Privacy Policy

This Privacy Policy explains how Axiom Holdings Limited (“Axiom”, “we”, “us”) collects, uses, stores, and shares personal data in connection with our website at axiomhk.co, our consulting services, and any software products or integrations we operate (collectively, the “Services”).

Axiom Holdings Limited is a company registered in Hong Kong. For the purposes of the Personal Data (Privacy) Ordinance (Cap. 486) and applicable international data protection laws (including the EU GDPR and UK GDPR where relevant), Axiom is the data controller of the personal data described below.

1. Information we collect

1.1 Information you give us

• Contact form submissions. When you complete the contact form on axiomhk.co we collect your name, email address, optional company name, and the message you provide.
• Engagement information. When you engage us for consulting or software work, we process contact details, billing information, and any materials you share with us in the course of the engagement.
• Correspondence. Records of emails and other messages you send to us.

1.2 Information collected automatically

• Usage data. Standard server logs including IP address, user agent, referrer, and timestamp, used solely for security, abuse prevention, and aggregate performance monitoring.

We do not use analytics or advertising cookies on axiomhk.co. We do not sell personal data.

1.3 Information from Meta Platforms (WhatsApp Business Platform)

Where a customer of an Axiom product connects their WhatsApp Business Account to our platform via Meta's Embedded Signup flow, we process data received from Meta under Meta's published WhatsApp Business Platform terms.

Data handling:When a customer signs up via Embedded Signup, we receive their WhatsApp Business Account ID and phone number ID via Meta's official OAuth flow. We store encrypted tokens only; no end-user message content leaves our encrypted Neon database. Data is deleted on clinic offboarding or within 30 days of account deauthorisation, whichever is sooner.

Message content routed through the WhatsApp Business Platform is processed in transit only for the purpose of delivering the service the customer has configured. We do not mine, analyse, or use message content for training models or any purpose unrelated to delivering the service.

2. How we use personal data

• To respond to enquiries submitted via the website.
• To deliver, operate, and improve our consulting engagements and software products.
• To comply with legal, tax, accounting, and regulatory obligations.
• To protect our Services from fraud, abuse, and security threats.

Our legal bases for processing personal data include performance of a contract, our legitimate interests in running and improving our business, compliance with legal obligations, and—where required—your consent.

3. How we share personal data

We share personal data only in the following circumstances:

• Service providers. Reputable vendors who process data on our behalf under contract, including email delivery (Resend), hosting (Vercel), database (Neon), and authentication providers. Each is bound by confidentiality and data-protection obligations consistent with this policy.
• Meta Platforms, Inc. Where you use features built on the WhatsApp Business Platform, data is exchanged with Meta in accordance with its terms.
• Legal and safety. Where required by law, court order, or to protect the rights, property, or safety of Axiom, our clients, or the public.
• Corporate transactions. In connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards.

4. International transfers

Our service providers operate globally. Where personal data is transferred outside Hong Kong or the European Economic Area, we rely on appropriate safeguards, including Standard Contractual Clauses and vendor data-processing agreements.

5. Data retention

• Contact form submissions are retained for up to 24 months, or longer where needed to conclude an engagement.
• Client engagement records are retained for the duration of the engagement and for a further period required by applicable accounting, tax, and professional standards (typically seven years in Hong Kong).
• WhatsApp Business integration data (including access tokens and account identifiers) is deleted within 30 days of the customer offboarding or deauthorising the integration, whichever is sooner.
• Server logs are retained for up to 90 days.

6. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+), encryption at rest for credentials and access tokens, the principle of least privilege for internal access, and logging for security-sensitive operations. No system can be perfectly secure; we continuously work to reduce risk and respond promptly to incidents.

7. Your rights

Subject to applicable law, you have the right to request access to, correction of, or erasure of your personal data; to object to or restrict our processing; and to data portability. Where processing relies on consent you may withdraw consent at any time.

To exercise any of these rights, email hello@axiomhk.co. We will respond within one month in line with applicable law. You also have the right to lodge a complaint with your local data protection authority, including the Office of the Privacy Commissioner for Personal Data, Hong Kong.

8. Children

Our Services are not intended for children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “last updated” date at the top of this page. Continued use of the Services after changes take effect constitutes acceptance of the revised policy.

10. Contact

Axiom Holdings Limited
Hong Kong SAR
Email: hello@axiomhk.co