Legal
Privacy Policy
Effective date: 1 March 2026 · Last updated: 15 March 2026
HPT Group Limited
1603, 16/F The L. Plaza
367–375 Queen's Road Central
Sheung Wan, Hong Kong
HPT Group Limited (“HPT Group”, “we”, “us” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read the following carefully to understand our practices.
This Policy applies to our website at hpt.group, all enquiry and application forms operated by us, and our advisory and implementation services. It should be read alongside our Cookie Policy and Terms of Service.
1. Data Controller
The data controller responsible for your personal data is:
HPT Group Limited
1603, 16/F The L. Plaza
367–375 Queen's Road Central
Sheung Wan, Hong Kong
Telephone: +852 5161 5505
Email: privacy@hpt.group
Where we process the personal data of individuals located in the United Kingdom or European Economic Area, we do so in compliance with the UK GDPR and EU GDPR respectively, in addition to the Personal Data (Privacy) Ordinance (Cap. 522) of Hong Kong (“PDPO”).
2. Scope
This Policy applies to all individuals who:
- Visit or use our website at hpt.group;
- Submit an enquiry, application or contact form on our website;
- Engage HPT Group for advisory, structuring or implementation services;
- Correspond with us by email, telephone or any other means;
- Are introduced to us by a third-party referral partner.
3. Information We Collect
We may collect and process the following categories of personal data:
Identity and Contact Data
Name, title, date of birth, nationality, email address, postal address, telephone number, and similar identifying information provided through our forms, correspondence or engagement process.
Financial and Business Data
Information about your business, corporate structure, revenue, assets, financial objectives, existing structures, and jurisdictions of operation, provided in the course of applying for or receiving our services.
KYC and Compliance Data
Passport or identity document details, proof of address, source of funds and wealth documentation, beneficial ownership information, and any other information required to meet our AML/CTF obligations under applicable law.
Technical and Usage Data
IP address, browser type and version, operating system, referral source, pages visited, time and duration of visits, and other diagnostic data collected automatically when you use our website.
Communications Data
Records of correspondence, emails, meeting notes, and any other communications between you and HPT Group.
Referral Data
Where you are referred to us by a professional introducer, we may receive your name, contact details, and a brief description of your advisory needs.
We do not intentionally collect special category data (such as health, religious or political data) unless strictly required for a specific engagement and provided with your explicit consent.
4. How We Use Your Information
We use your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Responding to enquiries and applications | Legitimate interests / Pre-contractual steps |
| Delivering advisory, structuring and implementation services | Contract performance |
| AML/KYC identification and verification | Legal obligation |
| Compliance with sanctions screening obligations | Legal obligation |
| Sending service updates and engagement communications | Contract performance |
| Improving our website, services and client experience | Legitimate interests |
| Analytics and aggregate usage reporting (anonymised) | Legitimate interests |
| Responding to legal claims or regulatory enquiries | Legal obligation / Legitimate interests |
| Sending marketing communications (with consent) | Consent |
5. Legal Basis for Processing
Where we are subject to UK GDPR or EU GDPR, we rely on the following lawful bases:
- ContractProcessing necessary for the performance of a contract with you, or to take steps at your request before entering into a contract.
- Legal ObligationProcessing necessary for compliance with a legal obligation to which we are subject, including AML/CTF legislation, sanctions law, and applicable financial regulation.
- Legitimate InterestsProcessing necessary for our legitimate interests (or those of a third party), where those interests are not overridden by your rights and interests. These include operating and improving our services, fraud prevention, and business development.
- ConsentWhere we rely on your consent (e.g. for marketing emails or certain cookies), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
7. International Transfers
Given the international nature of our practice, your personal data may be transferred to, stored in, and processed in jurisdictions outside your country of residence, including Hong Kong, the United Kingdom, the European Economic Area, the British Virgin Islands, the Cayman Islands, Singapore, and the UAE.
Where such transfers involve personal data subject to UK GDPR or EU GDPR, we ensure that appropriate safeguards are in place, including: standard contractual clauses approved by the relevant supervisory authority; adequacy decisions; or other lawful transfer mechanisms as required.
Transfers of personal data subject to the PDPO are conducted in accordance with the data export restrictions set out in that Ordinance, including ensuring the receiving jurisdiction provides comparable protection or that the transfer is otherwise exempted.
8. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy and to comply with our legal obligations. Our key retention periods are:
| Category | Retention Period |
|---|---|
| Active client files (KYC, engagement records) | Duration of engagement + 7 years |
| AML/KYC identification documents | 5 years from end of business relationship (statutory minimum) |
| Pre-engagement enquiry data (non-clients) | 12 months from last contact |
| Website analytics and technical data | 26 months (anonymised thereafter) |
| Marketing consent records | Until withdrawal of consent + 3 years |
| Financial and billing records | 7 years (statutory accounting requirement) |
After the relevant retention period, data is securely deleted or anonymised in accordance with our internal data destruction procedures.
9. Security
We implement and maintain appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access. These measures include encrypted data transmission (TLS), access controls, staff confidentiality obligations, and regular review of our security practices.
Where we have given you (or you have chosen) a password or access credential, you are responsible for keeping it confidential. We ask that you do not share access credentials with any third party.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, you directly, in accordance with applicable law.
10. Your Rights
Depending on the data protection legislation applicable to your situation, you may have the following rights in respect of your personal data:
Right of Access
Request a copy of the personal data we hold about you (Data Access Request under PDPO; Subject Access Request under GDPR).
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data where there is no compelling reason for its continued processing (subject to legal retention obligations).
Right to Restriction
Request that we restrict processing of your data in certain circumstances, for example while accuracy is contested.
Right to Portability
Receive your personal data in a structured, commonly used and machine-readable format where processing is based on consent or contract.
Right to Object
Object to processing based on legitimate interests, including for direct marketing purposes.
Withdrawal of Consent
Where processing is based on consent, withdraw that consent at any time without affecting prior processing.
PDPO Data Access
Residents of Hong Kong may exercise their access and correction rights under the Personal Data (Privacy) Ordinance (Cap. 522).
To exercise any of these rights, please contact us at privacy@hpt.group. We will respond within one month (GDPR standard) or 40 days (PDPO standard) of receipt of a valid request. We may require proof of identity before processing your request.
We will not charge a fee for exercising your rights unless a request is manifestly unfounded, excessive or repetitive, in which case we reserve the right to charge a reasonable fee or refuse.
11. Children
Our services are directed exclusively at adults. We do not knowingly collect or process personal data relating to children under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@hpt.group and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory guidance. The effective date at the top of this page will be updated accordingly. We will notify active clients of any material changes by email. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.
We encourage you to review this Policy periodically. Prior versions are available on request.
14. Contact & Complaints
If you have any questions or concerns about this Privacy Policy or the way we handle your personal data, please contact our Privacy Officer:
Privacy Officer — HPT Group Limited
1603, 16/F The L. Plaza, 367–375 Queen's Road Central, Sheung Wan, Hong Kong
Email: privacy@hpt.group
Telephone: +852 5161 5505
Hong Kong: If you are dissatisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.
United Kingdom: UK data subjects have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
European Union: EEA data subjects may lodge a complaint with the supervisory authority in their country of residence.