Legal

Privacy Policy

How CareEZ collects, uses, and protects personal data — in compliance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486).

Last updated: 2026-06-09

📋 1. Introduction and Scope

This Privacy Policy applies to CareEZ, the public-good brand operated by our parent social enterprise registered in Hong Kong under the Social Enterprise Directory (HKCSS). References to "CareEZ", "we", "us", or "our" in this Policy refer to that entity.

We operate the website at careez.org, the live demo platform at demo.careez.org, and associated APIs and services. This Policy explains what personal data we collect, why we collect it, how it is used, who it may be shared with, and your rights under Hong Kong law.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

Important — Screening Tool, Not a Medical Device: CareEZ provides AI-assisted swallowing-safety screening tools only. These tools are not medical devices and do not constitute a medical diagnosis. No clinical decisions should be made solely on the basis of CareEZ outputs. Always consult a qualified healthcare professional, such as a speech-language therapist or registered dietitian, for individual assessment and treatment.

📦 2. Personal Data We Collect

We collect personal data only to the extent necessary to provide our services. The categories of data we may collect are:

2.1 Data You Provide Directly

  • Contact enquiries: Name, email address, organisation, and message content when you submit a contact form or send us an email.
  • Pilot / trial applications: Name, role, organisation name, facility type, and contact information submitted via the trial application form.

2.2 Data Collected Automatically

  • Usage data: Pages visited, time and duration of visit, referring URL, browser type, device type, and operating system — collected via Cloudflare Web Analytics (privacy-preserving; no individual tracking cookies are set).
  • API request data: Input text descriptions, food images, or symptom selections submitted to our live classification API endpoints are processed transiently to return a response. These inputs are not stored beyond the request lifecycle and are not associated with any individual user account.
  • Log data: Standard server-side request logs (IP address, request path, timestamp, HTTP status code) retained for security and operations purposes.

2.3 Data We Do Not Collect

  • We do not collect protected health information (PHI) identifiable to any named individual.
  • We do not build individual user profiles from API usage.
  • We do not use third-party advertising trackers or cross-site tracking technologies.

🎯 3. Purpose of Collection and Use

In accordance with Data Protection Principle 1 of the PDPO, personal data is collected for specified, explicit, and lawful purposes. We use the data we collect for the following purposes:

  • To respond to enquiries, partnership requests, and clinical deployment applications;
  • To deliver and improve our AI-assisted screening tools and classification API;
  • To maintain the security, integrity, and performance of our services;
  • To comply with applicable laws and regulatory requirements;
  • To send service-related communications (not marketing) to users who have contacted us or applied for a pilot.

We will not use personal data for purposes incompatible with those stated above without obtaining your prior consent.

🏛 4. PDPO Compliance (Hong Kong)

Our parent social enterprise is subject to the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong. We comply with the six Data Protection Principles (DPPs) set out in Schedule 1 of the PDPO:

  • DPP 1 — Purpose and collection: Data is collected only for lawful purposes that are directly related to our services, and only to the extent necessary.
  • DPP 2 — Accuracy and retention: Reasonable steps are taken to ensure data is accurate and not held longer than necessary.
  • DPP 3 — Use of data: Personal data is used only for the purpose for which it was collected, unless we have obtained your consent.
  • DPP 4 — Security: We apply appropriate technical and organisational measures to protect data against unauthorised or accidental access, processing, loss, or destruction.
  • DPP 5 — Openness: We make available this Policy and information about our data handling practices.
  • DPP 6 — Access and correction: Data subjects have the right to access and correct their personal data held by us (see Section 9 below).

For clinical dataset governance, co-stewardship structure, and the public-asset principles that apply to our research data, see our Data Governance page.

🗓 5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Contact enquiry records: Retained for up to 2 years from the date of the enquiry, then securely deleted.
  • API request inputs (text, images, symptom selections): Not retained — processed in memory during the request and discarded immediately after the response is returned.
  • Server logs: Retained for up to 90 days for security and operations purposes, then deleted or anonymised.
  • Analytics data: Aggregated and anonymised; no individual-level retention.

When data is no longer required, it is securely deleted or anonymised in a manner that prevents reconstruction.

🔗 6. Third-Party Processors and International Transfers

We use a limited number of third-party service providers to operate our services. Where personal data is processed by a third party on our behalf, we take reasonable steps to ensure they provide equivalent protections:

  • Cloudflare, Inc. (USA): Provides website hosting (Cloudflare Pages), content delivery network (CDN), DNS, and privacy-preserving web analytics. Data may be processed on Cloudflare infrastructure globally. See Cloudflare's Privacy Policy.
  • AI inference providers: Our classification API uses large language model (LLM) inference. Input data submitted to API endpoints (food descriptions, symptom descriptions, food images) is transmitted to AI model providers for inference. These providers operate under their own data processing agreements. We do not transmit personally identifiable information to AI providers; inputs should not contain individual patient names or identification numbers.

Some of these processors may be located outside Hong Kong. Where personal data is transferred internationally, we take reasonable steps to ensure that the recipient provides protections that are substantially similar to the PDPO requirements.

We do not sell, rent, or exchange personal data with any third party for marketing purposes. We do not allow third-party advertising networks to place trackers on our services.

🍪 7. Cookies and Tracking Technologies

Our website does not use first-party session or persistent cookies for tracking or profiling. Cloudflare Web Analytics, our analytics provider, uses a privacy-preserving approach that does not set individual tracking cookies or fingerprint users across sites.

Cloudflare may set technical cookies (e.g. __cf_bm) that are strictly necessary for bot management and security. These are not used for advertising or cross-site tracking.

If you access third-party links from our site (e.g. seniordeli.com, dysphagia.cn), those sites operate under their own cookie and privacy policies.

🔒 8. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for all data in transit (HTTPS enforced via Cloudflare);
  • Restricted access controls for systems holding personal data;
  • No persistent storage of API inputs beyond the request lifecycle;
  • A published responsible disclosure policy at careez.org/security/.

No system is completely immune from security risks. In the event of a data breach affecting personal data, we will notify affected individuals and the Office of the Privacy Commissioner for Personal Data (PCPD) in accordance with applicable law.

9. Your Rights Under the PDPO

Under the PDPO, Hong Kong data subjects have the right to:

  • Access: Request a copy of personal data we hold about you (Section 18, PDPO).
  • Correction: Request correction of inaccurate personal data (Section 22, PDPO).
  • Objection: Object to the use of your personal data for direct marketing (Section 35G, PDPO). We do not currently engage in direct marketing.
  • Erasure / deletion: Request deletion of data we hold about you, where we have no lawful basis for retaining it.

To exercise any of these rights, please contact our Data Protection Officer using the contact details in Section 11 below. We will respond within 40 days as required by the PDPO.

If you have concerns about our data handling, you may also contact the Office of the Privacy Commissioner for Personal Data (PCPD): www.pcpd.org.hk.

👶 10. Children's Privacy

Our services are directed at care facilities, healthcare professionals, and social enterprise partners. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

📬 11. Contact and Data Protection Officer

For privacy enquiries, data access/correction requests, or to raise a concern about our data handling practices, please contact our Data Protection Officer:

[email protected]
Subject: Privacy / PDPO Request — CareEZ
We aim to acknowledge requests within 5 working days and respond fully within 40 days.

Correspondence may also be directed to our registered address in Hong Kong. Please contact us by email in the first instance for the current address.

🔄 12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. The "Last updated" date at the top of this page indicates when the Policy was last revised. Material changes will be notified via a notice on our website.

Continued use of our services after the revised Policy is posted constitutes acceptance of the updated terms.