, and to be provided with further information to enable the making of data access and/or correction requests to these entities; and
  • in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by eCOM DataFin to a CRA, to instruct eCOM DataFin, upon termination of the account by full repayment, to make a request to the CRA to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by eCOM DataFin to the CRA), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)) (“Account Repayment Data”).

10.4 In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the Account Repayment Data may be retained by the CRAs until the expiry of five years from the date of final settlement of the amount in default.

10.5  In the event any amount in an account is written off due to a bankruptcy order being made against a Data Subject, the Account Repayment Data may be retained by CRAs, regardless of whether the Account Repayment Data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the Data Subject with evidence to CRAs, whichever is earlier.

10.6  eCOM DataFin may have obtained a credit report on a Data Subject from one or more CRA(s) in considering any application for credit. In the event the Data Subject wishes to access the credit report, eCOM DataFin will advise the contact details of the relevant CRAs.

10.7  The MCRA Model enables credit providers (such as eCOM DataFin) to share and use consumer credit data through more than one CRA, with all consumer credit data transmitted through or stored in the centralized database of the credit reference platform (“CRP”). Data Subjects understand, acknowledge and agree that eCOM DataFin is not the operator of the CRP and shall not be liable for any loss or damage arising from the use of CRP and/or services provided by any CRA(s), including without limitation: (1) any delay, unavailability, disruption, failure, error, inaccuracy, loss, misuse or compromise of data caused by CRP operations or use of CRP by any person or party, or (2) any breach of obligation, fraud, wilful default or negligence by any CRA(s), any other credit providers, or any owners, operators, service providers or other participants of the MCRA Model or CRP. Data Subjects also agree and accept that owners and operators of the CRP shall not be liable for any loss or damage arising from any use of the CRP by any person or party.

11. DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS

11.1  Compliance with Data Requests: eCOM DataFin will fully comply with and process all data access and correction requests in accordance with the provisions of the Ordinance and the relevant guidelines in relation thereto regarding the collection, handling, or use of Personal Data of Data Subjects. All staff members are required to be familiar with the procedures for assisting individuals in making such requests.

11.2  Fee Imposition for Data Access: eCOM DataFin may, as permitted by the Ordinance, impose a reasonable fee for complying with any data access request. If an individual requires an additional copy of previously supplied Personal Data, eCOM DataFin reserves the right to charge a fee covering administrative and other relevant costs.

11.3  Verification of Identity: When handling a data access or correction request, eCOM DataFin may request personal details to verify the identity of the requester. Responses to requests will be provided within a reasonable timeframe and efforts will be made to do so promptly.

11.4  To co-ordinate and oversee compliance with the Ordinance and the relevant guidelines in relation thereto, and the personal data protection policies of Promise, a Data Protection Officer (“DPO”) has been appointed by eCOM DataFin.

11.5  Contact Information for Data Access and Correction Requests: Data access and correction requests should be addressed to the DPO at:

Data Protection Officer
eCOM DataFin Limited
Rm 49, 4th Floor, Core E, Cyberport 3, 100 Cyberport Road, Telegraph Bay, Pok Fu Lam, Hong Kong
Tel: +852 3500 5648
Email Address: info@ecomdatafin.com

12. GENERAL

12.1  The contents of this Privacy Policy may be amended from time to time. Please approach eCOM DataFin or visit eCOM DataFin’s website regularly for eCOM DataFin’s latest Privacy Policy.

12.2  Language Discrepancy Clause: In the event of any inconsistency between the English and Chinese versions of this Privacy Policy, the English version shall prevail.
