Privacy Policy

1. About us and this policy

Insyteful Limited (“Insyteful”, “we”, “us”, “our”) is a Hong Kong–incorporated learning technology company. We provide an AI‑powered learning platform for small and mid‑sized organisations across the Asia‑Pacific region.We take privacy seriously. This policy explains how we collect, use, share, and protect personal data — under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and other applicable data protection laws.For privacy matters, contact us at privacy@insyteful.ai or by post at the address above.

2. Who this policy applies to

This policy describes how we handle personal data of:

• Visitors to insyteful.ai and our other websites
• Prospects and marketing contacts we communicate with about our products
• Customer administrators and contacts at organisations that subscribe to our platform
• Learners who use our platform under a subscription held by their employer or sponsor
• Suppliers, partners, advisors, and contractors
• Job applicants and candidates

For platform learner data processed under a customer subscription, Insyteful acts as a data processor on behalf of the customer organisation, which is the data controller. A separate Data Processing Addendum between Insyteful and the customer governs that relationship. This policy applies to all other interactions.

3. What personal data we collect

4. How we collect personal data

• Directly from you when you visit our website, contact us, register for an event, complete a survey, apply for a role, or use our platform.
• From your organisation when an employer provisions you as a learner on the platform.
• From publicly available sources such as professional networking sites, company websites, and public business registers, for B2B prospecting and marketing.
• From service providers and partners who help us deliver our services or marketing.

5. Why we use personal data and our legal basis

The table below sets out our processing purposes, the lawful basis we rely on under GDPR, and the corresponding basis under PDPO.

When we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. When we rely on legitimate interests, we have assessed that those interests are not overridden by your privacy rights, and you can object at any time.

6. Who we share personal data with

We share personal data only with the following categories of recipients, and only as needed:

7. International transfers of personal data

Insyteful is based in Hong Kong. Our service providers are located in Hong Kong, Singapore, other Asia‑Pacific jurisdictions, the European Union, the United Kingdom, and the United States.
Where we transfer personal data across borders, we rely on appropriate safeguards, including:

• EU Standard Contractual Clauses and the UK International Data Transfer Addendum for transfers from the EU / UK to jurisdictions without an adequacy decision
• Contractual undertakings equivalent to PDPO standards for transfers from Hong Kong to jurisdictions with lower protection
• Adequacy decisions where available

You can request more information about the safeguards in place for specific transfers by emailing privacy@insyteful.ai.

8. How long we keep personal data

We retain personal data only for as long as necessary for the purposes set out in this policy.

At the end of the retention period, we securely delete or fully anonymise the data.

9. Cookies and similar technologies

Our website uses:

• Essential cookies — required for core functionality (e.g. login, session management). These cannot be disabled.
• Analytics cookies — to understand site usage in aggregate and improve the experience.
• Functional cookies — to remember your preferences.

We do not currently use advertising or cross‑site tracking cookies. You can manage non‑essential cookies through our cookie banner and your browser settings.
A separate Cookie Notice sets out the specific cookies in use, their purpose, and their duration.

10. Your rights

Subject to applicable law, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your data, subject to legal retention requirements
• Restriction — ask us to limit how we use your data in certain circumstances
• Objection — object to processing based on legitimate interests, including direct marketing (which you can always opt out of)
• Portability — receive a copy of your data in a structured, machine‑readable format (GDPR / UK GDPR only)
• Withdraw consent — where consent is the legal basis, at any time, without affecting prior processing
• Not be subject to automated decision‑making that produces legal or similarly significant effects without your consent or other lawful basis

To exercise any of these rights, email privacy@insyteful.ai. We will respond within 30 calendar days. We may ask you to verify your identity before acting on a request.
If you are dissatisfied with our response, you have the right to complain to:

• Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD) — pcpd.org.hk
• European Union: the supervisory authority in your country of residence (list at edpb.europa.eu)
• United Kingdom: the Information Commissioner's Office — ico.org.uk
• Other jurisdictions: the equivalent local data protection authority

11. How we protect personal data

We use appropriate technical and organisational security measures, including:

• Encryption of data in transit (TLS) and at rest where supported
• Role‑based access control and the principle of least privilege
• Multi‑factor authentication for administrative access
• Regular security testing and vulnerability management
• Documented incident response procedures
• Vendor due diligence before engaging any processor
• Staff training on privacy and security
• Periodic review of policies, controls, and access rights

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals within statutory timeframes (72 hours under GDPR; without undue delay under PDPO).

12. Children

Insyteful's services are designed for business use by professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have collected data from a minor, please contact us and we will delete it.

13. Third‑party websites and services

Our website and platform may contain links to, or integrate with, third‑party websites and services. This policy does not apply to those services. We encourage you to read the privacy policies of any third party before providing personal data to them.

14. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, services, or legal requirements. Material changes will be communicated through the website and, where appropriate, by direct notice to active customers. The “Last updated” date at the top of this policy shows when it was last revised. We encourage you to review this policy periodically.

15. Contact

Privacy queries and rights requests: privacy@insyteful.ai

Postal address:

Privacy Officer

Insyteful Limited

21st Floor, The Phoenix Building23 Luard RoadWan ChaiHong Kong S.A.R.