HKMPFSimple

Privacy Policy

Last updated: November 12, 2025

Privacy Policy

Last Updated: November 12, 2025

This Privacy Policy describes how we collect, use, and handle your personal information in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong ("PDPO").

PDPO Compliance Statement

We are committed to complying with the PDPO and protecting the privacy of our users. This policy explains how we handle personal data, including Hong Kong Identity Card (HKID) numbers, in accordance with the six Data Protection Principles outlined in the PDPO.

Information We Collect

Account Information

  • Name (English and Traditional Chinese)
  • Email address
  • Password (encrypted)
  • Organization details

Employee Data (MPF System)

  • Employee name (English and Traditional Chinese)
  • Hong Kong Identity Card (HKID) number
  • Monthly salary information
  • Employment start date
  • Employment status
  • Voluntary contribution percentages

System Information

  • IP addresses (for audit logging)
  • Browser user agent
  • Access timestamps
  • Action logs for compliance

How We Protect HKID Numbers

Critical Security Measures:

  1. Encryption at Rest: All HKID numbers are encrypted using AES-256 encryption before storage in our database. The encryption key is stored separately and securely.

  2. Hashing for Duplicate Detection: We use SHA-256 hashing to detect duplicate HKID entries without storing the HKID in plain text.

  3. Access Control: HKID numbers are only decrypted for:

    • Authorized users viewing employee details (logged in audit trail)
    • CSV export for MPF trustee submission (logged in audit trail)
    • No other access is permitted

  4. Audit Logging: Every access to HKID data is logged with:

    • User who accessed the data
    • Timestamp of access
    • IP address
    • Purpose of access (view or export)
    • User agent information

  5. Masked Display: HKID numbers are displayed in masked format by default (e.g., "Z123456(X)" shown as "****456(X)")

Purpose and Use of Personal Data

We collect and use personal data for the following purposes:

  1. MPF Compliance: Calculate and manage Mandatory Provident Fund contributions as required by Hong Kong law
  2. Payroll Processing: Process monthly payroll runs and generate contribution records
  3. Trustee Reporting: Export data to MPF trustees in required formats
  4. Audit Trail: Maintain compliance records as required by PDPO
  5. System Security: Protect against unauthorized access and fraud
  6. Legal Compliance: Meet regulatory requirements under Hong Kong law

Data Retention

  • Active Employees: Data retained while employment is active
  • Terminated Employees: Data retained for 7 years after termination (as required by MPF regulations)
  • Audit Logs: Retained for 7 years for compliance purposes
  • Payroll Records: Retained for 7 years as required by Hong Kong tax law

Your Rights Under PDPO

Under the PDPO, you have the right to:

  1. Access: Request access to your personal data we hold
  2. Correction: Request correction of inaccurate personal data
  3. Data Portability: Receive a copy of your data in a structured format
  4. Deletion: Request deletion of your data (subject to legal retention requirements)
  5. Object to Processing: Object to certain types of data processing
  6. Audit Log Access: Request audit logs showing who accessed your HKID data

Data Access Requests

To exercise your rights under PDPO, please contact us at:

Data Protection Officer Email: [Your Contact Email] Response Time: Within 40 days as required by PDPO

Data Security Measures

We implement industry-standard security measures:

  • Encryption: AES-256 encryption for sensitive data at rest
  • Transport Security: TLS 1.3 for data in transit
  • Access Control: Role-based access control (RBAC)
  • Audit Logging: Comprehensive logging of all sensitive operations
  • Regular Audits: Security audits and penetration testing
  • Data Backup: Regular encrypted backups with secure storage

Third-Party Services

We may use third-party services for:

  • Database Hosting: Supabase or Neon (PostgreSQL)
  • Email Delivery: Resend or Postmark
  • Error Monitoring: Sentry
  • Payment Processing: Stripe or PayPal

These services are GDPR/PDPO compliant and process data under strict data processing agreements.

International Data Transfer

Your data is primarily stored and processed in:

  • Hong Kong (preferred)
  • Singapore (backup)
  • Other jurisdictions with adequate data protection

We ensure appropriate safeguards are in place for any international transfers as required by PDPO.

Cookies and Tracking

We use essential cookies for:

  • Session management
  • Authentication
  • Security features

We do not use third-party advertising or tracking cookies.

Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors.

Data Breach Notification

In the event of a data breach affecting personal data, we will:

  1. Notify affected users within 72 hours
  2. Report to the Privacy Commissioner for Personal Data if required
  3. Take immediate steps to contain and remediate the breach
  4. Provide guidance on protective measures

Employer Responsibilities

As an employer using our MPF system:

  1. You are the data controller for your employees' data
  2. You must obtain employee consent for data processing
  3. You must inform employees about HKID encryption and audit logging
  4. You are responsible for data accuracy
  5. You must comply with PDPO requirements for employee data

Changes to This Policy

We may update this Privacy Policy to reflect:

  • Changes in legal requirements
  • New features or services
  • Security improvements

Material changes will be notified via:

  • Email to registered users
  • In-app notifications
  • Updated "Last Updated" date

Complaints

If you have concerns about our data handling practices, you may:

  1. Contact our Data Protection Officer (details above)
  2. File a complaint with the Privacy Commissioner for Personal Data:

We process personal data based on:

  • Contractual Necessity: To provide MPF compliance services
  • Legal Obligation: To comply with MPF Ordinance and PDPO
  • Legitimate Interest: For fraud prevention and system security
  • Consent: For optional features or communications

Contact Information

For privacy-related inquiries:

Data Protection Officer [Your Company Name] Email: [Your Contact Email] Address: [Your Hong Kong Address]

Governing Law

This Privacy Policy is governed by the laws of the Hong Kong Special Administrative Region.

Disclaimer: This service calculates MPF contributions based on MPFA guidelines. While we implement strong security measures, employers remain responsible for data accuracy and compliance with MPF regulations. Please verify all calculations with your MPF trustee.

HKMPFSimple© 2025