Privacy Policy

Personal Data Protection

1. Introduction and Data User

GREATWILL SOURCING (HK) LTD ("we", "us", "our"), trading as Greatwill, is the data user within the meaning of the Personal Data (Privacy) Ordinance, Cap. 486 of the Laws of Hong Kong ("PDPO"), in respect of personal data collected through this e-commerce website, your customer account, orders, communications with us, and related services.

This Privacy Policy explains how we collect, hold, process, use and disclose personal data in accordance with the PDPO and the six Data Protection Principles ("DPPs") in Schedule 1. By using our website, creating an account, placing an order, or providing personal data to us, you acknowledge this policy. Where the PDPO requires your prescribed consent (for example, for direct marketing or use of data for a new purpose), we will obtain it separately and you may withdraw it at any time.

2. Personal Data We Collect (DPP1 — Purpose and Manner of Collection)

We collect personal data only where it is necessary and not excessive for purposes directly related to our functions or activities, by lawful and fair means. Categories include:

  • Identity and contact: name, email, telephone, billing and delivery addresses.
  • Account and transactions: login credentials (stored in hashed form), order history, preferences, and payment-related information. Card details are processed by our payment service provider (e.g. Stripe); we do not store full card numbers on our servers.
  • Communications: messages sent via our contact form, email, or customer support, including marketing consent choices.
  • Security and fraud prevention: when enabled, data processed through Cloudflare Turnstile (such as IP address, browser characteristics, and challenge results) to verify that requests are made by humans and to protect our platform.
  • Technical and usage: IP address, device and browser type, pages viewed, session identifiers, cookies, and similar technologies (see Section 10).

Where collection is mandatory (e.g. to fulfil an order), we will inform you. Where it is voluntary, refusal may limit the services we can provide. We will not use your data for a new purpose without notifying you and, where required, obtaining prescribed consent.

3. Purposes of Use (DPP3 — Use of Personal Data)

We use personal data for purposes including:

  • Registering and managing your account, and authenticating access.
  • Processing, fulfilling, and delivering orders; handling returns and refunds.
  • Communicating about orders, deliveries, security, and service updates.
  • Responding to enquiries submitted via our contact form or other channels.
  • Sending password-reset and other transactional emails necessary for account security.
  • With your consent, sending direct marketing about our products and offers (see Section 9).
  • Preventing fraud, abuse, and unauthorised access, including through rate limiting, logging, and security verification tools.
  • Improving our website, analysing performance, and complying with legal and regulatory obligations.

We will not use personal data for purposes incompatible with the original purpose of collection unless permitted by the PDPO or with your prescribed consent.

4. Classes of Transferees and Cross-Border Transfers (DPP3)

We do not sell personal data. We may disclose or transfer data to:

  • Service providers: payment processors (e.g. Stripe), couriers, IT hosting and cloud providers, email (SMTP) services, e-commerce platform operators, and security providers (e.g. Cloudflare), bound by contract or other means to protect data and use it only for specified purposes.
  • Professional advisers and authorities: where required by law, court order, or to protect rights, safety, or property.
  • Corporate transactions: in connection with a merger, acquisition, or restructuring, subject to equivalent protection.

Some providers may process data outside Hong Kong. Where we transfer personal data outside Hong Kong, we comply with section 33 of the PDPO and take all practicable steps to ensure that the data is protected to a standard comparable to the PDPO (for example through contractual clauses, approved mechanisms, or your consent where an exemption applies).

5. Security of Personal Data (DPP4 — Security)

We take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use, having regard to the nature of the data and the harm that could result. Measures include:

  • Encryption in transit (TLS/SSL) for website and API communications.
  • Access controls, least-privilege principles, and secure authentication.
  • Hashed storage of passwords; segregation of production and development environments where practicable.
  • Due diligence on processors and contractual security obligations.
  • Staff awareness and incident response procedures.

No online system is completely secure. You must keep your account credentials confidential. If you suspect unauthorised access, contact us immediately.

6. Data Breach Notification

If a data breach occurs that is likely to result in a real risk of harm to affected individuals, we will take prompt steps to contain the incident, assess impact, and mitigate harm. Where required under the PDPO (including obligations relating to data breach notification as amended and guidance issued by the Office of the Privacy Commissioner for Personal Data, "PCPD"), we will notify the PCPD and affected data subjects without undue delay, and provide information on the nature of the breach and recommended protective steps.

7. Retention and Accuracy (DPP2)

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, tax, and accounting requirements, dispute resolution, and enforcement of agreements.

We take practicable steps to ensure data is accurate, complete, and not misleading. You may update account details when logged in, or contact us to correct inaccuracies. When data is no longer required, we delete or anonymise it securely, subject to lawful retention obligations.

8. Your Rights — Access and Correction (DPP6)

Under the PDPO, you may:

  • Request access to personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure where we have no overriding legal or legitimate need to retain the data.
  • Withdraw consent for processing based on consent (e.g. marketing), without affecting lawfulness of prior processing.
  • Lodge a complaint with the PCPD at www.pcpd.org.hk.

To exercise these rights, email coco@gwshk.com or use our Contact page. We may verify your identity. We will respond within 40 days of a data access request as required by the PDPO, or explain if an exemption applies. A reasonable fee may be charged for access requests as permitted by law.

9. Direct Marketing (Part 6A, PDPO)

We will not use your personal data for direct marketing (including email or SMS promotions) unless we have obtained your consent or indication of no objection in the manner required by Part 6A of the PDPO, or another lawful basis applies. You may opt out at any time via the unsubscribe link in communications or by contacting us.

Where you tick a marketing consent box on our contact or registration forms, that consent relates only to the purposes stated at the time of collection.

10. Cookies and Similar Technologies

We use cookies and similar technologies for essential site operation (e.g. session management, cart, authentication), security (including Turnstile), and, where enabled, analytics. You may refuse non-essential cookies through browser settings; some features may not function correctly if you do so.

Third-party providers (e.g. payment, security, analytics) may set their own cookies subject to their policies. We encourage you to review those policies where relevant.

11. Minors

Our services are not directed at persons under 18. We do not knowingly collect personal data from minors without appropriate parental or guardian consent. If you believe we have collected such data, please contact us and we will take practicable steps to delete it.

12. Openness (DPP5) and Policy Updates

We make this policy available on our website. We may update it from time to time; the "Last updated" date will be revised. For material changes, we may provide additional notice where required by law. Continued use after changes constitutes acceptance of the updated policy, subject to your statutory rights.

For questions, data access or correction requests, or to opt out of marketing, contact us at coco@gwshk.com, or write to: GREATWILL SOURCING (HK) LTD, Rm 1603, 16/F., Pat Tat Ind Bldg., No.1, Pat Tat St., San Po Kong, Kowloon, HK.

Last updated: May 2026