Privacy Policy
Version: PP-2026-05-11
Last Updated: 11 May 2026
Effective Date: 11 May 2026
Massive Dynamic Limited ("we", "our", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy applies to our websites including mdhk.ltd, track.mdhk.ltd, and app.mdhk.ltd, and explains how we collect, use, store, and protect your information.
1. What This Website Does NOT Collect
No Passport Data via Website
We do not request, collect, or store passport numbers, passport scans, or similar identity documents through our websites. When your service requires passport documents, they are exchanged outside the website via secure encrypted channels (WhatsApp, Telegram, Facebook Messenger).
No Payment Card Data Storage
We do not collect or store payment card numbers, CVV codes, or PAN (Primary Account Number) on our servers. All payment card details are handled exclusively by our payment processors.
No Special-Category Data
We do not use the website to collect sensitive personal data such as biometric data, health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation.
2. Minimal Data for Browsing
We process only the minimum information necessary to operate and secure our websites:
- IP Address: For security, fraud prevention, and geographic service delivery
- Device Information: Browser type, operating system, device type (for compatibility and security)
- Usage Data: Pages visited, time spent, referral source (for service improvement)
- Essential Cookies: Session management, security, authentication (see Section 8)
If you create an account or log in, your identity data (email, phone number) is handled by our authentication provider (see Section 3).
3. Third-Party Processors and Providers
We use trusted third-party service providers who process data on our behalf:
Payment Processing
Stripe & Airwallex
- Purpose: Secure payment processing for all card transactions
- Data Processed: Payment card details, transaction information, billing address
- Storage: Card details are entered and stored on their secure infrastructure, NOT on our servers
- Security: PCI DSS Level 1 compliant
- Privacy Policies:
  - Stripe: https://stripe.com/privacy
  - Airwallex: https://www.airwallex.com/privacy-policy
Authentication & Account Management
Clerk
- Purpose: User sign-up, sign-in, session management, account security
- Data Processed: Email address, phone number (optional), name, authentication tokens
- Storage: Identity data is processed and stored by Clerk under their infrastructure
- Security: SOC 2 Type II compliant, encryption at rest and in transit
- Privacy Policy: https://clerk.com/privacy
Third-Party Service Providers (Case Implementers)
Substantive Service Delivery Partners
- Purpose: Delivery of substantive services (immigration processing, company formation, licensed activities)
- Data Processed: Identity documents, application forms, supporting documentation, case-specific information necessary for service delivery
- Legal Basis: Contract performance (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR)
- Relationship: Each Third-Party Provider acts as an independent data controller within the meaning of Article 4(7) GDPR for the substantive services it provides
- Disclosure: The identity of the Third-Party Provider assigned to your case is disclosed in your service agreement (MSA Schedule A) or upon engagement
- Geographic Locations: Third-Party Providers operate in EU member states, Hong Kong, UAE, and other jurisdictions relevant to the requested service; international transfers comply with GDPR Article 46 safeguards
Communication Channels
WhatsApp Business (Meta Platforms, Inc.)
- Purpose: Real-time messaging and document exchange (optional)
- Data Processed: Messages, documents, attachments transmitted via the platform
- Storage: Data is processed by Meta Platforms, Inc. (USA) under its own privacy policy
- Cross-Border Transfers: Use of WhatsApp involves data transfers to the United States. EU/EEA-based clients who do not consent to such transfers should use the secure portal at app.mdhk.ltd as the exclusive channel for sensitive documents
- Privacy Policy: https://www.whatsapp.com/legal/business-privacy-policy
Important: We never receive full payment card numbers and we do not store them on our servers. Authentication cookies are set and managed by Clerk.
4. Secure File Handling (app.mdhk.ltd)
Our secure client portal at app.mdhk.ltd provides bank-level security for document management:
Security Measures
- Bank-Level Encryption: All files encrypted at rest using AES-256 encryption
- Transmission Security: TLS 1.3 encryption for all data transfers
- Cloudflare Protection: DDoS protection, WAF (Web Application Firewall), and CDN security across all IT channels
- Access Control: Zero-trust architecture with strict authentication
Access Restrictions
Only two parties can access uploaded files:
- The person who uploaded the file (authenticated user)
- Assigned company case manager (specific employee handling your case)
No other employees, third parties, or systems have access to your files.
File Retention & Deletion
Client Control:
- You can delete your files at any time through the client portal
- Deletion is immediate and permanent from active systems
- Backup copies are overwritten within 7 days
Automatic Deletion:
- Files are automatically deleted 180 days after case completion or account closure
- You will receive notification 30 days before automatic deletion
- You can request early deletion or extended retention
Document Exchange Outside Website
When services require passport documents, identity cards, or other sensitive materials:
- Documents are exchanged via encrypted messaging channels (WhatsApp, Telegram, Facebook Messenger)
- Documents are NOT stored on our web servers
- Documents uploaded to app.mdhk.ltd follow the security measures above
5. Legal Basis & Purposes
We process your personal data under the following legal bases:
Legitimate Interests
- Website Operation: Ensuring website functionality, performance, and user experience
- Security: Protecting against fraud, unauthorized access, and cyber threats
- Service Improvement: Analyzing usage patterns to enhance our services
- Sanctions Screening: Compliance with international sanctions regimes (see Section 14)
Contract Performance
- Service Delivery: Processing your orders and delivering contracted services
- Payment Processing: Collecting payment and issuing invoices
- Communication: Providing support, status updates, and service-related information
- Third-Party Provider Coordination: Forwarding required documentation to assigned Third-Party Providers for substantive service delivery
Legal Compliance
- Anti-Money Laundering (AML): Customer due diligence and transaction monitoring under Hong Kong's AMLO Cap. 615
- Sanctions Compliance: Mandatory screening against UN, HK, OFAC, and EU sanctions lists
- Accounting & Tax: Maintaining financial records as required by Hong Kong law
- Regulatory Requirements: Compliance with immigration, corporate, and industry regulations
6. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
Active Service Period:
- Account information: Duration of service + 180 days
- Transaction records: 7 years (accounting and tax requirements)
- Communication logs: 3 years (dispute resolution and quality assurance)
- Uploaded files: 180 days after case completion (automatic deletion)
- Sanctions screening records: 6 years (AMLO Cap. 615 record-keeping requirement)
After Service Completion:
- Minimal data retained for legal, accounting, and security purposes
- Full anonymization or deletion after statutory retention periods
- Payment card data: Retained by Stripe/Airwallex under their policies (not on our servers)
7. Your Privacy Rights
Depending on your jurisdiction (Hong Kong PDPO, EU GDPR, etc.), you may have the following rights:
Right to Access
- Request confirmation of what personal data we hold about you
- Receive a copy of your personal data in a structured, commonly used format
Right to Rectification
- Request correction of inaccurate or incomplete personal data
- Update your account information directly through app.mdhk.ltd
Right to Deletion ("Right to be Forgotten")
- Request deletion of your personal data where:
  - No longer necessary for original purpose
  - You withdraw consent (where consent was the legal basis)
  - You object to processing and no overriding legitimate grounds exist
  - Data was unlawfully processed
Exceptions: We may retain data where legally required (accounting, dispute resolution, regulatory compliance, AML record-keeping)
Right to Restriction
- Request temporary restriction of processing while we:
  - Verify accuracy of disputed data
  - Assess whether legitimate grounds override your objection
Right to Object
- Object to processing based on legitimate interests
- Object to direct marketing (we do not engage in unsolicited marketing)
- Note: Sanctions screening cannot be opted out of, as it is a mandatory regulatory requirement
Right to Data Portability
- Receive your personal data in machine-readable format
- Request direct transfer to another controller where technically feasible
Right to Withdraw Consent
- Where processing is based on consent, you may withdraw at any time
- Withdrawal does not affect lawfulness of processing before withdrawal
How to Exercise Your Rights:
Email: [email protected] with subject "Privacy Rights Request"
Response time: 30 days (may be extended by 60 days for complex requests)
8. Cookies
We use only essential cookies required for website functionality:
Essential Cookies (Cannot be Disabled)
- Session Cookies: Maintain your logged-in state and shopping cart
- Security Cookies: Protect against CSRF attacks and unauthorized access
- Authentication Cookies: Set by Clerk for account management (httpOnly, secure, SameSite)
We do NOT use:
- Analytics cookies (beyond essential server logs)
- Advertising cookies
- Social media tracking cookies
- Third-party marketing cookies
Cookie Duration:
- Session cookies: Deleted when you close your browser
- Authentication cookies: 30 days (configurable in your account settings)
9. International Data Transfers
Massive Dynamic Limited is based in Hong Kong. Your data may be transferred to and processed in:
- Hong Kong: Our primary servers and business operations
- European Union: For EU client service delivery and compliance, including transfers to EU-based Third-Party Providers
- United States: Third-party processors (Stripe, Clerk, Meta/WhatsApp) with EU-US Data Privacy Framework certification where applicable
- Other Jurisdictions: Where required for Third-Party Provider service delivery (e.g., UAE, Singapore, jurisdictions of target immigration programs)
All international transfers comply with GDPR Article 46 safeguards:
- Standard Contractual Clauses (SCCs) with processors
- Adequacy decisions (where applicable)
- Processor security certifications (SOC 2, ISO 27001)
- Explicit consent for transfers to non-adequate jurisdictions where required
10. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately for deletion.
11. Changes to This Policy
We may update this Privacy Policy to reflect:
- Changes in our services or business practices
- New legal or regulatory requirements
- Improvements to security or privacy protections
Notification of Changes:
- Updated version and date displayed at top of this page
- Material changes communicated via email to account holders
- Continued use after changes constitutes acceptance
Version History:
Current: PP-2026-05-11 (11 May 2026)
Previous: PP-2026-02-21 (21 February 2026)
12. Contact & Data Protection Officer
Massive Dynamic Limited
Unit 1603, 16/F, The L. Plaza
367-375 Queen's Road Central
Sheung Wan, Hong Kong
Hong Kong Company Registration: #78076051
Privacy Inquiries:
Email: [email protected]
Phone: +852 9290 0201
Subject Line: "Privacy Policy Inquiry"
Supervisory Authority (EU Residents): If you are located in the EU and have concerns about our data processing practices, you may lodge a complaint with your national data protection authority.
Hong Kong Privacy Commissioner (HK Residents):
Office of the Privacy Commissioner for Personal Data
Website: https://www.pcpd.org.hk
13. Security Incident Response
In the unlikely event of a data breach affecting your personal data:
- Notification: We will notify affected individuals within 72 hours of discovery
- Disclosure: Notification will include nature of breach, data affected, and remedial actions
- Regulatory Reporting: Serious breaches reported to relevant authorities as required
- Remediation: Immediate steps taken to contain breach and prevent recurrence
14. Sanctions Screening
As part of our AML/CFT compliance obligations under Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615), we conduct mandatory sanctions screening of all clients against:
- United Nations Security Council Sanctions List
- Hong Kong Sanctions List (Financial Services and the Treasury Bureau)
- OFAC Specially Designated Nationals (SDN) List (where applicable to USD transactions)
- EU Consolidated Sanctions List (where applicable to EUR transactions)
- UK HM Treasury Consolidated Sanctions List (where applicable to GBP transactions)
Screening Process
- At Engagement: All new clients screened before service commencement
- Periodic Re-Screening: Active clients re-screened periodically and upon material updates to sanctions lists
- KYC Timeline: Identity verification must be completed within 30 working days of engagement, in accordance with AMLO requirements. Failure to complete verification results in mandatory suspension of the business relationship.
- Data Processed: Full legal name, date of birth, nationality, address, beneficial ownership information (for corporate clients)
- Data Source: Customer due diligence (KYC) documentation provided by the client
- Retention: Screening records retained for 6 years per AMLO Cap. 615 record-keeping requirements
Outcome
Engagement may be declined or terminated if a client appears on a sanctions list, if a true match is identified, or if KYC verification cannot be completed within the regulatory timeline. Where a positive screening result is identified, the matter may be reported to relevant competent authorities (including the Joint Financial Intelligence Unit) as required by law.
Your Rights
- Notification: You will be notified if your engagement is declined or terminated due to sanctions screening, to the extent permitted by law
- Disclosure to Third Parties: No personal data resulting from screening is shared with third parties except as required by competent regulatory authorities
- Right to Object: Sanctions screening is a mandatory regulatory requirement and cannot be opted out of
Your privacy is fundamental to our business.
We are committed to transparency, security, and your control over personal data. If you have questions or concerns about this Privacy Policy or our data practices, please contact us at [email protected].
This Privacy Policy is governed by the laws of Hong Kong SAR and complies with the Personal Data (Privacy) Ordinance (PDPO, Cap. 486) and, where applicable, the EU General Data Protection Regulation (GDPR).