Privacy Notice - Hong Kong

Last updated: September 2022

  1. Purpose of Notice (Statement)

    This notice statement is the Privacy Notice statement of NIUM Limited (formerly known as Instarem Limited) and its affiliates and subsidiaries (collectively, “Companies”). The purpose is to share with you our policies and practices surrounding our commitment to protect the privacy of personal data and to comply with the relevant privacy regulations in the locations we operate in. It is the corporate notice and the social responsibility of Companies and each of our subsidiaries to respect and safeguard the privacy of an individual’s personal data. Compliance with this notice and the respective jurisdiction’s privacy laws and regulations is not only the responsibility of Companies’ management but also the direct responsibility of every employee of Companies and its direct subsidiaries. NIUM Limited and its affiliates are collectively referred to as “Companies”, “we”, “our” or “us” in this notice. Whenever there are conflicts between this notice and the local privacy legislation, the latter shall prevail. It is thus necessary for you to share your personal data in connection with the opening or continuation of accounts and the establishment or continuation of any services/ facilities with Companies to initiate or maintain the business relationship.

  2. Scope

    This Privacy Notice explains how we handle personal data you share with Companies’ businesses globally.

    1. Personal Data.

      Personal data is information that identifies you as an individual, such as your name, mailing address, email address, age range, etc. Personal data is only obtained when you voluntarily provide the information to us. Companies use personal data to better understand your needs and interests and to provide you with better service.

    2. Data Subjects.

      Customers and beneficial owners and related parties and all individuals connected with Companies in the course of our business are each considered a “Data Subject”, and shall be collectively referred to as “Data Subject”, “you” or “your” in this notice. This includes employees and any third-party vendors we engage in the course of our business.

  3. Privacy Principles

    Your privacy matters to us. Our business has been built on trust between our customers and ourselves. To preserve the confidentiality of all information you provide to us, Companies shall maintain the following privacy principles:

    1. we only collect personal information that we believe to be relevant and necessary, in order to help us conduct our business;
    2. we may use your personal information to provide you with better customer services and products;
    3. we may pass your personal information on to other companies or agents, as permitted by law;
    4. we will not disclose your personal information to any external organization unless we have your consent or are required by law or have previously informed you;
    5. we may be required from time to time to disclose your personal information to Governmental or judicial bodies or agencies or our regulators, but we will only do so under proper authority;
    6. we should aim to keep your personal information on our records accurate and up to date;
    7. we shall maintain strict security systems designed to prevent unauthorized access to your personal information by anyone, including our staff;
    8. Companies and its subsidiaries, all our staff and all third parties with permitted access to your information shall be specifically required to observe our confidentiality obligations.

    By maintaining our commitment to these principles, Companies will ensure that we respect the inherent trust that you place in us.

    This notice shall stipulate:

    1. our purposes of personal data collection;
    2. the important controls employed by each member of the Companies for protection of personal data;
    3. the classes of persons we can transfer personal data to;
    4. the data access and correction right of customers and beneficial owners and security providers (each a “Data Subject”).
  4. Purposes of Data Collection

    1. From time to time, it is necessary for a Data Subject to supply Companies with personal data in connection with the opening or continuation of accounts and/ or the establishment or continuation of facilities or provision of commercial services.
    2. Failure to supply such personal data may result in the relevant member of the Companies being unable to open or continue accounts or establish or continue facilities or provide commercial services to the Data Subject.
    3. It is also the case that personal data are collected from a Data Subject in the ordinary course of the continuation of the relationship, for example, when a Data Subject effects payment transactions, requests additional commercial services, implements ecommerce capabilities, or discusses / arranges commercial facilities for himself / herself or for any third party.
    4. The purposes for which personal data relating to a Data Subject may be used by Companies or any person who has obtained such data from the relevant member of the Companies are as follows:
      1. the daily operation of the commercial services and facilities provided to the Data Subject or any third party when the Data Subject is a guarantor or security provider for such facilities;
      2. conducting credit checks and carrying out matching procedures at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
      3. creating and maintaining the Companies’ credit assessments;
      4. ensuring ongoing credit worthiness of a Data Subject whether or not for the purpose of taking adverse action against the Data Subject;
      5. designing commercial services or related products for a Data Subject’s use;
      6. marketing services, products and other subjects in respect of which Companies may or may not be remunerated;
      7. determining the amount of indebtedness owed to or by a Data Subject;
      8. enforcement of a Data Subject’s obligations, including without limitation the collection of amounts outstanding from a Data Subject;
      9. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the relevant member of the Companies or its group company or that it is expected to comply with according to:
        1. any law binding or applying to Companies or its subsidiaries existing currently and in the future;
        2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers existing currently and in the future applying to itself or its subsidiaries;
        3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the relevant member of the Companies or its subsidiaries by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations.
      10. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the group of Companies and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
      11. processing and maintenance of Companies colleagues’ personal data as legally required and fundamentally required for the evaluation of each individual’s career movement within Companies; and
      12. purposes relating thereto.
  5. Important Controls Employed by Companies For Protection of Personal Data

    1. Personal data held by Companies and its subsidiaries relating to a Data Subject shall be kept confidential and private under encryption. We shall take reasonable technical and organizational precautions to prevent the loss, misuse or alteration of your personal data. We shall store all the personal data you provide on our secure servers.
    2. Physical copies shall be under lock and key with logged access.
    3. Any losses of personal data shall be handled, in the first instance, as per legislated requirements or guidelines. Should there be none, Companies and its subsidiaries should make arrangements to notify the relevant internal and external stakeholders. Periodic updates will be arranged to notify them of actions and remedies taken, with the final solution to be shared on a fair and equitable basis. The final handling decision lies with Companies, based firstly on legal and regulatory priorities, followed by its social responsibility.
  6. Classes of Persons We Can Transfer Personal Data

    Companies may provide such personal data to the following parties for the purposes set out in Section 4:

    1. any agent, contractor or third-party service provider who provides administrative, telecommunications, computer, payment, debt collection or other services to it in connection with the operation of its business;
    2. any other person or entity under a duty of confidentiality within Companies which has to be in line with their nature of function on a need to know basis;
    3. credit reference agencies, and, in the event of defaults, to debt collection agencies;
    4. any person or entity to whom the relevant member of the Companies or its group company is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the relevant member of the Companies or its group company, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the relevant member of the Companies or its group company is expected to comply, or any disclosure pursuant to any contractual or other commitment of the relevant member of the Companies or its group subsidiaries with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be existing currently and in the future applying to itself or its subsidiaries;
    5. any other person or entity (including its associated companies or affiliates) who has established or proposes to establish any business relationship with it or recipient of the data; and
    6. any party giving or proposing to give a guarantee or third-party security to guarantee or secure the Data Subject’s obligations.
  7. Data Access and Correction Right of Customers and Beneficial Owners and Related Parties

    You have the right:

    1. Any Data Subject has the right:
      1. to check whether Companies holds personal data about him / her and to access such personal data;
      2. to require Companies to correct any personal data relating to him / her which is inaccurate;
      3. to ascertain Companies’ policies and practices in relation to personal data and to be informed of the kind of personal data held by that relevant member of the Companies.
    2. Personal data of a Data Subject may be processed, kept, transferred or disclosed in and to any country as the relevant member of the Companies or any person who has obtained such personal data from the relevant member of the Companies referred to in above considers appropriate, within the relevant member of the Companies only. Such personal data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.
    3. In accordance with the terms of local legislation when it permits, Companies or its subsidiaries have the right to charge a reasonable fee for the processing of any personal data access request.
    4. As per the Instarem policies, deletion may apply where information has been collected from and about the customer for the purpose of an Instarem service and where a customer: has partially registered; has an approved Instarem account; or has an active NIUM account. The individual can submit a request pertaining to the information held/collected about them using the contact details listed below in section 8.
    5. The request will be assessed and handled in line with Instarem’s internal Global Data Retention and Purging Policy, which encompasses Instarem’s obligation to maintain, keep, archive and purge the data in accordance with the applicable Privacy Laws.
    6. In respect of each member of the Companies or their subsidiary, any requests for access to personal data or correction of data or for information regarding policies and practices and kinds of data held can be addressed as follows:

      Address: Room 517 5F, Inno Centre, 72 Tat Chee Avenue, Kowloon Tong, Hong Kong;

      Email: [email protected].

      Help Centre available on our website or mobile application

  8. Use of Data in Direct Marketing

    1. Should Companies or its subsidiaries intend to use a Data Subject’s personal data in direct marketing, we should require the Data Subject’s explicit consent (which includes an indication of no objection) for that purpose.
    2. If a Data Subject does not wish Companies to use or provide to other persons his personal data for use in direct marketing as described above, the Data Subject may exercise his opt-out right by notifying the relevant member of the Companies or its subsidiary. For your convenience, you may also send your request as follows.

      Attention to:

      Address: Room 517 5F, Inno Centre, 72 Tat Chee Avenue, Kowloon Tong, Hong Kong

      Email: [email protected].

    3. Nothing in this Notice Statement shall limit the rights of Data Subjects under any local privacy legislation of any jurisdiction we operate in.

NIUM Limited (formerly known as Instarem Limited) is regulated by Hong Kong Customs and Excise Department