HPT
Legal

Privacy Policy

How HPT Group collects, uses, retains and protects personal information. Applies to visitors to hpt.group and to individuals who engage HPT for advisory services.

Last updated: 1 May 2026. Effective from: 1 May 2026.

1. Who we are and how to contact us

HPT Group (“HPT”, “we”, “us”) is the brand name for a network of independent affiliated firms providing offshore structuring, banking, licensing and family-office advisory services. The data controller for personal information collected through hpt.group and via our advisory engagements is the HPT Group entity that contracts with you under the relevant engagement letter. Our principal place of business is Hong Kong SAR, with a second office in London.

For any matter relating to this policy, including subject-access requests, write to privacy@hpt.group or to our Data Protection lead at the firm's registered office.

2. The personal information we collect

We collect personal information in three principal contexts: when you browse hpt.group, when you make an enquiry, and when you become a client.

2.1 Website visitors

When you visit hpt.group we may collect: your IP address (partially anonymised), the pages you view, the device and browser you use, your approximate geographic location, the website that referred you, and the time and duration of your visit. We collect this through first- party server logs and, where you have consented via the cookie banner, through privacy- respecting analytics (Plausible and/or Google Analytics 4 with IP anonymisation).

2.2 Enquirers

When you submit an enquiry, request a quote, ask to become a client, request a partner conversation, or subscribe to the director's note newsletter, we collect the information you provide. Typically this includes your name, email address, telephone number, country of residence, the matter you are enquiring about, your indicative budget and timeline, and any further information you choose to share.

2.3 Clients (KYC, AML and engagement information)

When you engage HPT we are required by anti-money-laundering legislation in our regulated jurisdictions to collect and verify customer due-diligence information. This includes: full name, date of birth, nationality, residential address, identification documents (passport, national ID, proof of address, source-of-funds documentation), beneficial-ownership declarations, sanctions and politically-exposed-person (PEP) screening results, tax residency declarations, and any further information required by the regulator in the jurisdiction where the engagement is performed.

For corporate clients we also collect equivalent information on directors, ultimate beneficial owners (UBOs), authorised signatories and other connected parties.

3. Why we collect personal information (lawful bases)

We process personal information for the following purposes, and only where we have a lawful basis to do so under the UK GDPR, EU GDPR, Hong Kong PDPO, UAE PDPL or equivalent legislation:

  • Performance of a contract. To deliver the advisory services set out in your engagement letter, including formation, banking introductions, licensing applications, ongoing fiduciary and compliance work, and family-office administration.
  • Legal obligation. To meet our regulatory duties, including AML and counter-terrorist-financing identification and verification, sanctions screening, beneficial- ownership filings, tax-information reporting (CRS, FATCA, DAC8, CARF where applicable), and statutory records retention.
  • Legitimate interests. To respond to enquiries, to maintain the security of hpt.group, to detect and prevent fraud, and to operate and improve our services. We balance our legitimate interests against your rights and freedoms before relying on this basis.
  • Consent. Where you opt in to receive the director's note newsletter or other non-essential communications, or where you consent to non-essential cookies via the cookie banner. You can withdraw consent at any time without affecting the lawfulness of processing already carried out.

4. Who we share information with

We share personal information only where necessary, and only with categories of recipients who are themselves bound by confidentiality and data-protection obligations:

  • Affiliated HPT entities involved in delivering your engagement (in Hong Kong, London or other locations as required by the matter).
  • Regulators in jurisdictions where HPT is licensed, including registries and financial-services authorities, where we are obliged to make filings or respond to information requests.
  • Banks, formation agents, trustees, licensed counsel, accountants and other counterparties introduced into your engagement with your authorisation. We do not share information with these parties for marketing purposes and we do not receive commissions for the introductions.
  • Service providers who support us under contract: cloud hosting (within ISO/IEC 27001-aligned regions), email and document infrastructure, secure file exchange, sanctions and PEP screening providers, and our auditors.
  • Courts, tax authorities and law enforcement where we are legally required to disclose.

We do not sell personal information. We do not share it with advertising networks or behavioural-targeting platforms.

5. International transfers

Because HPT operates internationally, personal information may be transferred outside the jurisdiction in which it was collected. Where information is transferred from the EEA or the UK to a country that has not received an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum and we conduct a transfer-risk assessment. Where transferred under Hong Kong PDPO, we ensure equivalent protection through contract. Copies of the relevant safeguards are available on request to privacy@hpt.group.

6. How long we retain information

We retain personal information only for as long as is necessary for the purpose for which it was collected and to meet applicable regulatory retention requirements:

  • Website analytics: 14 months from collection (Plausible) or 14 months (anonymised IP, GA4 default).
  • Enquiry data (no engagement followed): 24 months from last contact, then deleted.
  • Newsletter subscriptions: until you unsubscribe, plus 12 months for audit-trail purposes.
  • Engagement and KYC records: seven years from end of engagement, as required by AML legislation in the jurisdictions where the engagement was delivered. Where local law requires longer (for example certain trust records), we retain for the longer period.
  • Working papers and memoranda: retained for thirty years as part of our professional duty of file integrity.

7. Your rights

Subject to applicable law, you have the right to: access the personal information we hold about you; correct inaccurate information; request deletion (where retention is no longer required by law); restrict or object to processing; data portability; and to withdraw consent where consent is the lawful basis. To exercise any of these, write to privacy@hpt.group. We will respond within the statutory timeframe (typically 30 days under UK and EU GDPR, 40 days under Hong Kong PDPO).

If you are not satisfied with our response, you may complain to your data-protection authority. Relevant authorities include: the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong and the Information Commissioner's Office (ICO) in the United Kingdom.

8. Security

HPT operates an information-security management programme aligned with ISO/IEC 27001 principles. Client information is encrypted in transit (TLS 1.2 or higher) and at rest. Access is restricted to engaged directors and authorised support staff on a need-to-know basis, with multi-factor authentication required for all systems holding client information. Hardware and credentials are subject to centralised inventory and access revocation. We carry out periodic penetration testing and staff training.

9. Children

Our services are not directed at children. We do not knowingly collect information from anyone under the age of 18. If you believe a child has provided us with personal information, write to privacy@hpt.group and we will delete it.

10. Changes to this policy

We may update this policy from time to time to reflect changes in our procedures or in applicable law. The “Last updated” date at the top of this page shows the most recent revision. Material changes will be flagged in advance for clients and subscribers where appropriate.

See also: Cookie Policy, Terms of Use, Regulatory Information.