Privacy Policy
Effective Date: March 30, 2025
Healthy Delight International Limited (trading as Floww 源穴, hereinafter “Floww”, “we”, “us” or “our”) is committed to protecting the privacy of individuals and complying with all applicable privacy laws in Hong Kong. This Privacy Policy explains our policies and practices regarding the collection, use, disclosure, and protection of personal data. We handle personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and other relevant laws.
By using our website or services, you agree to the collection and use of your personal data as described in this Policy.
Scope and Applicability
This Privacy Policy applies to the website www.floww.com.hk (the “Site”) and all services provided by Floww in Hong Kong. It governs how we collect, use, and share personal data from customers, website users, and others who interact with our services in Hong Kong. The Policy covers personal data collected through our Site, at our physical premises, through booking and contact forms, and via any other interactions you have with Floww within Hong Kong.
Please note that this Policy applies only to Floww’s operations in Hong Kong. Our website may be accessible from outside Hong Kong, but our services are intended for Hong Kong residents and are provided solely in Hong Kong. If you do not agree with this Privacy Policy, please refrain from using our Site or services.
Personal Data Collection
We collect various types of personal data from and about you when you use our Site or services. “Personal data” in this Policy means any information relating to an identified or identifiable individual. The types of personal data we may collect include:
- Identity and Contact Information: For example, your name, email address, telephone number, and other contact details that you provide when making an inquiry, booking an appointment, or registering on our Site.
- Booking and Appointment Details: Information related to any bookings or services you request from us, such as the date and time of your appointment, the type of service or treatment, special requests or preferences, and any relevant medical or health information you voluntarily provide for us to better deliver the service.
- Payment Information: If you make payments for our services (for instance, future online payments through Stripe), we will collect information necessary to process the payment. Credit card and payment details that you submit online will be processed by our third-party payment processor (e.g. Stripe) and not stored on our servers. We may retain non-sensitive payment details such as the transaction reference number, payment amount, and billing name for record-keeping purposes, but we do not store full card numbers or security codes.
- Usage Data and Analytics: When you visit our Site, we automatically collect certain technical and usage information. This may include your IP address, device type, browser type, browsing actions on our Site (such as pages viewed and links clicked), and other data obtained through cookies and similar tracking technologies. We use services like Google Analytics, Google Ads, and Facebook Pixel which may collect usage data about your interactions with our Site. (See Cookies and Tracking Technologies below for more details.)
- Cookies and Online Identifiers: We may collect information stored in cookies, web beacons, and other tracking technologies that are set on your browser or device. These identifiers help us recognize you on subsequent visits, remember your preferences, and gather information about how our Site is used (e.g. whether you are a returning visitor).
- Customer Communications: If you contact us by email, phone, social media, or through the Site (for example, by submitting an inquiry or feedback form), we will collect the information you provide in those communications. This may include your name, contact details, and the content of your message, as well as our subsequent correspondence with you.
- CRM and Account Information: We may maintain a customer profile for you in our Customer Relationship Management (CRM) system or internal records. This can include your contact details, service history (e.g. past appointments or purchases), communication preferences, and notes on your interactions with us. If our website offers user account registration in the future, we would also collect login credentials and any profile information you choose to provide.
We collect personal data directly from you (for example, when you fill in forms on our Site or at our premises, or when you communicate with us). In some cases, we may also collect data automatically (such as through cookies when you browse our Site). We will always aim to limit the personal data collected to what is necessary for the purposes described in this Policy.
Where we ask you to provide personal data, it is generally voluntary. However, certain information may be mandatory for specific services (for example, we need contact details to schedule an appointment). We will inform you at the time of collection whether the provision of personal data is obligatory or voluntary and the consequences of not providing obligatory data (e.g. we may not be able to fulfill a booking without the necessary details).
Purpose of Data Use
We use the personal data we collect for clear and lawful purposes in connection with our business as a wellness and massage service provider. The purposes for which Floww may use your personal data include:
- Service Delivery and Operations: To provide our wellness, massage, and related services to you. For example, we use your information to schedule and confirm your appointments, perform the requested treatments or services, and manage the logistics of service delivery (such as allocating staff or treatment rooms).
- Booking Management: To manage and administer bookings and appointments. This includes sending you booking confirmations and reminders (by email, SMS, or phone), processing any changes or cancellations you request, and keeping records of your appointments.
- Communication: To communicate with you regarding your use of our services. We may send you service-related communications such as appointment reminders, follow-up messages after your visit (e.g. to inquire about your experience or provide aftercare advice), and responses to any inquiries or requests you submit. We also use your contact information to notify you of any issues affecting our services (for example, unexpected closures or changes in schedule).
- Payments and Transactions: To process payments for our services and handle billing. If you pay online via Stripe (or a similar payment gateway), your payment data is used to complete the transaction and ensure we receive payment. We also use payment and transaction data for accounting, invoicing, refund processing, and record-keeping in compliance with financial regulations.
- Marketing and Promotional Communications: With your consent, we may use your contact details (such as email or phone number) to send you marketing materials and promotional communications. These may include newsletters, special offers, new service announcements, event invitations, or wellness tips. We will only use your personal data for direct marketing if you have agreed to such use (for example, by subscribing to our newsletter or ticking a consent box), or if otherwise permitted by law. You can opt out of marketing communications at any time (see User Rights below).
- Analytics and Service Improvement: To analyze and understand how our services and website are used, so that we can improve them. We use data collected (including via Google Analytics and similar tools) to monitor website traffic, usage patterns, and the effectiveness of our marketing campaigns. This helps us troubleshoot problems, optimize the performance and design of our Site, and enhance the quality of our services. For example, understanding which pages are most frequently visited or how users navigate our Site can inform website improvements, and analyzing booking trends can help improve scheduling and service offerings.
- Advertising and Retargeting: To support our advertising efforts on third-party platforms. We may use data from cookies (like Google Ads and Facebook Pixel) to create audiences for advertising, show you relevant ads on external platforms (such as reminding you of services you viewed on our Site), and measure the success of our advertisements (e.g. seeing if an ad resulted in a booking). All such activities are done in compliance with applicable laws and with appropriate consent for the use of cookies/advertising identifiers.
- Customer Relationship Management (CRM): To maintain and improve our relationship with you as a customer. This includes storing your service history and preferences to personalize your experience (for example, knowing your preferred therapist or any health conditions to consider), managing loyalty or referral programs if any, and providing customer support. By keeping accurate records, we can serve you better (such as speeding up the booking process or tailoring recommendations for future services).
- Security and Fraud Prevention: To ensure the security of our website, systems, employees, and other customers. We may use personal data (like IP addresses or login attempts) to monitor for and prevent fraudulent, abusive, or unlawful activities on our Site or premises. This can include detecting and mitigating cybersecurity threats, enforcing our terms of service, and taking action against wrongdoing or threats to the safety of individuals.
- Legal and Regulatory Compliance: To comply with our legal obligations under Hong Kong law and any other applicable regulations. For instance, we may use and retain personal data for complying with tax laws, fulfilling business record-keeping requirements, handling insurance claims, or responding to lawful requests by authorities. If you exercise your data privacy rights under the PDPO, we will use your data as necessary to fulfill those requests.
- Other Purposes with Consent: If we ever need to use your personal data for a purpose not originally stated at the time of collection, we will notify you and obtain your consent before such use, unless the new purpose is required or permitted by law. For example, if we wish to use your testimonial or experience in our marketing materials, we would seek your permission.
We will only use your personal data for the purposes described above or for purposes that are directly related to those original purposes. If we need to use your data for any unrelated purpose, we will obtain your consent or ensure that such use is otherwise legally permissible under Hong Kong law.
Legal Basis for Processing
Under Hong Kong’s PDPO and related laws, we ensure that we have a lawful basis or permissible ground to collect and use your personal data. Our processing of your personal data is justified by one or more of the following legal bases:
- Consent: In situations where you have given consent to the collection or use of your personal data, we will process your data based on that consent. For example, we rely on your consent to send you marketing emails or text messages, and to use certain cookies or tracking technologies for analytics and advertising (as required by law or industry practice). You have the right to withdraw your consent at any time (see User Rights below), and we will stop the related processing going forward.
- Contractual Necessity: We process certain personal data because it is necessary to fulfill our contract with you or to take steps at your request before entering into a contract. In other words, when you request services from us, we must use your personal data to provide those services. For instance, we need to use your name and contact information to schedule your appointment and communicate with you about it, and we need your payment information to process the transaction. Without this data, we would not be able to provide the services you have asked for.
- Compliance with Legal Obligations: We may process your personal data when necessary for us to comply with a legal or regulatory obligation. This includes using or retaining data as required by Hong Kong laws (such as maintaining transaction records for tax and accounting purposes, responding to official requests from law enforcement or regulatory agencies, or handling matters related to insurance or healthcare regulations if applicable). In such cases, the law imposes a duty on us to process or retain the data for certain purposes and timeframes.
- Legitimate and Permitted Purposes: We may also process your personal data for purposes that are within our legitimate interests as a business, provided such processing is fair and not inconsistent with the original purpose of collection. Hong Kong’s PDPO allows a data user to use personal data for the purpose for which it was collected or a directly related purpose. This means that some processing is justified by its direct connection to the primary purpose. For example, after providing you a service (primary purpose), we might use your contact information to send a satisfaction survey or to follow up on your recovery (a directly related purpose), even if you did not specifically request it. We will always ensure that these uses are relevant and properly within the expectations set when your data was collected. If we ever need to use your data for a new purpose that is not directly related, we will seek your consent.
In summary, Floww will not collect or use your personal data unless it is lawful to do so. We primarily rely on your consent and on the need to perform our services (which constitute a contract with you) as the main justifications for processing. Where appropriate, we also ensure compliance with any legal duties and only pursue our legitimate business interests in ways that do not override your rights and freedoms as a data subject. We will never use your personal data in a way that is contrary to the PDPO or other applicable laws.
Disclosure of Personal Data
We treat your personal data with care and confidentiality. We do not sell or rent your personal data to third parties for their own marketing purposes. However, in the course of running our business, we may need to share or disclose your personal data to certain trusted third parties or under particular circumstances, as outlined below:
- Within Healthy Delight/Floww: Your personal data may be shared within our organization, including with authorized employees, representatives, and staff of Healthy Delight International Limited/Floww who need to access the data to perform their duties (such as our scheduling team, therapists, customer service staff, accounting personnel, and management). All such personnel are bound by confidentiality obligations and this Privacy Policy.
- Service Providers and Data Processors: We use third-party companies and service providers to support our operations and deliver services on our behalf. We only share the necessary information with them and require that they protect your data and use it solely for the purposes we specify. These third parties include:
  - Payment Processing: When you make an online payment, your payment details (such as credit card information) are handled by our payment processor, Stripe. Stripe will process your payment information securely in accordance with its own privacy and security policies. We share information like your name, contact, and purchase amount with Stripe to process the transaction, and Stripe confirms back to us whether payment was completed. (Please refer to Stripe’s privacy policy for details on how they handle your payment data.)
  - Website Analytics: We use Google Analytics to gather statistics on site usage. Google Analytics may set cookies or other trackers in your browser to collect usage data (e.g. pages visited, time spent, how you arrived at the site). This information is transmitted to Google and aggregated for us to analyze how the website is used. The data shared with Google does not include your name or direct contact information, but it may include your IP address and device identifiers. Google acts as a data processor for us, meaning it uses the data only to provide insights and reports about our website traffic.
  - Advertising Partners: We utilize third-party advertising services, such as Google Ads (including tools like Google Ads conversion tracking) and Facebook (via the Facebook Pixel), to help us with marketing. These platforms may receive certain information when you visit our Site (for example, the fact that you visited or took a specific action) through cookies or pixels integrated into our pages. This allows us to create targeted advertising campaigns and measure their effectiveness (for instance, to see if our Facebook ad led you to book a session). The information shared with these partners typically consists of online identifiers and event data (like a page view or booking event) rather than direct personal contact details, and it is used in accordance with the partners’ own privacy policies.
  - Customer Relationship Management (CRM) and IT Providers: We may use cloud-based CRM software or data hosting services to store and manage our customer data and communications (for example, an online booking system or an email newsletter platform). If we do, personal data (like your contact information and booking history) will be stored on their secure servers. These providers act under our instructions to process the data for CRM purposes, such as organizing customer information, sending appointment reminders or newsletters (if you subscribed), and maintaining backup databases. We ensure any such provider has a proper data protection agreement in place and adequate security measures.
  - Email and Communications Services: If we send emails or SMS messages to you (such as marketing newsletters or service notifications), we might use third-party communication services or gateways. For example, we might use an email marketing service to manage our mailing list. These services would process your email address or phone number solely to send out our communications and not for their independent use.
- Business Partners (with Consent): From time to time, we might partner with other businesses or wellness practitioners for joint events, promotions, or services. We will only share your personal data with such partners if you have been informed and consented to that sharing (for example, if you sign up for a co-hosted wellness workshop and agree that we can share your contact info with the co-organizer for event coordination). In those cases, we will identify the partner and the data to be shared at the time of obtaining your consent.
- Legal Requirements and Safety: We may disclose your personal data when required to do so by law or legal process, or when we believe in good faith that such disclosure is necessary to: (i) comply with a legal obligation, court order, or request from a government or law enforcement authority; (ii) enforce our Terms and Conditions or other agreements; (iii) investigate or assist in preventing security threats, fraud, or other malicious activity; or (iv) protect the rights, property, or safety of Floww, our customers, our employees, or the public. For example, if we receive a lawful subpoena or regulatory inquiry regarding a customer, we may be obligated to provide the requested data. Similarly, if a customer were to pose a threat or become injured at our premises, we might share relevant information with the police or medical professionals for safety reasons.
- Business Transfers: If Floww or Healthy Delight International Limited is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of business assets, or transition of service to another provider, your personal data may be transferred as part of that transaction. Such a transfer would only occur if the receiving party agrees to protect your personal data in a manner consistent with this Privacy Policy and applicable law. We would notify you (for example, via a notice on our website or email) of any change in ownership or use of your personal data, as well as any choices you may have regarding your personal data in such an event.
- With Your Consent: Apart from the situations above, if we ever need to share your personal data with any other third party, we will notify you and obtain your consent before doing so. You have the right to refuse such sharing if it falls outside the scope of this Privacy Policy.
Whenever we share your personal data with third parties, we strive to only disclose the minimum amount of information necessary for the specific purpose. All third-party service providers acting on our behalf are contractually obligated to keep your personal data confidential, to use it only for the services they are providing to us, and to handle it in accordance with applicable data protection laws. We also take steps to ensure that any overseas transfers of personal data (for example, to the servers of a cloud service provider located outside Hong Kong) are done in compliance with Hong Kong’s data privacy requirements – for instance, by using providers in jurisdictions with adequate data protection laws or by implementing contractual safeguards.
Data Security Measures
We understand the importance of safeguarding your personal data and have implemented appropriate security measures to protect it against unauthorized or accidental access, disclosure, alteration, loss, or destruction. These measures include, but are not limited to:
- Technical Security: Our website uses encryption protocols such as Secure Sockets Layer (SSL) to protect data transmitted over the internet (you can verify this by the presence of “https” and a lock icon in your browser’s address bar when you interact with our Site). We store electronic personal data on secure servers or encrypted databases that have firewall protection. Passwords and other sensitive information are stored using secure hashing or encryption. We regularly update our software and systems to address security vulnerabilities and use anti-malware tools to prevent unauthorized access.
- Organizational and Physical Security: Access to personal data within our organization is restricted on a need-to-know basis. Only authorized personnel (such as staff members who handle bookings, or managers who need the information for business or legal reasons) are granted access to systems or files that contain personal data. Our employees are trained on the importance of data privacy and security. For any physical records (e.g., paper forms you may fill in at our center), we store them in secure areas and restrict access. We also have procedures in place to handle and investigate any suspected data breaches or security incidents.
- Secure Payment Processing: For online payments handled by Stripe, we rely on Stripe’s secure payment gateway. Stripe is PCI-DSS (Payment Card Industry Data Security Standard) compliant, which means it adheres to high security standards for processing payment card information. When you enter payment details on our Site, that information is transmitted directly to Stripe over encrypted connections; we do not see or store your full card details.
- Vendor Due Diligence: We carefully select third-party service providers and require them to have appropriate security measures. For example, our IT and hosting providers are expected to use encryption and industry best practices to protect data, and our analytics and advertising partners (Google, Facebook, etc.) are large companies with established security protocols. We review their compliance with privacy and security standards (such as ISO certifications or compliance with relevant regulations) when applicable.
- Continuous Improvement: We periodically review our data collection, storage, and processing practices to ensure they are in line with current best practices for security. We also monitor our systems for potential vulnerabilities and attacks, and we update our security measures in response to new threats or guidance from security professionals.
Despite our efforts to protect your personal data, please be aware that no method of transmission over the internet, or method of electronic storage, is completely secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. You can also play a part in protecting your data by using strong passwords, keeping your login credentials confidential (if applicable), and notifying us immediately if you suspect any unauthorized use of your personal data or any security breach related to Floww.
If we become aware of an actual data breach that compromises your personal data, we will act promptly to contain and investigate the incident. We will also notify you and the relevant authorities in accordance with Hong Kong laws and regulations.
Cookies and Tracking Technologies
Our Site uses cookies and similar tracking technologies to distinguish you from other users, provide certain functionalities, analyze our traffic, and support our marketing initiatives. This section explains how we use these technologies and your choices regarding them.
What are Cookies?
Cookies are small text files that a website saves on your computer or mobile device when you visit the site. They allow the website to remember your actions and preferences (such as login, language, font size, and other display preferences) over a period of time, so you don’t have to re-enter them whenever you come back to the site or browse from one page to another. Cookies can also enable tracking of your browsing session for analytics or advertising purposes. Other technologies similar to cookies include web beacons (pixel tags), local storage, and SDKs for mobile apps – but for simplicity, we refer to all of these as “cookies” in this Policy.
How We Use Cookies:
Floww uses cookies to improve your experience on our Site and to collect information about how our Site is used. In particular, we use the following types of cookies and tracking technologies:
- Strictly Necessary Cookies (Session Cookies): These cookies are essential for you to browse our website and use its features. They are typically session cookies which are temporary and only last for the duration of your browsing session. For example, if our Site has a login or a multi-step booking form, session cookies might keep you logged in as you navigate through pages or remember the selections you’ve made (so you don’t have to re-enter information when moving to the next step). Without these cookies, certain services or functionality on the Site may not be accessible or may not work properly. Session cookies are deleted from your device once you close your browser.
- Preference Cookies: These cookies allow our Site to remember information you have entered or choices you’ve made (such as your preferred language, region, or other settings) to provide a more personalized experience. They may be persistent cookies that remain on your device for a set period even after you close your browser, so that when you return to our Site, it remembers your preferences. For instance, if our Site is available in multiple languages and you choose Traditional Chinese or English, a cookie might save that preference so you don’t have to select it each time.
- Analytics Cookies: We use analytics cookies to collect information about how visitors use our Site. The primary tool we use for this purpose is Google Analytics. Analytics cookies gather data such as the pages you visit, the time spent on each page, the referring site (if you came to us via a link), and your general geographic location (e.g., city level). This information helps us understand user behavior on our Site and improve our content and layout. For example, analytics cookies can tell us which pages are popular, identify trends in usage, and identify if users are encountering errors on certain pages. The cookies set by Google Analytics may remain on your device for between 24 hours and 2 years (Google uses both session and persistent cookies for analytics). The data collected through these cookies is aggregated and anonymized; we do not use it to identify you personally. Google Analytics also provides us with aggregated demographic and interest data (if available) to help us tailor our services, but this data is not attributable to any individual.
- Advertising Cookies: We utilize cookies and pixels from third-party advertising networks (such as Google and Facebook) to assist with our marketing and advertising efforts. For example, the Google Ads cookies and Facebook Pixel on our Site collect data about your visit (such as which pages you viewed or actions you took) which can be used to: (a) show you targeted advertisements on Google, Facebook, or their partner sites/apps that are more relevant to your interests (for instance, an ad for a special offer on our massage services might appear on your Facebook feed if you visited our Site); and (b) measure conversions from our ads (e.g., the Facebook Pixel tells us if someone who clicked on our Facebook ad later made a booking on our Site, helping us gauge the ad’s effectiveness). These advertising cookies may track your browsing activity across different websites and apps over time, building a profile of your interests. The information collected is used in accordance with the respective third-party’s privacy policies. For example, data from Google Ads cookies is used per Google’s Privacy Policy, and data from Facebook is used per Facebook’s Data Policy. Advertising cookies on our Site are typically persistent cookies that remain on your device until they expire or you clear them.
- Third-Party Cookies: As mentioned, some cookies on our Site are placed by third parties acting on our behalf or in partnership with us. We have integrated third-party tools (like Google Analytics and Facebook Pixel), so when you use our Site, these third parties may set their own cookies on your browser. We do not have direct control over the information collected by these third-party cookies, but we use them to enhance our services (analytics and advertising as described). Other third-party cookies might come from embedded content on our Site, such as a YouTube video or a social media “share” button, if we have those features (they would allow those third-party sites to record that you viewed their content on our Site). We will inform you where such third-party cookie collection occurs and direct you to their privacy policies for more information.
Your Choices and Managing Cookies:
You have the right to choose whether to accept cookies. Here are several ways you can manage or disable cookies and tracking technologies:
- Browser Settings: Most web browsers automatically accept cookies by default, but you can usually modify your browser settings to decline some or all cookies, or to prompt you before accepting a cookie from the websites you visit. For example, you can typically find cookie settings in the “Options” or “Preferences” menu of your browser. Please note that if you disable all cookies, our Site (and many other sites) may not function properly. Essential features, like the booking form or login, might not work without certain necessary cookies. Therefore, we recommend allowing at least the strictly necessary cookies for the site to operate.
- Cookie Banner/Consent (if applicable): If our website presents you with a cookie consent banner or tool when you first visit, you can use that mechanism to customize your cookie preferences. For instance, you might be given the option to accept all cookies, reject non-essential cookies, or pick and choose categories (like disallowing advertising cookies but permitting analytics). We will remember your choice by setting a preference cookie. (If you later want to change your selection, you may need to clear your cookies or use a provided settings link to readjust your preferences.)
- Opt-Out of Analytics: To opt out of Google Analytics tracking specifically, you can use the Google Analytics Opt-out Browser Add-on provided by Google. You can install this add-on in your browser, which prevents Google Analytics from collecting information on your visits to websites that use it. The add-on is available at https://tools.google.com/dlpage/gaoptout. Keep in mind this is a browser-specific opt-out; if you use multiple browsers or devices, you’ll need to install it on each one as applicable.
- Opt-Out of Personalized Ads:
  - For Google Ads: You can control how Google uses information collected by its advertising cookies by visiting Google’s Ads Settings (https://adssettings.google.com). There, you can opt out of personalized ads from Google (meaning Google will stop showing you ads based on your interests or browsing patterns, though it will still show you generic ads or ads not based on cookies). Google is also part of industry opt-out schemes like the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA), so you can visit their consumer opt-out pages (http://optout.networkadvertising.org or http://optout.aboutads.info) to opt out of interest-based advertising from all participating companies.
  - For Facebook: You can adjust your ad preferences on Facebook so that you limit the use of third-party data for ad targeting. Log into your Facebook account and navigate to Settings & Privacy > Settings > Ads > Ad Settings. There you can manage settings such as ads based on data from partners (which would include data from the Facebook Pixel on external sites like ours). You may also use the online choices opt-out links (like the DAA’s opt-out) to opt out of Facebook and other companies’ interest-based ads more broadly. Facebook also allows you to review and clear your “Off-Facebook Activity,” which is the data that Facebook collects from sites like ours through the Pixel.
- Do Not Track Signals: Some web browsers have a “Do Not Track” (DNT) feature that signals to websites that you do not wish to be tracked across sites. Currently, there is no universal standard for how websites should respond to DNT signals. While we respect your privacy, our Site’s systems may not recognize or respond to every DNT signal automatically. We recommend using the other opt-out methods described here to control cookies and trackers.
Please be aware that completely disabling cookies or tracking technologies might affect your ability to use certain features of our Site or services. For example, if you reject all cookies, our site might not remember your booking in progress or retain your login session, requiring you to re-enter information or log in again on each page. We therefore advise users to disable only non-essential cookies if they have privacy concerns, while keeping essential ones enabled for functionality.
By using our Site without disabling or rejecting cookies, you consent to our use of cookies and similar technologies as described in this Policy. We will assume that you are okay with cookies unless you take action to disable them via the methods described above. If you have any questions about our use of cookies, you can also contact us using the information provided in the Contact Information section of this Policy.
User Rights
As a user of our services and a data subject under Hong Kong law, you have certain rights regarding your personal data. Floww is committed to honoring your rights and facilitating your exercise of them. The following is a summary of your key data privacy rights:
- Right of Access: You have the right to request access to the personal data we hold about you. This is known as a “Data Access Request” under the PDPO. Upon request, and after verifying your identity, we will inform you whether we hold any of your personal data and provide you with a copy of such data, as required by law. We will also give you information about how the data has been used or disclosed by us in the relevant period, to the extent required by the PDPO. Please note that the PDPO allows us to refuse access under certain limited circumstances (for example, if providing the data would likely prejudice an investigation, or if it contains personal data of other individuals that cannot be separated). Also, as permitted by law, we may charge a reasonable fee to cover the administrative cost of processing a Data Access Request. We will inform you of any fee before proceeding with the request, and we will respond to your request within the time period prescribed by law (currently 40 days in Hong Kong) or as soon as reasonably possible.
- Right to Correction: If you believe that any personal data we hold about you is incorrect, inaccurate, or outdated, you have the right to request correction or update of that data. This is referred to as a “Data Correction Request” under Hong Kong law. Upon verifying your identity and validating the requested change, we will correct the information in our records, and (if applicable) notify any third parties to whom the data was disclosed so they can update their records as well. We strive to keep your personal data accurate and up-to-date, and we encourage you to inform us of any changes, for example, if you change your contact number or email address, or if there’s a spelling mistake in your name in our system. There is no fee for requesting corrections.
- Right to Deletion (Erasure): You may request that we delete or erase your personal data in certain circumstances. For example, if you no longer use our services and wish for us to remove your details, or if the data we hold is no longer necessary for the purposes for which it was collected, you can ask us to delete it. We will evaluate such requests on a case-by-case basis. While Hong Kong’s PDPO does not explicitly grant a broad right of erasure in the same way as some other jurisdictions (like the EU’s GDPR), we respect your request and will comply if there are no legal or legitimate grounds for us to retain the data. Situations where we might not be able to fully delete data include where we need to keep records to comply with a legal obligation (e.g. retaining transaction records for a minimum period as required by tax law), to resolve disputes, or to exercise or defend legal claims. In such cases, we will inform you of the reason we cannot fulfill the deletion request and, if possible, block the data from further use. Otherwise, if no such impediment exists, we will erase your personal data and inform you once completed.
- Right to Opt-Out of Direct Marketing / Withdraw Consent: You have the absolute right to opt out of our direct marketing communications at any time. If you have previously given consent to receive newsletters, promotional emails, SMS messages, or other marketing communications from us, you can withdraw that consent whenever you choose – no questions asked. To opt out, you can use the “unsubscribe” link or instructions provided in our marketing emails or messages. Alternatively, you may contact us directly (via email or phone) and let us know that you do not wish to receive further marketing communications. Once you opt out or withdraw your consent, we will remove you from our marketing distribution list and stop sending you promotional materials. Please note that even if you opt out of marketing messages, we may still send you transactional or service-related communications (for instance, appointment confirmations, important notices about your booked services, or responses to your inquiries), as those are not marketing in nature. If you have allowed us to use certain data for marketing (like cookies for targeted ads), you can also adjust your preferences as described in the Cookies section above.
- Right to Withdraw Consent (General): Where we rely on your consent to process personal data (for example, for optional uses like marketing or certain data sharing), you have the right to withdraw your consent at any time. This is not limited to marketing; it could apply to other scenarios where you explicitly consented to a particular use of your data. To withdraw consent, simply contact us with your request (specifying which consent you are withdrawing). Once we receive your withdrawal of consent, we will cease the processing of your data for the specific purpose(s) you had earlier consented to, unless there is another lawful basis that we can rely on (we will let you know if that’s the case). Withdrawal of consent will not affect the legality of any processing we carried out based on your consent before you withdrew it.
Exercising Your Rights:
To exercise any of the above rights, please contact us using the contact details provided in the Contact Information section at the end of this Policy. Kindly specify the right you wish to exercise and provide us with enough information to process your request (for example, the email address or phone number that you provided to us, so we can locate your records). For data access or deletion requests, we may ask you to verify your identity (such as by providing a copy of your ID or other verification information) to ensure that we do not disclose data to, or delete data at the request of, the wrong person. This is to protect your privacy and security.
We will respond to your request as soon as practicable and in any event within the timeframe required by law. If we need more time to respond (for example, if the request is complex or involves a large volume of data), we will inform you of the extension and the reason.
Please note that some of the rights above are subject to legal exceptions. If we refuse to action any part of your request, we will provide you with a written explanation of the reasons, except where we are not required to do so under applicable law.
We also inform you that under Hong Kong law, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) if you believe your data privacy rights have been violated. We would, however, appreciate the chance to address your concerns first, so we invite you to contact us with any complaint and we will do our best to resolve it to your satisfaction.
Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by law. In determining the retention period for different categories of data, we take into account the purpose(s) for which we collected the data, the nature of the data, our legal and regulatory obligations, and the potential need to reference the data for dispute resolution or future service needs. Our data retention practices are as follows:
- General Customer Data: If you are a customer of Floww, we will retain your basic personal details (such as your name and contact information) and your service/booking history for the duration of our customer relationship, and for a reasonable period after it ends. For example, if you have not used our services for a while, we might still keep your data on file for a few years in case you return, to have your service history available. Keeping past service records can also be important for customer service (e.g., if you have a query about a past appointment) or for our operational analysis (e.g., to track business performance). We will periodically review the data we hold, and if we notice that you have not engaged with us for a long period (and there’s no other need to keep your data), we may anonymize or delete your information.
- Marketing Data: If you have consented to receive marketing communications, we will retain the personal data necessary for that purpose (e.g., your email for newsletter, or phone number for SMS) until you opt out or withdraw your consent. Once you unsubscribe or ask to be removed from marketing, we will promptly remove your contact from our marketing list and stop using it for that purpose. However, we may keep a record of your contact details on a suppression list to ensure we honor your opt-out and do not accidentally send you marketing in the future.
- Transaction and Payment Records: We retain transactional records (e.g., invoices, receipts, payment confirmations) in accordance with Hong Kong’s legal, tax, and accounting requirements. For instance, under the Inland Revenue Ordinance and other regulations, businesses may need to keep financial records for a minimum of 7 years. Therefore, if you have made payments or purchases with us, the related records (which may include your name, the service or product, date, and amount paid) could be kept for up to 7 years from the transaction date, or longer if required by law. These records are maintained securely and access is restricted to authorized finance/accounting personnel or auditors.
- Legal Compliance and Disputes: If we are under a legal obligation to retain data (for example, due to a court order, ongoing investigation, or as part of legal proceedings), we will retain the data for as long as required. Similarly, if a dispute or claim is anticipated or ongoing relating to you or your use of our services, we may retain relevant information until the issue is resolved and for a period thereafter as necessary to ensure we have an adequate record (this is based on the statute of limitations and our legitimate interest in defending our legal rights).
- Web Analytics Data: Data collected via Google Analytics and similar tools is stored by Google in aggregate form, and we typically have access to historical analytics reports. This data does not personally identify you and may be kept indefinitely for trend analysis. However, raw logs or IP addresses that could be considered personal data are either not collected or are anonymized/aggregated by our analytics tools after a short period. For example, Google Analytics anonymizes IP addresses by default in many cases and provides us only aggregated data.
- Backup and Archival: Personal data may reside in our system backups or archives. If we remove data from our live systems, it might still exist in backup files until those backups are cycled out or deleted. All backups are stored securely. If we restore data from a backup, we will take steps to ensure that any data that had been deleted in the live system (per a valid deletion request or our retention policy) is not unjustifiably restored or is re-deleted after restoration.
When personal data is no longer required for the purposes for which it was collected, and we are not otherwise legally required to keep it, we will either securely delete it or anonymize it (so that it can no longer be associated with you). Anonymization may involve removing personal identifiers and aggregating data so it can be used for statistical purposes without identifying any individual.
In summary, our goal is to not keep personal data for longer than necessary. We manage our records to adhere to this principle. If you have specific questions about our retention periods for certain types of data, you are welcome to contact us for more information.
Third-Party Links
Our Site and communications may contain links to websites, plug-ins, or resources operated by third parties (for example, a link to our social media pages, partner websites, or reference articles). Please be aware that this Privacy Policy does not apply to those third-party websites or services. Once you leave our Site or are redirected to a third-party website/application, your activities and data are governed by that third party’s own privacy policy and terms, not ours.
We have no control over and assume no responsibility for the content, privacy practices, or policies of any third-party sites or services. We provide these links solely for your convenience or information. We encourage you to exercise caution and review the privacy statements of any third-party site you visit before providing any personal data to them. This includes any third-party social media platforms that host our official pages or groups.
For example, if you click on a link to book via a partner’s platform or to read an article on another site, the information you provide or that is collected by that site will be subject to their policies. If you connect with us on social media (such as Facebook or Instagram), those interactions are governed by the privacy policy of the respective platform.
We are not responsible for the protection and privacy of any information which you provide whilst visiting third-party sites. We do, however, welcome any feedback about linked websites (for instance, if a link is broken or if you have concerns about a site we link to). This can help us ensure that we only maintain links that are valuable and appropriate for our users.
Policy Updates
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, operational requirements, or legal obligations. When we make changes, we will post the updated Policy on this page and update the Effective Date at the top of the Policy accordingly.
Notification of Changes: In the case of significant changes to this Policy (especially any changes that affect how we collect or use personal data), we will take additional steps to notify you. This may include posting a prominent notice on our website’s homepage, or if appropriate, sending you a notification via email or other contact information you have provided us. For minor or routine updates (such as clarifications or improvements in wording), simply updating the Policy with a new effective date may be deemed sufficient notice.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data. It is important that you keep your contact information with us up-to-date so that we can reach you if needed regarding changes to this Policy or other important matters.
If you continue to use our Site or services after an updated Privacy Policy has been posted, it will signify your acceptance of the changes. In any event, we will not use your personal data in a materially different manner than stated in the Policy at the time of collection without obtaining your consent, unless such use is otherwise required or permitted by law.
Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please do not hesitate to contact us. We are here to help and address any issues you may have.
Contact Details for Floww (Healthy Delight International Limited):
- Company Name: Healthy Delight International Limited (Trading as Floww 源穴)
- Address: G/F, 135 Queen’s Road East, Wan Chai, Hong Kong
- Telephone: +852 2682 3232 / +852 9255 1500
- Email: info@floww.com.hk
When reaching out to us, please mark your message for the attention of the “Privacy Officer” or mention that your inquiry is regarding privacy/data protection, so we can route your query to the appropriate personnel. We will endeavor to respond to all legitimate inquiries as soon as possible, and at the latest within the timeframes provided by law (if applicable).
Thank you for reading our Privacy Policy. We value your trust in Floww and are dedicated to protecting your personal data while providing you with quality wellness services.