Privacy Policy

1. Definitions
   1.1 Unless otherwise defined in this Privacy Policy, all capitalized terms used herein shall have the meanings ascribed to them in the General Terms. All rules of interpretation set forth in the General Terms shall apply to this Privacy Policy unless the context requires otherwise.
    

   "Authorized User" means a Customer or an Alliance Partner, or their designated representatives, who have been granted specific authorization by the Company to access and utilize the CAP Portal pursuant to the CAP Portal Terms.

   "CAP Portal" means the Customer and Alliance Partner Portal, being the online platform provided by the Company for Customers and Alliance Partners to access certain services, information, and resources.

   "CAP Portal Content" means any information, documents, images, videos, materials, or other content available on, downloadable from, or obtained through the CAP Portal, whether by viewing, downloading, copying, or any other means.

   “Company” means NTT Com Asia Limited and its affiliates, as applicable, collectively referred to as "we," "us," or "our" throughout this Privacy Policy. For the purposes of data controller identification under applicable data protection law, the principal data controller is NTT Com Asia Limited. Where any affiliate of NTT Com Asia Limited independently processes personal data as a separate data controller, that affiliate's own privacy notice will apply to such processing.

   “Personal Data” means any data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained and in a form in which access to or processing of the data is practicable, as defined under the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong.

   “User” means collectively Website Users and Authorized Users.

   “Website” means the Company’s public-facing website located at www.ntt.com.hk and www.oceanintels.ai, including any subdomains thereof, but excluding the CAP Portal.

   "Website User" means any individual or entity accessing or using the Company's public-facing website, without logging into the CAP Portal.

   "Website Content" means any information, documents, images, videos, materials, or other content available on or obtainable through the Website, excluding CAP Portal Content.

   1.2 The headings in this Privacy Policy are for convenience only and have no legal or contractual effect.

   1.3 This Privacy Policy governs the collection, use, disclosure, and processing of personal data in connection with the access and use of the Company's website, including the CAP Portal. This Privacy Policy shall be read in conjunction with the CAP Portal Terms and the General Terms and Conditions. In the event of any inconsistency between this Privacy Policy and the aforementioned documents, this Privacy Policy shall prevail in respect of matters relating to personal data protection.

    

    

2. Collection of Personal Data
   2.1 NTT Com Asia Limited and its affiliates, as applicable (the “Company”) collects personal data in strict compliance with Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and this Privacy Policy, primarily to facilitate your use or subscription of our Website, products, services, and/or other support.
   
   2.2 The types of personal data we may collect include, but are not limited to, your name, contact details, preferences related to our services and products, and information necessary for service provision and support.
   
   2.3 The collection of personal data serves several purposes:
   a) To provide the products, services, and support you have requested or subscribed to, where only necessary personal data will be collected;
   b) To enhance your user experience, including the use of anonymous aggregated data for website content and functionality improvement;
   c) For processing and use by any third party service providers that offer administrative, payment gateway, financing, professional, or other services to the Company;
   d) For processing and use by any banking, financial, or other institution with which you have or propose to have dealings;
   e) For processing and use by debt collection or credit reference agency or similar provider of debt collection or credit information services to the Company;
   f) For processing and use by entities to which the Company transfers or proposes to transfer its interests and/or obligations under relevant contract, arrangement, or transaction between you and the Company, or otherwise in respect of you or any product or service provided by the Company to you;
   g) For processing and use by governmental authorities or the court as required by applicable laws or court order;
   h) For essential system administration and troubleshooting purposes, involving the collection of technical logs;
   i) For marketing and promotional activities, with your consent and providing an option to opt-out mechanism;
   j) For the transfer and processing of your personal data, such as name, contact details, transaction details, and product/service preferences, by the Company to its affiliates and business partners in Hong Kong or other jurisdictions (collectively, the “Related Entities”), as reasonably necessary for the Related Entities to provide member support, process your transactions, make product/service recommendations, administer contests, projects (including situations where you sign up for or participate in projects conducted by any Related Entity), and promotions in which you participate, perform administrative functions, enable your registration and account creation on platforms, portals, or apps operated by any Related Entity, and/or facilitate your attendance at e-learning sessions or other activities on websites, portals, or apps maintained by such Related Entity;
   k) To facilitate access and use of the CAP Portal for Authorized Users; and
   l) For processing by artificial intelligence, machine learning, and automated analytical systems — to the extent that Personal Data is processed using AI tools, automated analysis, or algorithmic systems, whether operated locally by the Company or provided by Cloud-based third-party AI service providers, for purposes including service optimisation, anomaly detection, predictive analytics, and automated report generation. Where required by applicable law, the Company will obtain your express consent prior to such processing, or will rely on an applicable alternative lawful basis as set out in Clause 4 of this Privacy Policy. Where the Company proposes to use your Personal Data for a new AI-related purpose not covered by this Privacy Policy, the Company will notify you of the new purpose and, where required by applicable law, seek your consent before commencing such processing.
   
   2.4 The Company may collect the following types of Personal Data through the Website and CAP Portal:
   (a) Login credentials and authentication information;
   (b) User preferences and settings;
   (c) Usage data, including but not limited to, pages visited, features used, and time spent on the Website or CAP Portal;
   (d) Device information, including IP address, browser type, and operating system; and
   (e) Any other information voluntarily provided by the user through the Website or CAP Portal.
   
   2.5 The Company distinguishes between data processing practices for the public-facing Website and the CAP Portal as follows:
   (a) Public Website: Collects limited Personal Data, primarily for analytical and functional purposes.
   (b) CAP Portal: Collects more extensive Personal Data, including account information and usage data, to provide personalized services to Authorized Users.
   
   Authorized Users should refer to the CAP Portal Terms for additional information on data processing related to CAP Portal usage.
   
   
   2.6 The Company may use certain Personal Data to send you updates, announcements, and recommendations relating to the Company's products and services ("Marketing Communications"). The following particulars are provided pursuant to Part VIB of the Personal Data (Privacy) Ordinance (Cap. 486):
   (a) the classes of Personal Data to be used for this purpose are: name, job title, business email address, and business telephone number;
   (b) the classes of subjects of the Marketing Communications are: the Company's telecommunications services, data centre and colocation services, managed network services, cloud connectivity, cybersecurity services, AI solutions, and related products and services offered by the Company or its affiliates; and
   (c) you have the right to request the Company to cease using your Personal Data for the above purpose at any time, free of charge. To exercise this right, please contact the Data Protection Manager at dpm@ntt.com.hk. The Company will comply with any such request within a reasonable time.
   
   2.7 Where the Company's customers are corporate entities or organisations, authorised representatives of those entities may, in the course of establishing or managing their account with the Company, provide the Company with personal data of their colleagues, employees, or other contacts (such as names, job titles, business email addresses, and telephone numbers). By providing such personal data, the corporate customer warrants that it has appropriate authority, and has taken all necessary steps under applicable data protection law, to share that personal data with the Company for the purposes described in this Privacy Policy.
   
   2.8 The Company processes personal data provided by corporate customers pursuant to Clause 2.7 on the basis of its legitimate interests in delivering services, maintaining customer relationships, and communicating relevant product and service updates to account contacts, having assessed that those interests are not overridden by the rights and freedoms of the individuals concerned. Individuals whose personal data has been provided by a corporate customer in this manner retain the right to object to, or opt out of, any such processing at any time by contacting the Data Protection Manager at dpm@ntt.com.hk, and the Company will comply with any such request without charge.
   
   
3. Use and Disclosure of Personal Data
   3.1 Personal data collected by the Company is accessed, stored, and processed in line with PDPO requirements.
   
   3.2 Disclosure of personal data is limited and may include sharing with:
   a) Parties you engage with our Website;
   b) The Company’s affiliates, agents, contractors, other telecommunication network providers, and other third party service providers necessary for business operations and service delivery;
   c) Business partners involved in providing services to you;
   d) Entities in the event of a transfer of the Company’s interests and/or obligations under any contract with you or in connection with a product or service provided to you;
   e) Law enforcement, regulatory bodies or the Court, as required by law.
   
   
   3.3 Personal Data processed by the Company may be transferred to, and stored or processed in, jurisdictions outside Hong Kong, including in connection with Cloud-based artificial intelligence services and third-party processors. Where Personal Data is transferred outside Hong Kong, the Company will take reasonable steps to confirm that the recipient provides a level of protection of Personal Data that is at least comparable to the protection afforded under the PDPO. Where Personal Data of individuals in the European Economic Area or the United Kingdom is transferred to third countries, such transfer will be subject to appropriate safeguards in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) Chapter V, including standard contractual clauses or other approved transfer mechanisms.
   
   3.4 The Company may collect and process different types of personal data for Website Users and Authorized Users. Authorized Users should refer to the CAP Portal Terms for additional information on data processing related to CAP Portal usage.
   
   3.5 Personal Data collected through the Website or CAP Portal may be integrated with other Company systems for the purposes of providing services, account management, and internal analytics. Such integration shall be subject to appropriate technical and organizational measures to ensure the security and confidentiality of the Personal Data.
   
   3.6 The Company may engage third-party service providers to assist in operating the Website and CAP Portal. These service providers may have access to Personal Data collected through the Website or CAP Portal solely for the purpose of performing their functions and are contractually bound to maintain the confidentiality and security of the data.
   
   
4. Artificial Intelligence and Automated Processing
   4.1 The Company may use artificial intelligence, machine learning models, and automated analytical tools to process Personal Data for the purposes described in Clause 2.3(l) above. Such processing may be carried out using systems operated locally by the Company or by Cloud-based AI service providers located outside Hong Kong, including in jurisdictions such as the United States, Singapore, or member states of the European Union. Where such processing involves the transfer of Personal Data outside Hong Kong, the Company will apply appropriate safeguards as described in Clause 3.3.
   
   4.2 Where the Company relies on your consent as the lawful basis for AI-related processing of your Personal Data, such consent will be:
   (a) sought separately and specifically for the AI processing purpose concerned;
   (b) voluntary and capable of being withdrawn at any time without detriment to your continued access to the Company’s core services; and
   (c) obtained through a dedicated consent notice or mechanism presented to you at the relevant point of interaction, including through the CAP Portal where applicable.
   
   Withdrawal of consent may be effected at any time by written notice to the Company at the contact details set out in Clause 15. Withdrawal of consent does not affect the lawfulness of any processing conducted prior to withdrawal.
   
   4.3 Where consent is not the applicable legal basis for AI-related processing, the Company will rely on one of the following, as applicable and as permissible under applicable law:
   (a) performance of a contract to which you are a party, or steps taken at your request prior to entering into a contract;
   (b) compliance with a legal obligation to which the Company is subject; or
   (c) the legitimate interests of the Company or a third party, where such interests are not overridden by your fundamental rights and freedoms.
   
   The applicable legal basis will be identified and documented prior to the commencement of such processing.
   
   
   4.4 Where the Company engages a third-party Cloud-based AI service provider to process Personal Data on its behalf, the Company will:
   (a) carry out due diligence on the provider’s technical and organisational measures prior to engagement;
   (b) enter into a data processing agreement imposing obligations on the provider that are equivalent to those applicable to the Company under the PDPO and, where applicable, the GDPR;
   (c) limit the provider’s access to and use of Personal Data to the specified AI processing purpose; and
   (d) prohibit the provider from using Personal Data for its own model training or other independent purposes, unless your express consent has been separately obtained for such use.
   
   4.5 The Company may use AI tools and automated systems, including generative AI services provided by Cloud-based third-party providers, to assist in drafting, tailoring, and optimising communications sent to customers and their representatives. The purpose of such processing is to enable the Company to communicate in a manner that is relevant, timely, and suited to the recipient's account profile and business relationship with the Company. Personal data used for this purpose may include account information, service history, and communication preferences. All such AI-assisted communications are subject to human review prior to dispatch. Processing for this purpose is carried out on the basis of consent obtained through the Company's online consent mechanism or, where applicable, the Company's legitimate interests as described in Clause 2.8. Individuals retain the right to object to or opt out of such processing at any time as described in Clauses 5.3 (d) and (e).
   
   
5. User Rights under PDPO
   5.1 Under the PDPO, data subjects are entitled to certain rights, which the Company respects and upholds. These rights include:
   (a) Requesting access to personal data held by the Company;
   (b) Seeking correction of any personal data that is inaccurate or incomplete;
   (c) Receiving information on the Company’s policies and practices regarding personal data;
   (d) Objecting to the use of personal data for direct marketing; and
   (e) Requesting the deletion of personal data, subject to legal and operational requirements.
   
   5.2 To exercise these rights, you shall submit a written request to our designated Data Protection Manager. The Company may charge for processing your access request as permitted under the PDPO. The Company is committed to honouring valid data subject rights request under the PDPO within legally mandated timeframe. We may charge a reasonable fee for processing such requests, as permitted under the PDPO.
   
   5.3 Exercise of Rights under PDPO. In addition to the rights specified in Clause 5.1, users may exercise the following rights specifically in relation to Personal Data collected through the Website and CAP Portal:
   (a) The right to be informed about the purposes of use of their Personal Data;
   (b) The right to request erasure of their Personal Data, subject to legal and operational requirements;
   (c) The right to object to the use of their Personal Data for direct marketing purposes;
   (d) The right to withdraw consent for specific data processing activities, where consent was the legal basis for such processing; and
   (e) The right to object to processing of your Personal Data for AI-driven profiling or analysis, where such processing is based on the Company’s legitimate interests.
   
   To exercise these rights, users shall follow the procedure outlined in Clause 5.2.
   
   
6. Data Security
   6.1 The Company employs robust technical and organizational measures to safeguard personal data against unauthorized processing, loss, destruction or damage.
   
   6.2 Key security safeguards include:
   a) Rigorous access controls and authentication protocols;
   b) Comprehensive policy controls on data access;
   c) Regular cybersecurity training for staff.
   
   6.3 Despite our stringent security measures, the Company cannot guarantee absolute security of personal data. The Company does not warrant that personal data will be entirely secure from unauthorized access or disclosure.
   
   6.4 The Company's liability for security breaches, unauthorized disclosure, or data misuse is limited to the maximum extent permitted by law. The Company shall not be liable for any form of damages resulting from cybersecurity incidents. This limitation of liability supersedes any conflicting provision in this Privacy Policy.
   
   6.5 The Company shall not under any circumstances be liable for any direct, indirect, incidental, consequential, special, exemplary or punitive damages arising out of or in connection with any cybersecurity breach or data leakage incident.
   
   6.6 Users are responsible for maintaining the security of their account credentials and must promptly notify the Company of any unauthorized use of their account or any other breach of security.
   
   
7. Data Retention
   7.1 Personal data is retained only as long as necessary for its intended purposes. The Company adheres to legal, regulatory, and contractual retention requirements, ensuring data is not kept beyond necessary periods.
   
   7.2 In the event of data correction or deletion requests by data subjects, the Company reserves the right to retain necessary personal data for compliance with legal obligations or for the establishment, exercise, or defense of legal claims. This data will be retained strictly in accordance with the PDPO and other relevant laws and regulations.
   
   7.3 The Company shall retain Personal Data collected through the Website and CAP Portal for the following periods:
   (a) For the duration of the user's active account plus 7 years following account closure;
   (b) For 3 years from the date of collection;
   (c) For the duration of the user's active account plus 30 days following account closure; and
   (d) Until the user withdraws consent or opts out of marketing communications.
   
   Notwithstanding the foregoing, the Company reserves the right to retain data for longer periods where necessary for legal, regulatory, or operational requirements.
   
   
8. Cookies and Local Storage
   8.1 The Company utilizes cookies and local storage technologies on the Website and CAP Portal for the following purposes:
   (a) To enhance user experience and functionality;
   (b) To analyse usage patterns and improve our services;
   (c) To remember user preferences and settings; and
   (d) To facilitate secure login and authentication processes for Authorized Users.
   
   8.2 Users (both Website Users and Authorized Users) may manage their cookie preferences through their browser settings. However, disabling certain cookies may impact the functionality of the Website or CAP Portal.
   
   
9. Third Party Services
   9.1 The Company may engage third-party service providers to assist in operating the Website and CAP Portal. These service providers may have access to Personal Data collected through the Website or CAP Portal solely for the purpose of performing their functions and are contractually bound to maintain the confidentiality and security of the data.
   
   9.2 Whenever the Company shares your personal data with third parties, such as service providers, business partners, or other related third parties, the Company ensures such parties are obligated to protect your data in compliance with the PDPO. We will require all such third parties to maintain the confidentiality and security of the personal data they process on our behalf, prevent its misuse, and process it only in accordance with our specified purposes and in line with the applicable legal framework. This includes third-party service providers that offer administrative, payment gateway, financing, professional, or other services to the Company.
   
   
10. Modifications
    10.1 Our Privacy Policy may be updated at any time without prior notice to reflect changes in our data processing practices or relevant laws. Amendments will be effective immediately upon posting on our Website.
    
    10.2 The Company will notify you of any significant changes that affect the processing purposes or the categories of personal data processed. Notification will be provided through our website and, where feasible, via direct communication to you, such as email. We encourage you to review our Privacy Policy regularly to stay informed of how we are protecting your information.
    
    10.3 The Company will endeavour to communicate significant changes to the Privacy Policy to affected users, when feasible, via email or website notification. However, it is ultimately the responsibility of the users to stay informed about changes by regularly checking our Website.
    
    10.4 Users’ continued use of the Company’s services after any changes to the Privacy Policy constitutes their acceptance of the revised terms. If users do not agree to the amended Privacy Policy, they should cease using the Company’s services.
    
    10.5 For Authorized Users, changes to this Privacy Policy may also be communicated through the CAP Portal.
    
    
11. Relationship to General Terms
    11.1 The Company's General Terms and Conditions ("General Terms") are incorporated by reference into this Privacy Policy as if fully set forth herein. All provisions of the General Terms apply to this Privacy Policy and the parties’ rights and obligations hereunder. This includes without limitation provisions relating to intellectual property, trademarks, disclaimers, limitations of liability, indemnification, governing law and other relevant terms in the General Terms. Authorized Users are additionally bound by the CAP Portal Terms in respect of their access to and use of the CAP Portal.
    
    11.2 In the event of any conflict between the General Terms and this Privacy Policy, the terms of this Privacy Policy shall prevail solely with respect to the collection, use, disclosure, and other processing of personal data by the Company. For all other purposes, including use of any other Company services, products, or websites, the General Terms shall control.
    
    
12. Order of Precedence
    12.1 Unless otherwise defined in this Privacy Policy, all capitalized terms used herein shall have the meanings ascribed to them in General Terms. In the event of any conflict or inconsistency between the definitions in this Privacy Policy and those in the General Terms, the definitions set forth in this Privacy Policy shall prevail solely for the purposes of construing the provisions of this Privacy Policy. All rules of interpretation set forth in the General Terms shall apply to this Privacy Policy unless the context requires otherwise.
    
    
13. Language
    13.1 This Privacy Policy is written in the English language. Any translation into any other language shall be for convenience only and shall have no legal effect. In the event of any inconsistency between the English language version and any translation, the English language version shall prevail.
    
    
14. Governing Law and Jurisdiction
    14.1 This Privacy Policy shall be governed by and construed in accordance with the laws of Hong Kong.
    
    14.2 Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong.
    
    
15. Contact Us
    15.1 For any request concerning access to or correction of personal data, as well as any inquiries about this Privacy Policy, please direct your communication as set out below:

By Post

NTT Com Asia Limited

6 Chun Kwong Street, Tseung Kwan O Industrial Estate, Tseung Kwan O, New Territories, Hong Kong

Attn.: Data Protection Manager

By Email

Data Protection Manager at dpm@ntt.com.hk