This Privacy Policy explains how HK Drinks collects, uses, stores and protects your personal data. We are committed to complying with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") of Hong Kong and the six Data Protection Principles ("DPPs") contained therein.
1. Data Controller
The data controller responsible for your personal data is:
HK Drinks
Central, Hong Kong
Email: hello@hkdrinks.shop
WhatsApp: +852 5344 0036
For all data privacy enquiries, please contact us at the above email address. We will respond within 10 business days.
2. What Personal Data We Collect
We collect only the personal data that is necessary for the purposes described in this Policy (DPP 1 — Purpose & Collection). This may include:
| Category | Data Collected | Why We Collect It |
|---|---|---|
| Identity | Full name | Order processing and age verification |
| Contact | Email address, phone/WhatsApp number | Order confirmation, delivery coordination |
| Delivery | Delivery address, district | Fulfilling your order |
| Payment | Transaction reference (no card data stored) | Payment reconciliation |
| Order History | Products ordered, amounts, dates | Order management and customer service |
| Technical | IP address, browser type, pages visited | Website security and analytics |
| Communications | Enquiry content, messages sent to us | Responding to your queries |
We do not collect sensitive personal data such as identification numbers, biometric data, or financial account details beyond what is necessary for payment processing.
3. How We Use Your Personal Data
We use your personal data only for the purposes for which it was collected (DPP 3 — Use of Data):
- Processing and fulfilling your orders
- Verifying your age in compliance with the Dutiable Commodities Ordinance (Cap. 109)
- Communicating with you via email and WhatsApp about your orders
- Sending order confirmation and delivery notifications
- Responding to customer service enquiries
- Improving our website and services
- Complying with our legal and regulatory obligations
- Detecting and preventing fraudulent activity
We will not use your personal data for direct marketing purposes without your explicit consent, in accordance with Section 35C of the PDPO.
4. Legal Basis for Processing
We process your personal data on the following grounds:
- Contractual necessity — to fulfil orders you have placed with us
- Legal obligation — to comply with the Dutiable Commodities Ordinance, tax laws, and other applicable Hong Kong legislation
- Legitimate interests — to operate and improve our business, prevent fraud, and ensure website security
- Consent — where you have given us explicit permission (e.g. marketing communications)
5. Data Accuracy
We take all practicable steps to ensure that personal data we hold is accurate (DPP 2 — Accuracy & Retention). You are responsible for ensuring the information you provide to us is accurate and up to date. Please contact us promptly if your details change.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law (DPP 2 — Accuracy & Retention):
- Order data — retained for 7 years to comply with the Inland Revenue Ordinance (Cap. 112) and Dutiable Commodities Ordinance requirements
- Customer service records — retained for 2 years from last contact
- Website analytics — aggregated data retained indefinitely; individual session data deleted after 26 months
After the applicable retention period, your personal data will be securely deleted or anonymised.
7. Sharing Your Personal Data
We do not sell, trade, or rent your personal data to third parties. We may share your data with the following categories of third parties solely to enable us to provide our services (DPP 3 — Use of Data):
- Stripe, Inc. — Payment processing (subject to Stripe's own Privacy Policy at stripe.com/privacy)
- Resend — Transactional email delivery
- Delivery partners — Name and delivery address only, for order fulfilment
- Government and regulatory authorities — Where required by law (e.g. Customs & Excise Department, ICAC)
All third-party service providers are contractually required to handle your data securely and only for the purposes we specify.
8. Cross-Border Data Transfers
Some of our third-party service providers (including Stripe and Resend) may process your data outside Hong Kong. Where this occurs, we ensure that appropriate safeguards are in place in compliance with Section 33 of the PDPO. By using our website, you consent to such transfers for the purpose of providing services to you.
9. Data Security
We take all practicable steps to protect your personal data against unauthorised or accidental access, processing, erasure, loss, or use (DPP 4 — Data Security). Our security measures include:
- SSL/TLS encryption for all data transmitted via this website
- PCI DSS compliant payment processing via Stripe (card data never touches our servers)
- Access controls limiting who within our organisation can access personal data
- Regular security reviews of our systems and processes
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Office of the Privacy Commissioner for Personal Data (PCPD) as required by law.
10. Cookies & Tracking Technologies
Our website uses cookies and similar technologies to enhance your browsing experience. We use:
- Essential cookies — Required for the website to function (e.g. session management, age verification status). These cannot be disabled.
- Preference cookies — To remember your settings (e.g. light/dark theme preference).
- Analytics cookies — To understand how visitors use our site (anonymised data only).
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the website. For more information about cookies, visit www.allaboutcookies.org.
11. Your Rights Under the PDPO
Under the Personal Data (Privacy) Ordinance (Cap. 486), you have the following rights (DPP 6 — Access & Correction):
- Right of Access — You have the right to request a copy of the personal data we hold about you. We will respond within 40 days as required by the PDPO. A reasonable fee may be charged for data access requests.
- Right of Correction — You have the right to request that we correct any inaccurate personal data we hold about you.
- Right to Object to Direct Marketing — You have the right to opt out of receiving direct marketing communications from us at any time by contacting us or clicking "unsubscribe" in any marketing email.
- Right to Erasure — Subject to our legal retention obligations, you may request the deletion of your personal data.
To exercise any of these rights, please contact us at hello@hkdrinks.shop. We will verify your identity before processing any request.
12. Complaints
If you believe we have handled your personal data in a manner that contravenes the PDPO, you may lodge a complaint with the:
Office of the Privacy Commissioner for Personal Data (PCPD)
Website: www.pcpd.org.hk
Hotline: 2827 2827
Address: 12/F, 248 Queen's Road East, Wan Chai, Hong Kong
We encourage you to contact us first at hello@hkdrinks.shop so we can attempt to resolve your concern directly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the updated policy on this page with a revised date. Your continued use of our website after any changes constitutes acceptance of the updated policy.
Data Privacy Enquiries
For any questions about how we handle your personal data: