§1. Data we collect on this site.
We collect: server-side page-view records (URL, timestamp, country-level geolocation, device class), the eleven first-party telemetry events documented at the bottom of this page, and the email address and form-field content you choose to submit. That is the entire collection surface.
§2. Data we do NOT collect.
We do not run the Meta Pixel, the client-side Google Ads conversion tracker, Hotjar, FullStory, the LinkedIn Insight Tag, the X / Twitter pixel, or any other third-party tracking script. This site sets no cross-site (third-party) cookies. The only first-party cookie is the short-lived functional session cookie set when you authenticate to /account/ (see §3).
§3. Cookies — single first-party functional cookie.
We set one first-party cookie, ttpa_session, carrying the Secure and HttpOnly attributes, when you authenticate to /account/. It expires 24 hours after issue or on logout, whichever comes first. No advertising cookie is ever set.
§4. Identity capture (email).
Your email address is captured only when you actively type it into a form (newsletter, /book/, /checkout/, /legal/* download). Newsletter sign-ups are double opt-in: you receive a confirmation email, and the address is not added to the list until you click the confirmation link. Every email we send carries a one-click unsubscribe link.
§5. Subprocessors.
Our current subprocessors are listed at /legal/subprocessors/: Airwallex, Stripe, Google Workspace, LastPass (Toptronic tenant) and Plausible. We give 30 days' prior notice of any change and offer a 1-business-day veto window per /legal/dpa/ §7.
§6. International transfers.
For EU/EEA visitors: Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor), plus the EU-US Data Privacy Framework (DPF) where the recipient is DPF-certified. For UK visitors: the UK International Data Transfer Addendum to the SCCs. For Australian visitors: the cross-border-disclosure rules of Australian Privacy Principle 8 (APP 8). For Hong Kong visitors: PDPO compliance. For Singapore visitors: the PDPA cross-border transfer framework, with consent obtained at form-fill.
§7. Retention periods.
Activity log (server-side page-views): 36 months. Invoices and payment records: 7 years (Hong Kong Companies Ordinance and IRD record-keeping requirements). Newsletter subscribers after unsubscribe: 24 months in a suppression list to prevent accidental re-subscription, then permanent deletion. Form submissions that did not result in an engagement: 12 months.
§8. Subject rights.
You may request access, rectification, erasure, portability, or objection to processing by emailing dpo@toptronic.com. Service level: acknowledgement within 5 business days, fulfilment within 30 days (extendable to 60 days for complex requests, with the reason given to you in writing).
§9. Children's data.
This site is not directed at, and we do not knowingly collect data from, anyone under 18 years of age. If you believe we have inadvertently collected data from a minor, contact dpo@toptronic.com and we will delete it.
§10. Security.
See /security/ Controls C1-C13 for the operational measures. TLS 1.2 or later on every public endpoint, with HSTS enforced. Encryption at rest per Control C4. Operator workstations run EDR per Control C7.
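As an added check, not part of this policy and not Toptronic's own tooling, the following Python audits a captured /account/ login response against the promises in §3 (the only first-party cookie is ttpa_session, Secure, HttpOnly, lifetime at most 24 hours) and §10 (HSTS enforced). Both responses in the block are constructed for illustration, not captured from the site; the Path and SameSite attributes in them are assumptions, since the policy states neither.

```python
"""Header-level check of the cookie (§3) and HSTS (§10) promises.

Added illustration, not Toptronic's tooling.  The two responses at the
bottom are constructed, not captured; Path and SameSite in them are
assumptions the policy does not make.
"""
from typing import Optional

COOKIE_NAME = "ttpa_session"
MAX_SESSION_SECONDS = 24 * 60 * 60        # "expires 24 hours after issue"


def parse_head(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs for every header line,
    preserving order and duplicates (several Set-Cookie lines are legal)."""
    pairs = []
    for line in raw.split("\r\n")[1:]:    # [0] is the status line
        if not line:                      # blank line terminates the head
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cookie(set_cookie: str) -> list[str]:
    """Findings for one Set-Cookie value: only ttpa_session is permitted,
    it must be Secure and HttpOnly, and its Max-Age must not exceed 24h."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if name != COOKIE_NAME:
        return [f"unexpected cookie {name!r}; policy permits only {COOKIE_NAME}"]
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "max-age" not in attrs:
        findings.append(f"{name}: no Max-Age; the 24h lifetime must then be enforced server-side")
    elif not attrs["max-age"].isdigit() or int(attrs["max-age"]) > MAX_SESSION_SECONDS:
        findings.append(f"{name}: Max-Age {attrs['max-age']} exceeds 24h")
    return findings


def check_hsts(value: Optional[str]) -> list[str]:
    """Findings for Strict-Transport-Security: present with a non-zero max-age."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    max_age = None
    for directive in value.split(";"):
        k, _, v = directive.strip().partition("=")
        v = v.strip()
        if k.lower() == "max-age" and v.isdigit():
            max_age = int(v)
    if max_age is None:
        return ["Strict-Transport-Security lacks a numeric max-age"]
    if max_age == 0:
        return ["Strict-Transport-Security max-age=0 disables HSTS"]
    return []


def audit(raw: str) -> list[str]:
    """Run every check over a raw response head; an empty list means the
    response matches what §3 and §10 promise."""
    headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(check_cookie(value))
    hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
    findings.extend(check_hsts(hsts))
    return findings


# Constructed sample responses (not captured from the live site).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: ttpa_session=c3a1e9f2; Path=/account/; Max-Age=86400; "
    "Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ttpa_session=c3a1e9f2; Path=/account/; Max-Age=604800; Secure\r\n"
    "Set-Cookie: _ga=GA1.2.123; Max-Age=63072000\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit(resp) or "compliant")
```

Point it at the head of a real response (for example the output of a captured login) and any non-empty finding list is a deviation from §3 or §10. A cookie without Max-Age is reported rather than failed outright, because the 24-hour limit can be enforced server-side; the check for a non-zero HSTS max-age catches the common mistake of shipping the header with max-age=0 during a rollback and never restoring it.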
§11. Breach notification.
Confirmed personal-data breaches: notification to the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33), and notification to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34). The equivalent procedure under the Australian Notifiable Data Breaches scheme applies to AU-resident data subjects.
§12. Updates to this policy.
Material updates are notified at least 30 days in advance via the newsletter and via the "Last updated" date at the top of this page. Non-material updates (typographic fixes, link refreshes) are made without notice, with the date stamp updated.
§13. Data Protection Officer (DPO).
The DPO function is currently held by Jacques Plante (Toptronic Ltd founder), reachable at dpo@toptronic.com. Trigger to transition to a dedicated, separately employed DPO: monthly recurring revenue exceeding USD 20,000, or a single personal-data incident that triggers GDPR Art. 33 notification, whichever comes first.
§14. Governing law and supervisory authority.
The Hong Kong PDPO governs the parent operating relationship. For data-protection complaints, you may also contact: the ICO (UK); the supervisory authority of your habitual residence, place of work or place of the alleged infringement (EU/EEA, GDPR Art. 77); the OAIC (Australia); the PDPC (Singapore). We do not contest your right to choose your local supervisory authority.