Skip to content

Privacy Policy

Last Updated: 17 April 2026

AIcountant (hereinafter referred to as "the Company", "we", or "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, hereinafter "PDPO").

1. Personal Data We Collect

Depending on the services we provide, we may collect the following types of personal data:

  • Name and identification document numbers
  • Contact phone number and email address
  • Company name and business registration details
  • Correspondence and residential address
  • KYC (Know Your Customer) documents, including passport copies, proof of address, etc.
  • Payment information (processed through the third-party payment platform Stripe; we do not directly store your credit card details)
  • Information submitted through our website contact forms or consultation forms
Note: KYC documents (proof of identity, proof of address, etc.) are mandatory data required by Hong Kong law. Enquiry data submitted through contact forms is provided voluntarily. Failure to provide mandatory documents will prevent us from providing the relevant service, but will not affect your ability to browse this website.

2. Purposes of Collecting Personal Data

We collect your personal data for the following purposes:

  • Providing company incorporation, company secretarial, accounting, and audit & tax services
  • Fulfilling statutory compliance obligations for anti-money laundering and counter-terrorist financing (AML/CFT), including customer due diligence (CDD)
  • Processing payments and issuing invoices
  • Communicating with you regarding service matters
  • Responding to your enquiries and providing customer support
  • Complying with applicable laws and regulations
  • Improving our services and website experience

3. Data Retention Period

We retain your personal data for as long as necessary for business purposes and as required by law:

  • General business records: retained for no less than 6 years after the end of the business relationship, in compliance with the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615, AMLO)
  • Accounting and tax records: retained for no less than 7 years as required by the Inland Revenue Ordinance (Cap. 112)
  • After the retention period expires, we will securely destroy or anonymise the relevant data

Marketing Communications

We will only send you marketing and promotional information via email, WhatsApp, or other electronic channels with your explicit consent. You may unsubscribe at any time by emailing privacy@aicountantgroup.com or clicking the unsubscribe link in our emails.

4. Data Security Measures

We implement the following technical and administrative measures to protect your personal data:

  • Encrypted Transmission: All website communications are encrypted using TLS (Transport Layer Security)
  • Encrypted Storage: Personal data is stored with AES-256 encryption
  • Access Control: Only authorised personnel can access customer personal data, with strict access permission management
  • Regular Review: Security measures are regularly reviewed and updated

5. Third-Party Service Providers

We use the following third-party service providers for business operations, who may have access to some of your personal data:

  • Stripe: Payment processing (protected by PCI DSS standards)
  • Supabase: Data storage and management
  • Resend: Email delivery service
  • Cloudflare: Network security and content delivery
  • Third-party AI service providers: For automated FAQ responses (chat assistant) and document recognition (accounting OCR module). AI service servers may be located overseas (including but not limited to the United States, EU, or other parts of Asia). Specific providers may be updated from time to time based on business needs. We apply the principle of data minimisation, transmitting only content necessary for the relevant function. See section 5.1 below for details.

We require all third-party service providers to comply with appropriate data protection standards and to process your personal data only to the extent necessary.

5.1 Cross-Border AI OCR Data Processing (Accounting Module)

When you use the accounting module's AI document recognition (auto-identifying receipts, invoices, statements, bank statements), we transmit the uploaded document to a third-party AI document recognition service for content extraction and automatic categorisation.

  • Processing scope: The full PDF or image is transmitted to the AI processing service for OCR + automatic categorisation.
  • Purpose: Auto-extract amounts, dates, merchant names, and transaction descriptions; auto-fill accounting entries, saving you manual data entry.
  • Cross-border processing: AI service servers are located overseas (which may include the United States, EU, or other parts of Asia). We select providers based on service quality, cost, and compliance considerations; specific providers may be updated based on business needs. All cross-border transmissions use TLS encryption.
  • Retention: AI service providers process data per their service terms and do not retain your data in principle, but actual retention behaviour is subject to the laws of the provider's jurisdiction.
  • Consent mechanism (via Terms of Service): By accepting the Privacy Policy and Terms of Service at account registration, you provide PDPO DPP3 explicit consent for the cross-border AI processing described above. Each document upload records a consent entry in our consent_records database as audit evidence.
  • Alternative: If you do not wish documents to be processed by AI, you can manually enter accounting entries instead. All accounting features remain fully available — you just lose the AI auto-fill convenience.
  • Withdraw consent: Email privacy@aicountantgroup.com; we will disable AI OCR on your account within 7 days and record the withdrawal timestamp in consent_records.

6. Your Rights

Under the PDPO, you have the following rights:

  • Right of Access: You have the right to request access to the personal data we hold about you. We will respond within 40 days of receiving your request.
  • Right of Correction: You have the right to request correction of inaccurate personal data
  • Right of Erasure: Upon verification of your identity, we will delete your personal data within 30 working days (except for records required to be retained by law).

To exercise these rights, please email privacy@aicountantgroup.com. A reasonable fee of up to HKD 200 may be charged for processing data access requests.

7. Use of Cookies

This website uses cookies and similar technologies to ensure proper functionality, analyse traffic and improve user experience. Below are the types of cookies we use:

7.1 Essential Cookies

These cookies are necessary for the website to function and cannot be disabled. They include:

  • Supabase Authentication Token — Maintains your login session (session duration)
  • Language Preference — Remembers your selected interface language (localStorage)
  • Cookie Consent Record — Records your cookie preference settings (persistent)

7.2 Analytics Cookies

Used to understand how visitors interact with the website, helping us improve our services. They include:

  • Google Analytics (GA4) — Anonymously collects data on page views, session duration, and traffic sources. Data is transmitted to Google servers in the United States. Retention period: up to 14 months.
  • Google Tag Manager (GTM) — Used to manage tracking codes on the website. GTM does not store personal data but controls the loading of other tracking tools (e.g., GA4, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel). Data sent to Google servers in the United States. Retention: session-level.
  • Microsoft Clarity — Anonymous heatmaps and session recordings to improve UX. Clarity auto-masks sensitive inputs (passwords, credit cards), but your form inputs (such as company name and email) may be recorded. Data sent to Microsoft servers in the United States. Retention: up to 13 months (metrics), 7 days (session recording). Cookies: _clck, _clsk, CLID.
  • Baidu Tongji (百度統計) (Simplified Chinese site only) — Visitor analytics. Data sent to Baidu servers in Mainland China. Retention: up to 2 years. Cookies: Hm_lvt_*, Hm_lpvt_*.

7.3 Marketing Cookies

Used to measure advertising effectiveness and deliver more relevant advertising content. They include:

  • Google Ads Conversion Tag — Tracks conversion actions following ad clicks. Data is transmitted to Google servers in the United States. Retention period: up to 90 days.
  • Meta/Facebook Pixel — Tracks ad interactions and website behaviour. Data is transmitted to Meta servers in the United States. Retention period: up to 180 days.
  • LinkedIn Insight Tag — Tracks LinkedIn ad effectiveness and identifies visitor industry/job function at an aggregated level (not individual identity). Data sent to LinkedIn servers in the United States. Retention: up to 90 days. Cookies: bcookie, li_sugr, lidc, UserMatchHistory.
  • TikTok Pixel (International) — Tracks TikTok ad conversions. Data may be sent to ByteDance servers in Singapore, the United States, or Mainland China. Retention: up to 180 days.
  • Douyin Pixel (Mainland China, Simplified Chinese site only) — Tracks Douyin ad conversions. Data sent to ByteDance servers in Mainland China. Retention: up to 180 days.

7.4 How to Manage Cookies

You can manage your cookie preferences through the following methods:

  • Website Settings: The cookie notice banner displayed on your first visit allows you to choose "Accept All" or "Essential Only"
  • Browser Settings: Most browsers allow you to manage or delete cookies in their settings. Please note that disabling essential cookies may affect website functionality.

To reset your cookie preferences, please clear the cookies and localStorage data for this website in your browser, then revisit the site.

7.5 Future Tool Extension Clause

We may from time to time add or replace third-party service providers to improve service quality and user experience. Any material change (including adding CRM, customer chat, email marketing platforms, advertising pixels, etc.) will be notified through:

  1. Update of the Cookie banner on the website
  2. Update of the "Last Updated" date of this policy
  3. Email notification to existing subscribed users (for material changes only, e.g., adding data transfer to Mainland China)

You have the right to opt out of data collection by new tools before activation. To query the current full list of third-party tools in use, please contact privacy@aicountantgroup.com. Policy changes are tracked in our public GitHub repository (aicountant-website), where all historical versions are accessible.

8. Cross-Border Transfer of Personal Data

Due to business operational requirements, your personal data may be transferred to locations outside Hong Kong for processing. The following is a summary of our third-party service providers and their data destinations:

Data CategoryService ProviderDestinationLegal Basis (PDPO)
User accounts + KYCSupabaseSingaporeDPP3 Contractual necessity
PaymentStripeIreland, United StatesDPP3 Contractual necessity
EmailResendUnited StatesDPP3 Legitimate interest
Network security / CDNCloudflareUnited StatesDPP3 Legitimate interest
AnalyticsGoogle Analytics / Tag ManagerUnited StatesDPP3 Consent
UX AnalyticsMicrosoft ClarityUnited StatesDPP3 Consent
AdvertisingMeta, Google, LinkedInUnited StatesDPP3 Consent
Advertising (Douyin / TikTok)ByteDanceMainland China, Singapore, United StatesDPP3 Consent + Express notice
Advertising / Analytics (Mainland)BaiduMainland ChinaDPP3 Consent + Express notice
AI chatbot + OCRThird-party AI service providersOverseas (US / EU / Asia)DPP3 Consent (via Terms of Service, see Section 5)

Data transferred to Mainland China: We obtain your explicit consent via the Cookie consent banner. If you do not wish to have your data transferred to Mainland China, please select "Essential Only" in the banner or email privacy@aicountantgroup.com to withdraw consent.

We will ensure that appropriate contractual and technical safeguards are in place during cross-border transfers to protect your personal data.

9. Children's Privacy

Our services are intended for persons aged 18 or above only. We do not knowingly collect personal data from minors. If we discover that we have collected personal data from a minor by mistake, it will be deleted immediately. If you believe we hold personal data of your child, please contact privacy@aicountantgroup.com, and we will address it within 7 days.

Legal basis: Under the Hong Kong Companies Ordinance (Cap. 622) Section 116, directors of Hong Kong companies must be aged 18 or above, naturally excluding minors from our services.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any significant changes will be published on this website with an updated "Last Updated" date. We recommend that you review this policy regularly to stay informed.

11. Contact Us

If you have any questions about this Privacy Policy, or wish to exercise your personal data rights, please contact us:

Back to top ↑