Privacy Policy (EN)
Privacy Policy
All information provided by you to Credit Ko Company Limited (“the Company”) will be treated with strict confidentiality. To this end, the Company implements the following privacy policy principles:
- The Company will only collect personal data that we deem relevant and necessary for understanding your financial needs and for the operation of our business.
- The Company utilizes your personal data to confirm, verify, and authenticate your identity in order to provide you with better customer service and products.
- The Company may transfer your personal data to other members or agent institutions of the Company, but only in accordance with the law.
- Unless you have given your consent, the Company will not disclose your personal data to any external organization.
- The Company may be required to disclose your personal data to government departments, judicial bodies, or regulatory authorities, but only within appropriate legal boundaries.
- The Company is committed to maintaining accurate and up-to-date records of your personal data.
The Company implements strict online security systems to prevent unauthorized access to your personal data.
Your Privacy is of Utmost Importance to Us
This section outlines specific details on how the Company will handle the personal data you may provide to us.
Data Security
- The Company is committed to ensuring the security of your personal data and preventing unauthorized or accidental access, processing, or deletion by others. To safeguard data security, the Company has implemented appropriate measures in facilities, electronic systems, and management to protect your personal data.
- The Company’s website servers are protected by firewalls, and the Company continuously monitors its systems to prevent unauthorized access. The Company will not transmit personal data to you via regular email. Due to the inherent insecurity of regular email, you should only use the secure email facilities provided by the Company’s website to communicate with us.
- The Company will take all practical steps to ensure that customer personal data is not retained beyond the necessary time, and the Company will also comply with all relevant laws and regulatory requirements in the Hong Kong Special Administrative Region regarding the retention of personal identity data.
Security Assurance
- The Company reminds you not to share your username and/or password and/or biometric data with others and to ensure that such information is not shared or allowed to be used by unauthorized individuals. The Company will strive to maintain high security standards to safeguard your interests.
- Your username and password are unique to you, and you should keep them confidential. Do not write them down or let anyone else know this information. If you believe that your user password and/or password have been disclosed, lost, or stolen, or if unauthorized transactions may have been conducted on your account, you are responsible for notifying the Company immediately.
Collection of Personal Data through Non-Traditional Channels
In our daily operations, we may collect personal data from the internet, through phone calls, or via the mobile application “WhatsApp.” We adhere to the following practices:
- Security
We maintain strict security and confidentiality standards to safeguard any data provided to us. We use encryption methods to transmit sensitive data, ensuring the privacy of individuals. - Cookies
When you visit our website, we keep records to analyze website traffic and general usage patterns. Some of this data is collected through cookies.
Cookies are small pieces of information sent from a website server to a browser. They are stored in the computer’s hard drive, allowing the website server to retrieve them later.
Cookies do not collect personally identifiable information. They help the website retain certain information about your usage, enabling us to provide more useful features, tailor the website content to your interests, and deliver targeted advertising or promotions based on your usage patterns. We may obtain data on how you use our website through cookies.
Cookies are designed to be read only by the website that issues them and cannot access a user’s hard drive, email address, or collect sensitive information.
We also collaborate with third-party organizations such as Google, Yahoo, Facebook, and DoubleClick for research on general website usage and activities. These organizations use monitoring technologies including cookies, spotlight, and web beacons to conduct research. Through these technologies, they collect data to (i) understand user demographics, behavior, and usage patterns, (ii) generate more accurate reports, and (iii) assist in improving our marketing effectiveness. The data collected by them is shared with us after processing. However, during these research processes, whether it is Google, Yahoo, Facebook, or DoubleClick, no personally identifiable information is collected or shared with us. Most browsers are set to accept cookies by default. If you believe it is necessary, you can configure your browser to stop accepting cookies or notify you when cookies are being used. However, if you choose to disable cookies, you may not be able to access certain financial products and services provided online. By accepting the use of cookies, you consent to the collection, storage, retrieval, and usage of your data as described above.
If you want more information about the use and collection of cookies or wish to opt-out of such processes, you can visit the following websites: Google (https://policies.google.com/technologies/cookies?hl=en-US), Yahoo (http://privacy.yahoo.com/privacy/us/pixels/details.html), Facebook (https://www.facebook.com/legal/FB_Work_Cookies), and DoubleClick (www.doubleclick.net). - Data Correction
Once personal data is submitted through our online facilities, it may not be possible to cancel, correct, or update it online. To make cancellations, corrections, or updates, please contact our relevant personnel. - Data Retention
The personal data we collect is shared with our employees, departments, branches, contractors, or service providers for processing. Generally, personal data is not stored in our system databases for more than six months. - The facial data collected through our applications is only used for verifying user identity and preventing fraudulent activities such as identity theft. We store facial data securely and take appropriate measures to prevent unauthorized access, use, or disclosure. We retain facial data only until the collection purpose is fulfilled or as required by law.
Note: In case of any discrepancies between the Chinese and English versions, the English version shall prevail.
Important Notice: By browsing this website, accessing any page, or using smart ATMs, you are deemed to have agreed to the above terms.
Notice Regarding the Personal Data (Privacy) Ordinance Policy
- Guidelines and Code of Practice on Consumer Credit Data to Customers and Other Individuals. Respecting and safeguarding the privacy rights of personal data is a consistent policy of Credit-KO Company Limited (“the Company”). Compliance with the Personal Data (Privacy) Ordinance (“the Ordinance”) is not only a principle adhered to by our management but also a direct responsibility of every employee of the Company. This statement clearly defines the purposes of collecting personal data and how we ensure that personal data is not disclosed to unauthorized parties.
- The Company will handle with care the personal data provided by customers. Customers have the right to access and correct their personal data when necessary. Customers should take note of the following:
- The term “data subject,” mentioned in this notice, refers to the following categories of individuals:
- Applicants or customers/users of credit and related loan services and products provided by the Company and their authorized persons;
- Individuals who act as guarantors, sureties, or provide mortgages, guarantees, or any form of support based on their responsibility to the Company;
- Directors, shareholders, senior officers, and managers of any corporate applicants or customers/users;
- Users who access the Company’s website, smart ATMs, and other electronic methods and procedures provided or authorized by the Company to access its services; and
- Suppliers, contractors, service providers, and other contracting parties of the Company.
For the avoidance of doubt, “data subject” does not include any legal entities. The content of this notice applies to all data subjects and forms part of the terms and conditions of any loan account or related agreements or arrangements that are entered into or may be entered into between them and the Company. In case of any discrepancy or inconsistency between this notice and the relevant agreements, this notice shall prevail with respect to the protection of personal data of the data subjects. This notice does not limit the rights of data subjects under the Ordinance.
4. Data subjects are required to provide relevant information to the Company from time to time when opening or continuing accounts, establishing or continuing credit with the Company, or requesting credit and related services and products (including, but not limited to, personal loans, revolving loans, mortgage services, and property valuation services). The data involved may include, but is not limited to:
- Full name;
- Identity card number or travel document number, including copies of identity cards and travel documents and data embedded in their integrated circuits;
- Date of birth;
- Residential and/or correspondence address;
- Telephone/mobile phone number;
- Email address;
- Biometric data, including but not limited to facial images and biometric data stored in identity and/or travel documents with biometric functions, collected whether through the user’s electronic device or other methods using biometric data sensing modules;
- Salary and income;
- Household expenses and number of dependents; and
- Other or further information as deemed necessary by the Company.
5. Failure to provide such information to the Company may result in the Company being unable to open or continue accounts, establish or continue credit, or provide requested credit and related services and products.
6. In the course of normal business operations, the Company may also collect data subject’s data, for example, when applying for loans or renewing loan accounts in person, via telephone, online, or through other means (including reviewing, reconsidering, assessing, examining, viewing, auditing, analyzing, monitoring, complying with, and ensuring compliance with relevant laws, rules, and regulations), including data obtained from credit data service agencies and/or electronic identity authentication service providers.
7. The use of personal data of data subjects will vary depending on their relationship with the company, which includes the following purposes:
Assessing the data subject’s suitability and eligibility as an actual, potential, or ongoing applicant for credit and related loan services and products, as well as processing and approving their applications, renewals, and/or cancellations.
Providing services and credit facilities to facilitate the data subject’s day-to-day operations.
Conducting credit investigations when the data subject applies for credit and conducting regular or special account reviews at least once a year. These account reviews assist the company in determining whether to increase or decrease the data subject’s credit limit or maintain it unchanged.
Developing and maintaining the company’s credit scoring models.
Providing credit reference reports.
Assisting other financial institutions in conducting credit checks and debt recovery.
Ensuring that the data subject maintains a reliable credit profile.
Designing credit and related loan services and products for the data subject’s use.
Promoting services, products, and other initiatives (as detailed in paragraph 11 below).
Calculating the outstanding debt between the company and the data subject.
Pursuing the collection of outstanding debts from the data subject and any person who has provided security for the data subject’s obligations.
Complying with obligations, regulations, or arrangements regarding the disclosure and use of data applicable to the company or any of its branches, or expected to be followed by the company or any of its branches, including:
- Any applicable laws within or outside the Hong Kong Special Administrative Region.
- Any guidelines or directives issued or provided by statutory, regulatory, governmental, tax, enforcement, or other agencies within or outside the Hong Kong Special Administrative Region, or by self-regulatory bodies or industry associations or organizations of financial service providers.
- Any contractual or other commitments between the company or any of its branches and statutory, regulatory, governmental, tax, enforcement, or other agencies or self-regulatory bodies or industry associations or organizations of financial service providers, which arise due to the company’s financial, commercial, operational, or other interests or activities being in or connected with the relevant jurisdiction of such agencies or bodies.
Sharing and/or using data and information within the company and/or between different departments of the company, as well as any other responsibilities, regulations, policies, procedures, measures, or arrangements regarding data and information sharing and/or use, for compliance with the company’s plans concerning anti-money laundering, counter-terrorism financing, or other unlawful activities, approvals or prevention or detection measures.
Assessing the proposed assignee or transferee of the company’s rights or the participation rights or affiliated participation rights of the company in relation to the data subject, as well as participating in or facilitating transactions involving the data subject.
Comparing data with the data of the data subject or other persons for the purpose of conducting credit investigations, data verification, or generating or verifying data in any other manner, regardless of whether the comparison is made for the purpose of taking adverse action against the data subject.
Maintaining credit records or other records of the data subject, whether or not there is any relationship between the data subject and the company, for present or future reference.
Insuring with underwriters against any debts owed by the data subject to the company and related to life insurance to safeguard the company’s interests in the event of the data subject’s death. The company will be the policyholder and the sole and ultimate beneficiary of such policy. The term “data” in this provision includes but is not limited to the data subject’s name, identification document number, loan account number, loan amount, and changing outstanding balance. The ownership, interest, rights, and benefits of such policy will belong exclusively to the company and shall not constitute security for the data subject’s indebtedness to the company.
Confirming, verifying, and authenticating the data subject’s identity.
Reviewing loan applications, services, and ongoing services; conducting fraud reviews and investigations; conducting, preparing, and facilitating internal and external audits; exercising credit monitoring on loan applications, services, and ongoing services; processing claims and potential claims against the company; exercising internal monitoring and data management for the company (including its different departments), the company, and its contractors; and
All other purposes connected, incidental, or related to the above.
8. The company will keep confidential the personal data of data subjects it holds, but the company may provide and disclose such data to the following parties for the purposes listed in paragraph 7:
Any third-party service providers, including agents, auditors, contractors, or providers of administrative, general support, auditing, data management, credit monitoring, analysis, product review, fraud investigation, compliance regulation, telecommunications, computer, payment or securities settlement, electronic identity authentication services, or other services related to the company’s business operations, regardless of their location.
Any persons who have a confidentiality obligation to the company, including companies and different departments within the company that have committed to maintaining the confidentiality of the data.
Payment banks providing copies of paid cheques to the payee (which may contain information about the recipient).
Any persons making payments to the data subject’s account.
Any persons collecting payments from the data subject, their receiving banks, and any intermediaries processing or handling such payments.
Credit reference agencies, which may be provided with the data when the data subject has outstanding debts.
Debt collection agencies when the data subject has outstanding debts.
Any person to whom the company is required to make disclosure under applicable laws, regulations, or obligations, or in accordance with guidelines or directives issued or provided by statutory, regulatory, governmental, tax, enforcement, or other agencies or self-regulatory bodies or industry associations or organizations of financial service providers, whether within or outside the Hong Kong Special Administrative Region.
Any actual or proposed assignee or participant or affiliated participant of the company’s rights in relation to the data subject.
Disclosure of collected data to the following persons:
- Any member of the company.
- Third-party financial institutions, insurers, credit card companies, securities, commodities and investment service providers.
- Third-party reward, loyalty, co-branding, and promotional program providers.
- The company (the name of the co-branding partner will be provided on the application form for services and products, depending on the circumstances).
- Charitable or non-profit organizations.
- Third-party service providers employed by the company for the purposes mentioned in paragraph 7(i), including but not limited to mail delivery companies, telecommunications companies, telemarketing and direct sales agents, call centers, data processing companies, information technology companies, and contractors providing electronic identity authentication services, regardless of their location.
The company may transfer the data of data subjects to locations outside the Hong Kong Special Administrative Region for the purposes listed in paragraph 7.
9.
For the purposes stated in paragraphs 7(c), 7(o), and 7(r), the company may periodically access and retrieve the personal credit information of data subjects from credit reference agencies to review the following matters related to credit arrangements:
- The identity of the data subject.
- Increasing the credit limit.
- Reducing the credit limit (including canceling or reducing the credit).
- Formulating or implementing a debt repayment plan with the data subject.
When accessing the personal credit information of data subjects from credit reference agencies, the company must comply with the provisions of the “Code of Practice on Consumer Credit Data” approved and issued under the relevant ordinance.
10. Regarding data related to mortgage applications made on or after April 1, 2011 (whether as a borrower, mortgagor, or guarantor and whether in the name of the data subject alone or jointly with others), the company (in its own capacity and/or as an agent) may provide the following information about the data subject to credit reference agencies (including any but not limited to the following data that may be updated from time to time):
- Full name.
- Identity as a borrower, mortgagor, or guarantor for each mortgage (whether in the name of the data subject alone or jointly with others).
- Identity card number or travel document number.
- Date of birth.
- Correspondence address.
- Mortgage account number for each mortgage.
- Type of credit for each mortgage.
- Status of the mortgage account for each mortgage (e.g., active, closed, defaulted (except for defaults due to bankruptcy orders), defaulted due to bankruptcy orders).
- End date of the mortgage account for each mortgage (if applicable).
Credit reference agencies will use the information provided by the company to compile statistics on the number of mortgages held by data subjects (separately identified as borrowers, mortgagors, or guarantors, and whether in the name of the data subject alone or jointly with others) with credit providers within the Hong Kong Special Administrative Region. This information will be shared among credit providers in the credit database (subject to the provisions of the “Code of Practice on Consumer Credit Data” approved and issued under the relevant ordinance).
11. Using Data for Direct Marketing
The company intends to use the personal data of data subjects for direct marketing purposes, and the company must obtain the data subject’s consent for this purpose (including any indication of non-objection by the data subject). Therefore, please take note of the following:
- The company may use the data subject’s personal information, contact details, product and service portfolio information, transaction patterns and behavior, financial background, and statistical data for direct marketing purposes.
- The following categories of services may be promoted:
– Credit and related services and products.
– Reward, loyalty, or incentive programs and related services and products.
– Services and products provided by the company’s co-branding partners (the application form for such services and products will specify the name of the co-branding partner, as applicable).
– Donations and sponsorships for charitable and/or non-profit purposes. - The above-mentioned services, products, and purposes may be provided by the company and/or the following entities or organizations, including (but not limited to):
– Any member of the company.
– Third-party financial institutions, insurers, credit card companies, securities, commodities, and investment service providers.
– Third-party providers of reward, loyalty, co-branding, and incentive programs.
– The company’s co-branding partners (the application form for such services and products will specify the name of the co-branding partner, as applicable).
– Charitable or non-profit organizations. - In addition to promoting the aforementioned services, products, and purposes, the company also intends to provide the data subject’s information as stated in paragraph 11(a) above to any or all of the entities mentioned in paragraph 11(c) above for the purpose of promoting the aforementioned services, products, and purposes. The company must obtain the data subject’s consent (including any indication of non-objection by the data subject) for this purpose.
- The provision of data by the company to other entities as described in paragraph 11(d) above may result in monetary or other forms of compensation. If the company receives any monetary or other forms of compensation for providing data to other entities, the data subject will be notified when seeking consent or non-objection, as mentioned in paragraph 11(d) above.
If the data subject does not wish for the company to use or provide their data to other entities for the purpose of direct marketing as described above, the data subject may notify the company to exercise their right to object to such arrangement.
12. In accordance with the provisions of the ordinance and the Personal Credit Data Practice Code approved and issued under the ordinance, any data subject has the right to:
- Check whether the company holds their data and access such data.
- Request the company to correct any inaccurate data relating to them.
- Ascertain the company’s policies and practices in relation to data and be informed of the types of personal data held by the company.
- Be informed of the categories of personal data that may be routinely disclosed to credit reference agencies or debt collection agencies upon request, and be provided with further information by the company to facilitate making a data access or correction request to the relevant credit reference agency or debt collection agency.
- Instruct the company to request the deletion of any account data (including any account repayment data) provided by the company to a credit reference agency upon full settlement of the outstanding debt to terminate the account. However, such instruction must be given within 5 years from the termination of the account, and the account must not have any record of overdue repayment exceeding 60 days within the 5 years immediately preceding the termination of the account. Account repayment data includes the last repayment amount due, the repayment amount made during the last reporting period (i.e., the period not exceeding 31 days immediately preceding the provision of the last account data by the company to the credit reference agency), the remaining available credit, or the outstanding balance and debt data (i.e., the overdue amount and the number of days overdue, the date of repayment of the overdue amount, and the date of full repayment of any overdue debt exceeding 60 days, if applicable).
13. In the event of any outstanding debt in the account, unless the outstanding debt is fully settled or written off (excluding bankruptcy orders) within 60 days from the occurrence of the default date, the credit reference agency may retain the account repayment data (as defined in paragraph 12(e) above) for a period of 5 years from the date of full settlement of the outstanding debt.
14. When an amount in the account is written off as a result of the data subject being issued a bankruptcy order, regardless of whether the account repayment data (as defined in paragraph 12(e) above) shows any outstanding debt exceeding 60 days, the credit reference agency may retain the account repayment data for a period of 5 years from the date of full settlement of the outstanding debt or from the date the data subject provides evidence of the discharge of the bankruptcy order, whichever is earlier.
15. In accordance with the provisions of the ordinance, the company is entitled to charge a reasonable fee for processing any data access request.
16. Any requests for accessing or correcting data, or inquiries regarding data policies, practices, or the types of data held, should be directed to the following individuals:
Data Protection Officer
Credit KO Company Limited
Room 312B, 3/F, East Ocean Centre,
98 Granville Road, Tsim Sha Tsui,
Hong Kong
Tel no.: 2388 8530
Email: [email protected]
17. When considering any credit application or conducting periodic credit reviews, the company obtains credit reports from credit reference agencies regarding the data subject. If the data subject wishes to access such credit reports, the company will provide detailed contact information of the relevant credit reference agency.
17. In the event of any discrepancy between the Chinese and English versions of this notice, the English version shall prevail.