Privacy Policy
Last updated: May 25, 2026 Version: 1.1
1. Introduction and Data Controller
This Privacy Policy explains how TZ Cloud Stream (Hong Kong) Limited, a company incorporated in Hong Kong ("we," "us," or "our") collects, uses, stores, and protects personal data in connection with the website at chinatransit.guide and any related services (collectively, the "Service").
We act as the data controller for personal data processed in connection with your use of the Service.
Contact: TZ Cloud Stream (Hong Kong) Limited RM 1507B, 15/F, Eastcore, 398 Kwun Tong Road, Kwun Tong, Hong Kong Email: [email protected]
2. Scope of This Policy
This Policy applies to all users of the Service. The Service is intended solely for users located outside of Mainland China. This service is not directed to users located in Mainland China. If you are located in Mainland China, please do not use this Service.
3. Legal Framework
We operate under the following primary legal frameworks:
| Framework | Applicability |
|---|---|
| Hong Kong Personal Data (Privacy) Ordinance (PDPO) (Cap. 486) | Primary applicable law; governs all personal data processing |
| GDPR / UK GDPR | Applies to personal data of users in the European Economic Area and United Kingdom |
| California Consumer Privacy Act (CCPA) / CPRA | Applies to personal data of California residents |
4. Personal Data We Collect
We apply a data minimisation principle. We collect only what is strictly necessary for the operation of the Service.
4.1 Data You Provide Directly
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address (entered at checkout or through optional sign-in flows) | PDF delivery; transactional communication; optional authentication support | Contract performance (GDPR Art. 6(1)(b)); PDPO Data Protection Principle 1 |
| Planned entry date (optional, entered at checkout) | Tailoring support context and itinerary-related guidance | Contract performance |
| Nationality and transit route (entered in eligibility checker) | Generating your eligibility assessment result | Legitimate interest in providing the core service function |
4.2 Data Collected via Payment Processor (Stripe)
Payments are processed through Stripe Checkout. Payment card details, billing address, and transaction records are processed by Stripe under their privacy policy. We receive only:
- A transaction or session identifier used to verify your purchase
- Your email address as provided at checkout, used to deliver the PDF and support delivery-related issues
We do not store full payment card details at any time.
4.4 Temporary Data
| Data | Retention | Purpose |
|---|---|---|
| Checkout email and delivery metadata | Retained only as needed for order support and fraud review | Sending the PDF and helping with resend requests |
4.5 Technical and Usage Data
If you have provided consent (where required), we may collect:
| Data | Purpose |
|---|---|
| IP address (truncated / anonymised) | Security monitoring; geolocation for feature restriction (see Section 9) |
| Browser type and version | Compatibility and error monitoring |
| Pages visited, events (e.g., form steps completed, checkout initiated) | Analytics to improve the Service (see Section 7) |
5. Data We Do Not Collect
We have made the following deliberate architectural decisions to minimise data collection:
- No phone numbers. We do not collect, request, or store mobile phone numbers at any point in the Service. This decision is permanent unless subject to a documented compliance review and privacy policy update.
- No passports or identity documents. We do not collect copies of passports or other identity documents.
- No payment card data. All payment data is handled exclusively by Stripe.
- No marketing emails without consent. We do not send marketing emails. Transactional communications (e.g., order delivery emails or optional sign-in links) do not require separate marketing consent.
- No behavioural profiling or retargeting. We do not build behavioural profiles of users for advertising purposes.
6. How We Use Your Personal Data
| Purpose | Legal Basis (GDPR) | Legal Basis (PDPO) |
|---|---|---|
| Providing and maintaining the Service | Contract performance (Art. 6(1)(b)) | DPP 1, DPP 3 |
| Verifying purchases and delivering the PDF | Contract performance (Art. 6(1)(b)) | DPP 1, DPP 3 |
| Sending PDF delivery and resend emails | Contract performance (Art. 6(1)(b)) | DPP 1, DPP 3 |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) | DPP 1, DPP 3 |
| Analytics and Service improvement (with consent) | Consent (Art. 6(1)(a)) | DPP 1 (with consent) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | DPP 3 |
| Responding to data subject requests | Legal obligation (Art. 6(1)(c)) | DPP 6 |
7. Analytics
7.1 We use Google Analytics 4 ("GA4") for analytics purposes.
7.2 For users in the European Economic Area and United Kingdom, analytics tracking scripts are loaded only after you have provided affirmative consent via our Consent Management Platform (CMP). You may withdraw consent at any time via the cookie preference centre.
7.3 If you do not provide consent, or if you withdraw consent, you can still access all core features of the Service, including the eligibility checker (read-only access is not conditioned on analytics consent).
7.4 We configure GA4 with IP anonymisation enabled. We do not enable Google Signals or cross-device tracking features.
8. Cookies and Similar Technologies
We use the following categories of cookies and similar technologies:
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookie (authentication state); cookie preference record | No |
| Analytics | GA4 measurement ID | Yes (EEA/UK); Cookie notice for others |
| Affiliate Tracking | Affiliate partner cookies (e.g., Airalo, Trip.com) loaded on click | Yes (EEA/UK) |
You can manage your cookie preferences at any time via the preference centre accessible in the footer of the Service.
9. Geolocation and Regional Restrictions
9.1 We use IP-based geolocation to implement the following restrictions for access from Mainland China IP addresses:
- The AI itinerary parsing feature is not rendered.
- Behavioural analytics, retargeting, and personalisation features are disabled.
- Affiliate tracking cookies are not loaded.
9.2 These controls are product-level measures. They do not constitute a legal determination of jurisdictional applicability. IP-based geolocation is not perfectly accurate.
9.3 If you are a user in the European Union or United Kingdom, your geolocation may be used to determine tax treatment at checkout and to display region-appropriate affiliate partners.
10. Data Sharing and Third-Party Processors
We share personal data with the following categories of third parties:
| Recipient | Role | Purpose | Data Shared |
|---|---|---|---|
| Stripe | Payment processor / Data Processor | Payment processing and checkout confirmation | Order data; email for receipt |
| Resend, Inc. | Email delivery / Data Processor | Sending PDF delivery and resend emails | Email address; download link |
| Google LLC (Analytics) | Analytics processor | Service analytics (with consent) | Anonymised usage events |
| Hosting / Database provider (e.g., Vercel) | Infrastructure processor | Storing order and delivery records | Order ID; email; delivery metadata |
| Cloudflare, Inc. | CDN / Security / R2 Storage | Content delivery; PDF storage; DDoS protection | IP address (truncated); PDF files |
We do not sell personal data. We do not share personal data with data brokers or advertising networks.
Cross-Border Data Transfers. Our infrastructure is hosted outside Mainland China (Singapore and/or US West regions). Where personal data is transferred from the European Economic Area or United Kingdom to a third country, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) as approved by the European Commission, and/or Data Processing Agreements (DPAs) with each processor.
11. Data Retention
| Data | Retention Period |
|---|---|
| Checkout email and delivery metadata | Retained only as needed for order support, resend requests, fraud review, or legal compliance |
| Analytics events | As per GA4 default retention settings (up to 14 months); not linked to identifiable users |
| Access logs | 30 days rolling, then deleted |
| Legal hold / dispute records | Duration of applicable statutory limitation period (minimum 6 years under Hong Kong law) |
12. Your Rights
12.1 Rights Under GDPR (EEA and UK Users)
If you are located in the European Economic Area or United Kingdom, you have the following rights:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | You may request a copy of all personal data we hold about you. We will respond within 30 days. |
| Right to Rectification (Art. 16) | You may request correction of inaccurate personal data. |
| Right to Erasure (Art. 17) | You may request deletion of your personal data. See Section 12.4 for the process. |
| Right to Restriction (Art. 18) | You may request that we restrict processing of your data in certain circumstances. |
| Right to Data Portability (Art. 20) | You may request your data in a structured, commonly used, machine-readable format. |
| Right to Object (Art. 21) | You may object to processing based on legitimate interests. |
| Right to Withdraw Consent | Where processing is based on consent (e.g., analytics), you may withdraw consent at any time. |
12.2 Rights Under CCPA (California Residents)
California residents have the right to know what personal information we collect, to delete personal information, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights.
12.3 Rights Under Hong Kong PDPO (All Users)
Under the PDPO, you have the right to request access to and correction of your personal data held by us.
12.4 How to Exercise Your Rights
Submit a request to: [email protected]
To make a deletion request, we will:
- Delete or minimise checkout email and delivery metadata unless retention is required for fraud review or legal compliance.
- Respond to confirm completion within 30 days.
Note: If you ask us to delete your order-support records, we may no longer be able to resend delivery instructions for past purchases.
12.5 Right to Lodge a Complaint
If you are located in the European Economic Area, you have the right to lodge a complaint with the supervisory authority of your EU member state. If you are located in the United Kingdom, you may contact the Information Commissioner's Office (ICO). If you are located in Hong Kong, you may contact the Office of the Privacy Commissioner for Personal Data (PCPD).
13. Children's Privacy
The Service is not directed to children under 18 years of age. We do not knowingly collect personal data from children under 18. The Service's authentication flow requires users to confirm they are 18 years of age or older (or have parental permission). If we become aware that we have inadvertently collected personal data from a child under 18, we will delete that data promptly. Please contact us at [email protected] if you believe we have collected data from a child.
Note for GDPR users: Under GDPR, children under 16 years of age (or a lower age set by their EU member state) require verifiable parental consent to use online services. Under COPPA, children under 13 in the United States require verifiable parental consent.
14. Security
We implement technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:
- HTTPS encryption for all data in transit
- HttpOnly, Secure session cookies
- Server-side entitlement verification (client-reported payment status is never trusted)
- Data hosted in jurisdictions with adequate security standards (Singapore / US West)
- No storage of OAuth access tokens or refresh tokens
- No storage of payment card data
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
15. Changes to This Policy
We will notify you of material changes to this Policy by updating the "Last updated" date at the top and displaying a notice on the Service. We will not retroactively reduce your rights under this Policy without your consent.
16. Contact and Complaints
For questions or to exercise your rights, contact us:
TZ Cloud Stream (Hong Kong) Limited RM 1507B, 15/F, Eastcore, 398 Kwun Tong Road, Kwun Tong, Hong Kong Email: [email protected]
We aim to respond to all privacy requests within 30 calendar days.
This document is provided in English only. In the event of any discrepancy arising from translation, the English version shall prevail.