Background

A. Company Operations and Data Processing Context

Lifewood Data Technology Limited operates as a dynamic technology company dedicated to delivering cutting-edge AI and data-driven solutions. Building on a decades-long legacy of innovative global data services and industrialized workflow methodologies, Lifewood specializes in collecting, processing, and securely managing diverse forms of personal data, including text, audio, pictures, videos, and AI-generated content.

The Company operates globally through corporate offices, franchise partners, subcontractors, and affiliated entities located in multiple jurisdictions including Hong Kong, Malaysia, China, the United States, the Philippines, Bangladesh, Indonesia, and other countries, and may also engage with participants from European Union member states for specific data collection projects.

Leveraging its proprietary cloud-based platform, LiFT, Lifewood seamlessly integrates multimedia data annotation, labeling, and quality assurance through this global network of partners and data centers. It supports clients across industries such as autonomous driving, digital media, and enterprise AI development.

Committed to compliance and aligned with international best practices, Lifewood emphasizes stringent data security, transparent user rights, and responsible data governance to empower innovation while safeguarding privacy across its services worldwide.

B. Commitment to Privacy Protection

The Company is committed to protecting the privacy and personal data of all individuals who interact with our services, recognizing that privacy protection is fundamental to maintaining trust and ensuring compliance with applicable data protection laws and regulations.

C. Regulatory Compliance Framework

This Privacy Policy has been developed to ensure compliance with Hong Kong privacy laws and regulations, including the Personal Data (Privacy) Ordinance (Cap. 486) and any amendments thereto, as well as applicable privacy and data protection laws in all jurisdictions where the Company operates or engages with data subjects.

This includes, but is not limited to, Malaysia, China, the United States, the Philippines, Bangladesh, Indonesia, and European Union member states, alongside adherence to international best practices for data protection such as GDPR standards.

D. Purpose and Scope of Policy

This Privacy Policy serves to:

• Inform users about our data handling practices;

• Explain their rights regarding personal data; and

• Establish transparent procedures for data collection, use, sharing, security, and retention across all our business operations and technology platforms.

E. Business Context and Data Usage

As a technology company operating in the digital economy, Lifewood processes personal data for various legitimate business purposes including:

• Service delivery

• Customer support

• Product development

• Analytics

• AI model training

• Marketing communications

• Other commercial activities essential to its operations

F. International Operations Consideration

Given that Lifewood’s business operations may involve cross-border data transfers and international service delivery — including engagement with participants from European Union member states for specific projects — this Privacy Policy addresses the handling of personal data in compliance with Hong Kong law while considering international data protection standards and transfer mechanisms for global operations.

1.Definitions

1.1 Personal Data

Means any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access, including but not limited to names, identification numbers, location data, online identifiers, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

1.2 Processing

Means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 Data Subject

Means an identified or identifiable natural person who is the subject of personal data, including users, customers, website visitors, employees, and any other individuals whose personal data we collect, process, or store.

1.4 Data Controller / Processor

Depending on the activity, Lifewood acts either:

• (i) as a data processor / data intermediary / service provider when processing Personal Data on documented instructions of a client (the controller), or

• (ii) as an independent controller for Lifewood-run functions (e.g., HR, recruitment, security logging, finance, marketing).

Where Lifewood acts as a processor, the client’s privacy notice governs and Lifewood will not determine the purposes or means beyond client instructions.

1.5 Data Processor

Means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

1.6 Third Party

Means any natural or legal person, public authority, agency or body other than the data subject, the data controller, the data processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

1.7 Consent

Means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

1.8 Services

Means all technology solutions, platforms, websites, applications, software, and related services provided by the Company to users and customers.

1.9 User Account

Means any account created by a user to access our Services, including associated login credentials, preferences, and account information.

1.10 Cookies

Means small text files that are placed on a user's device when visiting our website or using our Services to store and retrieve information about the user's browsing behaviour and preferences.

1.11 AI-Generated Content

Means any content, including but not limited to text, images, audio, or video, that is created, modified, or enhanced through artificial intelligence, machine learning algorithms, or automated systems operated by the Company.

1.12 Data Breach

Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.13 Retention Period

Means the period for which personal data is stored and processed by the Company before it is deleted or anonymised, as specified in this Privacy Policy or as required by applicable law.

1.14 Cross-Border Transfer

Means the transfer of personal data from Hong Kong to a jurisdiction outside Hong Kong, whether directly or indirectly through intermediate jurisdictions.

1.15 Legitimate Interest

Means the lawful basis for processing personal data where such processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

1.16 Anonymisation

Means the process of removing or modifying personal data in such a way that the data subject can no longer be identified directly or indirectly by the Company or any other party.

1.17 Data Protection Officer (DPO)

Means the individual appointed by the Company to monitor compliance with data protection laws and serve as the primary contact for data protection matters.

1.18 Regulatory Authority

Means the Privacy Commissioner for Personal Data in Hong Kong or any other competent supervisory authority with jurisdiction over data protection matters affecting the Company or data subjects.

2. Information Collection

2.1 Types of Personal Data Collected

We collect and process various categories of personal data necessary for providing our Services, including but not limited to:

2.1.1 Identity and Contact Information

Full name, email addresses, telephone numbers, postal addresses, job titles, company affiliations, and other contact details.

2.1.2 Account and Authentication Data

Usernames, passwords, security questions and answers, account preferences, and authentication credentials.

2.1.3 Technical and Usage Information

IP addresses, device identifiers, browser types and versions, operating system information, referring URLs, access times, and usage patterns.

2.1.4 Content Data

Text files, documents, audio recordings, images, videos, and other content materials uploaded, created, or processed through our Services.

2.1.5 AI-Generated Content

Data outputs, results, and derivatives created through artificial intelligence processing, including machine learning models and algorithmic outputs based on User input.

2.1.6 Communication Records

Correspondence, support tickets, feedback, survey responses, and other communications between Users and the Company.

2.1.7 Financial Information

Billing addresses, payment method details, transaction records, and invoicing information where applicable to paid Services.

2.1.8 Likeness and Performance Rights

Where datasets capture an individual’s image, voice, or performance, Lifewood (acting as processor) requires the controller or data supplier to warrant that all necessary consents, licences, waivers of moral rights (where applicable), and publicity/portrait rights clearances have been obtained for the project scope, territory, media and duration, including use in quality assurance and security review. Lifewood will not expand use beyond the authorised scope.

2.2 Methods of Data Collection

2.2.1 Direct Collection

We collect Personal Data directly from Data Subjects through registration forms, account creation processes, service usage, file uploads, and direct communications.

2.2.2 Automated Collection

We automatically collect certain data through Cookies, web beacons, server logs, and other tracking technologies when Users access our Services.

2.2.3 Third-Party Sources

We may receive Personal Data from business partners, service providers, publicly available sources, and integrated third-party platforms with appropriate consent or legal basis.

2.2.4 Device and Browser Collection

Technical information is collected through Users' devices and browsers when accessing our platforms and Services.

2.3 Circumstances of Collection

Personal Data is collected during account registration, service activation, content upload and processing, customer support interactions, marketing communications, and ongoing service usage.

Collection occurs when Users voluntarily provide information, engage with our Services, participate in surveys or feedback processes, or interact with our customer support teams.

Automated data collection takes place continuously during service usage to ensure proper functionality, security monitoring, and service optimization.

2.4 Legal Basis for Collection

We collect Personal Data based on legitimate business interests, contractual necessity for service provision, legal compliance requirements, and with explicit Consent where required by applicable law.

For AI-Generated Content and related Processing, collection is based on contractual necessity and legitimate interests in providing advanced technology services and improving our AI capabilities.

3. Use of Information

3.1 Service Provision and Operations

We process Personal Data to provide, maintain, and improve our Services, including user authentication, account management, and delivery of requested technology solutions.

Personal Data is used to customize and personalize user experiences, configure system settings, and ensure proper functionality of our technology platforms.

We process data to fulfill contractual obligations, process transactions, generate invoices, and manage billing and payment processes.

3.2 Customer Support and Communications

Personal Data is processed to respond to user inquiries, provide technical support, troubleshoot issues, and maintain communication records for quality assurance purposes.

We use contact information to send service-related notifications, system updates, security alerts, and other essential communications regarding our Services.

Communication data including text, audio, and video content may be processed to resolve support requests and improve service quality.

3.3 Analytics and Performance Monitoring

We process Personal Data to analyze usage patterns, monitor system performance, generate statistical reports, and conduct research to enhance our Services.

Data is used to identify trends, measure service effectiveness, and develop insights for business intelligence and strategic planning purposes.

We may process aggregated and anonymized data for benchmarking, industry analysis, and service optimization. For avoidance of doubt, aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data which will be used in accordance with this privacy policy.

3.4 AI Model Training and Development

Lifewood will not use client-provided datasets containing Personal Data to train, fine-tune, or evaluate models except where (i) the client (as controller) has provided documented instructions and appropriate lawful basis/notice, or (b) the data has been irreversibly anonymised by or for the client such that no person is identifiable by Lifewood or any third party. For the avoidance of doubt, ‘Anonymised’ means de-identification that is irreversible, with technical and organisational measures to prevent re-identification. By default, client datasets are siloed to that client’s project scope; Lifewood does not repurpose such data for unrelated model development.

AI-Generated Content created through our Services may be processed for model refinement, quality assessment, and system enhancement purposes.

Data processing for AI purposes includes pattern recognition, machine learning model training, and automated content generation improvement.

3.5 Marketing and Commercial Communications

Subject to appropriate Consent or Legitimate Interest, we process Personal Data to send marketing communications, promotional materials, newsletters, and information about new products or services.

We use data for market research, customer segmentation, targeted advertising, and developing marketing strategies relevant to user interests.

Marketing communications may be delivered through various channels including email, SMS, phone calls, and digital platforms, where legally permitted.

Non-essential cookies/marketing communications are opt-in where required. We do not sell Personal Data or engage in cross-context behavioural advertising. Any third-party marketing pixels are disabled by default and activated only upon consent.

3.6 Security and Fraud Prevention

Personal Data is processed to maintain system security, detect and prevent fraud, unauthorized access, and other security threats to our Services and users.

We use data for identity verification, risk assessment, monitoring suspicious activities, and implementing appropriate security measures.

3.7 Legal Compliance and Business Operations

We process Personal Data to comply with legal obligations, respond to lawful requests from authorities, and meet regulatory requirements applicable to our business operations.

Data is processed for business administration, financial reporting, audit purposes, and maintaining corporate records as required by law.

Personal Data may be processed in connection with business transactions, mergers, acquisitions, or corporate restructuring activities.

3.8 Data Quality and Management

We process Personal Data to maintain data accuracy, completeness, and currency, including data validation, correction, and update procedures.

Data processing includes backup and recovery operations, data migration, and system maintenance activities to ensure service continuity.

3.9 Likeness and Performance Rights (Images, Audio, Video, Biometric-Derived Data)

This clause applies where Personal Data includes an identifiable person’s image, voice, or performance (including data derived from such materials).

Where we process on a client’s documented instructions, the client is the controller and is responsible for the lawful basis, notices, and all required permissions (e.g., consents, publicity/portrait rights, performers’ permissions, and – where permitted – moral-rights waivers).

We use likeness/voice/performances only to:
(i) perform the contracted services (collection, annotation, classification, transcription, QA, acceptance testing, delivery),
(ii) enforce platform integrity and security (access control, fraud/leakage detection, incident investigation),
(iii) comply with legal, audit, or regulatory obligations, and
(iv) in our controller capacity only, manage recruitment and workforce administration.

We do not sell, license, promote, or otherwise exploit a person’s image, voice, or performance for our own purposes; we do not use such material for advertising without explicit consent or controller confirmation that valid consent has been obtained.

Client-provided material containing Personal Data (including likeness/voice) is not used to train, fine-tune, or evaluate models unless expressly instructed by the controller and permitted by law with appropriate notice/consent, or the material has been irreversibly anonymised with contractual and technical prohibitions on re-identification.

Where materials involve children/minors, we rely on the controller to ensure verifiable parental/guardian consent or another valid legal basis; absent such basis, the controller must instruct deletion or provide suitably masked/blurred or de-identified alternatives.

Any third party assisting us with such processing is bound by written terms that restrict use to the instructed purpose, impose equivalent confidentiality, security, and deletion obligations, and prohibit independent reuse or re-identification.

Where feasible and consistent with project accuracy, we apply pseudonymisation, masking/blur, redaction, access controls, audit logging, and (where appropriate) watermarking/fingerprinting and export controls to deter unauthorised copying.

We retain such materials only as necessary for the purposes in (c) and in accordance with controller instructions and applicable law, then delete or irreversibly anonymise and require subprocessors to do the same.

Individuals wishing to exercise data-subject or publicity/portrait/performer rights for client projects should contact the controller. Where we act as controller (e.g., recruitment), contact hr@lifewood.com.

4. Data Sharing and Disclosure

4.1 Categories of Third Party Recipients

We may share your Personal Data with the following categories of third parties: service providers and contractors who assist in our business operations; professional advisors including lawyers, accountants, and auditors; technology partners and cloud service providers; payment processors and financial institutions; marketing and analytics service providers; and affiliates and subsidiary companies within our corporate group.

We may also share Personal Data with regulatory authorities, law enforcement agencies, courts, and other governmental bodies when required by law or legal process.

4.2 Service Providers and Contractors

We engage third party service providers to perform functions on our behalf, including IT infrastructure management, customer support services, data analytics, marketing automation, payment processing, and AI model training and development.

Service providers are contractually bound to process Personal Data only for the specific purposes outlined in our agreements with them and in accordance with our instructions and applicable data protection requirements.

4.3 Business Partners and Affiliates

We do not disclose client-provided Personal Data to ‘business partners’ for their own purposes. Any partner access is as our processors/sub-processors under contract, limited to the project purpose and prohibited from independent reuse.

Personal Data may be shared with affiliated companies within our corporate group for internal business operations, consolidated reporting, and service delivery across our organization.

4.4 Legal and Regulatory Disclosure

We will disclose Personal Data when required by applicable law, court order, subpoena, or other legal process, or when we believe disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.

In the event of a merger, acquisition, sale of assets, or similar corporate transaction, Personal Data may be transferred to the acquiring entity, subject to appropriate confidentiality protections and user notification.

4.5 Commercial and Marketing Purposes

We may share aggregated, anonymized, or de-identified data with third parties for commercial purposes, market research, industry analysis, or product development, provided such data cannot reasonably be used to identify individual Data Subjects.

Personal Data may be shared with marketing partners for targeted advertising or promotional campaigns, only with appropriate user consent or where permitted by applicable law for legitimate business interests.

4.6 Conditions for Data Sharing

All data sharing is conducted based on one or more of the following legal bases: user consent; performance of a contract; compliance with legal obligations; protection of vital interests; performance of tasks in the public interest; or legitimate business interests that do not override individual privacy rights.

Before sharing Personal Data, we ensure recipients have appropriate technical and organizational measures in place to protect the data and comply with applicable privacy laws and our contractual requirements.

4.7 User Control and Opt-Out Rights

Users may withdraw consent for certain data sharing activities where consent is the legal basis for processing, and may opt-out of marketing-related data sharing through account settings or by contacting us directly.

Certain data sharing may be necessary for service delivery or legal compliance and cannot be opted out of while maintaining an active account or receiving our Services.

5. Data Security Measures

5.1 Data Security Framework

The Company implements comprehensive technical and organizational security measures designed to protect Personal Data against unauthorized access, disclosure, alteration, destruction, or loss, taking into account the nature, scope, context, and purposes of Processing as well as the risks to Data Subjects.

5.2 Technical Security Measures

The Company employs industry-standard encryption protocols to protect Personal Data both in transit and at rest, including but not limited to SSL/TLS encryption for data transmission and AES-256 encryption for data storage.

Access controls are implemented through multi-factor authentication systems, role-based access permissions, and regular access reviews to ensure that only authorized personnel can access Personal Data on a need-to-know basis.

Network security measures include firewalls, intrusion detection systems, and regular security monitoring to prevent unauthorized access to our systems and infrastructure.

Data backup and recovery systems are maintained with encrypted backup storage and regular testing of recovery procedures to ensure data integrity and availability.

5.3 Organizational Security Measures

All employees with access to Personal Data undergo mandatory privacy and data security training upon employment and receive regular updates on security protocols and best practices.

The Company maintains strict confidentiality agreements with all staff members and Third Party service providers who may have access to Personal Data during the course of their duties.

Clear data handling procedures and security policies are established and regularly reviewed to ensure ongoing compliance with security standards and regulatory requirements.

Regular security audits and vulnerability assessments are conducted to identify and address potential security risks and ensure the effectiveness of implemented security measures.

5.4 Physical Security Controls

Physical access to facilities containing Personal Data is restricted through secure access controls, surveillance systems, and environmental controls to protect against unauthorized physical access, theft, or damage to data storage systems.

5.5 Third Party Security Requirements

All Third Party service providers and data processors are required to implement appropriate technical and organizational security measures equivalent to those maintained by the Company and must provide adequate assurances regarding the security of Personal Data Processing.

5.6 Security Incident Response

The Company maintains documented procedures for detecting, reporting, and responding to security incidents, including immediate containment measures, impact assessment, and notification procedures in accordance with applicable legal requirements.

5.7 Continuous Security Improvement

Security measures are regularly reviewed and updated to address evolving threats, technological developments, and regulatory changes, ensuring that Personal Data protection remains effective and compliant with current standards.

6. User Rights and Controls

6.1 Right of Access

Data subjects have the right to request confirmation of whether the Company processes their Personal Data and, where applicable, to obtain access to such Personal Data and information about the processing activities.

Upon receiving a valid access request, the Company will provide a copy of the Personal Data being processed, details of the purposes of processing, categories of Personal Data involved, recipients of the data, and retention periods.

Access requests must be submitted in writing using the contact information specified in Section 16 of this Privacy Policy, and the Company will respond within thirty (30) days of receipt.

6.2 Right to Rectification

Data subjects may request correction of inaccurate Personal Data or completion of incomplete Personal Data held by the Company.

The Company will assess rectification requests promptly and make necessary corrections within thirty (30) days where the request is substantiated and technically feasible.

Where Personal Data has been shared with Third Parties, the Company will take reasonable steps to inform such parties of the rectification unless this proves impossible or involves disproportionate effort.

6.3 Right to Erasure

Data subjects may request deletion of their Personal Data where:
(i) the data is no longer necessary for the original purposes;
(ii) consent is withdrawn and no other legal basis exists;
(iii) the data has been unlawfully processed; or
(iv) erasure is required for compliance with legal obligations.

The Company may refuse erasure requests where processing is necessary for:
(i) compliance with legal obligations;
(ii) establishment, exercise, or defense of legal claims;
(iii) performance of contractual obligations; or
(iv) legitimate business interests that override the data subject's rights.

Where erasure is granted, the Company will delete the Personal Data within sixty (60) days and notify relevant Third Parties where technically feasible.

6.4 Right to Data Portability

Data subjects have the right to receive their Personal Data in a structured, commonly used, and machine-readable format where processing is based on Consent or contract performance and carried out by automated means.

Data subjects may request direct transmission of their Personal Data to another data controller where technically feasible.

Data portability requests will be fulfilled within thirty (30) days in commonly used electronic formats such as CSV, JSON, or XML.

6.5 Right to Object

Data subjects may object to processing of their Personal Data based on Legitimate Interests, including processing for direct marketing purposes.

Upon receiving an objection, the Company will cease processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms.

For direct marketing objections, the Company will immediately cease such processing and update its marketing preferences accordingly.

6.6 Right to Restrict Processing

Data subjects may request restriction of processing where:
(i) the accuracy of Personal Data is contested;
(ii) processing is unlawful but erasure is not desired;
(iii) the Company no longer needs the data but it is required for legal claims; or
(iv) an objection has been lodged pending verification of legitimate grounds.

Where processing is restricted, the Company will only store the Personal Data and will not perform further processing without the data subject's consent, except for legal claims or protection of rights of other persons.

6.7 Exercise of Rights

All rights requests must be submitted in writing to the DPO using the contact details provided in Section 16, accompanied by sufficient information to verify the identity of the requestor.

The Company may request additional information to verify identity and prevent fraudulent requests, particularly for sensitive requests such as data access or erasure.

Rights requests will be processed free of charge unless requests are manifestly unfounded, excessive, or repetitive, in which case the Company may charge a reasonable administrative fee or refuse the request.

6.8 Response Timeframes

The Company will acknowledge receipt of rights requests within five (5) business days and respond within the period required by applicable law (for example, up to forty (40) days in Hong Kong for data access requests). Where law permits, we may extend once for complex requests and will inform you of the reasons.

Complex requests may require extension of the response period by an additional thirty (30) days, of which the data subject will be notified along with reasons for the delay.

6.9 Appeal Process

Where a rights request is refused or the data subject is dissatisfied with the Company's response, they may file a complaint with the Privacy Commissioner for Personal Data in Hong Kong.

Data subjects retain the right to seek judicial remedy through Hong Kong courts for alleged violations of their privacy rights under applicable law.

7. Data Retention Periods

7.1 General Retention Principle

The Company retains Personal Data only for as long as necessary to fulfil the purposes described in this notice (or as instructed by the relevant controller), to comply with legal, regulatory, tax, accounting, or reporting obligations, to maintain security and audit trails, and to establish, exercise, or defend legal claims. When data is no longer required, we delete or irreversibly anonymise it.

7.2 Processor vs. Controller

7.2.1 Processor Role (Client Projects)

Retention, deletion, and return are governed by the client’s documented instructions and applicable law; our internal default schedules do not override controller mandates.

7.2.2 Controller Role (Our Own Business Operations)

We apply the purpose-based periods set out below or any mandatory statutory period, whichever is longer.

7.3 Typical Retention Periods (Non-Exhaustive, for Lifewood-Controller Data)

These are indicative and may vary by law and system of record:

7.3.1 Customer & User Account Records (Business contacts, portal accounts, role/access metadata):

retained for the life of the account and typically up to 24 months after closure, unless a longer period is needed for audit, security, or dispute resolution.

7.3.2 Customer Support & Communications (Tickets, emails, chat logs):

retained for service history and QA and typically up to 24–36 months after resolution, unless a longer period is required by law or to resolve a dispute.

7.3.3 Financial & Tax Records (Invoices, POs, payment confirmations):

retained for at least seven (7) years or longer where required by applicable law.

7.3.4 Security & Access Logs (Authentication, activity, anomaly signals):

retained typically 12–24 months, subject to security and fraud-prevention needs.

7.3.5 Marketing Preferences & Outreach

Retained until you opt out or we no longer need the data for lawful marketing, then suppressed to respect future opt-outs.

7.3.6 Recruitment Data (Applicants)

Retained typically up to 12–24 months after the process ends unless hired or local law requires otherwise.

7.3.7 AI-Generated Content and Training Data

We typically retain authorised training artefacts only for the period specified by the controller and no longer than necessary for audit and model validation. Where feasible we retain only anonymised, non-personal artefacts for longer-term improvement, with re-identification prohibited.

8. Cookies and Tracking Technologies

8.1 Types of Tracking Technologies Used

The Company uses cookies, which are small text files stored on users' devices to enhance website functionality and user experience.

We employ web beacons (also known as pixel tags) to track user interactions with our websites and email communications.

Our Services may utilize local storage technologies, including HTML5 local storage and browser cache, to store user preferences and technical information.

We implement analytics tracking tools and software development kits (SDKs) to collect usage statistics and performance data.

8.2 Categories of Cookies

8.2.1 Essential Cookies

Necessary for basic website functionality, user authentication, and security features, and cannot be disabled without affecting core Services.

8.2.2 Performance Cookies

Collect aggregated information about website usage, page load times, and technical performance to improve our Services.

8.2.3 Functional Cookies

Remember user preferences, language settings, and customization choices to enhance user experience.

8.2.4 Marketing Cookies

Track user behavior across websites to deliver targeted advertising and measure campaign effectiveness.

8.3 Purposes of Data Collection

Tracking technologies are used to maintain user sessions, remember login credentials, and provide personalized content recommendations.

We collect analytics data to understand user behavior patterns, optimize website performance, and improve our technology solutions.

Marketing cookies enable us to deliver relevant advertisements, measure marketing campaign performance, and conduct A/B testing of our Services.

Technical cookies support fraud prevention, security monitoring, and system diagnostics essential for maintaining service integrity.

8.4 Third-Party Tracking Technologies

Our websites may contain third-party tracking technologies from analytics providers, advertising networks, and social media platforms.

Third-party cookies are governed by the respective privacy policies of external service providers, and we do not control their data collection practices.

We may share aggregated and anonymized data collected through tracking technologies with business partners and service providers for commercial purposes.

8.5 User Control and Management Options

Users can manage cookie preferences through their browser settings, including blocking, deleting, or restricting certain types of cookies.

We provide a cookie consent management tool on our website allowing users to customize their tracking preferences for non-essential cookies.

Users may opt out of marketing cookies and targeted advertising through industry opt-out mechanisms and third-party preference centers.

Disabling essential cookies may result in reduced website functionality and limited access to certain Services features.

8.6 Data Retention for Tracking Technologies

When acting as processor, client instructions and applicable law govern retention and deletion; Lifewood’s default schedules do not override controller mandates. For Lifewood-controller data, we retain only as long as necessary for stated purposes and legal obligations, then delete or irreversibly anonymise.

8.7 Cross-Site Tracking and Advertising

We may participate in cross-site tracking activities to deliver personalized advertising experiences across different websites and platforms.

Users can enable "Do Not Track" browser settings, though we cannot guarantee that all third-party services will honor such requests.

We comply with applicable advertising industry standards and guidelines regarding behavioral advertising and user privacy preferences.

9. International Data Transfers

9.1 Cross-Border Transfer Framework

Transfers rely on recognised safeguards (e.g., Standard Contractual Clauses, intragroup agreements, or other approved mechanisms). Where a client mandates residency (e.g., EU-only processing), Lifewood will enforce geographic access controls and contractual flow-down to all subprocessors.

9.2 Adequacy Assessments

Before transferring Personal Data to any jurisdiction outside Hong Kong, the Company conducts assessments to determine whether the receiving jurisdiction provides adequate protection for Personal Data comparable to the standards required under Hong Kong law.

9.3 Transfer Safeguards

Where Personal Data is transferred to jurisdictions that do not provide adequate protection, the Company implements appropriate safeguards including:

• Standard contractual clauses approved by relevant data protection authorities;

• Binding corporate rules for transfers within our corporate group;

• Certification schemes and codes of conduct that demonstrate adequate protection;

• Specific contractual obligations requiring recipients to maintain equivalent data protection standards.

9.4 Consent-Based Transfers

In certain circumstances, the Company may rely on explicit consent from Data Subjects for Cross-Border Transfers where other safeguards are not available, provided such consent is freely given, specific, informed, and unambiguous.

9.5 Transfer Documentation

The Company maintains records of all Cross-Border Transfers including:

• Details of receiving parties and their locations;

• Categories of Personal Data transferred;

• Safeguards implemented for each transfer;

• Legal basis and necessity for the transfer.

9.6 Third-Party Processor Obligations

All Third Parties receiving Personal Data through Cross-Border Transfers must:

• Process Personal Data only for specified purposes and in accordance with our instructions;

• Implement appropriate technical and organizational security measures;

• Notify the Company immediately of any Data Breach or unauthorized access;

• Assist the Company in responding to Data Subject rights requests.

9.7 Transfer Restrictions

The Company will not transfer Personal Data to jurisdictions or entities subject to international sanctions, trade restrictions, or where such transfer would violate applicable laws or compromise Data Subject rights.

9.8 Notification of Changes

Data Subjects will be notified of any material changes to Cross-Border Transfer practices through policy updates, direct communication, or website notifications as appropriate to the circumstances.

10. Data Breach Procedures

10.1 Data Breach Detection and Assessment

The Company maintains continuous monitoring systems and procedures to detect potential Data Breaches affecting Personal Data under our control or processing.

Upon discovery of a suspected Data Breach, the Company will immediately conduct a preliminary assessment to determine the nature, scope, and potential impact of the incident within 24 hours of detection.

The assessment shall evaluate the categories of Personal Data involved, the number of Data Subjects potentially affected, the likelihood of harm, and the severity of consequences for affected individuals.

10.2 Internal Breach Response Team

The Company has established a dedicated data breach response team comprising representatives from information technology, legal, compliance, and senior management to coordinate breach response activities.

The Data Protection Officer or designated privacy lead shall serve as the primary coordinator for all Data Breach response activities and external communications.

10.3 Containment and Risk Mitigation

Upon confirmation of a Data Breach, the Company will immediately implement containment measures to prevent further unauthorized access, use, or disclosure of Personal Data.

The Company will take all reasonable steps to mitigate potential harm to affected Data Subjects, which may include resetting passwords, suspending compromised accounts, or implementing additional security measures.

Where technically feasible, the Company will attempt to recover any Personal Data that has been improperly accessed or disclosed.

10.4 Regulatory Notification Requirements

The Company will notify regulators and affected individuals in accordance with applicable law in each jurisdiction (e.g., “as soon as practicable or within statutory time limits where prescribed) We assess materiality, harm likelihood, and scale to determine notification. 

The notification to regulatory authorities will include a description of the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

Where the initial notification cannot contain all required information, the Company will provide additional information in phases without undue delay as it becomes available.

10.5 Individual Notification Procedures

The Company will notify affected Data Subjects without undue delay when a Data Breach is likely to result in a high risk to their rights and freedoms, privacy, or may cause significant harm.

Individual notifications will be communicated through the most effective means available, including email, direct mail, telephone contact, or prominent website notices, depending on the circumstances and available contact information.

The notification to individuals will be written in clear and plain language and include a description of the nature of the breach, categories of Personal Data involved, steps taken to address the breach, recommendations for protective measures, and contact information for further inquiries.

10.6 Documentation and Record Keeping

The Company will maintain comprehensive documentation of all Data Breaches, including the facts surrounding the breach, its effects, and remedial actions taken.

Breach records will be retained for a minimum period of seven (7) years and will be made available to regulatory authorities upon request.

10.7 Post-Breach Review and Improvement

Following resolution of any Data Breach, the Company will conduct a thorough post-incident review to identify root causes, evaluate the effectiveness of response measures, and implement improvements to prevent similar incidents.

The Company will update its security measures, policies, and procedures based on lessons learned from Data Breach incidents and evolving threat landscapes.

10.8 Third Party Processor Breaches

Where a Data Breach occurs at a Third Party Data Processor acting on behalf of the Company, the processor must notify the Company immediately upon becoming aware of the breach.

The Company will coordinate with Third Party processors to ensure appropriate breach response measures are implemented and regulatory notification obligations are met within required timeframes.

11. Commercial Use of Data

11.1 General Commercial Use Principles

The Company may use Personal Data for legitimate commercial purposes that support our business operations, service delivery, and growth objectives, provided such use is lawful, fair, and transparent to Data Subjects.

11.2 Marketing and Communications

We may use Personal Data to send marketing communications, promotional materials, newsletters, and service updates through email, SMS, or other communication channels where we have obtained appropriate Consent or have a Legitimate Interest to do so, in compliance with applicable laws including GDPR requirements for EU data subjects.

Marketing communications may include information about new products, services, features, special offers, industry insights, and company updates relevant to our technology solutions.

Data Subjects may opt out of marketing communications at any time through unsubscribe links, account settings, or by contacting us directly using the information provided in Section 16.

11.3 Product Development and Innovation

Personal Data may be used to develop, improve, test, and enhance our technology products and Services, including the development of new features, functionalities, and AI-Generated Content capabilities.

We may analyze usage patterns, user feedback, and interaction data to identify opportunities for product improvements and to create more personalized user experiences.

AI model training and machine learning activities may utilize Personal Data to improve the accuracy, performance, and capabilities of our technology solutions, subject to appropriate data protection safeguards.

11.4 Business Analytics and Intelligence

We process Personal Data for business analytics purposes including market research, trend analysis, performance measurement, and strategic planning to support informed business decision-making.

Analytics activities may involve creating aggregated, statistical, or trend reports that help us understand user behaviour, service performance, and market opportunities.

Where possible, we utilize Anonymisation techniques to reduce privacy risks while maintaining the analytical value of data for commercial insights.

11.5 Customer Relationship Management

Personal Data is used to manage customer relationships, provide personalized service experiences, and maintain comprehensive records of customer interactions and preferences.

We may use Personal Data to segment customers for targeted service delivery, customize user interfaces, and provide relevant content and recommendations.

11.6 Revenue Generation and Monetisation

Personal Data may be used to support revenue-generating activities including subscription management, billing processes, payment processing, and financial reporting.

We may analyze purchasing patterns and user behavior to develop pricing strategies, identify cross-selling opportunities, and optimize our commercial offerings.

11.7 Legal Basis for Commercial Use

Commercial use of Personal Data is conducted under appropriate legal bases including Consent, Legitimate Interest, contractual necessity, or legal obligation as required by applicable Hong Kong privacy laws.

Where we rely on Legitimate Interest as a legal basis (including under GDPR Article 6(1)(f) for EU data subjects), we conduct balancing assessments to ensure our commercial interests do not override the fundamental rights and freedoms of Data Subjects.

11.8 Limitations and Safeguards

Commercial use of Personal Data is subject to the data minimization principle, ensuring we only process data that is necessary, relevant, and proportionate to the specified commercial purposes.

All commercial data processing activities are conducted in accordance with our Data Security measures outlined in Section 5 and are subject to the Data Retention periods specified in Section 7.

Data Subjects retain all rights specified in Section 6 regarding Personal Data used for commercial purposes, including the right to object to Processing based on Legitimate Interest.

12. Third-Party Services and Links

12.1 Third-Party Websites and Services

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by the Company. This Privacy Policy does not apply to such third-party websites or services.

12.2 Limitation of Responsibility

The Company is not responsible for the privacy practices, content, or policies of any third-party websites, applications, or services that may be accessed through links provided on our Services.

12.3 User Responsibility for Third-Party Interactions

When you access third-party websites or services through our Services, you do so at your own risk and subject to the terms and privacy policies of those third parties.

12.4 Third-Party Service Providers

We may engage third-party service providers to assist in delivering our Services, including cloud storage providers, analytics services, payment processors, and marketing platforms. Such third parties are bound by contractual obligations to protect Personal Data in accordance with this Privacy Policy.

12.5 Data Sharing with Third-Party Service Providers

Personal Data shared with third-party service providers including but not limited to:
(i) business partners, suppliers, and subcontractors for contract performance,
(ii) professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers, and
(iii) regulators, authorities, and enforcement agencies is limited to what is necessary for them to perform their designated functions and is subject to appropriate data protection safeguards and confidentiality obligations.

12.6 Social Media Integration

Our Services may include social media features and widgets provided by third parties. These features may collect information about your IP address, pages visited, and may set Cookies to enable proper functionality.

12.7 Recommendation to Review Third-Party Policies

We strongly encourage users to read the privacy policies and terms of service of any third-party websites or services before providing Personal Data or engaging with such platforms.

12.8 Changes to Third-Party Relationships

The Company reserves the right to add, remove, or modify third-party service relationships as necessary for business operations, with appropriate notice provided for material changes that may affect Personal Data processing.

13. Children’s Privacy

13.1 Age Restrictions and Service Eligibility

Our Services are not intended for use by individuals under the age of 18 years. We do not knowingly collect, use, or disclose Personal Data from children under 18 years of age without appropriate parental or guardian consent as required by applicable law. Any minor data in client archives is controller-authorised, and Lifewood applies heightened safeguards as processor.

13.2 Verification of Age

We implement reasonable measures to verify the age of users during account registration and service access. Users are required to confirm their age and represent that they are at least 18 years old or have obtained appropriate parental consent.

13.3 Parental Consent Requirements

Where we become aware that Personal Data of a child under 18 has been collected without proper parental consent, we will take immediate steps to obtain such consent or delete the Personal Data.

Parents or legal guardians may provide consent for their child's use of our Services by contacting us using the details provided in Section 16 of this Privacy Policy.

We may require additional verification measures to confirm the identity of parents or guardians before processing consent requests.

13.4 Enhanced Protection for Children's Data

When processing Personal Data of children with appropriate consent, we apply additional safeguards including limited data collection, enhanced security measures, and restricted data sharing.

We do not use children's Personal Data for direct marketing purposes or behavioral advertising without explicit parental consent.

Children's Personal Data is subject to shorter Retention Periods and more restrictive access controls than adult user data.

13.5 Parental Rights and Controls

Parents or guardians have the right to access, review, modify, or request deletion of their child's Personal Data at any time.

Parents may withdraw consent for their child's use of our Services, which may result in account termination and data deletion.

We will respond to parental requests regarding children's Personal Data within 30 days of receipt.

13.6 Discovery of Underage Users

If we discover that we have collected Personal Data from a child under 18 without appropriate consent, we will delete such information within 30 days unless legally required to retain it or unless valid parental consent is obtained within that timeframe.

13.7 Educational and Training Content

Where our Services include AI-Generated Content or training materials that may be accessed by children, we ensure such content is appropriate and does not collect additional Personal Data beyond what is necessary for service provision.

14. Policy Updates and Notifications

14.1 Policy Modification Authority

The Company reserves the right to modify, update, or amend this Privacy Policy at any time to reflect changes in our business practices, legal requirements, or regulatory developments.

14.2 Types of Changes

14.2.1 Material Changes

Include modifications that significantly affect how we collect, use, share, or protect personal data, changes to user rights, alterations to data retention periods, or modifications to our legal basis for processing.

14.2.2 Non-Material Changes

Include administrative updates, clarifications of existing practices, contact information updates, or minor editorial corrections that do not substantively alter our data handling practices.

14.3 Notification Methods for Material Changes

We will provide thirty (30) days advance notice of material changes through prominent notice on our website homepage and primary service interfaces.

Direct notification will be sent to users via email to their registered email addresses for material changes that may affect their rights or our processing activities.

In-application notifications will be displayed to active users upon their next login or service access following material policy changes.

14.4 Non-Material Change Notifications

Non-material changes will be communicated through updated version information on our website and within the policy document itself, without requirement for advance notice.

14.5 Effective Date Implementation

Material changes become effective thirty (30) days after notification, allowing users time to review changes and exercise their rights.

Non-material changes become effective immediately upon publication of the updated policy.

The "Last Updated" date at the beginning of this policy will reflect the most recent modification date.

14.6 User Response to Changes

Continued use of our Services after the effective date of material changes constitutes acceptance of the updated Privacy Policy.

Users who disagree with material changes may discontinue use of our Services and request data deletion in accordance with Section 6 (User Rights and Controls).

14.7 Version Control and Archive

We maintain version control for all policy updates with clear identification of version numbers and modification dates.

Previous versions of this Privacy Policy will be archived and made available upon request for a period of three (3) years from their replacement date.

14.8 Emergency Updates

In cases of data security incidents or urgent legal compliance requirements, we may implement immediate policy changes with concurrent notification to affected users and subsequent formal notice procedures.

15. Compliance and Regulatory Framework

15.1 Applicable Laws and Regulations

This Privacy Policy and the Company's data processing activities are governed primarily by the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong and all applicable amendments, subsidiary legislation, and codes of practice issued thereunder.

Additionally, the Company complies with applicable privacy and data protection laws in all jurisdictions where it operates or engages with data subjects, including but not limited to Malaysia's Personal Data Protection Act, relevant Chinese data protection regulations, United States federal and state privacy laws, Philippine Data Privacy Act, Bangladesh Data Protection Act, Indonesian data protection regulations, the European Union General Data Protection Regulation (GDPR) for engagement with EU data subjects, and other applicable local privacy laws.

15.2 Data Protection Principles Compliance

The Company commits to adhering to the six Data Protection Principles established under the Personal Data (Privacy) Ordinance and equivalent principles under applicable privacy laws in all jurisdictions where it operates or engages with data subjects, including GDPR principles for EU data subjects.

These principles encompass purpose limitation, accuracy, retention limitation, data security, openness, and access principles in all data processing activities.

15.3 Privacy Commissioner Guidelines

The Company follows guidance, codes of practice, and enforcement notices issued by the Privacy Commissioner for Personal Data, Hong Kong, and equivalent regulatory authorities in all jurisdictions where it operates or engages with data subjects, including European data protection authorities for GDPR compliance.

The Company regularly reviews its practices to ensure ongoing compliance with regulatory expectations and best practices across multiple legal frameworks.

15.4 Cross-Border Transfer Compliance

Where personal data is transferred outside Hong Kong or between other jurisdictions where the Company operates or engages with data subjects, including transfers involving EU data subjects, the Company ensures compliance with:

• Prescribed requirements under Data Protection Principle 3 of the Hong Kong Ordinance,

• GDPR adequacy and safeguard requirements, and

• Equivalent cross-border transfer requirements under applicable laws in all relevant jurisdictions, including any exemptions or prescribed circumstances as defined in the respective privacy legislation.

15.5 Regulatory Monitoring and Updates

The Company maintains ongoing monitoring of changes to privacy laws and regulations, and all other jurisdictions where it operates or engages with data subjects — including GDPR developments and European data protection regulations.

Necessary updates are implemented to policies, procedures, and technical measures to ensure continued compliance with evolving legal requirements across multiple regulatory frameworks.

15.6 Industry Standards Alignment

In addition to legal compliance, the Company strives to align its data protection practices with recognized international standards and industry best practices for data security and privacy protection in the technology sector.

15.7 Compliance Auditing and Review

The Company conducts regular internal audits and reviews of its data processing activities, privacy controls, and compliance measures to ensure adherence to applicable laws and the effectiveness of implemented safeguards.

15.8 Legal Basis for Processing

All personal data processing activities are conducted based on lawful grounds including consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests as recognized under applicable Hong Kong privacy law and equivalent legal bases under privacy legislation in all jurisdictions where the Company operates or engages with data subjects, including the six lawful bases under GDPR for EU data subjects.

16. Contact Information and Complaints

16.1 Privacy Inquiries Contact Information

All privacy-related inquiries, requests, and communications should be directed to our designated privacy contact:

Email: hr@lifewood.com

Postal Address:
Lifewood Data Technology Limited, Unit 19, 9/F, Core C, Cyberport 3, 100 Cyberport Road, Hong Kong

16.2 Response Time Commitments

We will acknowledge receipt of privacy inquiries within three (3) business days of receiving your communication.

We will provide a substantive response to data subject rights requests within thirty (30) days of verification of your identity and request validity.

Complex requests may require additional time, in which case we will notify you of the extended timeframe and provide regular updates on progress.

16.3 Identity Verification Requirements

To protect your privacy and prevent unauthorized access to personal data, we may require verification of your identity before processing certain requests.

Acceptable forms of identification include government-issued photo identification, account credentials, or other verification methods as determined appropriate by the Company.

16.4 Complaints Procedure

If you are not satisfied with our handling of your privacy inquiry or believe we have violated your privacy rights, you may file a formal complaint with us using the contact information provided in Clause 16.1.

We will investigate all complaints thoroughly and provide a written response within forty-five (45) days of receiving the complaint.

16.5 Regulatory Authority Complaints

You have the right to lodge a complaint with the relevant regulatory authority in Hong Kong regarding our data processing practices.

Primary Regulatory Authority:
Privacy Commissioner for Personal Data, Hong Kong

• Address: 12/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong

• Telephone: +852 2827 2827

• Fax: +852 2877 7026

• Email: communications@pcpd.org.hk

• Website: www.pcpd.org.hk

You may file a complaint with the regulatory authority at any time, regardless of whether you have first contacted us directly about your concerns.

Additional Regulatory Authorities - Depending on your location and the nature of your inquiry, you may also contact relevant data protection authorities in other jurisdictions where the Company operates:

• Malaysia: Personal Data Protection Department, Ministry of Digital, Malaysia

• United States: Federal Trade Commission or relevant state attorneys general

• Philippines: National Privacy Commission of the Philippines

• European Union: Relevant Data Protection Authorities in EU member states, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) for GDPR-related matters

• Other Jurisdictions: Contact details for relevant authorities available upon request

16.6 Contact Information Updates

We may update our contact information from time to time and will publish any changes on our website and through appropriate communication channels.

Current contact information is always available on our website.

This Privacy Policy has been duly approved and adopted by Lifewood Data Technology Limited and shall be effective from 3 November 2025