AAIA.OS / Professional AI Enablement HK + SG · Spring 2026 Intake · Status: Open
Data Policy

Data Policy.

Last updated: 11 May 2026 · Version 1.0
Contents
  1. Scope and regulatory framework
  2. Roles and accountability
  3. Categories of data we process
  4. Lawful bases for processing
  5. Retention periods
  6. Third-party processors
  7. International data transfers
  8. Data subject rights
  9. Security measures
  10. Breach notification
  11. Complaints and supervisory authorities
  12. Updates to this policy
  13. Data Protection Officer

1. Scope and regulatory framework

This Data Policy describes how Asia AI Academy for Professionals ("AAIA") collects, uses, stores, and protects personal data of website visitors, workshop participants, prospective participants, corporate clients, instructors, contractors, and partners.

This policy operates alongside our Privacy Policy and is designed to comply with:

  • The Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong ("PDPO")
  • The Personal Data Protection Act 2012 of Singapore ("PDPA")
  • Other applicable data-protection laws in jurisdictions where we operate

2. Roles and accountability

AAIA is the data user (under the PDPO) and organisation (under the PDPA) responsible for the personal data we collect. Our service providers act as data processors on our behalf, under written contracts that impose confidentiality and security obligations.

We have appointed a Data Protection Officer who is responsible for overseeing data-protection compliance and acting as the point of contact for data subjects and supervisory authorities.

3. Categories of data we process

Category Examples Source
Identity Name, title, gender, date of birth Provided by the individual
Contact Email, phone, postal address Provided by the individual
Professional Company, role, industry, AI experience Provided by the individual
Transactional Workshop registration, payment confirmation, attendance records Generated through our services
Communications Emails, support tickets, feedback Provided by the individual
Technical IP address, browser type, device, referrer Automatically collected
Marketing Consent records, communication preferences, engagement metrics Provided / automatically collected

We do not collect special categories of data (such as race, religion, health, or biometric data) in the ordinary course of business. Where dietary requirements or accessibility needs are provided to deliver the workshop, this information is used solely for that purpose and deleted shortly after the event.

4. Lawful bases for processing

We process personal data on the following bases:

  • Performance of a contract — to deliver workshops you have registered for and to provide related services
  • Consent — for marketing communications, non-essential cookies, and any optional features (you may withdraw consent at any time)
  • Legitimate interests — to improve our programmes, prevent fraud, ensure site security, and operate our business, balanced against your interests and rights
  • Legal obligation — to meet tax, accounting, and regulatory record-keeping requirements

5. Retention periods

Data type Retention period Basis
Workshop registration and payment records 7 years after the workshop HK Inland Revenue requirements
Attendance records and certificates 5 years after the workshop Service evidence; CPD verification
Marketing list entries Until consent is withdrawn or 24 months of inactivity Consent
Support correspondence 24 months after closure Service quality, dispute records
Server logs and security logs 90 days Security and operational integrity
Cookies As stated in the cookie banner; up to 24 months for analytics Consent and configuration

When retention periods expire, we securely delete or anonymise the relevant data.

6. Third-party processors

We engage selected service providers to operate our website and deliver our services. Each processor is bound by a written agreement that includes confidentiality, security, and data-protection obligations. Categories of processor include:

  • Payment processing — to handle credit-card and bank-transfer payments
  • Email delivery — to send transactional and (with consent) marketing communications
  • Website hosting and content delivery
  • Analytics — to understand site usage with IP anonymisation
  • Customer support tooling
  • Accounting and tax services

A current list of named processors is available on request from our Data Protection Officer.

7. International data transfers

AAIA operates from Hong Kong and works with participants and partners in Singapore and other jurisdictions. Some of our service providers store or process data outside Hong Kong and Singapore. Where we transfer personal data internationally, we apply appropriate safeguards, including:

  • Contractual confidentiality and security obligations equivalent to those required under the PDPO and PDPA
  • Selection of providers operating in jurisdictions with comparable data-protection regimes where reasonably possible
  • Standard contractual clauses or equivalent legal mechanisms where required

8. Data subject rights

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete data
  • Deletion — ask us to delete personal data, subject to legal retention obligations
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — limit our processing in certain circumstances
  • Objection — object to processing based on legitimate interests, or to direct marketing
  • Withdraw consent — withdraw consent at any time where processing is based on consent

To submit a request, contact AsiaAIAcademy@gmail.com with sufficient information to verify your identity and the right you wish to exercise. We aim to respond within 30 days. Requests are provided free of charge unless they are manifestly unfounded or excessive.

9. Security measures

We implement technical and organisational measures appropriate to the risks presented by our processing, including:

  • Encryption of data in transit (TLS) and at rest where appropriate
  • Role-based access controls and the principle of least privilege
  • Regular access reviews and offboarding procedures for staff and contractors
  • Vendor due diligence and contractual security requirements
  • Backup and disaster-recovery procedures
  • Staff training on data protection and information security
  • Logging and monitoring of access to systems containing personal data

10. Breach notification

In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

  • Investigate and contain the breach as quickly as reasonably practicable
  • Notify affected individuals and relevant supervisory authorities where required by law, including within the timelines specified by applicable regulations
  • Document the breach, our response, and the lessons learned

11. Complaints and supervisory authorities

If you believe we have not handled your personal data appropriately, please contact our Data Protection Officer in the first instance. If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority:

  • Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD) — pcpd.org.hk
  • Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg

12. Updates to this policy

We may update this Data Policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified through the website or by email.

13. Data Protection Officer

For any questions about how we handle personal data, or to exercise any of your rights:

Data Protection Officer
Asia AI Academy for Professionals
Room A, 9/F, Seabright Plaza, 9-23 Shell Street
North Point, Hong Kong
Email: AsiaAIAcademy@gmail.com
Phone: +852 6702 9911

Note: This Data Policy is provided as a template starting point and reflects general principles under the Hong Kong PDPO and Singapore PDPA. Before publication, please review it with qualified legal counsel and adjust the retention periods, lawful bases, and processor list to reflect your actual operations.