私隱政策聲明 Privacy Policy Statement (PPS)

Society of True Light Limited (真光社有限公司) Last Updated: June 5th, 2026

1. Scope and Data Protection Officer

This Statement explains how Society of True Light Limited (“the Company”) collects, holds, uses, and discloses personal data, in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. It applies to personal data of members, donors, beneficiaries, staff, volunteers, contractors, and others whose data the Company processes.

The Company Secretary is the Data Protection Officer for the Company and is the contact point for individuals exercising rights under the Ordinance and for the Privacy Commissioner.

Contact: admin@true-light.asia

2. Data we hold

We hold personal data in the following categories:

  • Member records — identification, contact, membership history.
  • Donor records — identification, contact, payment channel, donation history.
  • Beneficiary records — identification, contact, and counselling intake records relating to services delivered.
  • Personnel records — staff employment and remuneration records.
  • Volunteer records — identification, contact, assignment history.
  • Contractor and service-provider records — contact, contract, and payment records.
3. Purposes and use

Personal data is collected only for a lawful purpose related to a Company function, and is used only for that purpose or a directly related purpose. Any new use requires the individual’s prescribed consent.

Beneficiary data is used only for delivering services and related quality, safety, and statutory reporting. Beneficiary data is never used for fundraising or marketing.

4. Retention

Data category

Retention after the relationship ends

Member records

7 years (or longer where the Articles or law require)

Donor records

7 years (and per Inland Revenue Department requirements for section 88 receipts)

Beneficiary intake and counselling notes

7 years (or longer where clinical guidance requires)

Personnel records

7 years

Event attendance lists

2 years

Website analytics logs

12 months

After the retention period, data is deleted or anonymised.

5. Access and correction

Any individual may make a Data Access Request under section 18 or a Data Correction Request under section 22 of the Ordinance by writing to admin@true-light.asia. The Data Protection Officer acknowledges the request within 7 days and responds within the 40-day statutory deadline. The Company may charge a fee not exceeding the cost of compliance.

6. Transfers and overseas hosting

The Company shares personal data with a third party only where necessary and under contractual protection requiring at least equivalent protection.

The Company stores personal data in cloud workspaces (including Google Workspace) and uses third-party payment and email-delivery providers. These providers may process data on servers located outside Hong Kong. By providing personal data to the Company, you understand that data may be transferred to and stored in such locations.

7. Direct marketing

The Company uses personal data for direct marketing (including donation appeals and newsletters) only with the individual’s prior consent under Part 6A of the Ordinance. You may withdraw consent at any time by writing to admin@true-light.asia.

8. Website analytics and cookies

The Company’s website collects anonymous visit data (such as IP address, browser type, pages viewed) for analytics. Where cookies or third-party analytics tools (such as Google Analytics) are used, this is disclosed in the website’s cookie notice. Personal data is collected through the website only when you voluntarily submit it (for example, through a contact form or donation form).

9. Children’s data

Where the Company provides services to a person under 18, the Company will seek the consent of a parent or guardian before collecting or using the minor’s personal data, except where the service itself is one the minor is entitled to access directly under Hong Kong law.

10. Security

The Company holds personal data in managed cloud workspaces with two-factor authentication on every Company account. Access to beneficiary data is restricted to the staff and committee members directly working with that beneficiary.

11. Breach response

If the Company becomes aware of a suspected or actual personal-data breach, the Data Protection Officer is notified within 24 hours. The Company will notify affected individuals and the Privacy Commissioner where the breach poses a real risk of significant harm, and will keep a written incident record for seven years.

12. External links

This website may link to third-party websites. The Company is not responsible for the privacy practices of those external sites.

13. Changes to this Statement

The Company may update this Statement. The Last Updated date above reflects the most recent revision. Material changes are notified by a prominent notice on this page.

1. 範圍及保障資料主任

本聲明說明真光社有限公司(「本社」)按照《個人資料(私隱)條例》(第486章)及其六項保障資料原則,如何收集、持有、使用及披露個人資料。本聲明適用於本社處理之會員、捐款人、服務受益人、員工、義工、承辦商,以及其他相關人士之個人資料。

本社之公司秘書為本社之保障資料主任,亦為個人資料當事人行使條例下權利之聯絡人,並為與私隱專員公署聯絡之代表。

聯絡電郵: admin@true-light.asia

2. 我們持有之資料

本社持有以下類別之個人資料:

  • 會員紀錄 — 身份、聯絡資料及會籍歷史。
  • 捐款人紀錄 — 身份、聯絡資料、付款渠道及捐款歷史。
  • 服務受益人紀錄 — 身份、聯絡資料,以及與所提供服務有關之輔導及接案紀錄。
  • 員工紀錄 — 員工聘用及薪酬紀錄。
  • 義工紀錄 — 身份、聯絡資料及服務分派紀錄。
  • 承辦商及服務供應商紀錄 — 聯絡資料、合約及付款紀錄。
3. 目的及用途

本社僅為與本社職能有關之合法目的收集個人資料,並僅將資料用於該目的或與其直接相關之目的。任何新用途均須取得當事人按條例所訂明之同意。

服務受益人之資料只用於提供服務,及與服務質素、安全及法定匯報相關之用途。服務受益人之資料絕不會用於籌款或市場推廣。

4. 保留期

資料類別

關係終止後保留期

會員紀錄

7 年(如組織章程或法律有更長要求則從其規定)

捐款人紀錄

7 年(並按稅務局有關第88條收據之要求)

服務受益人接案及輔導紀錄

7 年(如臨床指引有更長要求則從其規定)

員工紀錄

7 年

活動出席紀錄

2 年

網站分析紀錄

12 個月

保留期屆滿後,資料會被刪除或匿名化處理。

5. 查閱及更正

任何人士均可按條例第18條提出查閱資料要求,或按第22條提出更正資料要求,請電郵至 admin@true-light.asia。本社之保障資料主任會於7 日內確認收到要求,並於法定 40 日期限內作出回覆。本社可就遵從要求之成本收取合理費用。

6. 資料轉移及境外儲存

本社僅在必要時與第三方分享個人資料,並會以合約規定第三方提供至少同等程度之保障。

本社使用雲端工作平台(包括 Google Workspace)儲存個人資料,並使用第三方付款及電郵發送服務供應商。該等供應商可能在香港境外之伺服器上處理資料。當閣下向本社提供個人資料時,即表示閣下明白資料可能會被轉移至上述地方並在當地儲存。

7. 直接促銷

本社僅在取得當事人事先同意之情況下,按條例第6A部使用個人資料作直接促銷用途(包括捐款呼籲及通訊)。閣下可隨時電郵至 admin@true-light.asia 撤回同意。

8. 網站分析及 Cookies

本社網站會收集匿名瀏覽資料(例如 IP 地址、瀏覽器類別、瀏覽頁面)作分析用途。若網站使用 Cookies 或第三方分析工具(例如 Google Analytics),會於網站之 Cookie 聲明中披露。本社只會在閣下自願提交個人資料時(例如透過聯絡表格或捐款表格)方會經網站收集該等資料。

9. 未成年人士之資料

如本社為18歲以下人士提供服務,會於收集或使用該未成年人士之個人資料前,徵詢其家長或監護人之同意;但若該服務根據香港法律屬該未成年人士可自行使用者,則屬例外。

10. 保安

本社於設有雙重認證之雲端工作平台上儲存個人資料。服務受益人之資料只供直接負責該個案之員工及委員會成員查閱。

11. 資料外洩應變

若本社知悉懷疑或實際發生個人資料外洩事件,會於24小時內通知保障資料主任。如有關事件對受影響人士構成重大傷害之實質風險,本社會通知受影響人士及私隱專員公署,並會保存書面事故紀錄達七年。

12. 外部連結

本網站或會連結至第三方網站。本社不就該等外部網站之私隱做法負責。

13. 本聲明之修訂

本社可不時修訂本聲明。以上之「最後更新」日期反映最近一次修訂。如有重大修訂,本社會於本頁張貼明顯告示。