Privacy Policy

Last updated: 6 Feb 2026

1. Introduction and Our Commitment

1.1. ConEdu Limited ("we," "our," or "us") operates the online platform known as ConEdu Platform (the "Service"). Our Service is designed to assist local professionals in Hong Kong with the enrollment and recording of Continuing Professional Development activities. For the purposes of this policy, the term "Continuing Professional Development (CPD)" is used inclusively to refer to all forms of continuing education and training, including but not limited to Continuing Medical Education (CME), Continuing Nursing Education (CNE), and Continuing Education in Midwifery (CEM).

1.2. We are deeply committed to protecting the privacy and security of your personal data. This Privacy Policy Statement outlines our policies and practices concerning the collection, use, retention, transfer, security, and access of your personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").

1.3. By using our Service, you consent to the data practices described in this statement.

2. Principles of Our Data Practice

We adhere to the following core data protection principles:

  • Data Minimization: We only collect personal data that is strictly necessary and adequate for the specified purposes.

  • Transparency: We are open about what data we collect and why.

  • Security: We implement robust technical and organizational measures to protect your data.

  • Respect for Your Rights: We facilitate your legal rights to access and correct your data.

3. The Personal Data We Collect

A. Personal Data You Provide Directly:

  • Account Information: To create an account and use our Service, we typically collect your full name, email address, and a password of your choice. We may also collect your professional field, qualification number(s) (e.g., for a professional body), and contact details (such as a business address or phone number) if essential for CPD reporting.

  • Event-Specific Information: For the enrollment in certain CPD activities, the respective CPD Provider may request additional information to complete your registration or tailor the event. This may include details such as your current workplace, job title, or department. The specific data requested will be clearly indicated at the point of enrollment for that particular activity. Provision of such information is voluntary and is processed to fulfill your enrollment request at the direction of the CPD Provider.

  • Compliance Documentation: In order to verify your eligibility to practice and to fulfill specific compliance requirements set by your employer, CPD administrator or professional body, you may be requested to upload a copy of your current practising certificate or other professional license (collectively, "Compliance Documentation") to your account profile. The request for such documentation will be initiated based on a requirement from your designated Compliance Monitor (as defined in Section 7.4 below). Provision of Compliance Documentation is voluntary but may be necessary for the Compliance Monitor to complete their verification process. We process this data strictly as instructed by you and for the sole purpose of facilitating this compliance verification.

  • CPD Records: The primary function of our Service is to allow you to record and manage your CPD activities. This includes details you input, such as course names, dates, durations, providers, and learning outcomes.

  • Communications: When you contact our customer support, we collect the information you provide, which may include your name, email address, and the content of your communication.

B. Personal Data Collected Automatically:

  • Technical Data: When you visit our website, our web servers automatically collect and log information such as your IP address, browser type and version, operating system, referral source, pages visited, visit times, and other browsing behavior. This data is aggregated and analyzed to help us understand website traffic, improve user experience, and ensure system security. It is not used to identify individuals directly.

  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are small files stored on your device. We use them for:

    • Essential Operations: To enable core functionalities like user login and session management.

    • Performance: To understand how users interact with our website so we can improve it.

    • Functionality: To remember your preferences and settings.

  • You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our Service.

C. Payment Processing Information:

  • For fee-based CPD activities or premium platform features, all payment transactions are processed securely through our designated third-party payment service providers (e.g., Stripe, PayPal). We do not collect, process, or store your full payment card details, bank account numbers, or other sensitive payment information on our servers. The payment information you provide is transmitted directly to and handled by the third-party payment gateway in accordance with their privacy policy and security standards. We may receive and retain non-sensitive transaction data from the payment provider (such as payment confirmation, transaction ID, date, and amount) for the purposes of order fulfillment, accounting, and records.

4. How We Use Your Personal Data

We use the collected data for the following lawful purposes:

5. Data Retention and Deletion

5.1. We will only retain your personal data for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

5.2. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.

5.3. You may request the deletion of your account and associated data at any time by contacting us. We will securely delete or anonymize your data upon verification of your request, subject to any overriding legal obligations to retain it.

5.4. Your Compliance Documentation will be retained only for as long as is strictly necessary to fulfill the specific compliance verification purpose for which it was uploaded, or as required by the Compliance Monitor under your instruction. Upon the expiration of your practising certificate or the termination of your relationship with the relevant Compliance Monitor, we will, upon your request or as per our data retention schedule, securely delete or anonymize such documentation, unless we are obliged to retain it for a longer period under applicable laws.

6. Data Security Measures

6.1. We implement a range of security measures to maintain the safety of your personal data. These measures include, but are not limited to:

  • Technical Measures: Use of encryption (e.g., SSL/TLS) for data in transit, secure network infrastructure with firewalls, and regular security monitoring and vulnerability assessments.

  • Organizational Measures: Restricted access to personal data on a "need-to-know" basis for our employees and contractors, who are bound by confidentiality obligations. Regular training for staff on data protection.

6.2. While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee its absolute security.

6.3. In the unlikely event of a security breach that compromises the confidentiality of your Compliance Documentation or other highly sensitive personal data, we will, in accordance with our legal obligations and as appropriate, notify you and the relevant authorities without undue delay, describing the nature of the breach, the categories of data affected, and the recommended steps you may take to protect yourself.

7. Data Disclosure and Transfer

7.1. We may disclose your personal data to the following parties under strict confidentiality agreements and only where necessary:

  • CPD Providers: When you enroll in a CPD activity, we will share your name, professional qualification number, and course attendance information with the respective CPD Provider to facilitate your participation and official record-keeping.

  • Regulatory Authorities: CPD Providers will use the information we provide to submit your CPD completion records to the relevant authorities (e.g., Supplementary Medical Profession Council and The Nursing Council of Hong Kong) to fulfill the requirements of the mandatory CPD scheme. We act as a data processor on behalf of the CPD Providers in this context.

  • Legal Obligations: We may disclose your data where required to do so by law, or in response to valid requests by public authorities (e.g., a court or a government agency).

  • Service Providers: We engage trusted third-party companies (e.g., cloud hosting services) to help us operate our Service. These parties are bound by strict data processing agreements and cannot use your data for their own purposes.

7.2. In certain professions and circumstances, you may be required to demonstrate your CPD compliance and/or your valid professional practising status to your employer or a designated professional administrator (the "Compliance Monitor") in order to fulfill employment or regulatory obligations and maintain your professional practice rights.

  • Condition for Disclosure: We will only disclose your (i) CPD records, progress reports, or related information, and/or (ii) your uploaded Compliance Documentation (e.g., practising certificate) to a Compliance Monitor upon your explicit, prior, and informed consent. This consent will be obtained through a clear and separate authorization process within the Service.

  • Purpose of Disclosure: The disclosure is made strictly for the purpose of allowing the Compliance Monitor to monitor your CPD progress, verify your professional practising status, verify compliance with mandatory or employment-related CPD and licensing requirements, and facilitate internal reporting necessary for you to continue performing your professional duties.

  • Scope of Disclosure: The specific information shared will be clearly defined at the time of your consent. We will only disclose the minimum data necessary for the stated compliance monitoring purpose.

  • Our Role: In such instances, we act as a data processor, facilitating the sharing of your CPD data and Compliance Documentation based on your direct instruction. The Compliance Monitor, as the recipient of your data, is responsible for handling it in accordance with applicable data protection laws and any separate agreement they may have with you.

  • Withdrawal of Consent: You have the right to withdraw your consent for future disclosures to a Compliance Monitor at any time through your account settings or by contacting us. Withdrawal will not affect the lawfulness of any disclosure made prior to your withdrawal.

7.3. We do not sell, trade, or otherwise transfer your personally identifiable information to external third parties for their direct marketing purposes.

7.4. As we are based in Hong Kong, your data is processed within Hong Kong. Should we need to transfer data outside Hong Kong in the future, we will ensure a similar level of data protection is in place, as required by the PDPO.

8. Direct Marketing

8.1. How We Use Your Data for Marketing

  • We would like to use your name and email address to provide you with information about our services, including the latest CPD courses, platform feature updates, and industry events that may be relevant to your professional development.

8.2. Voluntary Nature of Provision

  • Providing your personal data for direct marketing is voluntary. Your decision to not consent will not affect your eligibility to use our core CPD services (e.g., enrolling in and recording courses).

8.3. Your Right to Opt-Out

  • You have the right to request that we stop using your personal data for direct marketing at any time, free of charge. Every marketing email we send will contain a clear and easy-to-use "unsubscribe" link. Clicking this link will promptly stop all future marketing communications from us. You may also make an opt-out request in writing to our Data Protection Officer.

8.4. Our Use of Your Data

  • We do not rent, sell, or provide your personal data to any external third parties for their direct marketing purposes. All direct marketing activities will be conducted by ConEdu Platform only.

9. Your Data Subject Rights

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact our designated Data Protection Officer:

Email: info@conedu.com.hk

Mailing Address: Room A, 9/F, Garment Centre, 576-586 Castle Peak Road, Kowloon, Hong Kong

9.1. Under the PDPO, you have the right to:

  • Request access to a copy of the personal data we hold about you.

  • Request correction of any inaccurate or incomplete personal data.

  • Withdraw consent for the use of your data, where consent was the legal basis for processing. Withdrawal may affect our ability to provide certain services.

  • Inquire about our data policies and practices.

9.2. In addition to the general rights described in this section, you may, at any time, view or delete the Compliance Documentation you have uploaded through your account. Please note that deleting a document which is currently being used in an active compliance verification process may impact the Compliance Monitor's ability to complete the verification and may result in you being unable to fulfill the relevant professional requirements.

9.3. To exercise these rights, please submit a written request using the contact details below. We may require you to verify your identity before processing your request. We will endeavour to respond to your request within 40 days as stipulated by the PDPO.