Privacy Policy

v1.0 · Effective 11 June 2026 · Operated by HG-Solution Co., Limited (CR 80121024) · Wan Chai, Hong Kong

1. Who we are

Controller: HG-Solution Co., Limited, a Hong Kong private company limited by shares (CR No. 80121024, BR No. 80121024-000-04-26-9), registered office at RM 1701, 17/F Henan Building, 90 Jaffe Road, Wan Chai, Hong Kong. We operate the website clarivy.ai and the Clarivy GEO audit product.

EU/UK representative (Art. 27 GDPR): To be appointed before any EU/UK data is processed. Until then, please contact our DPO at [email protected] for any EU/UK privacy matter.

2. What we collect

• Account & billing — name, work email, company name, country, VAT/GST number (where applicable), Stripe customer ID. We do not collect or store credit card numbers (Stripe handles that).
• Audit input — the brand/URL you submit and the 3 queries you want tested. (The 3 queries are the entire product — we do not crawl or scrape anything else from your website beyond the publicly fetchable HTML needed to score a citation.)
• Correspondence — emails you send us, briefing call recordings only with your consent.
• Operational telemetry — anonymous page-view counts (Plausible or self-hosted, no cross-site cookies), server logs retained ≤ 30 days for security.

3. What we do not collect

• We do not collect special-category data (race, religion, health, sexual orientation, etc.).
• We do not collect end-user PII from the websites we audit. We score AI-search answers about brands — we do not build consumer profiles.
• We do not use any third-party advertising, retargeting, or social-graph trackers.

4. Why we collect it (purpose & legal basis)

For HK PDPO: we rely on DPP 1 (necessary & not excessive) and DPP 2 (accuracy & retention).

5. Subprocessors (who we share with)

We share the minimum data needed. The full list — with country, purpose, retention, and DPA status — lives at /legal/subprocessors.html and is also exposed as machine-readable JSON. We commit to 30-day prior notice for any new subprocessor; if you object, you may terminate affected services and receive a pro-rata refund.

6. Where it is stored (data residency)

Customer data at rest is stored in Cloudflare R2, region selected at tenant creation (default: auto-routed to nearest of US/EU/APAC; EU customers default to EU region, US customers default to US). LLM inference runs on vendor infrastructure under ZDR (zero-data-retention) contracts — see subprocessor list for the specific region mapping per vendor.

7. How long we keep it

• Audit reports & raw JSON — 12 months from delivery, then auto-archived to cold storage for 24 more months, then deleted. Customer may request earlier deletion at any time.
• Invoices & tax records — 7 years (HK Inland Revenue Ordinance Cap. 112 §51C).
• Server logs — 30 days.
• Backups — 30-day rolling, then permanently deleted (end-of-window, no indefinite backup retention).

8. Your rights

Subject to applicable law (GDPR, UK GDPR, CCPA/CPRA, HK PDPO, PIPL):

• Access (Art. 15) — request a copy of the data we hold about you.
• Rectification (Art. 16) — fix inaccurate data.
• Erasure (Art. 17) — "right to be forgotten."
• Restriction (Art. 18) — pause processing while a dispute is resolved.
• Portability (Art. 20) — export your data as JSON/CSV.
• Object (Art. 21) — including objection to legitimate-interest processing.
• Withdraw consent (Art. 7(3)) — at any time, without retroactive effect.
• Complain to a supervisory authority (Art. 77) — e.g. PCPD (HK), BfDI (DE), CNIL (FR), ICO (UK). We will not retaliate.

Email [email protected] — we respond within 30 days. Most requests handled within 5 business days.

9. Security measures

• Transport: TLS 1.3 with forward secrecy (TLS_AES_256_GCM_SHA384).
• At rest: AES-256, per-tenant key rotation every 12 months.
• Access: least-privilege RBAC, mandatory MFA on all production systems.
• Vendors: all LLM subprocessors operate under ZDR (zero-data-retention) contracts; we will not route customer prompts to a non-ZDR engine without notice.

10. Incident response

On confirmed breach: 48-hour preliminary report to affected customers; 72-hour notification to the lead supervisory authority (GDPR); 30-day root-cause report. Public incident log at trust.clarivy.ai/incidents (planned; not live in v1.0).

11. Children's data

Clarivy is a B2B product. We do not knowingly collect data from anyone under 16. If you believe a minor's data is in our system, email [email protected] and we will delete it within 24 hours.

12. International transfers (PIPL / Schrems II)

For data leaving the EEA, UK, or Mainland China, we rely on (a) Standard Contractual Clauses 2021/914, (b) EU-US Data Privacy Framework for US destinations, or (c) for China-out, PIPL §38 security assessment / §39 standard contract / §40 certification — applied case-by-case. We do not transfer Mainland-China-resident data outside China without one of the three PIPL mechanisms in place.

13. Changes to this policy

Material changes are notified by email at least 30 days in advance, with a clear diff and an opt-out / terminate-and-refund path for affected customers. Non-material changes (typos, clarifications) are tracked in CHANGELOG.md on the repo.

14. Contact & DPO

Data Protection Officer: [email protected] (we will assign a named DPO before any EU/UK data is processed; until then, the founder is the contact).

Postal: HG-Solution Co., Limited, RM 1701, 17/F Henan Building, 90 Jaffe Road, Wan Chai, Hong Kong.

This policy v1.0 was published on 11 June 2026. It will be reviewed at least annually. The next scheduled review is 11 June 2027.