Privacy Policy and Personal Information Collection Statement (“Statement”)
Privacy Policy
1. In this Statement, the following terms shall have their respective meanings:
(a) "BCAN":
(i) means, in the context of Rafter Capital provision of the Stock Connect Northbound trading services, Broker-to-Client Assigned Number;
(ii) in the context of the SFC's Hong Kong investor identification regime and over-the-counter securities transactions reporting regime (when it comes into effect), has the meaning given to it in paragraph 5.6(b)(ii) of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (when it comes into effect);
(b) "CCASS Rules" means the General Rules of CCASS, as in force from time to time;
(c) "CID":
(i) means, in the context of Rafter Capital provision of the Stock Connect Northbound trading services, such identification information relating to you as SEHK may request from time to time under the Rules of the Exchange of SEHK;
(ii) in the context of the SFC's Hong Kong investor identification regime and over-the-counter securities transactions reporting regime (when it comes into effect), has the meaning given to it in paragraph 5.6(b)(iv) of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (when it comes into effect);
(d) "data subject", in relation to personal data, means the individual who is the subject of the data;
(e) "Rafter Capital" means Rafter Capital and its subsidiaries, holding companies, subsidiaries of those holding companies and other associated or related entities;
(f) "Rafter Capital", or "we" or "us" means Rafter Capital Limited;
(g) "GDCA" means Global Digital Cybersecurity Authority CO., Ltd (数安时代科技股份有限公司);
(h) "GDCA Agreement" means the GDCA Subscriber Agreement for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong (粤港跨境电子交易 GDCA 数字证书用户协议), as amended and supplemented from time to time;
(i) "HKEX" means Hong Kong Exchanges and Clearing Limited;
(j) "Hong Kong" means the Hong Kong Special Administrative Region of the People's Republic of China;
(k) "Mainland China" means the People's Republic of China, excluding Hong Kong, the Macau Special Administrative Region and the Republic of China (Taiwan);
(l) "PDPO" means the Personal Data (Privacy) Ordinance (Cap. 486, Laws of Hong Kong);
(m) "personal data" means any data:
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable;
(n) "non-personal data" means any data not falling within the meaning of "personal data";
(o) "SEHK" means the Stock Exchange of Hong Kong; and
(p) "SFC" means the Securities and Futures Commission of Hong Kong.
2. Rafter Capital is committed to providing its clients with excellent securities services. Based on your service needs, we will collect and use different types of your personal data and non-personal data. We treat the use and confidentiality of our clients' personal data and non-personal data seriously.
3. The security and privacy of our clients' personal data and non-personal data is a matter of utmost importance for Rafter Capital. We are committed to protecting the privacy, confidentiality, and security of our clients' personal data and non-personal data; in the case of personal data by complying with the requirements of the PDPO through the implementation of the policies set out in this Statement.
4. Where our operations are subject to privacy legislation other than that of Hong Kong, this Statement shall apply so far as it is consistent with such other legislation.
5. Please note that this Statement may be amended from time to time without prior notice. You are advised that you need to check the latest version of this Statement on our websites on a regular basis.
Collection and Use of Personal Data
6. Rafter Capital may collect personal data provided voluntarily by visitors to this website/application.
7. Individual clients (which includes you) may be required to provide us with the following data:
(a) their personal data, including name, age, occupation, marital status, email address, telephone number, personal identity information, biometric data, photograph and video, electronic signature, address and other contact information, financial information, credit history, source of wealth, risk tolerance, investment experiences and objectives;
(b) transaction records;
(c) account balance and securities portfolio;
(d) IP address, browser type and version, time zone settings, browser plugin types, operating systems or platform and device data (including where the IMEI number of mobile device, wireless networks and general network data);
8. Rafter Capital may also obtain your personal data from publicly available sources of information, recording telephone conversations and/or communications by using electronic media, or from third party risk intelligence applications.
9. Your personal data and non-personal data will be recorded when you visit this website/application, used for the purposes of data analysis, including analyzing the number of visitors to the website/application. For further information on how we make use of cookies, please refer to our Cookie Policy.
10. We will only use the personal data we collect for the purposes set out in this Statement. If you do not supply the personal data requested, we may not be able to provide or continue to provide our services to you, including without limitation, providing you with trading services in respect of certain markets and/or products. Your personal data may be used for the following purposes:
(a) Providing you with our products or services (including the provision of financial advice);
(b) Verifying your identity as part of the initial and on-going Know-Your-Client (KYC) due diligence process and otherwise for the purposes of complying with anti-money laundering laws and regulations which we are subject to;
(c) Conducting matching procedures (as defined in s.2 of the PDPO, which broadly includes comparison of two or more sets of your personal data, for the purpose of taking actions adverse to your interests, such as declining an application);
(d) Conducting or arranging for you certification services recognized by the Electronic Transactions Ordinance (Cap 553) such as services provided by certification authorities in Hong Kong or other places (including but not limited to Mainland China) for client identity verification purposes, and specifically, if you are domiciled in Mainland China, for the purpose of applying for a certificate with the GDCA or such other certification authority as we consider appropriate;
(e) Dealing with service applications submitted by you, your guarantors or your security providers;
(f) Performing credit checks, verification procedures, data verification, due diligence and risk management processes;
(g) Assisting other financial institutions to conduct credit checks and collect debts;
(h) Assessing your and your guarantors' and security providers' credit worthiness;
(i) Designing financial and other related services and products for your use;
(j) Promoting and marketing certain services and products to you (please refer to the section entitled "Use of Data in Promotion and Direct Marketing" below for further details);
(k) Determining the amount of debt owed to us by you, your guarantors and/or your security providers ;
(l) Collecting debts from you, your guarantors and your security providers;
(m) Complying with any applicable laws, rules, regulations, court orders or the requests or requirements of any regulatory body;
(n)Enabling any of our actual or proposed transferees / assignees to assess any proposed merger, re-organization or other similar process;
(o) Any purposes allowed by applicable laws;
(p) Defending our rights or participating in any legal or administrative proceedings;
(q) Observing the requirements of the "Codes on Takeovers and Mergers and Share Buy-backs" (as amended from time to time) which are issued by the SFC and/or the laws and/or regulatory rules in Hong Kong and/or other places;
(r) Conducting marketing research, surveys and other similar activities;
(s) Generating unique internal identification numbers for organizational and reporting purposes and other forms of statistical analysis;
(t) When the SFC's Hong Kong investor identification regime or over-the-counter securities transactions reporting regime comes into effect (as the case may be), allowing SEHK to:
(i) ccollect, store, process and use your personal data (including CID and BCAN(s)) for market surveillance and monitoring purposes and enforcement of the Rules of the Exchange of SEHK;
(ii) disclose and transfer such information to the relevant regulators and law enforcement agencies in Hong Kong (including, but not limited to, the SFC) so as to facilitate the performance of their statutory functions with respect to the Hong Kong financial markets; and
(iii) use such information for conducting analysis for the purposes of market oversight;
(u) When the SFC's Hong Kong investor identification regime or over-the-counter securities transactions reporting regime comes into effect (as the case may be), allowing the SFC to:
(i) collect, store, process and use your personal data (including CID and BCAN(s)) for the performance of its statutory functions including monitoring, surveillance and enforcement functions with respect to the Hong Kong financial markets; and
(ii) disclose and transfer such information to relevant regulators and law enforcement agencies in Hong Kong in accordance with applicable laws or regulatory requirement;
(v) allowing each of SEHK and the relevant SEHK Subsidiaries (as defined in the Rules of the Exchange) to:
(i) collect, use and store your BCAN, CID and any consolidated, validated and mapped BCANs and CID information provided by the relevant China Connect Clearing House (as defined in the CCASS Rules) (in the case of storage, by any of them or via HKEX) for market surveillance and monitoring purposes and enforcement of the Rules of the Exchange;
(ii) transfer such information to the relevant China Connect Market Operator (as defined in the Rules of the Exchange) (directly or through the relevant China Connect Clearing House) from time to time for the purposes set out in paragraphs 10(w) and (x) below; and
(iii) disclose such information to the relevant regulators and law enforcement agencies in Hong Kong so as to facilitate the performance of their statutory functions with respect to the Hong Kong financial markets;
(w) allowing the relevant China Connect Clearing House (as defined in the CCASS Rules) to:
(i) collect, use and store your BCAN and CID to facilitate the consolidation and validation of BCANs and CID and the mapping of BCANs and CID with its investor identification database, and provide such consolidated, validated and mapped BCANs and CID information to the relevant China Connect Market Operator, SEHK and the relevant SEHK Subsidiary;
(ii) use your BCAN and CID for the performance of its regulatory functions of securities account management; and
(iii) disclose such information to the Mainland Chinese regulatory authorities and law enforcement agencies having jurisdiction over it so as to facilitate the performance of their regulatory, surveillance and enforcement functions with respect to the Mainland Chinese financial markets;
(x) allowing the relevant China Connect Market Operator to:
(i) collect, use and store your BCAN and CID to facilitate their surveillance and monitoring of securities trading on the relevant China Connect Market (as defined in the Rules of the Exchange) through the use of the China Connect Service (as defined in the Rules of the Exchange) and enforcement of the rules of the relevant China Connect Market Operator; and
(ii) disclose such information to the Mainland Chinese regulatory authorities and law enforcement agencies so as to facilitate the performance of their regulatory, surveillance and enforcement functions with respect to the Mainland Chinese financial markets; and
(y) Any functions related to the foregoing.
Disclosure of Personal Data
11. Personal data held by Rafter Capital will be kept confidential, but may be disclosed to the following persons for one or more of the purposes set out in paragraph 10:
(a) Any of our officers, employees, agents, contractors or third party service providers who provide administrative, credit data, debt collection, telecommunications, client verification, due diligence, computing, payment or other services related to our business operations to us (e.g. IT vendors, electronic storage vendors, biometric authentication service providers);
(b) Any member of the Rafter Capital;
(c) Any of your guarantors and security providers or prospective guarantors and security providers;
(d) Any person who owes a duty of confidentiality to Rafter Capital, including any member of the Rafter Capital;
(e) Any financial institution trading with or intending to trade with you, or any of your counterparties in a trade;
(f) Credit data service institutions or debt collecting institutions (where you owe us money or where there has been an event of default (howsoever described));
(g) Any actual or proposed assignee or transferee of Rafter Capital, or participant or sub-participant or transferee of Rafter Capital in respect of our rights against you;
(h) Any person or entity or data recipient who has already established or intends to establish any business relationship with Rafter Capital;
(i) Any certification authority whether in Hong Kong or other places (including but not limited to Mainland China);
(j) Any agencies in Hong Kong or other places for compliance with applicable laws, regulations, rules or guidelines regarding the automatic exchange of financial account information or the Foreign Account Tax Compliance Act promulgated by the United States; and
(k) Any local or foreign legal agency, regulatory body, government, tax authority, law enforcement agency, administrative or statutory agency, stock exchange or clearing house, or other self-regulatory agency or industry organization or group in Hong Kong or other places (including but not limited to Mainland China), and this includes the SEHK, the relevant SEHK Subsidiaries and the SFC.
12. Rafter Capital may transfer your personal data to a place outside Hong Kong in accordance with this Statement. Your personal data may not be afforded the same or similar level of protection as it is under the PDPO.
13. You acknowledge that, despite any subsequent purported withdrawal of consent by you, your personal data may continue to be stored, disclosed, transferred and otherwise processed for the purposes set out in this Statement, whether before or after such purported withdrawal of consent.
Use of Data in Promotion or Direct Marketing
14. Rafter Capital may use your personal data to send you information about products, services and other marketing materials that we think you might be interested in. You can choose to receive marketing and other promotional materials by email and/or direct mail. If you do not wish to receive such marketing materials, you may elect to opt-out at any time by contacting out Customer Services Department.
15. Rafter Capital intends to use your personal data for direct marketing purposes, for which we have to obtain your consent (which includes an indication of no objection). In this regard, please note that:
In this regard, please note that:
(a) Your name, contact details, product and service, investment portfolio information, trading patterns and conduct, financial background and statistics held by Rafter Capital from time to time may be used for direct marketing;
(b) The following categories of services, products and subjects may be marketed to you:
(i) Finance, insurance, securities, commodities, investment and related services and products and facilities;
(ii) reward, loyalty, co-branding or privileges programmes and related products and services;
(iii) financial or banking products and services offered by our business partners (the names of such partners will be provided to you); and
(iv) donations and contributions for charitable and/or non-profit making purposes;
(c) The above services, products and subjects may be marketed by Rafter Capital and/or the following persons:
(i) Any member of the Rafter Capital;
(ii) Third-party financial institutions, underwriters, securities, commodities and investment service providers;
(iii) Providers of third-party reward, loyalty, co-branding or privileges programme;
(iv) Our business partners (the names of such co-branding partners will be provided to you);
(v) Charitable and/or non-profit organizations;
(d) In addition to promoting the above services, products and subjects, Rafter Capital may provide the personal data mentioned in paragraph 15(a) to any of the persons as mentioned in paragraph 15(c) above for the purpose of promoting their services, products and subjects. In order for us to do so, we need to obtain your written consent (which includes an indication of no objection) for this purpose;
(e) If you do not wish Rafter Capital to use or provide your personal data to other persons for the direct marketing purposes set out in paragraph 15(d), please notify our Customer Service Department; and
(f) We may receive money or other property in return for providing your personal data to the other persons in paragraph 15(d) and, when requesting your consent or no objection we will inform you if we will receive any money or other property in return for providing the personal data to the other persons.
Providing Another Person's Personal Data
16. Where you provide to us personal data about another person, you must give to that person a copy of this Statement and, in particular, tell him/her that you have provided us with their personal data and how we may use his/her personal data.
Personal Data Protection Measures
17. Rafter Capital implements protective measures to safeguard and secure personal data to ensure it is protected against unauthorised or accidental access, processing, or erasure. These measures include the following:
Access or use of such data is limited to authorized staff or agents on a “need to know” basis and such data is accessed utilizing secured methods (e.g. personal data is encrypted when necessary);
We do not distribute your personal data to other persons except for conducting business activities, complying with applicable laws, protecting against fraud or making products and services that we believe may be in your interests;
The use and transfer of your personal data between members of the Rafter Capital is subject to strict internal security standards, confidentiality policies, privacy laws and other applicable laws;
We ensure that our employees fully comply with such standards, policies and laws; and
We will offer training to staff on proper handling of your personal data.
18. As we further develop new products and services, we will continue to make every effort to ensure that your personal data is properly used and protected.
Data Access and Correction Requests
19. According to and in accordance with the terms of the PDPO, you have the right to:
obtain information regarding the processing of your personal data and access the personal data which we hold about you;
subject to paragraph 13, withdraw your consent to our processing of your personal data at any time;
subject to paragraph 13, withdraw your consent to our processing of your personal data at any time;
request that we rectify your personal data if it is inaccurate or incomplete;
lodge a complaint with the Privacy Commissioner for Personal Data if you think that any of your data privacy rights have been infringed by us;
in relation to consumers’ credit record, be informed on request which items of personal data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the marking of an access and correction request to the relevant credit reference agency or debt collection agency; and
upon satisfactory termination of the credit by full repayment and on condition that there has been, within five years immediately before such termination, no material default under the credit as determined by Rafter Capital, instruct Rafter Capital to make a request to the relevant credit reference agency to delete from its database any personal account data relating to the terminated credit.
20. You may ask that we erase some or all of your personal data, but please note that we are under no legal obligation to do so.
21. If there is a change to any of the personal data that you have provided to us, please contact our Customer Service Department.
22. You should send requests for access to, and correction of, your personal data to us at:
Attention: Customer Service Department
Rafter Capital Limited
Address: Room 3527, Level 35, Infinitus Plaza
199 Des Voeux Rd Central, Sheung Wan
Email: rafter@racapm.com
*Please indicate your name and contact number for us to follow up with your request. You may be asked to provide additional information to authenticate your identity in order for us to follow up your request.
23. In accordance with the terms of the PDPO, Rafter Capital reserves the right to charge a reasonable fee for processing any data request.
24. Nothing in this statement shall limit your rights under the PDPO.
Retention Period of Personal Data
25. We will not keep personal data longer than is necessary for the fulfillment of the purpose for which it was collected. The retention period of personal data collected depends on circumstances by taken into consideration of different factors, including:
Usage: we have to continue to retain the personal data for such objective; and
Legal obligation: the minimum retention period of the personal data which is stipulated in the laws and regulations.
Note In case of any discrepancy between the English and Chinese versions of this Privacy Policy Statement, the English version prevails.