Privacy Policy

HelperLinked is a B2B technology marketplace platform operated by Phoenyx Capital Limited, a company incorporated in Hong Kong. The Platform is used by licensed employment agencies, training schools, and sourcing partners to manage helper profiles, cases, and placement workflows.

Phoenyx Capital Limited is NOT a licensed employment agency and does not independently collect, process, or use helper or client personal data for its own recruitment or placement purposes.

2.1 Data Uploaded by Agencies (processed on Agency's behalf)

• Helper profiles: full name, passport number, nationality, date of birth, gender, religion, education, address, contact details, employment history, skills, photographs, and any other information the Agency elects to upload
• Client and employer records: full name, HKID number, address, household composition, contact details, income information
• Case records: placement contracts, service fees, stage history, document checklists, ImmD form data, notes and correspondence

2.2 Platform Account Data (collected by HelperLinked as data controller)

• Registration data: agency name, registered address, licence number, contact name, email address, phone number
• User account data: name, email address, role, hashed password, login timestamps
• Usage data: IP addresses, browser/device information, pages accessed, feature usage logs, audit trail entries
• Support communications: email and WhatsApp correspondence with our team

2.3 Marketplace Profile Data

Where Agencies elect to share helper profiles on the Platform marketplace, those profiles (as uploaded by the Agency) become accessible to other registered agencies and partners. HelperLinked does not add to or modify such profiles. The uploading Agency is responsible for ensuring the helper's informed consent to marketplace sharing.

3.1 Helper and Client Data (processed as data processor for Agencies)

• Hosting and displaying helper profiles within the Platform and, where authorised, on the marketplace
• Generating ImmD forms (ID 988A, ID 988B) and other documents pre-populated from profile data
• Supporting case management, document checklist tracking, and placement workflow management
• Enabling PDF export and profile sharing features as directed by the Agency

3.2 Platform Account Data (collected as data controller)

• Creating and managing user accounts and agency tenancies
• Authenticating users and enforcing role-based access controls
• Providing customer support and responding to enquiries
• Security monitoring, fraud prevention, and system integrity
• Product analytics (aggregated, non-identifiable) to improve Platform features
• Compliance with legal obligations and regulatory requests

Agency-uploaded data: The Agency, as data controller, is solely responsible for establishing a lawful basis for collecting and processing helper and client personal data, including obtaining explicit, informed consent from each helper before uploading their profile to the Platform and, separately, before sharing their profile on the marketplace. HelperLinked relies on the Agency's representation that such consent has been obtained.

Platform account data: We process Agency registration and user account data on the basis of: (a) performance of the contract between us; (b) our legitimate interests in operating and securing the Platform; and (c) compliance with applicable legal obligations.

Important: HelperLinked does not verify that Agencies have obtained valid consent from helpers before upload. Agencies are solely and exclusively responsible for ensuring PDPO compliance in respect of all data they upload.

5.1 Within the Platform Marketplace

Where an Agency elects to list a helper profile on the Platform marketplace, that profile will be accessible to other registered agencies and partners using the Platform. This sharing occurs only at the explicit direction of the uploading Agency. HelperLinked acts as a conduit for this sharing and does not independently control whether or how receiving agencies use the information.

5.2 Legal and Regulatory Disclosure

We may disclose data to the Hong Kong Immigration Department, Labour Department, Police, courts, or other regulatory or law enforcement authorities where required or permitted by applicable law. We will endeavour to notify affected Agencies of such disclosure where legally permitted.

5.3 Third-Party Service Providers

We use trusted third-party infrastructure providers (including cloud hosting and storage providers) to operate the Platform. These providers process data only as necessary to deliver their services and are bound by confidentiality and data processing obligations. We do not sell personal data to third parties.

5.4 No Marketing Use

The Platform does not integrate with third-party advertising, analytics, or tracking services that would share personal data for marketing purposes. We do not use helper or client data for advertising.

Helper and client profile data: Retained for a minimum of 7 years (2,555 days) from the date of case closure or account termination, whichever is later, in line with regulatory record-keeping requirements and potential legal proceedings. After the retention period, personal data fields are anonymised and associated documents are permanently deleted.

Account and user data: Retained for the duration of the account and for 30 days following account termination, after which it is permanently deleted, subject to any longer retention required by law.

System logs and audit trails: Retained for 12 months from creation, after which they are anonymised or deleted.

Support correspondence: Retained for 3 years from the date of communication.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including:

• Encryption of sensitive data fields (including HKID, passport numbers, and email addresses) at rest using AES-256-GCM
• Mandatory HTTPS/TLS for all data in transit
• Role-based access controls limiting data access to authorised personnel
• Immutable audit logs of all data access and modification events
• Regular security reviews and access control audits

No security system is impenetrable. In the event of a data breach affecting your data, we will notify you as required by applicable law and cooperate with any investigation.

Under the PDPO, you (and helpers whose data you hold as controller) have the following rights:

• Right of Access: To request confirmation of whether personal data is held and to obtain a copy of it (subject to applicable exemptions under the PDPO).
• Right of Correction: To request correction of inaccurate personal data.
• Right to Object to Direct Marketing: To object at any time to use of personal data for direct marketing purposes. We do not use Platform data for direct marketing without separate consent.
• Right to Withdraw Consent: Where processing is based on consent, to withdraw that consent at any time (without affecting the lawfulness of prior processing).

To exercise rights in relation to data uploaded by an Agency, the request should ordinarily be directed to the Agency (as data controller). Where appropriate, we will assist Agencies in responding to data subject requests as part of our processor obligations.

To submit a DSAR or data correction/deletion request directly to HelperLinked:

• Email our Data Protection Officer at helperlinkedteam@gmail.com with the subject line “DSAR Request”
• Include: your full name, the Agency your data is associated with, and a description of your request
• We will acknowledge within 7 days and respond substantively within 40 days as required under the PDPO
• We may request proof of identity before processing any request

Note: Where HelperLinked acts as data processor, your request will be forwarded to the relevant Agency (data controller) for resolution. We will confirm the referral within 7 days.

For all privacy enquiries, DSAR requests, or concerns regarding data handling, contact our Data Protection Officer:

Phoenyx Capital Limited — Data Protection Officer
Email: helperlinkedteam@gmail.com
WhatsApp: (852) 6399 8911

The Platform's infrastructure is hosted on servers located in the region specified in our infrastructure provider's terms. If data is processed outside Hong Kong, we ensure that appropriate safeguards are in place consistent with PDPO requirements, including contractual protections with processing partners. We do not intentionally transfer helper or client personal data to jurisdictions without adequate data protection standards without Agency instruction.

We may update this Privacy Policy periodically. Material changes will be communicated to registered users via email or in-platform notice at least 14 days before taking effect. Continued use of the Platform following the effective date of any update constitutes your acceptance of the revised Policy. The date of most recent revision is shown at the top of this page.

If you believe your rights under the PDPO have been violated, you may lodge a complaint with the:

Office of the Privacy Commissioner for Personal Data (PCPD)
Hotline: (852) 2827 2827  ·  Website: www.pcpd.org.hk