TTPA services are “Valet-Tailored” for each customer; this site shows examples only. Yours will differ according to your particular needs.

Privacy policy.

Fourteen clauses plus a plain-English list of every analytics event we record. Zero third-party tracking pixels. One first-party functional cookie. Multi-jurisdiction overlay (UK / EU / AU / SG / HK).

Last updated 2026-04-30.

Fourteen clauses — table of contents.

  1. §1 — Data we collect on this site.
  2. §2 — Data we do NOT collect.
  3. §3 — Cookies — single first-party functional cookie.
  4. §4 — Identity capture (email).
  5. §5 — Subprocessors.
  6. §6 — International transfers.
  7. §7 — Retention periods.
  8. §8 — Subject rights.
  9. §9 — Children's data.
  10. §10 — Security.
  11. §11 — Breach notification.
  12. §12 — Updates to this policy.
  13. §13 — Data Protection Officer (DPO).
  14. §14 — Governing law and supervisory authority.
  15. Plus: the eleven events we record (plain English).

Data we collect on this site.

We collect: server-side page-view records (URL, timestamp, geo-country, device class), the eleven first-party telemetry events documented at the bottom of this page, and the email + form-field content you choose to submit. That is the entire collection surface.

Data we do NOT collect.

We do not run the Meta Pixel, Google Ads conversion tracker (client-side), Hotjar, FullStory, LinkedIn Insight Tag, X / Twitter pixel, or any other third-party tracking script. There are zero cross-site cookies dropped by this site. The only first-party cookie is a short-lived functional session cookie when you authenticate to /account/.

Cookies — single first-party functional cookie.

We set one first-party HTTP-only Secure cookie named ttpa_session when you authenticate to /account/. It expires 24 hours after issue or on logout, whichever comes first. No advertising cookie is ever set.

Identity capture (email).

Your email is captured only when you actively type it into a form (newsletter, /book/, /checkout/, /legal/* download). Newsletter sign-ups are double-opt-in: you receive a confirmation email, and the address is not added to the list until you click the confirmation link. Every email includes a one-click unsubscribe link.

Subprocessors.

Our current subprocessors are listed at /legal/subprocessors/ — Airwallex, Stripe, Google Workspace, LastPass (Toptronic tenant), Plausible. We give 30 days' prior notice on any change and offer a 1-business-day veto window per /legal/dpa/ §7.

International transfers.

For EU/EEA visitors: SCCs Module 2 + DPF (where the recipient is DPF-certified). For UK visitors: UK International Data Transfer Addendum. For Australian visitors: Australian Privacy Principles APP 8 cross-border-disclosure framework. For Hong Kong visitors: PDPO compliance. For Singapore visitors: PDPA cross-border framework with consent at form-fill.

Retention periods.

Activity log (server-side page-views): 36 months. Invoices and payment records: 7 years (Hong Kong Companies Ordinance / IRD record-keeping). Newsletter subscribers post-unsubscribe: 24 months in a suppression list to prevent accidental re-subscription, then permanent deletion. Form submissions that did not result in an engagement: 12 months.

Subject rights.

You may request access, rectification, erasure, portability, or objection to processing by emailing dpo@toptronic.com. Service-level: acknowledge within 5 business days, fulfil within 30 days (extendable to 60 days for complex requests, with reason given to you in writing).

Children's data.

This site is not directed at, and we do not knowingly collect data from, anyone under 18 years of age. If you believe we have inadvertently collected data from a minor, contact dpo@toptronic.com and we will delete it.

Security.

See /security/ Controls C1-C13 for the operational measures. TLS 1.2+ on every public endpoint. HSTS enforced. At-rest encryption per Control C4. Operator workstations under EDR per Control C7.

Breach notification.

Confirmed personal-data breaches: notification to the relevant supervisory authority within 72 hours (GDPR Art. 33). Notification to affected data subjects without undue delay where the breach is likely to result in a high risk to rights and freedoms (GDPR Art. 34). Australian Notifiable Data Breach scheme equivalent procedure for AU-resident data subjects.

Updates to this policy.

Material updates are notified at least 30 days in advance via newsletter and via the "Last updated" date at the top of this page. Non-material updates (typographic fixes, link refresh) are made silently with the date stamp updated.

Data Protection Officer (DPO).

The DPO function is currently held by Jacques Plante (Toptronic Ltd founder), reachable at dpo@toptronic.com. Trigger to transition to a dedicated, separately-employed DPO: monthly recurring revenue exceeding USD 20,000, OR a single personal-data incident that triggers GDPR Art. 33 notification, whichever comes first.

Governing law and supervisory authority.

Hong Kong PDPO governs the parent operating relationship. For data-protection complaints, you may also contact: ICO (UK), the supervisory authority of your habitual residence (EU/EEA per GDPR Art. 79), the OAIC (Australia), the PDPC (Singapore). We do not contest your right to choose your local supervisory authority.

The eleven events we record — in plain English.

Our telemetry surface is finite. Below is every event name we emit and exactly what triggers it. If it is not in this list, we are not recording it.

| Event name | What it means |
| --- | --- |
| page.view | Server-side aggregate page-view (URL + country + device class). |
| awareness.engaged | You scrolled / paused on a page in a way that suggests engagement (one-shot per session). |
| consideration.calc_used | You submitted a calculator on /pricing/ or /services/sales-navigator/. |
| lead.email_captured | You typed your email into a form (the form field, not the submit). |
| lead.email_confirmed | You clicked the double-opt-in link in a confirmation email. |
| discovery.booked | You booked a /book/ slot via Google Calendar Appointment Schedules. |
| discovery.held | A discovery call you booked actually took place. |
| proposal.deposit_paid | You completed checkout on /checkout/. |
| proposal.deposit_refunded | A refund per /legal/refund/ executed on your account. |
| cancellation.requested | You initiated cancellation on /account/. |
| account.recovery.consult_paid | You completed the Tier-0 Hosted-Page payment for the suspension consultation. |