Last Updated: 28th Of December, 2025
1. Introduction
Khap Limited (“we” or “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit chuzhao.co or purchase our products/services. It also explains your rights under various privacy laws. Khap Limited (Room 1502, 15/F, Nathan Centre, 580 Nathan Road, Mong Kok, HK) is the “data controller” for purposes of EU and UK data protection law, and the business (covered entity) for U.S. privacy law purposes. By using our website, you consent to the practices described in this Policy. If you do not agree with this Policy, please do not use our services. We mayupdate this Policy occasionally (see section 9 on changes).
2. Personal Data We Collect
We collect information that identifies, relates to, or could reasonably be linked with you (“Personal Data”). We collectthis information in several ways:
• Information You Provide Directly: When you place an order or register an account, you provide information such as your name, billing and shipping address, email address, phone number (optional), payment details(payment card number, which is processed by our payment processor – we do not store full card numbers), and any preferences or special requests. If you contact us (e.g., via email), we will collect the information contained in your correspondence. If you subscribe to our services, we may collect additional information suchas your account login credentials and any profile information you choose to provide.
• Information Collected Automatically: When you browse our site, we use essential cookies and similartechnologies to automatically collect certain data about your device and usage of our site. This may include your IP address, browser type, operating system, referring URLs, pages viewed, and dates/times of access. Wedo not use any analytics or advertising third-party trackers on our site at this time (no Google Analytics, no Facebook Pixel, etc.), so automatic data collection is limited to what is necessary for the website to function(e.g., session ID cookies to remember your cart). For instance, when you add an item to your cart, a cookie isstored to keep track of cart contents. These functional cookies do not require consent under EU law, as theyare necessary for providing the service you requested (e.g., adding items to cart). We do not profile you or track you across other sites.
• Information from Third Parties: If you use a third-party login (if we enable “Login with Google” or similar in future) or if you engage with us on social media, those services might send us certain information about you(according to their privacy settings and policies). For example, if you click an Instagram or Facebook ad for our product, those platforms may inform us of aggregate data like how many people clicked (but not personal identities unless you’ve given permission). Currently, we do not actively obtain personal data from third-party marketers or data brokers.
We do not intentionally collect sensitive personal data (such as race, ethnic origin, health information, or biometrics) or data about children. Our website and services are not directed to children under 13, and we do not knowingly collectpersonal information from children under 13 (or under 16 in the EU without parental consent). If you believe a childhas provided us with personal data, please contact us so we can delete it.
3. How We Use Your Personal Data
We use the collected personal data for the following purposes:
• To Fulfill Orders and Provide Services: We process your name, address, payment info, etc., to processtransactions, ship your orders, provide the subscription services you signed up for, and to communicate with you about your orders (e.g., order confirmations, shipping notifications). This is primarily to perform ourcontract with you or to take steps at your request before entering a contract (Article 6(1)(b) GDPR).
• Customer Service: If you contact us with a question, feedback, or need support, we will use your contact information and any information you give us to respond and resolve issues. We may also use your email to send important service or account-related announcements (for example, if there’s a recall or a major update about a product you purchased, or changes to our terms). Service communications of this nature are considerednecessary for the use of our service.
• Marketing Communications (Opt-in): With your consent, we may use your email address to send you ournewsletter, promotions, or updates about new products or services. We will only send you marketing emails ifyou have affirmatively subscribed (opted in) to such communications. You can unsubscribe at any time by clicking the “unsubscribe” link in any marketing email or by contacting us. We do not spam and we do not sell your information to third-party advertisers . Our marketing practices comply with laws like CAN-SPAM (in the U.S.) and, where applicable, GDPR/UK GDPR consent requirements for electronic marketing.
• Subscriptions & Account Management: If you have a subscription, we use your data to manage recurringbilling, to notify you of upcoming renewals, and to authenticate you when you log in to manage your account.
• Improving Our Services: We may use usage data (mostly aggregated or anonymized) to analyze how our site isused, in order to improve the user experience, fix technical issues, and tailor our offerings. For example, wemight look at aggregated data to see which product pages are most visited or identify confusion in the checkout process. When feasible, we use non-identifiable data for analytics. If we ever introduce more analytictools, we will update this policy and, if required, obtain consent.
• Legal Compliance and Protection: We may process personal data as necessary to comply with our legalobligations (e.g., record-keeping for tax, customs, or accounting purposes; responding to lawful requests by public authorities) . We also may process data to protect our rights, privacy, safety, or property, and/or that of you or others – for example, to detect and prevent fraud, security or technical issues, or if necessary to establish or defend legal claims.
Legal Bases for Processing (EU/UK visitors): We only process your personal data when we have a legal basis to do so under GDPR/UK GDPR. The bases we rely on are:
• Performance of a Contract: for data used to fulfill orders, process payments, and provide you with products/services you requested.
• Consent: for marketing emails or certain cookies (where applicable) – we will ask for your consent beforeprocessing your data for these purposes.
• Legitimate Interests: for uses necessary for our legitimate interests (or those of a third party) provided thoseinterests are not overridden by your data protection rights. For instance, our legitimate interests include improving our site’s functionality, preventing fraud, securing our IT systems, and understanding our customer base. If we rely on legitimate interest, we will ensure our interest is balanced against your privacy.
• Legal Obligation: when processing is required to comply with a law, such as retaining transaction records for tax audits or providing information to law enforcement if properly requested.
4. Cookies and Similar Technologies
Cookies: Cookies are small text files placed on your device when you visit a website. We use a minimal number of cookies on chuzhao.co. These include:
• Essential Cookies: These are necessary for core functionality, such as keeping items in your shopping cart, maintaining your session login, or remembering your cookie preferences. Without these, the site may notfunction correctly. They do not require consent.
• No Third-Party/Tracking Cookies: We do not currently use analytics cookies (like Google Analytics), advertising cookies, or social media cookies that track your behavior across other sites. This means we do not engage in behavioral advertising or cross-site tracking. If in the future we decide to use any non-essential cookies or similar tracking technologies, we will update this policy and implement a cookie consent banner in compliance with EU ePrivacy Directive/UK PECR and related guidelines .
Do-Not-Track Signals: Our site currently does not respond to “Do Not Track” browser signals, because we do notengage in tracking beyond the site. If industry standards on DNT evolve, we will re-evaluate our approach.
For completeness, if you navigate to external links (such as our Instagram or YouTube pages), those third-party sitesmight set their own cookies. Our Privacy Policy does not cover external sites – please refer to those sites’ policies.
Future Use of Cookies: If we introduce any analytics, advertising, or other non-essential cookies in the future, we willimplement a legally compliant cookie consent mechanism for EU/UK visitors before such cookies are activated. Customers will always have the option to refuse non-essential cookies.
5. How We Share Your Personal Data
We value your privacy. We do not sell your personal information to third parties (no selling of data for monetary gain or sharing for cross-context behavioral advertising, as defined under CCPA) . However, we do share certain data with thirdparties in the following contexts, as necessary to run our business or comply with law:
• Service Providers: We use trusted third-party companies to perform functions on our behalf. For example:
o Payment Processors: to securely handle credit card transactions (e.g., Stripe, PayPal). Your payment info is transmitted directly to them; we receive confirmation of payment and limited info (like last 4 digits of card, card type). These processors are PCI-DSS compliant and are contractually prohibitedfrom using your data for anything other than processing our transactions.
o Shipping Partners: to deliver your orders, we share your name and shipping address (and phone or email as needed for delivery updates) with postal services or courier companies (e.g., Hongkong Post, DHL, FedEx or local delivery partners). They use this data only for shipping and delivery communications.
o Cloud Storage and IT Providers: Our website and data may be hosted on third-party servers (for instance, our e-commerce platform or web host). These providers store data on our behalf (such asaccount info and order history) and are bound by confidentiality and security obligations.
o Email Service: We may use an email service (like an SMTP relay or marketing email platform) to sendcommunications. If you subscribed to our newsletter, your name and email might be stored in thatplatform to facilitate mailings. We ensure any such platform complies with applicable privacy laws(for example, some providers offer EU-hosted data storage).
All our service providers are chosen for their strong data protection practices. We have data processing agreements asneeded (especially for EU personal data) to ensure they protect your information according to our standards and applicable law.
• Affiliates and Corporate Transactions: If Khap Limited ever is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to anotherprovider, your information may be transferred as part of that transaction. We would ensure the new holder of your personal data continues to be bound by terms that are at least as protective as those in this Policy, and wewould notify you of the change either via the website or email.
• Legal Compliance and Protection: We may disclose personal data to courts, law enforcement, regulatoryauthorities, or other competent bodies when we believe disclosure is necessary to comply with a legalobligation or request (such as a court order or subpoena) , or to protect our rights or the rights of others. Examples include fraud prevention or investigating any potential violation of law or our Terms. We willcarefully review each request to ensure it has valid legal basis before disclosing information.
• With Your Consent: In cases where you have provided consent for us to share your info, we will do so in accordance with that consent. For instance, if we were to run a co-branded promotion and you consent to share your details with the third party running the promotion, we would share as consented. (This is merely an example; we currently have no such program).
We do not share your information with third parties for their own direct marketing purposes unless you have givenpermission.
6. International Data Transfers
We are a Hong Kong-based company. The personal data we collect from you will be stored and processed primarily in Hong Kong and possibly on servers located in other countries (for example, if our web hosting or email servers are located in the United States or the EU). If you are located in the European Economic Area (EEA), United Kingdom, or another region with data protection laws, please note that your personal data may be transferred to jurisdictions (like Hong Kong or the United States) that may not have the same level of data protection as your home country.
When we transfer personal data out of the EEA/UK, we will take steps to ensure appropriate safeguards are in place to protect your information in accordance with GDPR Chapter V requirements. These may include:
• Adequacy Decisions: Hong Kong is not currently subject to an EU adequacy decision, so we rely on othermechanisms as described below. (We note Hong Kong’s Personal Data (Privacy) Ordinance offers protection, but it is not recognized as adequate by the EU at this time.)
• Standard Contractual Clauses: We have standard data protection clauses (Standard Contractual Clauses, SCCs) in place with our service providers as required, obligating them to protect EU personal data in line with EU standards.
• Your Consent or Other Derogations: In certain cases, we may rely on your explicit consent for cross-bordertransfer (for instance, if you initiate a transaction that inherently requires your data be sent to a non-EU country), or another permitted derogation under Article 49 GDPR (such as transfer necessary for the performance of a contract with you, e.g., an international shipping label).
You can contact us for more information on the safeguards we implement for international transfers.
7. Data Retention
We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longerretention period is required or permitted by law. In general:
• Order and Transaction Data: We keep records of purchases, correspondence, and basic account information for at least the minimum period required by applicable law. For example, in Hong Kong and many jurisdictions, financial records must be kept for 7 years for tax and accounting purposes. Similarly, if you make a purchase, we retain details of that transaction to provide customer service and honor warranties/returns.
• Account Information: If you create an account, we retain your account data until you request deletion or after a period of inactivity. If you request account deletion, we will delete your personal information associated with the account (except data we are required to keep for legal reasons, which we will retain securely and limitaccess to).
• Subscriptions: If you have a subscription and cancel it, we will still retain the records of your subscription and payments for a period as needed for legal/accounting purposes.
• Marketing: If you have consented to receive marketing emails, we retain your contact info for that purpose untilyou unsubscribe or withdraw consent. Upon unsubscribe, we may keep your email on a suppression list to ensure we honor your opt-out going forward.
• Web Logs: Our server logs and security logs (which may include IP addresses) are generally retained for a short period (e.g. 90 days) unless reviewed for a specific investigation into suspicious activity, in which case relevant data might be kept until the issue is resolved.
When we no longer have a legitimate need to process your personal data, we will securely delete or anonymize it. Ifdeletion or anonymization is not possible (for example, because your personal data is stored in backups), then we willsecurely store it and isolate it from further processing until deletion is possible.
8. Your Rights and Choices
You may lodge a complaint with your local Data Protection Authority (“DPA”), such as the CNIL (France), Garante (Italy), ICO (UK), or the supervisory authority of the EU Member State where you reside.
Depending on your jurisdiction, you have certain legal rights with respect to your personal data. We are committed to honoring these rights. These may include:
For EU/EEA and UK Individuals (GDPR/DPA 2018):
• Right to Access: You have the right to request a copy of personal data we hold about you, and information abouthow we process it .
• Right to Rectification: You can ask us to correct inaccuracies in your personal data or complete data that isincomplete. You can also update some of your information by logging into your account, if you have one.
• Right to Erasure: You can request that we delete your personal data under certain circumstances (for example, ifit’s no longer necessary for us to retain it, or if you withdraw consent and no other legal basis applies). We willhonor valid requests to the extent required by law. Note that certain data cannot be deleted if we have a legalobligation to keep it (e.g. transaction history for financial reporting) or other overriding legitimate interest.
• Right to Restrict Processing: You have the right to ask us to suspend the processing of some of your data (e.g., if you contest the accuracy of the data or have objected to processing pending verification).
• Right to Data Portability: Where processing is based on your consent or a contract with you and carried out by automated means, you have the right to request a common electronic format of the data you provided to us, so you can transfer it to another provider if desired.
• Right to Object: You may object to our processing of your personal data where we rely on legitimate interests asour legal basis, and your situation has particular grounds that you believe override our interests. You also havean unconditional right to object to our processing of your personal data for direct marketing purposes – if youobject, we will stop processing for marketing.
• Right not to be subject to Automated Decisions: We do not engage in automated decision-making (includingprofiling) that produces legal or similarly significant effects on you. If we ever do, you would have the right to human intervention and to contest the decision.
To exercise your EU/UK data rights, please contact us at contact@chuzhao.co with your request. We may need to verify your identity to ensure we do not disclose or delete data improperly. We will respond within one month (or up to three months for complex requests, in which case we will inform you of the need for extension). There is no fee for making a request, except in cases of excessive or unfounded requests where we are permitted by law to charge a reasonable fee or refuse.
You also have the right to lodge a complaint with a supervisory authority: If you are in the EU/EEA, you can contact your country’s Data Protection Authority; if in the UK, the Information Commissioner’s Office (ICO). We encourageyou to contact us first so we can try to resolve your concerns directly.
For California Residents (CCPA/CPRA): If you are a California resident and the California Consumer Privacy Act (CCPA) applies to our processing of your data (note: CCPA generally applies to businesses with over $25 million in revenue or handling large volumes of Californians’ data; while Khap Limited may not meet those thresholds yet, westill aim to honor basic requests):
• Right to Know: You can request that we disclose what personal information we collect, use, disclose, and sell (we note that we do not sell personal info). You may request the specific pieces of information or the categories of information.
• Right to Delete: You can request deletion of personal information we have collected from you, subject to certainexceptions (similar to the erasure right above).
• Right to Opt-Out of Sale/Sharing: We do not sell personal information, and we do not share it for cross-contextbehavioral advertising. Therefore, there is no need to opt out on our site (as we don’t have such data flows). Ifthat changes, we will implement a “Do Not Sell or Share My Personal Information” link.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights (meaningwe won’t deny service, change pricing, or degrade service quality just because you made a data request).
To submit a California privacy request, you (or an authorized agent) may contact us at contact@chuzhao.co with “CCPA Request” in the subject. We will need to verify your California residency and identity (which may involve providing additional data or signing a declaration). We aim to respond within the statutory 45 days, or inform you of an extension if needed.
For Other Regions: If you reside in a jurisdiction with specific privacy rights not listed above (e.g., Canada, Australia, Brazil’s LGPD, etc.), please know that we respect all users’ privacy and will endeavor to fulfill requests to access, correct, or delete personal data as applicable. Contact us and we will inform you of what we can do under applicablelaw.
Email Preferences: As noted, you can always unsubscribe from marketing emails via the link in the email. Transactional/service emails (like order confirmations, password resets) are necessary and you cannot opt out of those ifyou use our services, except by not using the service.
9. Data Security
We implement appropriate technical and organizational security measures to protect your personal data againstunauthorized access, loss, alteration, or destruction. These measures include encryption of sensitive information (suchas using HTTPS/TLS for all data transfer on our site), firewalls, access controls restricting personal data to trained staff who need it for their job, and regular security assessments of our systems. Payment information is handled by PCI-compliant processors. We also maintain procedures to handle any suspected data breach, including notifying you and authorities when required by law.
Please note that, despite our efforts, no internet or email transmission is ever fully secure or error free. You are alsoresponsible for maintaining the confidentiality of your account password and for any access to or use of the site via your credentials. Notify us immediately if you believe your account has been compromised. We will never ask you for your password via email.
10. Third-Party Links
Our website might contain links to external websites or services that are not operated by us (for example, links to ourofficial pages on Instagram, or references to third-party reviews or resources). This Privacy Policy only applies to ourwebsite and services. Once you leave our site or interact with a third-party integration, that third party’s privacy policy will apply. We are not responsible for the content or privacy practices of third-party sites. We encourage you to review the privacy policies of any external sites you visit.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for otheroperational reasons. The “Last Updated” date at the top of this Policy indicates when it was last revised. If we make material changes (for example, if we start collecting additional personal data or using data in a new way that you mightnot expect), we will provide a more prominent notice of the change, such as by posting an alert on our homepage or emailing users who are affected, where required by law. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.
By continuing to use our website or services after any updates become effective, you acknowledge the revised Policy. Ifyou do not agree to the changes, you should stop using the site and can request us to delete your personal data ifapplicable.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
• Email: privacy@chuzhao.co (or use contact@chuzhao.co if you prefer; please indicate it’s a privacy-relatedinquiry).
• Postal Mail: Data Protection Officer (or Privacy Team), Khap Limited, Room 1502, 15/F, Nathan Centre, 580 Nathan Road, Mong Kok, Kowloon, Hong Kong.
We will do our best to address and resolve your inquiries. If you feel we have not adequately addressed your concerns, you also have the right to seek further recourse with the appropriate data protection authority or regulator in yourjurisdiction.
