LEGAL
Privacy Policy
Last Updated: 10 March 2025
Effective: 10 March 2025
01
Introduction
Thornbury ("we", "us", "our") is committed to protecting the personal data of individuals who interact with our business. This policy sets out how we collect, use, store, and protect personal data in connection with the operation of our consulting practice and this website.
Thornbury operates in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong ("PDPO"). This policy explains your rights under that ordinance and how to exercise them.
For any privacy-related queries, contact us at: [email protected]
02
What Data We Collect
We collect personal data through the following channels:
- Contact form submissions: Name, email address, phone number (optional), and message content
- Email correspondence: Name, contact details, and the content of communications
- Website analytics: Anonymised browsing behaviour, page visits, and session duration (where analytics cookies are accepted)
- Engagement delivery: Data provided by clients in the course of consulting engagements, governed by separate confidentiality and engagement agreements
Retention: Contact enquiry data is retained for 24 months. Engagement-related data is retained for 7 years for professional record purposes, unless a shorter period is agreed in writing.
03
Legal Basis and How We Use Your Data
We process personal data under the following lawful bases:
- Consent: Where you submit a contact form or accept optional cookies
- Contractual necessity: To deliver consulting services under an engagement agreement
- Legitimate interest: To respond to enquiries, maintain business records, and improve our website
We use your personal data to: respond to enquiries; deliver consulting engagements; send engagement-related communications; maintain professional records; and, with your consent, send periodic updates about Thornbury's services.
We do not use your data for automated decision-making or profiling.
04
Data Sharing
We do not sell or rent personal data to third parties. Limited sharing occurs in the following circumstances:
- Technology providers who host our website or email systems, under data processing agreements
- Analytics providers, where analytics cookies are accepted (data is anonymised where possible)
- Legal or regulatory authorities where required by law
Client engagement data is never shared with third parties without explicit written consent, except where legally required.
05
Data Protection Measures
- Data stored on encrypted servers with restricted access controls
- Access to personal data limited to staff with a direct need
- Breach notification: affected individuals and the Privacy Commissioner notified without undue delay in the event of a data breach
- Regular review of data handling practices
06
Cookies
We use cookies on this website to support basic functionality and, with your consent, to understand how the site is used. For full details, please see our Cookie Policy.
07
Your Rights
Under the PDPO, you have the right to:
- Request access to personal data we hold about you (Data Access Request)
- Request correction of inaccurate or incomplete data
- Request erasure of data where it is no longer necessary for the original purpose
- Object to processing for direct marketing purposes
- Lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD)
To exercise any of these rights, contact: [email protected]. We will respond within 40 days as required by the PDPO.
08
Third-Party Links
Our website may contain links to external sites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.
09
Children's Privacy
Our services are directed to business organisations and individuals aged 18 and over. We do not knowingly collect data from persons under the age of 18. If we become aware of such data having been submitted, we will delete it promptly.
10
Policy Updates
We may update this policy from time to time. Material changes will be communicated via a notice on our website. The date at the top of this page indicates when the policy was last revised. Continued use of the site following a policy update constitutes acceptance of the revised terms.
11
Contact
Data Controller: Thornbury
32/F, Tower 6, The Gateway, 9 Canton Road, Tsim Sha Tsui, Hong Kong
Privacy queries: [email protected]