1. Introduction
This Policy is a supporting document to the Data Protection Policy of Digital Wizard Limited (herein referred to as ‘the Company’), a company registered in Hong Kong under number 2876482, whose registered office is at Unit 2A, 17/F, Glenealy Tower n1, Glenealy, Central, Hong Kong, regarding data protection and the rights of Employees, Individuals, Corporates and Clients.
This Policy sets out rules and guidance for all employees, agents, contractors, or other parties working on behalf of the Company regarding the handling of Personal Data.
2. Definitions
“Consent”
means the consent of the Data Subject which must be a freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they (by a statement or by a clear affirmative action) signify their agreement to the Processing of Personal Data relating to them;
“Contact us”
how to contact Company about this Policy
“Collection of information”
the sources of and methods by which we, our service providers, and our advertisers collect information from and about you, including information about your interaction with the Company B2B Services.
“Data Protection Legislation”
means all applicable data protection and privacy laws including, but not limited to, the General Data Protection Regulation – Hong Kong Personal Data (Privacy) Law / Ordinance passed on 29 September 2021, and any successor legislation, (collectively, “the Data Protection Legislation”), together with the Hong Kong Privacy Commissioner for Personal Data, and Ordinances.
“Data Subject”
means a living, identified, or identifiable individual about whom the Company holds Personal Data.
“Other Important Information”
Other things you should know about this Policy and how we handle your information.
“Personal Data”
means any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that Data Subject. Unless otherwise stated, references in this Policy to “Personal Data” shall also include Special Category Personal Data.
“Personal Data Breach”
means a breach of Security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Processing”
means any operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Scope and Application”
who and what this Policy covers.
“Security”
how we protect your information from loss or misuse.
“Special Category Personal Data”
means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.
“Use and Disclosure”
how we use the information we collect from and about you, and who we might share it with and why
“User Access and Control”
how you can access and control the information we maintain about you
3. The Company
Digital Wizard Limited (“Company” or “we”) wants you to be familiar with how we collect, use and disclose information from and about you. This Privacy Policy describes our practices in connection with business-to-business related services (the “Company B2B Services. By using the Company B2B Services, you agree to the terms and conditions of this Privacy Policy.
The Company B2B Services are for a general audience, are not targeted to children, and do not knowingly collect personal information from children under 18 years of age.
This Privacy Policy applies to all users, including both those who use the Company B2B Services without being registered with a Company B2B Service and those who have registered with a Company B2B Service. This Privacy Policy applies to Company’s collection and use of your personal information (i.e., information that identifies a specific person, such as full name or email address). It also describes generally Company’s practices for handling non-personal information (for example, demographics and services usage).
4. Collection of Information
Depending on your interactions with us, Company and our service providers may collect the following information from and about you:
Registration Information is the information you submit to register for the Company B2B Services, for example, to create an account, register for or participate in an event, or receive a newsletter. Registration Information may also include, for example, name, email address, address, and phone number.
5. Activity Information
When you access and interact with the Company B2B Services, Company and its service providers may collect certain information about those visits. For example, in order to permit your connection to the Company B2B Services, our servers receive and record information about your computer, device, and browser, including potentially your IP address, browser type, and other software or hardware information. If you access the Company B2B Services from a mobile or other device, we may collect a unique device identifier assigned to that device, geolocation data (including your precise location), or other transactional information for that device.
6. Cookies
Cookies and other tracking technologies (such as browser cookies, pixels, beacons, and local storage, and other mechanisms) use various approaches to collect and store data. Some of these technologies store data in the browser or on your device. Other technologies may use network-related or other information to recognize your device (e.g., IP address). Company’s websites, apps and other services use these technologies, for example, when you first request a web page and then store the data on your computer or other device so the website or other service can access information when you make subsequent requests for pages from that service. These technologies may also be used to collect and store information about your usage of the Company B2B Services, such as pages you have visited, search history, and the video and other content you have viewed.
Other parties that support the Company B2B Services by providing services, such as tracking aggregate Company B2B Services usage statistics, may also use these technologies to collect similar information when you use the Company B2B Services or other parties’ services.
Your browser may be initially set to accept cookies, but you can change your settings to notify you when a cookie is being set or updated, and to block cookies altogether. Please consult the “Help” section of your browser for more information, including on how to clear data from local storage and, depending on your browser, how to turn off other data collection by the browser. For more information about Google Analytics, please review the site “How Google uses information from sites or apps that use our services,,” located at www.google.com/policies/privacy/partners/. To opt out of Google Analytics specifically, please go to https://tools.google.com/dlpage/gaoptout. Please note that by blocking any or all cookies, you may not have access to certain features, content or personalization available through the Company B2B Services.
7. Information from Other Sources
We may supplement the information we collect with information from other sources, such as publicly available information about your online and offline activity from social media services, advertisers, commercially available sources, and information from our Company Affiliates or business partners.
Depending on your interactions with us, the Company may not have collected information from you for each of the categories above.
‘Do Not Track’. At this time we do not respond to the ‘Do Not Track’ signal, as we await the work of interested stakeholders and others to develop standards for how the ‘Do Not Track’ signal should be interpreted.
8. Use and Disclosure
We may use and disclose some or all of the information we collect from and about you for the following purposes:
To provide the Company Services.
We use information we collect from and about you to provide the Company Services.
8.1 This may include:
8.2 To measure, maintain and improve those Company Services and features and to develop new products and services, including making inferences, conducting research and quality and safety assurance measures;
8.3 To perform identity verification:
8.4 To provide you with customer support and to respond to inquiries. This may include the use of chatbots. Please note that your inquiries and responses to these chatbots may be transcribed and retained.
8.5 To maintain our facilities and infrastructure;
8.6 To comply with internal policies, including accounting, audit, and other internal functions; and to maintain records, conduct risk and Security controls, and monitoring.
To allow service providers to assist us in providing and managing the Company B2B Services. Information we collect from and about you may be made available to certain service providers, such as contractors, chatbot providers, analytics and other measurement companies, and agents or sponsors, who help us analyze and understand your use of the Company B2B Services, organize and/or host events, and manage and/or provide the Company B2B Services.
To contact you. Company may periodically send emails or notifications related to the Company B2B Services. If you want to stop receiving emails, you can follow unsubscribe links at the bottom of promotional emails or contact Company on support@digitalwizardhub.com. There are certain service notification and other emails that you may not opt-out of, such as notifications of changes to the Company B2B Services or policies.
9. Company Affiliate
To share with our Company Affiliates. Company may share information we collect from and about you as described in this Privacy Policy with Company Affiliates for the purposes described in this Privacy Policy. Users who visit Company Affiliates’ services should still refer to their separate privacy policies, which may differ in some respects from this Privacy Policy.
To deliver video content. In the ordinary course of our business, we may share information that we collect from or about you with other parties in order to process your requests and fulfill your orders for video content offered through the Company B2B Services.
To protect the rights of Company and others. There may be instances when Company may use or disclose information we collect from and about you as described in this Privacy Policy, including situations where Company has a good faith belief that such use or disclosure is necessary in order to: (i) protect, enforce, or defend the legal rights, privacy, safety, or property of Company, our Company Affiliates or our or their employees, agents and contractors (including enforcement of our agreements and our terms of use); (ii) protect the safety, privacy, and Security of users of the Company B2B Services or members of the public; (iii) protect against fraud or for risk management purposes; (iv) comply with the law or legal process; or (v) respond to requests from public and government authorities.
To complete a merger or sale of assets or other corporate transaction. If Company sells all or part of its business or makes a sale or transfer of its assets or is otherwise involved in an acquisition, reorganization, merger or transfer of all or a part of its business, or other corporate transaction (including in connection with a bankruptcy or similar proceedings), Company may transfer or disclose information we collect from and about you as described in this Privacy Policy to the party or parties involved in the transaction as part of that transaction.
Depending on your interactions with us, Company may not have collected, used or disclosed information from you in each of the categories above, and to the extent that Company has disclosed information from or about you, it may not include all of the information that we collect from and about you as described in this Privacy Policy.
Please note that when the information collected from or about you does not identify you as a specific person, we may use that information for any purpose or share it with other parties, to the extent permitted by applicable law.
10. Security
Company uses commercially reasonable administrative, technical, personnel, and physical measures designed to safeguard information in its possession against loss, theft and unauthorized use, disclosure, or modification. However, no one can guarantee the complete safety of your information.
11. User Access and Control
If you would like to access, review, correct, update, suppress, delete, or otherwise limit our use of your personal information you have previously provided directly to us, you may Contact us as outlined in Section 7. In your request, please include your email address, name, address, and telephone number and specify clearly what information you would like to access, change, update, suppress, or delete. We will try to comply with your request as soon as reasonably practicable and consistent with applicable law. Please note that subject to applicable law, in some cases we may not comply with your request where we may require your information in order to comply with applicable law, or to protect, enforce or defend our rights or employee rights, or those of a Company Affiliate.
12. Other Important Information
Updates to Privacy Policy. Company may modify this Privacy Policy. Please look at the Effective Date at the top of this Privacy Policy to see when this Privacy Policy was last revised. Any changes to this Privacy Policy will become effective when we post the revised Privacy Policy on the Company B2B Services.
13. Data Protection Officer and Scope of Policy
13.1 Data Protection Officer is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and / or guidelines.
13.2 All management members are responsible for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company comply with this Policy and, where applicable, must implement such practices, processes, controls, and training as are reasonably necessary to ensure such compliance.
13.3 Any questions relating to this Policy, the Company’s collection, Processing, or holding of Personal Data, or to the Data Protection Legislation should be referred to the Data Protection Officer.
14. Data Protection
14.1 The Company collects and processes the Personal Data set out in onboarding of clients.
14.2 The Company only collects, processes, and holds Personal Data for the specific purposes set out in the client registration and on-boarding of clients (or for other purposes expressly permitted by the Data Protection Legislation).
14.3 The Company will only collect and process Personal Data for and to the extent necessary for the specific purpose or purposes of which Data Subject have been informed (or will be informed).
14.4 Employees, agents, contractors, or other parties working on behalf of the Company may collect Personal Data only to the extent required for the performance of their job duties and only in accordance with this Policy and the Company’s Data Protection Policy. Excessive Personal Data must not be collected.
14.5 Employees, agents, contractors, or other parties working on behalf of the Company may process Personal Data only when the performance of their job duties requires it. Personal Data held by the Company cannot be processed for any unrelated reasons.
14.6 The Company shall ensure that all Personal Data collected, processed, and held by it is kept accurate and up to date. This includes, but is not limited to, the rectification of Personal Data at the request of a Data Subject.
14.7 If any Personal Data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
14.8 The Company shall not keep Personal Data for any longer than is necessary for the purpose or purposes for which that Personal Data was originally collected, held, and processed.
14.9 When Personal Data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
14.10 For full details of the Company’s approach to data retention, including retention periods for specific Personal Data types held by the Company, please refer to our Data Retention Policy.
14.11 For more details about the Company’s approach to Data Protection and the obligations which apply to the Company and to all employees, agents, contractors, or other parties working on behalf of the Company, please refer to the Company’s Data Subjects Rights Policy which includes sections on:
a. The data protection principles
b. The rights of Data Subjects
c. Consent
d. The accuracy of Personal Data and keeping Personal Data up to date
e. Personal Data retention
f. Accountability and record-keeping
g. Data protection impact assessments
h. Privacy by design
i. Keeping Data Subjects informed about their Personal Data and our use of it
j. Data Subject access requests
k. Rectification of Personal Data
l. Erasure of Personal Data
m. Restricting Personal Data Processing
n. Objections to Personal Data Processing
o. Automated Personal Data Processing, decision-making, and profiling
p. Details of the Personal Data collected, held, and processed by the Company
q. Data Security
r. Organizational Security
s. Transferring Personal Data to countries located outside of the EU
t. Handling data breaches
15. Data Security
15.1 The Company shall ensure that all Personal Data collected, held, and processed is kept secure and protected against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. Further details of the technical and organizational measures which shall be taken are set out below in Part 16.
15.2 Data Security must be maintained at all times by protecting the confidentiality, integrity, and availability of all Personal Data as follows:
a. Only those with a genuine need to access and use Personal Data and who are authorized to do so may access and use it;
b. Personal Data must be accurate and suitable for the purpose or purposes for which it is collected, held, and processed; and
c. Authorized users must always be able to access the Personal Data as required for the authorized purpose or purposes.
16. Data Handling
16.1 All Personal Data must be handled in accordance with the requirements of the Data Protection Legislation, the Company’s Data Protection Policy, and other related policies.
16.2 All emails containing Personal Data must be protected using PGP encryption.
16.3 All emails containing Personal Data must be marked “confidential” in the subject.
16.4 Personal Data may be transmitted over secure networks only.
16.5 Where Personal Data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data.
16.6 Where Personal Data is to be transferred in hard copy form it should be passed directly to the recipient or sent using recipient to sign for courier service.
16.7 All Personal Data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.
16.8 All electronic copies of Personal Data should be stored securely using PGP encryption
16.9 All hardcopies of Personal Data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar.
16.10 All Personal Data stored electronically should be backed up in a live state as they are stored on our AWS cloud-based server offsite.
16.11 When any Personal Data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of Personal Data, please refer to the Company’s Data Retention Policy.
16.12 No Personal Data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the Data Protection Officer, compliance@blockfort.io and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
16.13 No Personal Data should be transferred to any computer or device personally belonging to an employee, agent, contractor, or other party working on behalf of the Company and Personal Data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Data Protection Legislation (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
16.14 No Personal Data may be shared informally and if an employee, agent, contractor, or other party working on behalf of the Company requires access to any Personal Data that they do not already have access to, such access should be formally requested from the Data Protection Officer, compliance@blockfort.io.
16.15 No Personal Data may be shared with or transferred to any employee, agent, contractor, or other party, whether such parties are working on behalf of the Company or not, without the authorisation of the Data Protection Officer, compliance@blockfort.io OR relevant manager, and only then if the sharing or transfer is secure, lawful, and fair. Personal Data shared with third parties must be covered by a suitable written agreement to ensure compliance with the Data Protection Legislation.
16.16 Personal Data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, contractors, or other parties at any time.
16.17 If Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
16.18 Where Personal Data held by the Company is used for marketing purposes, it shall be the responsibility of the Relevant Manager to ensure that the appropriate Consent is obtained and that no Data Subject have opted out, whether directly or via a third-party service such as the TPS.
16.19 All passwords used to protect Personal Data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords.
16.20 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
16.21 Under no circumstances should any passwords relating to Company systems and/or Personal Data be saved on any computer or device that is not Company-owned. This includes saving passwords in internet browsers and in third-party password manager applications.
16.22 Under no circumstances should any computer or device used for accessing or handling Personal Data be used without the correct Security functions enabled including, as appropriate, passwords, PIN codes, biometric Security (e.g., fingerprint), and any additional Security software provided by the Company.
16.23 All software (including, but not limited to, applications and operating systems) shall be kept up to date. The Company’s IT staff shall be responsible for installing any and all Security-related updates as soon as reasonably and practically possible, unless there are valid technical reasons not to do so.
16.24 No software may be installed on any Company-owned computer or device without the prior approval of the IT Management of the company. Note, notwithstanding the above in 6.23, only the Company’s IT staff shall be permitted to install software updates. Users who are not part of the IT staff or do not have the authorisation of the IT staff shall not install software updates themselves. Automatic updates (as enabled by the IT staff) are permitted.
16.25 If any computer or device used to access or store Personal Data, whether personal or Company-owned, is lost or stolen, the loss or theft must be reported to Data Protection Officer as soon as possible, and all assistance required provided with any investigation.
16.26 All employees, agents, contractors, or other parties working on behalf of the Company all be made fully aware of both their individual responsibilities and the Company’s responsibilities under the Data Protection Legislation and under all applicable Company policies, including (but not limited to) this Policy and the Data Protection Policy.
16.27 Only employees, agents, contractors, or other parties working on behalf of the Company that need access to, and use of, Personal Data in order to carry out their assigned duties correctly shall have access to Personal Data held by the Company.
16.28 All sharing of Personal Data shall comply with the information provided to the relevant Data Subject and, if required, the Consent of such Data Subject shall be obtained prior to the sharing of their Personal Data.
16.29 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data will be appropriately trained to do so.
16.30 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data will be appropriately supervised.
16.31 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to Personal Data, whether in the workplace or otherwise.
16.32 Methods of collecting, holding, and Processing Personal Data shall be regularly evaluated and reviewed.
16.33 All Personal Data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy.
16.34 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data shall be regularly evaluated and reviewed.
16.35 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data will be bound to do so in accordance with the principles of the Data Protection Legislation and this Policy by contract.
16.36 All agents, contractors, or other parties working on behalf of the Company handling Personal Data must ensure that any and all of their employees who are involved in the Processing of Personal Data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the Data Protection Legislation.
16.37 Where any agent, contractor or other party working on behalf of the Company handling Personal Data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
17. Accountability and Record-Keeping
17.1 The Data Protection Officer is responsible for administering this Policy and for developing and implementing all applicable related policies, procedures, and/or guidelines.
17.2 The Company shall follow a privacy by design approach at all times when collecting, holding, and Processing Personal Data. Data Protection Impact Assessments shall be conducted if any Processing presents a significant risk to the rights and freedoms of Data Subject.
17.3 All employees, agents, contractors, or other parties working on behalf of the Company shall be given appropriate training in data protection and privacy, addressing the relevant aspects of the Data Protection Legislation, this Policy, the Company’s Data Protection Policy, and all other applicable Company policies.
17.4 The Company’s data protection compliance shall be regularly reviewed and evaluated by means of Data Protection Audits.
17.5 The Company shall keep written internal records of all Personal Data collection, holding, and Processing.
