Legal
Privacy Policy
Updated 2026-06-13 (DRAFT)
About this Policy
SPOTMIND Limited ("Spotreel", "we") is the data user responsible for personal data collected through the Spotreel service. This policy explains how we handle your personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, "PDPO") and its six Data Protection Principles (DPPs). For users in mainland China, please also read our PIPL Notice.
Data We Collect (DPP1)
We collect: (a) account data — email, display name, and authentication identifiers; (b) billing data — subscription tier and payment-processor tokens (we do not store full card numbers); (c) viewing telemetry — watch history, progress and interactions used to deliver and improve the service; (d) device and log data — IP address, device and browser type; and (e) creator/partner KYC data where you apply for a marketplace role. We collect only what is necessary and lawful for the purposes below.
Purposes of Use (DPP1 & DPP3)
We use personal data to: provide sign-in and account management; process subscriptions and creator payouts; personalise recommendations; provide customer support; ensure safety, prevent fraud and abuse; and comply with legal obligations. We will not use your data for a new purpose materially different from the above without your consent.
Direct Marketing (PDPO s.35)
We will not use your personal data in direct marketing without your consent, and we will provide an opt-out in every marketing message. You may withdraw consent to direct marketing at any time, at no charge, by emailing privacy@spotmind.co or using the in-app settings.
Third Parties & Processors
We share data only with service providers acting on our instructions, including: payment processing (Stripe), media delivery / CDN (Bunny.net), and AI dubbing/translation tooling (AIVOX) for creator-submitted content. A current list of categories of processors is maintained at [PROCESSOR LIST — PLACEHOLDER]. We do not sell your personal data.
Cross-Border Transfer (PDPO s.33)
Some processors may store or process data outside Hong Kong (e.g. [JURISDICTIONS — PLACEHOLDER]). Where data is transferred outside Hong Kong we take reasonable steps and apply contractual safeguards so that it is afforded a level of protection comparable to the PDPO.
Retention & Accuracy (DPP2)
We keep personal data only for as long as necessary to fulfil the purposes above or as required by law. Indicative retention periods: account data — for the life of the account plus [PERIOD — PLACEHOLDER]; billing records — [PERIOD — PLACEHOLDER, e.g. 7 years for tax]; viewing telemetry — [PERIOD — PLACEHOLDER]. We take reasonable steps to keep data accurate and to erase or anonymise it when no longer needed.
Security (DPP4)
We apply reasonable technical and organisational measures — encryption in transit, access controls, and least-privilege practices — to protect personal data against unauthorised access, processing, loss or destruction.
Your Rights — Access & Correction (DPP6)
You have the right to request access to and correction of your personal data, and to request a copy or deletion. To make a Data Access or Correction Request, or to export or delete your data, email privacy@spotmind.co. We will respond within 40 calendar days as required by the PDPO. A small, prescribed fee may apply to data-access requests.
Contact & Complaints
Data protection contact: privacy@spotmind.co / [DATA PROTECTION CONTACT NAME — PLACEHOLDER], SPOTMIND Limited, [REGISTERED OFFICE ADDRESS — PLACEHOLDER], Hong Kong SAR. If you are not satisfied with our response you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), at pcpd.org.hk.