1. Scope
This Policy explains how ADG collects, uses and protects personal data in connection with adg.ac, marketing and delivery of services to business clients. Where ADG processes Client Data as a processor, the client is the controller and the DPA governs.

2. Data we process
2.1 Website and marketing

• Contact data - name, work email, phone, company, role.
• Technical data - IP, device, browser, cookies, analytics events.
• Preferences - language, communications choices.

2.2 Service delivery

• Account and access data - usernames, business emails, role-based permissions.
• Operational logs - service usage, performance and audit logs.
• Client Data - datasets and exports provided by clients. We prefer client-controlled storage. We do not access bank accounts or payment gateways.

We do not knowingly collect sensitive personal data unless contractually required and lawfully instructed by the client.

3. Legal bases (EEA/UK)
Where GDPR/UK GDPR applies, we rely on: contract performance, legitimate interests (security, service improvement, fraud prevention), consent where required, and legal obligation.

4. Use of data

• Provide and operate services, including support and security.
• Communicate about scopes, incidents, updates and billing.
• Improve reliability and performance of our systems.
• Comply with law and enforce agreements.
• Marketing to business contacts where lawful, with opt-out.

We do not sell personal data.

5. Cookies and analytics
We may use strictly necessary cookies and limited analytics to understand site performance. You can control cookies via browser settings and our banner where required. See Cookie Notice for details of categories and retention.

6. Sharing and sub-processors
We may share data with vetted service providers under data processing terms, including cloud hosting, monitoring, email and document systems. A current list of sub-processors is available on request. We disclose data to authorities only when legally required.

7. International transfers
Data may be processed in Hong Kong and other countries where we or our providers operate. Where GDPR applies and data leaves the EEA/UK, we use approved transfer mechanisms such as SCCs and implement supplementary measures as needed.

8. Security
We apply reasonable technical and organizational measures: least privilege, MFA where supported, encrypted transport, secrets management, logging and audits. Security obligations for specific projects are defined in the SOW or DPA.

9. Retention
We retain personal data only as long as necessary for the purposes above or as required by law. For Client Data, retention follows the SOW or client instruction. Working copies used for delivery are removed after handover unless agreed otherwise.

10. Your rights
Where GDPR/UK GDPR applies, you may request access, rectification, erasure, restriction, portability or object to certain processing. Contact us at [privacy@adg.ac]. We may need to verify your identity and coordinate with your employer if they are the controller.

11. Children
Our services target business users. We do not knowingly collect data from children.

12. Third-party links
Our site may link to third-party sites. Their privacy practices are their own.

13. Data Processing Addendum (DPA)
For clients subject to GDPR/UK GDPR or similar laws, ADG offers a DPA that includes processor obligations, SCCs and security measures. Contact [privacy@adg.ac] to obtain and execute the DPA.

14. Changes
We may update this Policy. Material changes will be posted with a new effective date. Continued use after changes means acceptance.

15. Contact
Questions or requests:
Advanced Data Group Limited
[Address]
[privacy@adg.ac]