Privacy Policy – msrvdfs.com

1 Introduction and Scope

This Privacy Policy (the “Policy”) explains how COMMERCE FLOW LIMITED (the “Company”) collects, uses, stores, shares, and protects personal information (the “Personal Information”) of users (the “User”) who access or use msrvdfs.com (the “Website”) and the Company’s products and services (collectively, the “Services”). This Policy applies to all Personal Information collected by the Company through the Website, during interactions with the Company’s customer service team (via email, phone, or chat), through mobile applications (if applicable), and during the User’s purchase or use of the Services. The Company is committed to complying with the Personal Data (Privacy) Ordinance (Cap. 486) of the Hong Kong Special Administrative Region (“PDPO”) and other applicable data protection laws to ensure the confidentiality, integrity, and security of the User’s Personal Information. By accessing or using the Website or Services, the User acknowledges that they have read and understood this Policy and consent to the collection, use, and disclosure of their Personal Information as described herein.

2 Types of Personal Information Collected

The Company collects two categories of Personal Information: Personal Identification Information (information that can identify an individual) and Non-Identifiable Information (information that cannot be used to identify an individual on its own).

2.1 Personal Identification Information

The Company collects Personal Identification Information only when the User provides it voluntarily or when it is necessary to provide the Services. This includes:

Account Registration Information: Information provided when creating an Account, such as full name, email address, phone number, date of birth (for age verification, if required), and password (stored in encrypted form).

Order and Payment Information: Information provided when placing an Order, such as shipping address (including street name, city, postal code, and country), billing address (if different from the shipping address), payment method details (such as credit card number, expiration date, and security code—note that the Company does not store full credit card details; these are processed by third-party payment service providers in compliance with Payment Card Industry Data Security Standard (PCI DSS)), and bank account information (if using bank transfer as the payment method).

Identity Verification Information: Information requested to verify the User’s identity, such as a copy of a government-issued identification document (passport, national ID card, or driver’s license) or proof of address (utility bill or bank statement), which may be required for high-value orders, to comply with anti-money laundering laws, or to resolve disputes.

Communication Information: Information from communications between the User and the Company, such as email content, chat logs, phone call recordings (with prior notice to the User), and feedback provided through surveys or review forms.

2.2 Non-Identifiable Information

The Company also collects Non-Identifiable Information to improve the Website and Services, analyze user behavior, and enhance the User’s experience. This includes:

Device and Technical Information: Information about the User’s device and internet connection, such as device model, operating system, browser type and version, screen resolution, IP address, internet service provider (ISP), and mobile network information.

Usage Information: Information about how the User interacts with the Website, such as the pages visited, the time spent on each page, the order of page visits, the links clicked, the search queries entered, the products viewed or added to the shopping cart, and the actions taken (such as placing an Order or subscribing to a newsletter).

Location Information: General geographic information derived from the User’s IP address (such as country or city), unless the User explicitly grants permission to collect precise location data (via mobile device settings), which is used only to provide location-based services (such as displaying local shipping options).

Aggregated Information: Information that is aggregated and anonymized, such as the number of users who visited a specific product page, the average order value for a particular region, or the most popular shipping methods. Aggregated Information does not identify any individual User and may be used for business analysis, marketing, or sharing with third parties.

3 Methods of Collecting Personal Information

The Company collects Personal Information through the following methods:

Direct Collection: The User provides Personal Information directly to the Company, such as when registering for an Account, filling out the checkout form, contacting customer service, participating in a survey, or subscribing to marketing communications.

Automated Technologies: The Company uses cookies, web beacons, pixels, and similar tracking technologies (collectively, “Cookies”) to collect Non-Identifiable Information and enhance the User’s experience on the Website. Cookies are small text files stored on the User’s device that allow the Website to recognize the User’s browser, remember preferences (such as language or currency settings), and track usage patterns. The Company uses two types of Cookies:

Necessary Cookies: These Cookies are essential for the Website to function properly. They enable basic features such as logging in, maintaining the shopping cart, and processing orders. The User cannot disable Necessary Cookies through browser settings, as doing so will prevent the Website from working correctly.

Analytics and Marketing Cookies: These Cookies collect information about the User’s browsing behavior to analyze how the Website is used, improve the Website’s performance, and deliver personalized marketing content. Examples include Cookies used by Google Analytics to track page views and user sessions, and Cookies used to remember the User’s product preferences for targeted ads. The User can disable these Cookies through their browser settings (instructions for disabling Cookies are available on the Website’s “Cookie Settings” page), but this may limit the functionality of the Website or result in less relevant marketing content.

Third-Party Sources: The Company may receive Personal Information from third-party service providers, such as:

Payment Service Providers: Providers such as PayPal or Stripe may share information about payment transactions (such as payment confirmation or transaction status) to process Orders and prevent fraud.

Social Media Platforms: If the User logs in to the Website using a social media account (such as Facebook or Google), the social media platform may share basic profile information (such as name, email address, and profile picture) with the Company, as authorized by the User.

Shipping Partners: Logistics providers such as DHL or FedEx may share delivery status information (such as delivery confirmation or failed delivery attempts) to update the User on their Order.

Data Verification Services: Third-party services may provide information to verify the User’s identity or address, to comply with legal requirements or prevent fraudulent activities.

4 Purposes of Using Personal Information

The Company uses Personal Information only for the purposes disclosed in this Policy or as otherwise communicated to the User at the time of collection. These purposes include:

Providing and Maintaining the Services: To process and fulfill Orders (including verifying payment information, preparing products for shipment, and arranging delivery), manage the User’s Account (including updating Account details and resolving Account issues), and provide customer service support (including responding to inquiries, resolving complaints, and providing technical assistance).

Improving the Website and Services: To analyze user behavior and preferences (using Non-Identifiable Information) to identify areas for improvement, such as optimizing the Website’s layout, enhancing the checkout process, or adding new features. The Company may also use feedback provided by the User to improve product quality or service standards.

Marketing and Promotional Activities: To send the User information about products, services, promotions, discounts, or events that may be of interest to them. This includes email newsletters, promotional emails, and targeted ads on the Website or third-party platforms (such as social media). The User may opt out of receiving marketing communications at any time by clicking the “unsubscribe” link in marketing emails or updating their Account preferences.

Ensuring Security and Preventing Fraud: To verify the User’s identity, detect and prevent fraudulent activities (such as unauthorized access to Accounts, fake orders, or payment fraud), and protect the Company’s and the User’s interests. This may include checking the User’s information against third-party fraud prevention databases or using automated systems to flag suspicious transactions.

Complying with Legal and Regulatory Requirements: To comply with applicable laws, regulations, and legal processes (such as responding to subpoenas, court orders, or requests from government authorities), and to fulfill reporting obligations under laws related to tax, customs, or anti-money laundering.

Communicating with the User: To send the User important updates and notifications, such as Order confirmations, shipping alerts, Account updates, changes to this Policy or the Terms of Service, and information about security breaches that may affect the User’s Personal Information. These communications are necessary for the provision of the Services and cannot be opted out of.

5 Disclosure of Personal Information to Third Parties

The Company does not sell, rent, or lease the User’s Personal Information to third parties for marketing purposes. The Company may disclose Personal Information to third parties only in the following circumstances:

Service Providers: The Company shares Personal Information with third-party service providers who perform services on the Company’s behalf. These providers include:

Payment Service Providers: To process payment transactions, verify payment details, and ensure compliance with PCI DSS.

Shipping Partners: To arrange delivery of products, provide shipping tracking information, and confirm delivery.

IT Service Providers: To host the Website, manage data storage, provide cybersecurity services, and maintain the Company’s technical systems.

Customer Service Providers: To handle customer inquiries, process refund and return requests, and provide multilingual support.

Marketing Service Providers: To send marketing communications, manage email campaigns, and deliver targeted ads (only if the User has consented to receive marketing materials).

All service providers are required to sign a confidentiality agreement that prohibits them from using the User’s Personal Information for any purpose other than providing the requested services, and to implement appropriate security measures to protect the information.

Legal and Regulatory Authorities: The Company may disclose Personal Information to government agencies, courts, or regulatory bodies if required by law (such as to comply with a subpoena or court order), to protect the Company’s legal rights, or to prevent harm to the User or others.

Business Transfers: In the event of a merger, acquisition, sale of assets, or other business reorganization, the User’s Personal Information may be transferred to the acquiring entity or new owner as part of the business assets. The Company will notify the User of such a transfer prior to the completion of the transaction, and the acquiring entity will be required to comply with this Policy.

With User Consent: The Company may disclose Personal Information to third parties if the User provides explicit written consent. For example, if the User requests to share their Order information with a family member for delivery purposes, the Company will do so only with the User’s permission.

6 Security of Personal Information

The Company takes the security of the User’s Personal Information seriously and implements a range of technical, administrative, and physical security measures to protect it from unauthorized access, use, disclosure, alteration, or destruction. These measures include:

Technical Measures: The Company uses encryption technology (such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS)) to protect Personal Information transmitted between the User’s device and the Website. The Company also uses firewalls, intrusion detection and prevention systems, and antivirus software to protect its servers from cyberattacks. Personal Information stored on the Company’s servers is encrypted using industry-standard encryption algorithms, and access to the servers is restricted to authorized personnel only.

Administrative Measures: The Company limits access to Personal Information to employees, contractors, and service providers who need the information to perform their job functions. All personnel with access to Personal Information receive regular training on data protection laws, security protocols, and the Company’s privacy policies. The Company also conducts regular audits and reviews of its security practices to identify and address potential vulnerabilities.

Physical Measures: The Company’s physical facilities (such as warehouses and data centers) are secured with access controls (such as keycards, biometric scanners, and security guards) to prevent unauthorized entry. Backup copies of Personal Information are stored in secure, off-site locations, and the Company has a disaster recovery plan in place to ensure that data can be recovered in the event of a natural disaster, cyberattack, or other emergency.

Despite these measures, no method of transmitting or storing data is completely secure. The Company cannot guarantee the absolute security of the User’s Personal Information, and the User acknowledges that they provide Personal Information at their own risk. The User should take steps to protect their own information, such as using a strong password for their Account, keeping their password confidential, and logging out of their Account when using a public device.

7 User Rights Regarding Personal Information

Under the PDPO and other applicable data protection laws, the User has the following rights with respect to their Personal Information:

Right to Access: The User has the right to request access to the Personal Information that the Company holds about them, including details of how the information is collected, used, and disclosed. To exercise this right, the User must submit a written request to the Company’s data protection officer and provide proof of identity (such as a copy of a government-issued ID). The Company will respond to the request within 40 calendar days of receiving it.

Right to Correction: The User has the right to request correction of any Personal Information that is inaccurate, incomplete, or outdated. The User can update most Account information (such as email address or shipping address) directly through their Account on the Website. For other corrections, the User must submit a written request with supporting evidence (such as a copy of a utility bill for address correction), and the Company will respond within 40 calendar days.

Right to Erasure: The User has the right to request the erasure of their Personal Information in certain circumstances, such as when the information is no longer necessary for the purpose for which it was collected, the User withdraws consent, or the information was collected unlawfully. The Company may refuse the request if erasure would conflict with legal obligations or legitimate business interests. The User can request erasure by submitting a written request to the data protection officer.

Right to Withdraw Consent: The User has the right to withdraw consent for the Company to use their Personal Information for certain purposes (such as marketing). Withdrawing consent does not affect the lawfulness of the Company’s use of the information before consent was withdrawn. The User can withdraw consent by unsubscribing from marketing emails, updating Account preferences, or submitting a written request.

Right to Data Portability: The User has the right to request a copy of their Personal Information in a structured, machine-readable format, so that it can be transferred to another data controller (such as another e-commerce platform). The Company will provide the information in a format such as CSV or JSON within 40 calendar days of receiving the request.

8 Retention of Personal Information

The Company retains the User’s Personal Information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The retention period for different types of Personal Information is as follows:

Account Information: Retained for 2 years after the User’s Account is closed, unless the User requests erasure earlier or legal requirements dictate a longer retention period.

Order and Payment Information: Retained for 7 years after the completion of the Order, to comply with tax and accounting laws.

Marketing Information: Retained until the User unsubscribes from marketing communications or requests erasure.

Identity Verification Information: Retained for 5 years after the last interaction with the User, to comply with anti-money laundering laws.

After the retention period expires, the Company will securely delete or anonymize the Personal Information so that it can no longer identify the User.