PRIVACY POLICY

1. Overview

• This Privacy Policy explains how The Companions CCM Limited (“we”, “us”, “our”) collects, uses, discloses and protects your personal data in connection with:
  • https://thecompanions.com.hk (the Website)
  • https://booking.thecompanionsccm.com (the Booking Site)
  • any related services, booking forms, blogs, telehealth and client portals (collectively, the “Services”).
• We are committed to complying with the Hong Kong Personal Data (Privacy) Ordinance (PDPO) and to respecting your privacy.

2. Personal Data We Collect We may collect the following categories of personal data:

• Identity and contact information: name, date of birth, gender, postal address, email address, phone numbers, emergency contact details.
• Health and clinical data: medical history, mental health information, therapy notes, medication, risk assessments and other clinical information necessary for counselling.
• Booking and payment details: appointment dates/times, payment method, billing address, transaction records (note: full card details are not stored by us).
• Usage data: IP address, browser and device information, pages visited, and booking site activity (via cookies and analytics).
• Communications: correspondence with us (email, messages, call recordings if applicable and with notice).
• Any other personal data you provide.

3. How We Use Personal Data (Purposes) We will use personal data for purposes including:

• Providing counselling, intake, assessment, treatment planning and related services.
• Managing bookings, payments, invoicing and refunds.
• Communicating with you about appointments, administrative matters, follow-ups and promotions (with consent for marketing).
• Maintaining clinical records and complying with legal, professional or regulatory obligations.
• Ensuring safety (e.g., assessing risk), case management, referrals and emergency contact.
• Improving our Services, website administration, analytics and research (aggregated/anonymized).
• Protecting legal rights, preventing fraud and resolving disputes.

4. Legal Basis and PDPO Considerations

• Under PDPO, we collect personal data for lawful business purposes related to providing health/counselling services, with consent where required.
• For sensitive data (health/clinical information), we will obtain explicit consent where required by professional standards and PDPO guidance, except where the disclosure is necessary to prevent harm or required by law.

5. Sharing and Disclosure of Personal Data We may share personal data with:

• Our staff and contracted counsellors for the purpose of delivering services.
• Service providers and processors: payment processors, booking platform providers, IT providers, cloud hosting, analytics providers, telehealth platform vendors and other vendors who process data on our behalf. These parties are bound by confidentiality and data protection obligations.
• Referrers and other healthcare professionals with your consent or where necessary for your care.
• Legal and regulatory authorities when required by law or a court order or to protect safety.
• In emergencies: to emergency services, hospitals or authorities if we have reasonable grounds to believe disclosure is necessary to prevent harm.
• Aggregated/anonymized data: we may publish or use de-identified or aggregated data for reporting or research without identifying individuals.

6. Cross-border Transfers

• Personal data may be processed or stored outside Hong Kong (e.g., cloud hosting, third-party processors). Where data is transferred cross-border, we will take reasonable steps to ensure adequate protections (contractual clauses, security measures). By using the Services you consent to such transfers.

7. Data Security

• We implement technical and organizational measures to protect personal data against unauthorized access, loss, alteration or disclosure. Measures include:
  • Access controls and role-based permissions
  • Encryption of data in transit (e.g., TLS/HTTPS) and, where possible, at rest
  • Secure hosting and vendor due diligence
  • Staff training and confidentiality agreements
• While we strive to protect data, no system is completely secure; we cannot guarantee absolute security.

8. Data Retention

• We retain personal data only as long as necessary for the purposes for which it was collected and to meet legal, regulatory and professional record-keeping obligations.
• Typical retention: active client records while services are provided and for a period of [suggested: 7 years] after the end of the client relationship (adjust as required). Administrative and financial records may be retained for tax and accounting purposes in accordance with statutory requirements.
• If you request erasure, we will assess the request and may retain limited records as required by law or professional obligations.

9. Cookies and Tracking

• We use cookies and similar technologies on the Website and Booking Site to facilitate functionality, analytics and marketing:
  • Strictly necessary cookies: required for site functioning (booking, login, security).
  • Performance/analytics cookies: to understand site usage (Google Analytics or similar).
  • Functional cookies: enhance user experience (language, preferences).
  • Advertising/targeting cookies: for marketing (where used).
• You can set your browser to refuse cookies or to alert you when cookies are being sent; disabling some cookies may affect site functionality. For analytics and targeted advertising, you can opt-out through tools provided by service providers.

10. Marketing Communications

• We will only send marketing or promotional materials with your consent where required. You may opt out at any time by clicking the unsubscribe link in emails or contacting us at [insert marketing contact email].

11. Your Rights Under PDPO you have certain rights, including:

• Right of access: you can request a copy of your personal data we hold (we may charge a reasonable fee for copying, in accordance with PDPO guidance).
• Right to correction: you may request correction of inaccurate personal data.
• Right to erasure: to the extent permitted by law and professional obligations, you can request deletion of your data.
• Right to withdraw consent: where processing is based on consent, you may withdraw consent (withdrawal will not affect processing already carried out lawfully).
• To make a request: contact us at [insert privacy contact email or postal address]. We will respond within a reasonable time and as required by PDPO.
• If dissatisfied, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong.

12. Data Breach Notification

• In the event of a suspected data breach that may cause real risk of significant harm, we will investigate, take remedial action and notify affected individuals and the PCPD as appropriate and in accordance with PDPO guidance.

13. Children and Vulnerable Persons

• We do not knowingly collect personal data from children under 18 without parental/guardian consent. Special rules apply for minors; parents/guardians should contact us for bookings and consents.

14. Third-Party Processors and Links

• Third-party services (payments, telehealth, analytics) may collect and process data according to their own policies. Please refer to their privacy policies. We are not responsible for third-party practices.

15. Changes to this Policy

• We may update this Privacy Policy occasionally. We will post the updated policy on the Website and Booking Site with the “Effective date”. Continued use constitutes acceptance of the updated policy.

16. Contact and Data Protection Officer

• Questions, access/correction requests or complaints:
  • Email: [insert privacy contact email, e.g., privacy@thecompanions.com.hk]
  • Postal: [insert company address]
• We may appoint a Data Protection Officer or designated privacy contact; details will be provided here if applicable.

17. Governing Law

• This Privacy Policy is governed by the laws of Hong Kong Special Administrative Region.