Introduction

Welcome to Cotton Tree Labs Limited (“we,” “our,” “us”). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and safeguard information when you use our website www.cottontreelabs.com, and it outlines your rights under applicable laws.

By accessing or using our website in any manner, you acknowledge that you have read and understood this Privacy Policy. Use of information we collect is subject to this Privacy Policy. Some uses of your data, such as marketing or non-essential cookies, will only take place where you have given consent. Your use of our website is also subject to our Terms of Use, which incorporates this Privacy Policy by reference.

This Privacy Policy applies to information collected through our website and any related interactions (for example, contacting us by email or through online forms). It does not cover the practices of companies we do not own or control, or individuals we do not manage.

We are based in 905, 9/F, Connaught Marina, 48 Connaught Road W, Sheung Wan, Hong Kong and comply with the Personal Data (Privacy) Ordinance of Hong Kong. If you are visiting from the European Economic Area or other jurisdictions, please note that additional rights may apply to you under local data protection laws.

What data do we collect?

We collect different types of personal data depending on how you interact with our website:

●  Technical Data: Information automatically collected when you visit our site, such as your IP address, browser type and version, time zone setting, device information, and interaction data. We also collect data through cookies and tracking technologies (Google Analytics 4, Google Ads Tag, Meta Pixel, LinkedIn Insight Tag, Microsoft Clarity).

●  Contact Data: Information you provide when contacting us by email or, in the future, through online forms. This may include your name, email address, and other details necessary for us to respond to your inquiry.

●  Identity and Profile Data: Information you may provide if we later introduce sign-up forms, surveys, or participation in research activities. This may include names, preferences, or responses you choose to share.

●  Marketing Data: Your communication preferences and any opt-ins for receiving updates from us.

When do we collect data?

We collect personal data in the following circumstances:

●  When you provide it directly: For example, when you email us, complete a form (once available), participate in surveys or research, or otherwise choose to share information with us.

●  When you interact with our site: We automatically collect Technical Data (such as IP address, browser type, device information, and usage data) through cookies, pixels, and similar technologies (including Google Analytics 4, Google Ads Tag, Meta Pixel, LinkedIn Insight Tag, Microsoft Clarity).

●  When you engage with us externally: We may collect information if you interact with us through social media, attend an event we host, or provide your details to us for follow-up.

●  From third-party sources (if applicable): In some cases, we may receive information from service providers, publicly available sources, or business partners, subject to their own privacy policies and applicable law.

How do we use your data and what legal bases do we rely on?

Purposes

We use personal data for the following purposes:

●  To operate and secure our website: We process Technical Data to ensure our website functions properly, to maintain security, and to detect or prevent fraud and misuse.

●  To respond to you: We use Contact Data to reply to your inquiries, provide requested information, and support your interactions with us.

●  To improve our services: We analyze Technical and Usage Data, including through cookies and tracking tools (Google Analytics 4, Google Ads Tag, Meta Pixel, LinkedIn Insight Tag, Microsoft Clarity) to understand how our site is used and to improve performance and user experience.

●  To personalize communications: If you provide Identity or Profile Data (for example, in forms or surveys), we may use it to tailor our communications and research activities.

●  For marketing (with consent): Where you opt in, we use Contact or Marketing Data to send updates, invitations, or other communications. You may withdraw consent at any time.

●  To comply with legal and regulatory obligations: We may process data where required by Hong Kong’s Personal Data (Privacy) Ordinance or, where applicable, GDPR or other laws. This may include responding to lawful requests, enforcing our rights, and protecting our business. 

We will only use your personal data for the purposes described above, unless we reasonably determine that another use is compatible with the original purpose. If we intend to use it for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

Legal bases

As a company based in Hong Kong, we comply with the Personal Data (Privacy) Ordinance, which requires that personal data be collected fairly, used for lawful and necessary purposes, and not kept longer than necessary.

For visitors from the European Economic Area and other jurisdictions where stringent data protection laws may apply, we process personal data only where we have a legal basis to do so. These include:

●  Consent: Where we obtain your explicit consent separately for different processing activities, such as marketing communications, use of non-essential cookies, and sharing your personal data with third parties. You can provide, refuse, or withdraw your consent at any time through our cookie settings or by contacting us directly at privacy@cottontreelabs.com. Your preferences will be recorded and managed securely to ensure compliance with applicable data protection laws.

●  Contractual necessity: Where processing your personal data is required to perform a contract with you or to take steps at your request prior to entering into a contract (for example, if you register for an event or complete a sign-up form).

●  Legal obligation: Where processing your personal data is necessary to comply with applicable laws or regulatory requirements.

●  Legitimate interests: Where processing your personal data is necessary for our legitimate business interests, such as operating our website, improving user experience, understanding how our services are used, and ensuring network security — provided these interests are not overridden by your rights and freedoms.

Cookies

Our website uses cookies and similar tracking technologies (including pixels, tags, and scripts) to operate effectively, improve performance, and measure how visitors use our site.

1. What are cookies?
   Cookies are small text files stored on your device when you visit a website. They help us recognize your browser, remember your preferences, and understand how visitors interact with our site.

2. Types of cookies we use:

   ○  Essential cookies: Required to enable core functionality, such as security and basic site access.

   ○  Functional cookies: Remember your settings and preferences, improving your browsing experience.

   ○  Performance/analytical cookies: Collect information on how visitors use our site, helping us improve content and measure effectiveness.

   ○  Advertising/third-party cookies: Placed by tools such as Google Analytics 4, Google Ads Tag, Meta Pixel,, LinkedIn Insight Tag and Microsoft Clarity. These help us understand audience engagement and measure campaign performance.

3. Consent
   We collect non-essential cookies only with your consent. You may refuse or withdraw your consent at any time by either rejecting cookies in our banner or managing them through your browser’s cookie settings. Please note that rejecting or disabling cookies may affect how our site functions.

4. Third-party cookies
   Some cookies are set by third parties, such as social media platforms or embedded services. We do not control these cookies; you should review the relevant third-party privacy or cookie policies.

   
   

Who do we share your data with?

We may share your personal data with third parties in the following circumstances:

●  Service providers: We engage trusted third parties to help operate our website and provide related services, such as hosting, analytics, communication tools, marketing platforms, and security providers. We require these service providers to respect the security of your personal data and to treat it in accordance with the law. We do not allow them to use your personal data for their own purposes and only permit them to process it for specified purposes in accordance with our instructions.

●  Professional advisors and regulators: We may disclose data to lawyers, auditors, insurers, regulators, government authorities, or law enforcement when required to comply with legal obligations or protect our rights.

●  Business transfers: If we undergo a merger, acquisition, restructuring, or sale of assets, your data may be transferred as part of the transaction to ensure continuity.

●  With your consent: Where you authorize us, we may share data with third parties for purposes you have agreed to (for example, if you sign up for an event involving partners).

Data Processor Compliance

We require all third-party service providers that process personal data on our behalf to enter into data processing agreements that comply with the standards under the Personal Data (Privacy) Ordinance of Hong Kong and GDPR. These contracts require processors to implement appropriate technical and organizational measures to protect personal data, act only on our instructions, maintain confidentiality, and assist us in meeting our obligations.

Links to Third-Party Sites

Our website may contain links to websites or services operated by third parties. Please note that this Privacy Policy does not apply to those third parties. Any personal data you provide to third-party websites or services will be governed by their own privacy policies and practices, not ours.

We are not responsible for the privacy practices, content, or security of third-party sites, and we encourage you to review their policies before providing them with your personal data. 

How do we transfer data internationally?

As Cotton Tree Labs Limited is based in Hong Kong, your personal data may be stored or processed outside of your home jurisdiction, including in countries that may not offer the same level of data protection as Hong Kong or the European Economic Area (EEA).

When we transfer personal data internationally, we take steps to ensure that it is protected in line with this Privacy Policy and applicable laws. This may include:

●  Transferring to countries recognized as providing an adequate level of protection under applicable law;

●  Implementing appropriate safeguards, such as standard contractual clauses approved by relevant regulators, required; or

●  Relying on specific exceptions where these are available under data protection law.

By using our website, you understand that your data may be transferred to and processed in jurisdictions outside your own.

How long do we keep your data?

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements.

When determining how long to keep data, we consider:

●  The type and sensitivity of the data;

●  The potential risk of harm from unauthorized use or disclosure;

●  The purposes for which we process the data and whether those purposes can be achieved through other means; and

●  Applicable legal, regulatory, and business requirements.

As a Hong Kong–based company, we may be required to retain certain business records for 7 years under the Personal Data (Privacy) Ordinance and other applicable laws. After the relevant retention period has expired, we will securely delete or anonymize personal data in accordance with our data retention policy and applicable laws.

In some cases, you may request that we delete your personal data earlier (see “Your Rights” below). In other cases, we may retain information in an anonymized or aggregated form that does not identify you.

How do we protect your data?

We take the security of your personal data seriously and implement appropriate safeguards to protect it from unauthorized access, use, disclosure, alteration, or loss.

●  Technical and organizational measures: We use physical, technical, and administrative controls that are appropriate to the type of data we process. This includes encryption protocols such as Secure Sockets Layer (SSL) for data transmission and secure servers with password or equivalent protections.

●  Access controls: Personal data is accessible only to employees, contractors, or service providers who have a business need to know and who are bound by confidentiality obligations.

●  Breach procedures: We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator where we are legally required to do so.

●  Limitations: While we work hard to protect your information, no method of transmitting or storing data over the Internet is completely secure. We cannot guarantee absolute security, but we will take all reasonable steps to safeguard your personal data. 

Data Breach Notification

In the event of a personal data breach, we have established procedures to promptly identify, assess, and respond to the incident. We will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach poses a high risk to your rights, we will inform you without undue delay, providing details about the nature of the breach, potential consequences, and measures you can take to protect yourself.

Your Rights

Depending on where you are located, you may have certain rights regarding your personal data under applicable data protection laws. These may include:

●  Access and correction: You may request access to the personal data we hold about you and ask us to correct any inaccuracies.

●  Erasure: You may request that we delete your personal data in certain circumstances.

●  Restriction: You may request that we limit the way we use your data.

●  Portability: You may request a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format.

●  Objection: You may object to our processing of your data in certain circumstances, including for direct marketing.

●  Withdraw consent: Where processing is based on your consent, you may withdraw it at any time.

You have the right to access, correct, delete, restrict, and object to the processing of your personal data, as well as to data portability and withdrawal of consent. To exercise any of these rights, please contact us at privacy@cottontreelabs.com. We will respond to your request without undue delay and in any case within one (1) month. In some cases, we may request additional information to validate your identity or clarify your request. Where permitted by law, we may charge a reasonable fee for repeated or manifestly unfounded requests.

If you are based in the EEA or another jurisdiction with its own data protection authority, you may also have the right to lodge a complaint with your local authority. 

Profiling and Automated Decision-Making

At present, we do not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. Should we introduce such processing, we will inform you of the logic involved, the significance, and the envisaged consequences. You will have the right to obtain human intervention, express your point of view, and contest any automated decision as required under applicable laws.

Do we collect children’s data?

Our website is not intended for children, and we do not knowingly collect personal data from individuals under 16 years of age. If we learn that we have collected personal data from someone under 16, we will delete that information as soon as reasonably practicable. If you believe that a child under 16 has provided personal data to us, please contact us at privacy@cottontreelabs.com.

How will we notify you of changes to this policy?

We may update this Privacy Policy from time to time. Any changes will be posted on this page, and the “last updated” date at the top will reflect the most recent version.

If we make material changes to how we collect, use, or share your personal data, we will take reasonable steps to notify you in advance — for example, by posting a prominent notice on our website or, where appropriate, contacting you directly.

Your continued use of our website after changes are posted will indicate your acceptance of those changes.

How can you contact us?

If you have any questions or concerns about this Privacy Policy or our handling of your personal data, or if you wish to exercise your rights under the Personal Data (Privacy) Ordinance or, where applicable, under the General Data Protection Regulation, please contact us at:

Cotton Tree Labs Limited
Personal Data Privacy Officer

Address: 905, 9/F, Connaught Marina,
48 Connaught Road W, 
Sheung Wan, Hong Kong
Email: privacy@cottontreelabs.com