PRIVACY POLICY
2 Feb 2026
Bright Moon Global Capital Limited (the “Company”, “we”, “us” or “our”)
1. INTRODUCTION
- Bright Moon Global Capital Limited is committed to protecting the privacy, confidentiality, and security of personal data entrusted to us.
- This Privacy Policy explains how we collect, use, store, transfer, and protect personal data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486, Laws of Hong Kong) (the “PDPO”) and its Data Protection Principles (DPP1–DPP6).
- This Policy applies to personal data relating to individuals who interact with us, including our clients, prospective clients, users of our websites/apps, counterparties, suppliers, representatives, beneficial owners and controllers (where applicable), and any other individuals whose personal data we handle in the course of our business operations.
2. WHAT IS PERSONAL DATA?
- “Personal Data” has the meaning given under the PDPO and refers to any data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained.
- Personal data does not include data that has been anonymised so that no individual can be identified.
3. TYPES OF PERSONAL DATA WE COLLECT
Depending on the nature of our relationship and dealings with you, we may collect and hold the following categories of personal data:
3.1 Identification and Contact Data
- Full name, date of birth, nationality
- Identification document details (e.g., passport / HKID) (where required)
- Proof of address and contact details (email, phone number, mailing address)
3.2 Account / Service Usage Data (Apps / Websites / Systems)
- Account identifiers, login and authentication data
- Device information (device type, operating system, browser type)
- IP address, access time, pages/screens visited, clickstream or interaction logs
- App events, crash logs, performance and diagnostic data (where applicable)
3.3 Transaction, Payment, and Commercial Data (If Applicable)
- Bank account or payment instrument details (typically via payment processors, where applicable)
- Transaction references, settlement-related information, invoices and billing data
- Service subscription records and service history
3.4 Corporate, Representative and Due Diligence Data (If Applicable)
Where we are required to conduct onboarding, contractual due diligence, or compliance checks (e.g., bank onboarding, TCSP-related engagements, regulated counterparties), we may collect:
- Employer or company affiliation, title/role, authorisation evidence
- Beneficial ownership / control information (e.g., directors, shareholders) (as applicable)
- Risk assessments, screening outcomes (sanctions/PEP/adverse media) (as applicable)
4. SPECIAL CATEGORIES OF DATA
- The PDPO does not separately define “sensitive personal data”. However, certain types of personal data, by their nature or the context in which they are processed, may require a higher level of care and protection.
- Such data may include, where relevant, information relating to criminal records, regulatory or compliance matters, or other information collected in connection with risk management and integrity checks.
- We will only collect and process such personal data where it is appropriate and lawful to do so, including where:
  - such collection or processing is required or permitted under applicable laws, regulations, or regulatory guidance;
  - it is reasonably necessary for the purposes of risk management, fraud prevention, security, or compliance; and/or
  - the data has been provided to us voluntarily and in a lawful manner in the course of our interactions with you or persons authorised to act on your behalf.
- Where such data is collected, we will apply appropriate technical and organisational safeguards commensurate with the nature of the data and the purposes for which it is processed.
5. HOW WE COLLECT PERSONAL DATA
We may collect personal data through the following channels.
5.1 Directly From You
- We may collect personal data directly from you when you:
  - register for, access, or use our apps, websites, platforms, or services;
  - submit enquiries, applications, documents, forms, or supporting materials;
  - enter into agreements with us or otherwise engage us for services;
  - communicate with us through email, telephone, messaging platforms, video conferences, in-person meetings, or other means; or
  - voluntarily provide information to us in the course of business, contractual, or compliance-related interactions.
- The personal data collected will be limited to what is reasonably necessary for the relevant purposes and handled in accordance with this Privacy Policy.
5.2 From Your Devices and Online Interactions
- When you access or use our apps or websites, we may automatically collect certain technical, usage, and interaction data, including through cookies or similar technologies, for the purposes of system security, functionality, analytics, and service improvement.
- Such data may include, where applicable:
  - IP address and general location information;
  - device type, operating system, browser type, and language settings;
  - access times, pages or screens viewed, features used, and interaction logs;
  - diagnostic, performance, and error data.
- This information is generally collected in an aggregated or pseudonymised form and is not used to identify you personally unless required for security, troubleshooting, or compliance purposes.
- You may configure your browser or device settings to manage or disable cookies and similar technologies. Please note that disabling cookies may affect the availability or functionality of certain features of our apps or websites.
5.3 From Third Parties (Where Permitted by Law)
- Where permitted or required by applicable laws and regulatory requirements, we may obtain personal data about you from third parties, including but not limited to:
  - service providers and technology vendors, such as cloud hosting providers, data storage providers, analytics providers, cybersecurity vendors, and customer support systems;
  - professional advisers, including legal advisers, auditors, accountants, and compliance consultants;
  - counterparties, financial institutions, and business partners, in connection with onboarding, contractual arrangements, operational processes, or risk management;
  - publicly available sources, registries, databases, and official records;
  - screening and due diligence providers, including providers of sanctions, politically exposed persons (PEP), adverse media, and fraud prevention databases; and
  - governmental, regulatory, or law enforcement authorities, where disclosure or collection is required or permitted by law.
- Personal data obtained from third parties will be handled in accordance with this Privacy Policy and applicable legal and regulatory requirements.
5.4 Personal Data About Other Individuals
- Where you provide us with personal data relating to another individual (including, without limitation, directors, shareholders, beneficial owners, authorised representatives, employees, or related persons), you represent and warrant that:
  - you are authorised to disclose such personal data to us;
  - the relevant individual has been informed of this Privacy Policy or has otherwise been notified in accordance with applicable laws; and
  - the personal data is accurate, complete, and lawfully provided.
- We may collect, use, disclose, and process such personal data for the purposes set out in this Privacy Policy without taking further steps to notify the relevant individual, to the extent permitted by law.
5.5 Anonymity and Pseudonymity
- Where practicable and lawful, you may interact with us anonymously or by using a pseudonym, particularly in connection with general enquiries.
- However, anonymity or pseudonymity may not be possible where:
  - we are required to verify identity to comply with legal, regulatory, or contractual obligations (including anti-money laundering, counter-terrorist financing, sanctions, or fraud prevention requirements);
  - identity verification is necessary to provide services, manage accounts, or ensure system security; or
  - it is otherwise impracticable for us to deal with you without identification.
- In such cases, we will inform you of the requirement to provide identifying information.
6. PURPOSES OF USE
We may use personal data for the following purposes:
- Provision and administration of services: account creation, user support, service delivery, system operations.
- Security and fraud prevention: identity verification (where applicable), authentication, detecting suspicious activities, protecting systems and users.
- Compliance and risk management: meeting legal and regulatory obligations, responding to lawful requests, conducting audits and investigations.
- Service improvement: analytics, troubleshooting, quality assurance, product development and testing.
- Communications: responding to enquiries, notifications about service changes, contractual communications.
- Legal and contractual: enforcing agreements, managing disputes, and handling legal proceedings.
- Business operations: internal reporting, governance, and corporate transactions (e.g., restructuring) subject to applicable safeguards.
7. DIRECT MARKETING
- Where permitted by applicable laws and regulations, we may use your personal data to send you communications relating to our products, services, updates, or events that may be of interest to you.
- Such communications may be made through various channels, including email, telephone, messaging platforms, or other electronic or physical means, in accordance with applicable legal requirements.
- You have the right at any time to opt out of receiving direct marketing communications from us, free of charge, by:
  - using the unsubscribe function provided in the relevant communication (where available); or
  - contacting us using the contact details set out in Section 11.
- Upon receipt of an opt-out request, we will cease using your personal data for direct marketing purposes within a reasonable time and in accordance with applicable legal requirements.
- We do not sell, rent, or otherwise provide personal data to third parties for their own direct marketing purposes.
8. DISCLOSURE TO THIRD PARTIES
- We may disclose personal data on a need-to-know basis, where permitted or required by law, to:
  - Service providers: IT, cloud hosting, analytics, customer support, security vendors, data storage, professional advisers.
  - Banks / financial institutions / counterparties: for onboarding, settlement, operational requirements, or due diligence (where applicable).
  - Regulators / law enforcement / courts: where required by law or to respond to lawful requests.
  - Affiliates: entities within our corporate group (if applicable), for legitimate business purposes, with appropriate safeguards.
  - Assignees / successors: in connection with corporate transactions (e.g., merger, acquisition, reorganisation), subject to confidentiality and PDPO-compliant protections.
- We take reasonable steps to ensure that third parties handle personal data with appropriate safeguards, including confidentiality and security obligations.
9. TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG
- We may store or process personal data in jurisdictions outside Hong Kong (for example, where our cloud service providers or support teams operate).
- Where personal data is transferred outside Hong Kong, we will take reasonable steps to ensure a level of protection comparable to that required under the PDPO, including through contractual, technical, and organisational safeguards, unless such transfer is otherwise permitted or required by law.
10. DATA SECURITY AND RETENTION
10.1 Security Measures
We maintain reasonable technical and organisational measures to protect personal data, including:
- access controls and role-based permissions;
- encryption in transit and/or at rest (where appropriate);
- logging and monitoring of system access;
- secure development and change management practices (where applicable).
10.2 Retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, including to meet legal, regulatory, accounting, and operational requirements, and thereafter securely delete or anonymise it.
11. ACCESS AND CORRECTION
- You may request access to or correction of your personal data held by us in accordance with the PDPO.
- We may require verification of identity and sufficient information to locate the relevant data. We will respond within a reasonable time and in accordance with applicable legal requirements.
12. COMPLAINTS
If you have a complaint about our handling of personal data, please contact us. We will investigate and endeavour to resolve your complaint promptly and fairly.
13. CONTACT DETAILS
Bright Moon Global Capital Limited
Address: Unit 6806B-07, Level 68, International Commerce Center, 1 Austin Road West, Kowloon, Hong Kong
Email: cs@brightmoontech.com
14. CHANGES TO THIS PRIVACY POLICY
We may update this Policy from time to time. The latest version will be published on our website/app. Continued use of our services after an update constitutes acknowledgement of the updated Policy.
