Legal Document

Privacy Policy

Last Updated: 28 April 2025 Vellum Atlas, Hong Kong

Vellum Atlas ("we", "us", "our") operates a legal document template library accessible to businesses and individuals in Hong Kong and elsewhere. This policy describes what personal data we collect when you use our website or services, why we collect it, how we use and protect it, and the choices available to you. We handle personal data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong ("PDPO").

1. Personal Data We Collect

We collect personal data through three channels:

1.1 Contact and Enquiry Forms

Full name
Email address
Telephone number (if provided)
Message content and nature of enquiry
Organisation name (if provided)

1.2 Subscription and Account Data

Billing name and contact details
Payment information (processed via third-party payment services; we do not store card details)
Account seat holder names and email addresses

1.3 Automatically Collected Data

IP address and approximate location derived from it
Browser type and operating system
Pages viewed and navigation paths on our website
Referral source
Cookie and session identifiers (see Section 5)

Legal basis: Enquiry and account data is processed on the basis of contract performance or pre-contractual steps. Automatically collected data is processed on the basis of our legitimate interest in maintaining and improving the website. Where processing requires consent (for example, optional analytics cookies), we seek it explicitly.

2. How We Use Personal Data

Responding to enquiries: We use the contact details you provide to respond to your messages and to discuss access options, workshop arrangements, or other matters raised in your enquiry.

Service delivery: For subscriptions and workshop engagements, we use your account details to set up access, send quarterly digests, and manage the contractual relationship.

Billing and payment processing: We share necessary billing information with our payment processor to complete transactions. We do not retain full payment card data.

Website analytics: Where you have consented to analytics cookies, we use aggregated data from tools such as Google Analytics to understand how pages are used. This data does not identify individual users in our own records.

Legal compliance: We retain records as required by applicable law and respond to lawful requests from government authorities.

Data retention: Enquiry records are retained for up to 3 years from the last contact. Active subscription records are kept for the duration of the subscription plus 7 years for financial record-keeping purposes. Analytics data is retained in aggregated form per the policy of the relevant analytics provider.

3. Data Sharing

We do not sell personal data. We may share it in the following limited circumstances:

Service providers: Hosting providers, payment processors, and email delivery services that process data on our behalf under contractual data processing agreements.
Analytics services: Aggregated and anonymised data shared with analytics platforms where you have consented.
Legal requirements: Where disclosure is required by law, court order, or lawful authority.
Business transfer: In the event of a merger or acquisition, subscriber data may be transferred as part of that process, subject to equivalent privacy protections.

4. Data Security

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS. We do not operate pages over unencrypted HTTP.

Secure Storage

Data is stored on servers maintained by our hosting provider with access controls limiting who can reach it. We do not store payment card details on our own infrastructure.

Access Controls

Internal access to personal data is limited to staff who need it to perform their role. Access credentials are managed and reviewed periodically.

Breach Procedures

In the event of a data breach that creates a real risk of significant harm, we will notify affected individuals and relevant authorities in accordance with PDPO requirements.

5. Cookies

Our website uses cookies to support basic site functionality and, where you consent, to collect analytics data. Cookie categories are:

Essential

Required for basic site functions such as session management and security. These cannot be disabled.

Analytics

Collect aggregated data on page views and navigation to help us understand how the site is used. Enabled only with your consent.

Marketing

Track interactions with advertising platforms. Enabled only with your consent.

Preferences

Remember settings such as consent choices. Enabled only with your consent.

You can review and update your cookie choices at any time on our Cookie Policy page.

6. Your Rights

Under the PDPO and applicable privacy frameworks, you have the following rights regarding personal data we hold about you:

Access: Request a copy of the personal data we hold about you.
Correction: Request that inaccurate or incomplete data be corrected.
Erasure: Request deletion of personal data where there is no lawful reason for us to continue holding it.
Objection: Object to processing based on our legitimate interests.
Withdraw consent: Where processing relies on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Portability: Receive personal data you have provided in a structured, machine-readable format where technically feasible.

To exercise any of these rights, write to us at [email protected]. We will respond within 40 days as required by the PDPO. We may ask you to verify your identity before processing the request.

If you are not satisfied with how we have handled your data, you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data Hong Kong (pcpd.org.hk).

7. Third-Party Links

Our website may include links to external websites or services. We are not responsible for the privacy practices of those third parties and do not control their data handling. We recommend reviewing the privacy policy of any external site you visit from a link on our pages.

8. Children's Privacy

Our services are directed at businesses and individuals aged 18 and above. We do not knowingly collect personal data from persons under 18. If we become aware that personal data has been collected from a minor, we will delete it promptly.

9. Policy Updates

We review this policy periodically and will update it when our practices change or when required by law. Material changes will be indicated by an updated "Last Updated" date at the top of the page. Continued use of our services after a change constitutes acceptance of the revised policy. We encourage you to review this page from time to time.

10. Contact for Data Enquiries

For any questions about this policy or how we handle personal data, please contact our data team:

Vellum Atlas

18/F, 33 Wyndham Street, Central, Hong Kong

[email protected]

+852 2847 6391