Privacy Policy & Personal Information Collection Statement
Effective date: 15 August 2025
Last updated: 6 May 2026
A. WHO WE ARE
I II Concept (Hong Kong) Limited (“we”, “our”, “us”)
Registered in Hong Kong
Registered office: 6/F Vogue Building, 67 Wyndham Street, Central, Hong Kong
B. WHY WE COLLECT YOUR DATA (PURPOSES)
| Purpose | Examples of personal data | Legal basis under PDPO |
|---|---|---|
| Enquiry & project discussion | Name, company, email, phone, message content | DPP 1 – purpose notified before collection |
| Site security & operation | IP address, browser type, server logs | DPP 4 – security |
| Site analytics (aggregate) | Page views, device type (stored via Webflow Analyze local-storage) | Not personal data; if ever identifiable we rely on DPP 1 & 3 |
| Legal / regulatory compliance | All categories above | Statutory obligation |
We will not use your data for direct marketing without obtaining your explicit consent under Part VI A PDPO.
C. WHETHER IT IS OBLIGATORY TO PROVIDE DATA
Fields marked “required” on our forms are necessary for us to respond; if you do not provide them we may be unable to assist you. Other fields are voluntary.
D. CLASSES OF TRANSFEREES
We may share data with:
- Service providers – Webflow Inc. (hosting, US), email/IT suppliers, professional advisers.
- Government or regulators when required by law.
- Successors in any corporate transaction affecting our business.
Whenever we transfer personal data outside Hong Kong, we use contractual safeguards equivalent to the PCPD’s Model Clauses.
E. RETENTION
- Enquiry-related data: kept 3 years after final interaction, then erased or anonymised.
- Server logs: 12 months for security review.
- Aggregate analytics: anonymous; retained indefinitely.
F. DATA SECURITY
We employ HTTPS, encryption at rest, access controls, and regular vulnerability patching. Service providers are contractually bound to comparable standards.
G. YOUR RIGHTS (DPP 6)
You may:
- Access a copy of the personal data we hold about you.
- Correct any inaccuracy.
- Withdraw consent to any new purpose we proposed (if applicable).
How to exercise your rights: email info@i-iiconcept.com. We will respond within 40 days. A reasonable fee may be charged for access requests as permitted by s.28 PDPO.
H. COOKIES & ONLINE TRACKING
We use only the cookies/local-storage items listed in our separate Cookie & Online-Tracking Policy. Those items do not identify you personally. If any tracking technology does identify you, this Privacy Policy will apply.
I. THIRD-PARTY API INTEGRATIONS (GOOGLE LIMITED USE DISCLOSURE)
We operate internal marketing-analytics tooling under the OAuth application name i ii concept Marketing Foundation (Google Cloud project i-ii-marketing-foundation, project number 762641702731). This application connects to the following Google APIs on behalf of our authorised personnel:
- Google Ads API — OAuth scope
https://www.googleapis.com/auth/adwords - Google Analytics 4 Data API — service-account based access (no OAuth user scope)
- Google Search Console API — OAuth scope
https://www.googleapis.com/auth/webmasters.readonly - Google Business Profile API — OAuth scope
https://www.googleapis.com/auth/business.manage - YouTube Analytics API — OAuth scope
https://www.googleapis.com/auth/yt-analytics.readonly
For APIs that require OAuth authorisation, access is granted only after the relevant authorised user has completed the Google OAuth consent flow and explicitly approved the scopes listed above.
Data Accessed
The data classes accessed through each API are limited to the following:
- Google Ads API: campaign metadata and structure, ad-group configuration, keyword and ad performance metrics (impressions, clicks, cost, conversions, quality scores), and customer-account information for our own Google Ads manager account (
168-022-6600) and its linked customer account (565-251-5003). No data belonging to third-party advertisers or end consumers is accessed. - Google Analytics 4 Data API: aggregate web-traffic and event data from our own GA4 properties only.
- Google Search Console API: search analytics data (queries, impressions, clicks, average position) and sitemap status for our own verified domains only.
- Google Business Profile API: location information, posts, customer reviews, and performance metrics for our own business listings only.
- YouTube Analytics API: aggregate channel and video performance metrics for our own YouTube channels only.
The application does not access end-user personal data, individual user profiles, demographic detail, or any data belonging to third parties outside our own accounts.
Data Usage
All data retrieved through these APIs is used exclusively for internal back-office purposes by i ii concept staff. Specific uses are:
- internal performance reporting and trend analysis across our own marketing channels;
- operational reconciliation of marketing spend and outcomes;
- back-office analytics informing internal commercial and planning decisions;
- subject to roadmap: automated optimisation of our own paid-search campaigns (Google Ads only).
This data is not displayed to end users of our website, is not used to make automated decisions that affect any individual user, is not used for serving advertising to any party, and is not used to build user profiles or audience segments for advertising purposes.
Data Sharing
i ii concept does not sell, transfer, or disclose Google user data to any third party, with the following narrow exceptions:
- Infrastructure sub-processors: data resides on our self-hosted servers in Hong Kong. We do not transmit it to third-party data warehouses, analytics-as-a-service providers, or any external cloud-storage product.
- Legal compliance: we may disclose data if required to do so by applicable law, regulation, or court order.
- Business transfer: in the event of a merger, acquisition, or sale of assets, Google user data may transfer to a successor entity; we will give affected authorised users prior notice.
Under no circumstance is Google user data transferred to advertising platforms, data brokers, or information resellers.
Data Storage and Protection
OAuth refresh tokens and any cached API responses are stored on our self-hosted server located in Hong Kong. Storage is restricted to permission-controlled filesystem locations (mode 600, accessible only to a single named administrator). No copies are maintained in third-party cloud storage services. All communication with Google API endpoints is conducted over TLS. Cached data is not publicly accessible and is reachable only by the named administrator on the host machine.
Data Retention and Deletion
Cached Google API data is retained for up to 90 days for trend-analysis purposes and is then purged automatically. OAuth tokens are retained only for as long as the authorised user's consent remains active.
The authorised user may revoke our application's access at any time via Google's account permissions page at myaccount.google.com/permissions. Revoking access causes all subsequent API calls to fail immediately; we do not re-acquire tokens without a fresh OAuth consent.
To request deletion of any cached data attributable to a specific user or account, please contact homan@i-iiconcept.com. We will purge the relevant data within 30 days of receiving a verifiable request.
Limited Use of Google User Data
i ii concept's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We limit our use of this data to providing or improving the internal-tools features described in the Data Usage section above.
- We transfer this data only as described in the Data Sharing section above.
- We do not allow humans to read this data except by the authorised user who granted consent (i.e. our own staff operating on data they themselves consented to share), or where required for security investigations, abuse prevention, or legal compliance, or where data has been aggregated and anonymised for internal operational purposes.
- We do not transfer or sell this data to third parties for serving advertising, and we do not use it for serving advertising of any kind, including personalised or retargeted advertising.
AI and Machine Learning Model Training
Google user data obtained through these APIs is not used to train or fine-tune generalised artificial-intelligence or machine-learning models, whether ours or any third party's. Where we use AI assistants for analytical insights on this data (for example, summarising campaign performance trends), the data is processed transiently per request and is not retained for model training by us or by our AI service providers.
J. CHANGES TO THIS POLICY
We review this statement annually. The “Last updated” date reflects the most recent revisions. Material changes will be announced on this page.