Privacy Policy | EasyCart

1. Definitions

Personal Data: Any information relating to an identified or identifiable living individual that is recorded in a form in which access to or processing of the data is practicable.
Data User: A person who, either alone or jointly with others, controls the collection, holding, processing, or use of Personal Data.
Data Processor: A person who processes Personal Data on behalf of a Data User rather than for their own purposes.
Merchant: A business or individual who registers and operates an online store on the EasyCart Platform.
End-Customer: A shopper or visitor of a Merchant's online storefront hosted on EasyCart.
Inquirer: Any individual who submits a contact, partnership, support, or other inquiry form to us, without necessarily holding an EasyCart account.
Visitor: Any individual who browses our marketing website, blog, or mobile application without submitting Personal Data.

2. Who This Policy Applies To

This Policy applies to the following categories of individuals whose Personal Data we collect, including but not limited to:

Marketing website Visitors (www.easycart.hk and our blog).
Inquirers — those who submit the partnership / cooperation form, support tickets, or any other forms we operate.
Merchants — registered account holders on the EasyCart SaaS merchant portal.
End-Customers of Merchants — Personal Data collected on behalf of Merchants in the course of providing Platform services.
Mobile App users — users of the EasyCart iOS or Android applications.
Business partners — resellers, affiliates, integration partners, media and strategic collaborators.
Job applicants — candidates submitting CVs or applying to open positions.
Offline contacts — those who interact with us via email, phone, WhatsApp, or trade events.

3. Our Role: Data User & Data Processor

Our role under the PDPO differs depending on context:

As Data User. For Merchant account data, Inquirer form submissions, marketing website visitor analytics, job applicant data, and our own employee data, we act as a Data User and are directly responsible for compliance with the Data Protection Principles ("DPPs") of the Ordinance.
As Data Processor. For End-Customer data collected by Merchants through their storefronts hosted on EasyCart (e.g. customer orders, shipping addresses, payment confirmations), we generally act as a Data Processor on the Merchant's behalf. The Merchant is the Data User of such data and is responsible for compliance with the PDPO in relation to their customers. We process such data strictly in accordance with the Merchant's instructions, our service agreement, and applicable law.

Merchants are strongly encouraged to maintain their own privacy policy on their storefront, to provide a Personal Information Collection Statement ("PICS") to their End-Customers, and to comply with DPP 1–6 for all data they collect.

4. What Personal Data We Collect

The categories and specific items of Personal Data we collect vary by channel. Providing Personal Data is voluntary, but certain data is necessary for us to deliver services — failing to provide such data may prevent us from fulfilling your request or providing you with the Platform.

4.1 Marketing Website & Blog Visitors

Technical data (automatic): IP address, approximate geolocation derived from IP, user-agent, device type, operating system, browser type and version, referring URL, pages visited, date and time of visits, session duration, clickstream, language preference.
Cookies and similar identifiers: see Section 8.
Analytics identifiers: Google Analytics and Meta (Facebook) Pixel identifiers and equivalent event data.
User preferences: language and display preferences stored in first-party preference cookies.

4.2 Inquiry & Partnership Form Submissions Inquirers

When you submit a partnership, cooperation, contact, or support form to us, we collect the following:

Identity & Contact: company / organization name, contact person's name, email address, phone number (optional), company website (optional).
Inquiry content: selected partnership type, your message or cooperation proposal, and any attachments you voluntarily include.
Automatically collected: IP address, user-agent, date and time of submission, anti-abuse tokens (CSRF) and honeypot signals.

4.3 Merchant Account Holders Merchants

Registration: full name, business / trading name, business registration number (if applicable), email, password (stored as a salted cryptographic hash; we never store plaintext passwords), phone number, billing address, preferred language.
Identity verification (KYC): where required by law, by our payment partners, or for anti-fraud purposes — government-issued ID or business registration documents.
Store content: store name, logo, banner images, product descriptions, pricing, category structure, policies you publish on your storefront.
Subscription & billing: plan level, subscription status, invoices, tax identifiers. Credit card and other sensitive payment tokens are handled directly by our payment service providers and are not stored on our servers in their raw form.
Support communications: tickets, chat logs, attachments, screen recordings you voluntarily share.
Platform activity: login timestamps, IP addresses, device fingerprints (for security), audit trails of account actions.

4.4 End-Customers of Merchants Processor Role

On behalf of Merchants, we process End-Customer data including order details, shipping and billing addresses, contact details, order and payment history, customer-service messages, and loyalty / membership records. The Merchant determines what data is collected and for what purpose; we process this data in accordance with the Merchant's instructions. Please refer to the relevant Merchant's privacy policy.

4.5 Mobile Application Users App

Account credentials and session tokens.
Device identifiers (e.g. iOS IDFV, Android Advertising ID where permitted), OS version, app version, crash and diagnostic logs.
Push notification tokens (if you grant notification permission).
Camera — used only when you actively take a photo within the app (e.g. for product images); no image is captured or uploaded until you confirm the action.
Photo library / Photos access — used only when you actively select an image from your device to upload; the app does not scan or upload other photos.

We do not request location, contacts, microphone, calendar, health, or other sensitive permissions. If we add new permissions in the future we will update this Policy and, where required, request your consent.

4.6 Job Applicants HR

Full name, contact details, résumé / CV, employment history, educational qualifications, professional licences, salary expectations, and other information you voluntarily submit in the application process.

4.7 Business & Partnership Documents

Personal data contained in contracts, tender/bid documents, cooperation proposals, invoices, and similar business documents exchanged with you or your organization.

Sensitive data. We do not intentionally collect sensitive categories such as biometric data, racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. If you voluntarily submit such information (e.g. in a free-text message), we will treat it with additional care and delete it as soon as practicable if not required for the stated purpose.

5. How We Collect Personal Data

Directly from you — when you register an account, fill in a form, subscribe to a newsletter, download our app, contact customer service, attend an event, apply for a job, or otherwise interact with us.
Automatically — through cookies, server logs, analytics tools, error-reporting tools, and device / app telemetry when you use the Platform.
From third parties — from our payment, logistics, verification, or marketing partners; from publicly available sources; from Merchants (in the case of their End-Customers); or from referrers who provide your contact details with your prior consent.

6. Purposes of Use

We use Personal Data for purposes directly related to, and reasonably necessary for, the functions or activities of the Platform, including the following:

Operating the Platform — account creation and authentication, rendering pages and apps, enabling storefront publishing, processing orders, coordinating payments and delivery, issuing invoices and tax documents.
Responding to inquiries & partnership requests — evaluating your submission, routing it to the relevant team, contacting you by email, phone or WhatsApp, and keeping records of the communication.
Customer support — diagnosing issues, providing technical assistance, handling refund and dispute requests.
Security, fraud prevention & integrity — detecting suspicious activity, rate limiting, anti-spam (honeypot, CSRF tokens), account recovery, audit logging, and defending against abuse.
Service improvement & analytics — measuring feature usage, A/B testing, diagnosing bugs, improving user experience, and developing new features.
Marketing & communications — subject to your choice under Section 7 — sending product updates, tutorials, event invitations, and promotional content.
AI-assisted features — generating product descriptions, blog drafts, and operational suggestions on your instruction; see Section 17.
Legal & regulatory compliance — responding to lawful requests from law-enforcement or regulators, tax filings, and other obligations.
Corporate events — in the event of a merger, acquisition, reorganization, or asset transfer, we may transfer Personal Data to the relevant counterparties or successors under confidentiality obligations.
Recruitment — evaluating candidates and maintaining a talent pool.

We will not use Personal Data for any materially new purpose inconsistent with the original purpose of collection without first obtaining your prescribed consent, as required under DPP 3.

7. Direct Marketing

Under section 35C of the Ordinance, before using your Personal Data for direct marketing, we must notify you of our intention and obtain your consent (or an indication of no objection). We will not use your data for direct marketing if you have objected.

7.1 Categories of data used

Where you have consented, we may use your name, email, phone number, language preference, interests, and usage information.

7.2 Classes of marketing subject matter

Promotions, feature updates, tutorials, webinars and events, partner offers, and research surveys relating to e-commerce.

7.3 Opt-out at any time — free of charge

You may withdraw consent and ask us to cease direct marketing at any time, free of charge, by:

Clicking the "unsubscribe" link in any marketing email we send you;
Replying "STOP" to a marketing WhatsApp or SMS message;
Changing your marketing preferences in your account settings; or
Emailing [email protected] or the DPO at the address in Section 19.

We will stop using your Personal Data for direct marketing within a reasonable period after receiving your request. If we intend to provide your data to a third party for their direct marketing, we will obtain your written consent beforehand.

8. Cookies & Tracking Technologies

Cookies are small text files stored on your device. Similar technologies include web beacons, pixel tags, local storage, and SDK identifiers. We use them to operate the Platform, remember your preferences, measure performance, and — with your consent where required — to market our services.

8.1 Categories of cookies we use

Category	Examples	Purpose	Retention
Strictly necessary	Session, authentication, and form-security tokens	Session management, login state, and anti-CSRF protection. Cannot be disabled without breaking the Platform.	Session or up to 30 days
Preferences	Language / UI preference cookies	Remember your language or display preference across visits.	Up to 365 days
Analytics	Google Analytics 4 cookies	Aggregate traffic and feature usage measurement. Data is processed by Google LLC.	Up to 24 months
Marketing	Meta (Facebook) Pixel cookies	Measure ad effectiveness and build custom audiences. Data is processed by Meta Platforms, Inc.	Up to 90 days

8.2 Your choices

You can manage or delete cookies through your browser settings. Most browsers also support a "Do Not Track" signal; we currently do not respond to DNT, but we honor industry-standard opt-outs. You can opt out of Google Analytics using the Google Analytics Opt-Out Browser Add-on, and manage Meta advertising preferences in your Meta / Facebook account settings. Blocking strictly-necessary cookies may prevent the Platform from functioning.

9. Sharing & Disclosure

We do not sell Personal Data. We share Personal Data only in the following circumstances and only to the extent necessary:

9.1 Service providers (processors entrusted by us)

Category	Representative Providers	Function
Cloud hosting & database	Reputable cloud infrastructure providers	Application hosting and managed database services.
Object storage & CDN	Reputable CDN and object-storage providers	Image and asset storage; content delivery.
Analytics	Google LLC (Google Analytics)	Aggregate website and app analytics.
Advertising measurement	Meta Platforms, Inc. (Facebook Pixel)	Ad performance measurement.
Email & notifications	Transactional email & SMS providers	Account, transaction, and support notifications.
Payment processing	Licensed payment processors (card, e-wallet, FPS, etc.)	Payments for Merchants.
Logistics	Local and cross-border courier providers	Shipping label generation and tracking.
Customer support	WhatsApp Business (Meta)	Customer-service conversations.
AI providers	OpenAI, L.L.C.; Google LLC (Gemini API)	Powering AI-assisted features on the Platform (product description generation, blog drafting, AI assistant "Easy 仔").
Professional advisors	Auditors, lawyers, insurers	Subject to confidentiality obligations.

The table above lists the categories of service providers we use. In the interest of information security, we do not publish the specific identities of our cloud-infrastructure, payment, or logistics providers, as this varies over time to suit different markets, Merchant needs, and operational requirements. If you have a legitimate need to know the identity of a specific sub-processor (for example, to complete your own vendor-risk assessment), please submit a written request to our Data Protection Officer (see Section 19), and we will provide a current list under reasonable confidentiality.

All service providers are engaged under written contracts requiring them to process Personal Data only on our documented instructions and to apply appropriate security measures, in line with DPP 2(3) and DPP 4(2).

9.2 Other recipients

Merchants — when you, as an End-Customer, transact with them on their EasyCart storefront.
Law-enforcement, regulators, courts — where required by law, court order, or to establish, exercise, or defend legal claims.
Corporate transaction counterparties — in the event of a merger, acquisition, or asset transfer (under confidentiality).
With your consent — to any other party where you give us specific consent.

10. Cross-Border Data Transfers

Our infrastructure and certain service providers are located outside Hong Kong, including in Singapore, the United States, the European Union, and other jurisdictions where our service providers operate. Although section 33 of the Ordinance (restricting cross-border transfers) has not yet come into force, we voluntarily apply controls aligned with PCPD guidance, including:

Conducting due diligence on overseas recipients.
Entering into contractual safeguards (PCPD Recommended Model Contractual Clauses or equivalent).
Applying encryption in transit (TLS 1.2+) and at rest where feasible.
Referring to the "Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong–Hong Kong–Macao Greater Bay Area" for applicable Greater Bay Area transfers.

11. Data Retention

We retain Personal Data only for the period necessary to achieve the purposes stated in this Policy, or as required by law. The following is our general retention schedule:

Data Category	Retention Period
Marketing website server logs & analytics	Up to 24 months
Partnership / contact form submissions	24 months from last contact; longer if a commercial relationship forms
Merchant account data	For the duration of the account, plus up to 7 years after closure for tax / accounting / legal purposes
Order, invoice, and tax records	7 years (per Hong Kong Inland Revenue Ordinance)
Support tickets and correspondence	Up to 36 months from resolution
Marketing preferences & opt-out records	Indefinite (to honor your opt-out)
Job applications (unsuccessful)	Up to 24 months, unless you consent to a longer talent-pool retention
Security logs & audit trails	Up to 24 months
Cookies	See Section 8

When the retention period expires, we will securely delete or anonymize the data, except where continued retention is required by law or for the establishment, exercise, or defense of legal claims.

12. Data Security

We implement reasonable and practicable technical and organizational measures to protect Personal Data from unauthorized or accidental access, processing, deletion, loss, or use, including:

Encryption in transit (TLS 1.2 or higher) for all web and API traffic.
Encryption at rest for sensitive fields and storage volumes where feasible.
Password hashing using industry-standard salted algorithms; we never store passwords in plaintext.
Role-based access control and least-privilege principles; access restricted to staff who need it for their role.
Multi-factor authentication (MFA) for administrative and privileged accounts.
Firewalls, Web Application Firewall (WAF), rate limiting, CSRF tokens, and honeypots on public forms.
Regular vulnerability scanning, patching, and dependency updates.
Backups and disaster-recovery procedures.
Employee onboarding, training, and confidentiality obligations.
Security-incident response procedures and breach logging.

Despite these measures, no system is 100% secure. If you believe your account has been compromised, please contact us immediately.

13. Data Breach Handling

In the event of a personal-data breach, we will follow our internal incident-response process in line with the PCPD's "Guidance on Data Breach Handling and Data Breach Notifications". Our response typically includes:

Immediate containment and preservation of evidence.
Risk assessment of the likelihood and severity of harm.
Notification of the PCPD where the breach presents a real risk of harm to data subjects.
Notification of affected data subjects where required or appropriate, without undue delay.
Remediation, root-cause analysis, and implementation of preventive measures.

14. Your Rights (Access, Correction, Opt-Out)

Subject to the Ordinance, you have the following rights in respect of your Personal Data:

Right of access — to ask whether we hold Personal Data about you and to request a copy (a reasonable fee may apply under section 28 of the Ordinance).
Right of correction — to request correction of data that is inaccurate, outdated, or incomplete.
Right to withdraw consent / object to direct marketing — at any time, free of charge (see Section 7).
Right to erasure — to ask us to delete Personal Data that is no longer necessary, subject to legal and contractual retention obligations. For account & data deletion (in-app, admin console, and 30-working-day timeline), see our Account & Data Deletion page.
Right to complain — to the PCPD (see Section 20).

14.1 How to exercise your rights

Submit a written request to the Data Protection Officer using the contact details in Section 19. To protect your privacy, we may need to verify your identity (and, where applicable, your authority to act on behalf of another person) before responding.

14.2 Response time

We aim to respond within 40 calendar days of receipt of a valid Data Access Request or Data Correction Request, as required by the Ordinance. If we cannot respond within this period, we will inform you and provide an estimated timeframe.

14.3 Where we may refuse

We may refuse a request, and will explain the reasons, where permitted or required by law — for example, where the request is manifestly unfounded or excessive, where compliance would disclose data of a third party, or where an exemption under Part 8 of the Ordinance applies.

15. Children's Privacy

The Platform is not directed at children under the age of 13 and we do not knowingly collect Personal Data from children under 13. Certain features may require users to be 18 or older (e.g. to enter into a Merchant services contract). If you are a parent or guardian and believe your child has provided Personal Data to us, please contact us and we will take reasonable steps to delete it.

16. Third-Party Links & Services

The Platform may contain links to third-party websites, applications, or services (including social media, payment providers, delivery providers, and Merchants' own storefronts). We are not responsible for the privacy practices of such third parties. Please review their privacy policies before providing Personal Data to them.

17. Automated Decision-Making & AI Features

The Platform offers AI-assisted features (such as automatic product-description generation, blog drafting, and the "Easy 仔" AI assistant). These features operate under your instruction and do not make decisions that have legal or similarly significant effects on you. To power these features, data you submit (for example, product details you ask the AI to rewrite, or questions you ask the AI assistant) may be transmitted to third-party AI API providers, including OpenAI, L.L.C. and Google LLC (Gemini API). These providers process the data on our behalf under contractual arrangements that, where available, opt us out of using your inputs or outputs to train their foundation models. You can choose not to use AI features if you prefer; doing so will not affect your ability to use the rest of the Platform.

We use rule-based and scoring systems for anti-fraud and anti-abuse purposes (e.g. rate limiting, bot detection). These processes may automatically block a request; a human review is available upon request.

18. Updates to This Policy

We may update this Policy from time to time to reflect changes in our operations, technology, law, or regulatory expectations. When we make material changes, we will:

Update the "Last Updated" date at the top of this page;
Publish the revised Policy on our website;
Where appropriate, provide additional notice (for example, by email, in-app banner, or prominent website notice).

Continued use of the Platform after the effective date of a revised Policy indicates acceptance of the revised Policy. If you do not agree, please stop using the Platform and contact us to exercise your rights.

19. Contact Us (Data Protection Officer)

For any questions, access or correction requests, withdrawal of consent, or privacy-related complaints, please contact our Data Protection Officer ("DPO"):

Data Protection Officer
LET IT CONNECT INTERNATIONAL LIMITED
Registered Address: Room 1906–1907, OnePort Side, 29 Tai Yau Street, San Po Kong, Wong Tai Sin District, Kowloon, Hong Kong
Business Registration No.: 71985546
Email: [email protected]
WhatsApp: +852 2154 0186

20. Complaints to PCPD

If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong:

Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD)
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Hotline: (+852) 2827 2827
Fax: (+852) 2877 7026
Email: [email protected]
Website: www.pcpd.org.hk

21. Governing Law

This Policy is governed by the laws of the Hong Kong Special Administrative Region. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong.

↑ Back to top