Digital Tools Company Limited ("we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data through the Pondara platform ("Service"). We are committed to compliance with applicable laws, including the Hong Kong Personal Data (Privacy) Ordinance (PDPO), EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and others. The Service is used by both organizations and individual prosumers.
We adopt a "Unified Global Standard" based on GDPR principles, with addenda for jurisdiction-specific rights.
1. Data We Collect
We collect the following categories of personal data:
- Identity and Account Data: Name, email, initials, password (hashed), organization (if applicable), department/position (optional).
- Preferences: Language (en/zh), theme (light/dark), notifications.
- Usage and Content Data: Login timestamps, tasks, messages, time charges, file attachments, client records.
- Technical Data: IP address, browser type, device info, session tokens.
- Financial Data: Billing info (handled by Stripe; we don't store card details).
- Other: Analytics (if implemented) for usage monitoring.
We do not collect sensitive data (e.g., racial origin, health) unless uploaded by you.
2. How We Use Your Data
We process data for:
- Providing the Service (e.g., authentication, task management) – Lawful Basis (GDPR): Performance of Contract.
- Security, fraud prevention, and improvements (e.g., IP logs, analytics) – Lawful Basis: Legitimate Interests (balanced against your rights).
- Marketing communications – Lawful Basis: Consent (opt-in required; separate from Terms).
- Compliance with legal obligations (e.g., audits).
We do not use data for automated decision-making with legal effects.
3. Data Sharing
We share data as follows:
- Within Your Organization: With other users in your workgroup/organization (e.g., shared tasks). Not applicable to individual prosumers unless you choose to share.
- Third-Party Processors:
  - Microsoft Azure (hosting, storage in West US 2).
  - Stripe (payments).
  - SendGrid (emails).
  These are bound by Data Processing Agreements (DPAs) ensuring GDPR/PDPO compliance.
- Legal Requirements: If required by law, regulators, or in mergers/acquisitions.
- No Sales: We do not sell your data.
4. Data Security
We use industry-standard measures:
- Encryption (TLS in transit, Azure encryption at rest).
- Access controls (role-based).
- Virus scanning for uploads.
- Breach Notification: We notify affected users and authorities as required (e.g., within 72 hours under GDPR).
Despite these, no system is 100% secure; we cannot guarantee absolute security.
5. International Data Transfers
Data is stored in Microsoft Azure West US 2 (USA). Transfers comply with:
- EU-US: EU-US Data Privacy Framework (DPF; Microsoft, Stripe, Twilio certified) as primary; Standard Contractual Clauses (SCCs) as fallback.
- HK-US: No statutory restrictions under PDPO (Section 33 not in force); we use Recommended Model Clauses for diligence.
- Other: Adequate safeguards for transfers (e.g., SCCs for non-adequate countries).
6. Data Retention
- Active data: Retained while your account is active.
- Deleted data: Retained in backups for up to 90 days for recovery/legal holds.
- We delete data when no longer needed, subject to legal requirements.
7. Your Rights
You have rights under applicable laws:
- GDPR (EU Users): Access, rectification, erasure ("right to be forgotten"), restriction, objection, portability. Contact us to exercise; we respond within 1 month.
- CCPA (CA Users): Know collected data, delete, opt-out of sales (we don't sell). Non-discrimination.
- PDPO (HK Users): Access and correction.
- All Users: Update preferences, delete content you created, export data (where feasible).
To exercise rights, email enquiries@jfuconsultants.com. We may verify identity. Appeals: Contact relevant authority (e.g., PCPD in HK, supervisory authority in EU).
8. Cookies and Tracking
We use essential cookies for functionality (e.g., session management) and non-essential for analytics (opt-out available). No third-party advertising cookies. See our Cookie Policy (if separate) for details. EU users: Consent required for non-essential.
9. Children's Privacy
The Service is not for children under 18. We do not knowingly collect their data. If discovered, we delete it promptly.
10. Data Protection Officer
Our DPO is the internal contact for privacy inquiries: enquiries@jfuconsultants.com.
11. Updates to This Policy
We may update this Policy. Material changes will be notified via email or the Service, with 30 days' notice. Continued use constitutes acceptance.
For questions, contact enquiries@jfuconsultants.com.