Privacy — Hong Kong
Caselaw operates under the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO") for users in Hong Kong, including the 2021 anti-doxxing amendments and the 2024 PCPD Guidance Note on Protecting Personal Data Privacy in the Use of Generative AI by Employees. We follow each of the six Data Protection Principles (DPPs) and accept the supervisory authority of the Office of the Privacy Commissioner for Personal Data (PCPD). Effective 2026-05-03.
Data we collect (DPP1 — purpose & manner)
- Email — account, magic-link auth, transactional comms.
- University, year-level, exam focus — only what you give us in the waitlist or settings.
- Salted IP hash — abuse prevention only; never raw IP.
- Reading history within Caselaw — drives flashcards and revision; never sold.
- Stripe customer / subscription state — Stripe handles card data; we never see it.
What we don't collect
- Cross-site tracking cookies.
- Advertising profiles or third-party retargeting.
- Card numbers (Stripe processes them).
- Identity-card numbers — never collected. We do not require HKID.
- Biometric data, voice, video.
Cross-border transfer (DPP3 + s 33 + 2024 cloud guidance)
Caselaw uses Supabase EU-WEST (Frankfurt, Germany) for primary storage and Vercel's edge network for delivery. PDPO s 33 (cross-border transfer prohibition) is not yet operative. Even so, we apply the PCPD's Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (2022) to our Supabase data-processing agreement, and follow the 2024 PCPD Cloud Accountability Guidance for generative-AI prompts (Anthropic, used for the AI brief generator): no personal data is included in those prompts — case metadata only.
Six Data Protection Principles — applied
- DPP1 — Purpose & Manner. We collect only the data listed above, and only for the purposes set out in this notice.
- DPP2 — Accuracy & Retention. You can edit your profile any time. Account data is retained while your account is active and for 12 months after closure for tax/audit; aggregated analytics are retained indefinitely with no personal identifiers.
- DPP3 — Use Limitation. Personal data is used only for the purposes described, or for directly-related purposes you would reasonably expect.
- DPP4 — Security. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is role-restricted under Supabase row-level security.
- DPP5 — Openness. This notice plus our global policy are kept current and linked from every page footer.
- DPP6 — Access & Correction. See your rights below.
Your rights (s 18, s 22, s 26 PDPO)
You may request access (s 18 — Data Access Request) or correction (s 22) of personal data we hold about you. We respond within 40 days as required by the PDPO. The statutory fee for access requests is HK$0 (we waive the maximum allowed fee).
Email [email protected]. Unsatisfied? Lodge a complaint with the PCPD complaint office.
Tax + payments
Hong Kong has no GST or VAT. Subscription prices are quoted in HKD inclusive of any applicable Profits Tax. PCLL Conversion Bundle (HK$2,999) is a one-time payment processed by Stripe Hong Kong Ltd.
This regional privacy notice supplements our global privacy policy — read both. A bilingual EN / 中文 version is targeted for Phase 2.