ExpatTax Privacy Policy

Effective date: 22 September 2020

INTRODUCTION
This Privacy Policy uses the same terminology and abbreviations as defined in our Terms of Service document. This Privacy Policy governs the processing of personal data about Users collected through the Platform. The information on Users that is collected through the Platform is divided into personal data and non-personal data, depending on whether the information can identify the User as a specific person.

DATA CONTROLLER
CAPITAL TAX LIMITED with its registered headquarters at Suite 2603, Office Tower, Convention Plaza, 1 Harbour Road, Wan Chai, Hong Kong (‘we’, ‘us’, ‘our’, and ‘ExpatTax’) is responsible for compliance with the principles relating to processing of your personal data through the Platform. You can contact us for any questions regarding your privacy through our contact form available at https://expattax.com/contact/.

DEFINITIONS
In addition to the definitions provided for in the Terms, the following words and abbreviations shall have the meaning provided herein:

  • “controller” means an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • “personal data” means any information relating to an identified or identifiable natural person (‘User’, ‘you’, and ‘your’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of ExpatTax; and
  • “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

TYPES AND PURPOSES OF PERSONAL DATA THAT WE PROCESS
During your interaction with the Platform or with us directly, we collect your personal data. To ensure our compliance with data minimisation principles, we collect only a minimal amount of personal data and make sure that your personal data is used for limited purposes indicated in this Privacy Policy.

I. Contact form
When you contact us through the contact form available on the Platform, we collect your:

  • Name;
  • Email address;
  • Phone number; and
  • Any information that you decide to provide in your message.

We use such personal data to reply to your enquiry, to provide you with the requested information, and improve our business. The legal bases on which we rely when processing your personal data are (i) ‘pursuing our legitimate business interests’ (i.e., to grow, analyse and improve our business) and (ii) ‘your consent’ (for optional personal data).

II. Request for a quote
When you request us to provide you with a quote for our services, we collect your:

  • First name;
  • Last name;
  • Email address;
  • Phone number; and
  • General information regarding your income.

We use such personal data to process your request, provide you with the requested quote, and comply with our legal obligations. The legal bases on which we rely when processing your personal data are (i) ‘pursuing our legitimate business interests’ (i.e., to promote our business, seek new clients, and comply with legal obligations) and (ii) ‘your consent’ (for optional personal data).

III. Email communication
When you contact us by email, we collect your:

  • Name;
  • Email address; and
  • Any information that you decide to provide in your message.

We use such personal data to reply to your email, to provide you with the requested information, and grow and improve our business. The legal bases on which we rely when processing your personal data are (i) ‘pursuing our legitimate business interests’ (i.e., to grow, analyse and improve our business) and (ii) ‘your consent’ (for optional personal data).

IV. Browsing the Platform
When you browse the Platform, we automatically collect your:

  • IP address; and
  • Cookie-related data.

We use such data to analyse your use of the Platform, create statistics reports, and promote the Platform. The legal bases on which we rely when processing your personal data are (i) ‘pursuing our legitimate business interests’ (i.e., to grow, analyse and improve our business and ensure the safety and integrity of the Platform) and (ii) ‘your consent’ (for cookie-related data). For more information on our use of cookies, please refer to the section “Cookies” below. We will not use your IP address under our legitimate interest for any other purpose. If we need your IP address for other purposes, we will rely on other legal grounds or explain the new legitimate interest prior to commencing the processing.

V. Our Services
When you use our tax preparation services, we process your:

  • Name;
  • Email address;
  • Address;
  • Bank account details;
  • Social security number;
  • Tax ID number;
  • Information about your income and tax declarations.

We use such data to (i) perform the services requested by you and (ii) send you updates regarding your orders and our Services. The legal basis on which we rely when processing your personal data is ‘performing our contractual obligations.’

Sensitive data
We do not collect or use any special categories of personal data (“sensitive data”) from you, unless you decide, at your own discretion, to provide such data to us. Sensitive data is information that relates to your health, religious and political beliefs, racial origins, membership of a professional or trade association, or sexual orientation.    

COMMERCIAL COMMUNICATION
We will use your email address to send you information about changes to the Platform, the introduction of new services, or general news about our Platform. We have a legitimate interest in keeping you informed about the services you subscribed to and in promoting our new services which we believe you might be interested in. If you have not previously concluded a service contract with us, we will ask you to provide us with your opt-in consent to receive commercial emails. You can unsubscribe from our commercial emails at any time free of charge by following the ‘unsubscribe’ link in the email. Please note that you cannot decline service-related informational notices that are necessary to update you about your orders, privacy, security, and other important matters. We will not use legitimate interest to send you advertising emails for any third-party services.

SECURITY OF PERSONAL DATA
We have implemented security procedures and measures to ensure appropriate protection of the personal data we process, against any misuse, unauthorized access, disclosure, or modification. The security measures used by us include secured networks, strong passwords, encryption, and limited access to your personal data by our staff and contractors. In addition, we make sure that third parties that process your personal data on our behalf (our data processors) adhere to the highest industry-related security standards.

We acknowledge that the safety of your personal data is one of the highest priorities and therefore only authorized processors have access to your information. Although we take all appropriate measures in respect to keeping your personal data secure, you understand that no data security measures in the world can offer 100% protection. If we ever find or suspect a personal data breach we will without delay, within seventy-two (72) hours after becoming aware of it, notify the appropriate supervisory authority about the breach and Users where necessary.

CHILDREN’S PRIVACY
The Services are intended for a general audience and are not targeted at children. We take children’s online safety very seriously, and if we ever learn that the personal data collected belongs to a child, we will immediately remove any such personal data. If you are younger than 18, you are not allowed to register or use the Platform.

COLLECTION AND USE OF NON-PERSONAL DATA
The Platform automatically collects a series of general data and information when a User or automated system calls up the Platform. This general data and information are stored in the server log files. The data collected may include (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the internet site, (6) the internet service provider of the accessing system, and (7) any other similar data and information that may be used in the event of attacks on our information technology systems.
We collect this information for breach investigation purposes. When using this information, we do not draw any conclusions about the User. Rather, this information is needed to (1) deliver the content of our Platform correctly, (2) optimize the content of our Platform as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, (4) analyse your use of the Platform, and (5) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. The anonymous data of the server log files are stored separately from all personal data provided by a User.
Aggregate and de-identified data. In case your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you, we will handle such aggregated data as personal data. If your personal data is aggregated or de-identified in a way that it can no longer be associated with an identified or identifiable natural person, it will not be considered personal data and we may use it for any business purpose.
Disclosure of non-personal data. Your non-personal data may be disclosed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the Services, responding to lawful requests from public authorities or developing new products and services.

STORAGE AND TRANSFER OF PERSONAL DATA
Your personal data will be stored on secure servers controlled and maintained in accordance with sufficient privacy safeguards. We may store or transfer information on Users, including personal data, to processors located outside of the European Union, provided that such processors implement appropriate and suitable safeguards regarding the security of personal data that are consistent with this Privacy Policy and the applicable data protection laws. For example, we will make sure that the jurisdiction in which the recipient third party is located guarantees an adequate level of protection for your personal data or we conclude an agreement with the respective third party that ensures such protection (e.g., a data processing agreement based on pre-approved standard contractual clauses). The disclosure of your personal data is limited to the situations when such data is required for the following purposes:

  • Ensuring the proper operation of the Platform;
  • Delivering the Services requested by you;
  • Providing you with the requested information;
  • Pursuing our legitimate business interests;
  • Enforcing our rights, preventing fraud, and security purposes;
  • Carrying out our contractual obligations;
  • Law enforcement purposes; or
  • If you provide your prior consent to such a disclosure.

Disclosure required by law. When we prepare and submit your tax returns, we share your personal data with the IRS and state tax offices as necessary for the performance of our contract with you (we will obtain your prior consent beforehand). In some instances, we may be obliged to comply with court orders and government requests and provide information or parts of it to authorized bodies.
Successors. In case the Platform is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with this Privacy Policy.
Payment processing. All payments related to the Services are processed by our third-party payment processor Stripe and local banks (collectively, the “Payment Processors”). The Payment Processors are solely responsible for handling your payments. Please note that the Payment Processors may collect from you some personal data, which will allow them to make the payments requested by you (e.g., your name, credit card details, or your bank account information). The Payment Processors handle all the steps in the payment process, including data collection and data processing. We have access to some of your payment data that is necessary to maintain our accountancy records. Please note that the Payment Processors take the security of your payment transactions very seriously and make sure that their infrastructure is safe and secure.

RETENTION PERIOD
We store your personal data in our systems only for as long as such personal data is required for the purposes described in this Privacy Policy or until you request us to delete your personal data, whichever comes first. After your personal data is no longer necessary for its purposes and there is no other legal basis for storing it, we will immediately securely delete your personal data from our systems. For example, if you use our Services, we will store your personal data for as long as you have an active service contract with us. After your service contract is terminated, we will immediately delete your personal data that does not have to be stored under the applicable laws.
Retention required by law. In instances when we are obliged by law to store your personal data for a certain period of time (e.g., for business records or accountancy purposes), we will store your personal data for the time period stipulated by the applicable law and delete the personal data as soon as the required retention period expires. The duration of storage is determined by the usual statute of limitations for the claims pertaining to the tax filings and returns. If you want us to delete your personal data prior to the expiry of the storage limitation, you will need to release us from any liability that may arise from our provision of the Services, in which case we will no longer have a legitimate interest in holding your personal data.
Retention of non-personal data. We will retain your non-personal data for as long as necessary for the purposes described in this Privacy Policy. This may include storing non-personal data for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.

USER’S RIGHTS
You have the right to manage your personal data processed by us. Subject to any exemptions provided by law, you have the right to:

  • Request access to any data held about you by ExpatTax in a commonly used and machine-readable format. Where we are required to provide a copy of personal data, this will be free of charge; however, any further copies requested may be subject to a reasonable fee based on administration costs;
  • Transmit your personal data to another data controller (free of charge), where such personal data is processed on the basis of consent or contractual performance, unless in doing so, it would adversely affect the rights or freedoms of other Users or others e.g. including trade secrets or intellectual property;
  • Prevent the processing of your personal data or withdraw your consent at any time in certain circumstances;
  • Ask to have inaccurate personal data amended;
  • Erase your personal data where data is no longer required for the original purpose or where you have withdrawn your consent and no other lawful processing grounds apply;
  • Object to the processing of your personal data in certain circumstances;
  • Be notified where your personal data is subject to automated decision making i.e. profiling, including the logic involved, as well as the significance and the envisaged consequence of such processing for you and object to such profiling in certain circumstances.

You may exercise these rights by contacting us through our contact form available at https://expattax.com/contact/. We will reply to your request without undue delay and no later than 2 weeks.
Where we stop processing personal data or delete User’s personal data, it will possibly mean that that particular User is unable to continue using or contributing to the provision of some of our Services, and they shall be notified accordingly.
Where a User requests to rectify or erase (except data required by any legal obligations) their personal data or restrict any processing of such personal data, we may be required to notify certain Third-Parties to whom such personal data has been disclosed of such request.
Launching a complaint. If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first and express your concerns. After you contact us, we will investigate your complaint and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your supervisory authority, without prejudice to any other administrative or judicial remedy, in particular in the EU member country of your habitual residence or place of the alleged infringement.

COOKIES
We use cookies on the Platform. In this section you can find general information about cookies, the list of cookies that we use, the purposes for which we use them, and instructions on how to disable cookies.
About cookies. A cookie is a small piece of data typically consisting of letters and numbers. When you visit a website, the website may send a cookie to your browser. Subsequently, the browser may store the cookie on your computer or mobile device for a certain period of time. Cookies are designed to allow the recognition of your device and collection of certain information about your use of a website. Thus, over time, cookies allow websites to “remember” your actions and preferences. There are several types of cookies, namely, (i) persistent cookies, which remain valid until deleted by you, (ii) cookies that remain valid until their expiration date, and (iii) session cookies that are stored on a web browser and remain valid until the moment the browser is closed. Cookies may also be (i) first-party cookies (set by the website itself) and (ii) third-party cookies (placed by third-party websites). Depending on their purpose, cookies can be:

  • Technical (strictly necessary) cookies that are essential to ensure the correct functioning of a website, and to provide the services requested by you;
  • Preference cookies that record information about the choices that you make on a website;
  • Marketing cookies that help to reach the right customers, analyse the productivity of marketing campaigns, and offer you personalised advertisement; and
  • Statistics cookies that help to generate statistical reports about how you use websites.

Cookie consent. When you visit the Platform for the first time, we may ask you to provide us with your consent to our use of cookies via a cookie consent banner (e.g., if you are based in the EU). If you do not provide your consent, we will not serve you our marketing cookies. Please note that we may not be able to provide you with the best possible user experience if not all cookies are enabled.
Disabling cookies. When we ask you to provide your consent to our use of non-essential cookies, you have the freedom not to provide such consent. If you would like to refuse our use of non-essential cookies, you can do it at any time by declining cookies in your browser or device. For more information, you can consult the cookie management instructions of your browser:

Google Analytics. To analyse your use of the Platform, we use Google Analytics, the business analytics service provided by Google LLC located in the United States (“Google”). Google generates statistical information by means of cookies and creates reports about your use of the Platform. The cookies served by Google Analytics are anonymous first-party cookies that do not allow us to identify you in any manner. The information generated by cookies will be transmitted to and stored by Google on servers in the United States. To ensure your privacy, your IP address will be anonymised and Google will not combine your IP address with other information Google holds about you. Thus, Google will not be able to identify you. In certain cases (e.g., when required by law or when third parties conduct services on behalf of Google), Google may transfer the information to third parties. For more information about Google Analytics’ privacy practices, please visit https://support.google.com/analytics/answer/6004245. If you would like to opt out from Google Analytics, you can do so by installing a Google Analytics opt-out browser add-on available at https://tools.google.com/dlpage/gaoptout?hl=en.
Google reCAPTCHA. We have implemented reCAPTCHA on the Platform, the service provided by Google, to verify whether you are a human being and not a robot. It helps to protect the Platform against spam and abuse. The reCAPTCHA analysis takes place in the background. When you use reCAPTCHA, Google will collect some personal and non-personal data from you, such as: (1) all cookies set to your browser by Google in the last 6 months; (2) information about your mouse clicks; (3) CSS information; (4) date; (5) browser language; (6) any plug-in installed in the browser; and (7) JavaScript objects. Such data is sent to Google located in the United States. We have a legitimate interest in protecting the Platform from abusive automated crawling and spam. For more information about Google reCAPTCHA and Google’s privacy policy, please visit the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/v3.html.

GENERAL PROVISIONS
Refusal to provide personal data. Some Services will not be available to you if you do not provide requested personal data, for example, if you do not provide your name and email, we cannot send you a quote. Different Services may require additional information which will be requested at the time of requesting the specific Service.
Your feedback. We may keep records of any questions, complaints or compliments made by you and the response if any are made. Whenever you contact us, we shall collect any information which you choose to provide. We shall store and use this information only for the purpose of responding to your inquiries. Information contained within the inquiry, free from any personal data, will be stored on our servers for the purpose of improving our Services and providing the best customer support possible.
Selling personal data. We do not sell or rent personal data to any third-party.

TERM AND CHANGES TO THE PRIVACY POLICY
This Privacy Policy enters into force on the effective date indicated at the top of the Privacy Policy and remains valid until terminated or updated by us.
We reserve the right to change our Privacy Policy at any time. The current version of the Privacy Policy is available on the Platform. You are encouraged to periodically check our Privacy Policy. For significant material changes in the Privacy Policy or, where required by the applicable law, we may seek your consent.

CONTACT
Any enquiries about the Privacy Policy and our data protection practices should be addressed to us by using the following contact details:

Contact form: https://expattax.com/contact/

Postal address for communication: Capital Tax Limited, Suite 1001 10/F Miramar Tower, 132 Nathan Road, Tsim Sha Tsui, Hong Kong
