Privacy Policy

Effective Date: 20 January 2026

1. Introduction & Scope

This Privacy Policy explains how Hoaah Ventures Limited (“Hoaah”, “we”, “our”, or “us”) collects, uses, stores, and protects personal data when you access or use Cobolt Hub, including the website, applications, and related services (collectively, the “Services”).

We apply Hong Kong Special Administrative Region’s (HKSAR) Personal Data (Privacy) Ordinance (PDPO) as a baseline and reflect widely recognized data‑protection principles suitable for a global user base. Depending on where you access the Services, additional rights or requirements under local laws may apply.

This Privacy Policy applies to registered account holders (“Users”), non‑logged‑in individuals (“Visitors”), and individuals acting on behalf of a company or organization (such as authorized representatives or administrators).

The minimum age to use the Services is 18, or older where required by applicable law.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to the data handling practices described below.

Controller Identification. For the purposes of applicable data protection laws, Hoaah Ventures Limited is the controller of personal data processed in connection with Cobolt Hub. If we appoint a different controller for certain regions or services, we will identify that controller in a regional notice.

Regional Notices. Where required by law, we provide jurisdiction‑specific information (e.g., for the European Economic Area/United Kingdom or California). If applicable to you, such notices will be made available and form part of this Privacy Policy.

2. Information We Collect

We collect personal data that you provide directly, data generated through your use of the Services, and information captured via cookies or similar technologies. Collection is limited to what is reasonably necessary to operate, secure, and improve the Services.

2.1 Information You Provide

This includes personal data you choose to submit when creating an account, using features, or communicating with us. Users may provide:

• account and authentication information (such as name, work email address, and credentials)
• company‑related information submitted or managed on behalf of an organization, including personal data of authorized representatives
• messages, project inputs, and other content exchanged through the Services
• preferences and settings, including visibility, notification, and communication choices
• information provided in support or privacy inquiries

Users are responsible for ensuring they do not submit sensitive personal data unless necessary for legitimate business purposes.

2.2 Information Generated Through Use

Certain information is generated automatically as part of using the Services and helps us maintain functionality, reliability, and security. This may include:

• usage and interaction data, such as features accessed, actions taken, and timestamps
• device and technical information, such as browser type, operating system, and application context
• security and reliability data, including authentication activity, access attempts, error logs, and performance measurements

2.3 Cookies, Analytics and Similar Technologies

The Services use cookies and similar technologies to support core functionality and understand usage patterns. These technologies include:

• strictly necessary cookies required for authentication, session management, and security
• analytics and performance cookies used to understand service usage and improve functionality

Where required by law, analytics cookies are used only with your consent, managed through the cookie banner and browser settings. We use Google Analytics for usage analysis. In our own visit and engagement logs, we do not store IP addresses and record visits as anonymous events. For more detail on the cookies and similar technologies used, and how to manage your preferences, we may provide a separate Cookie Policy. If available, it will be linked from the Services.

3. How We Use Personal Data

This section explains how personal data is used to operate the Services, support collaboration and communications, maintain security, improve features, and meet legal obligations.

3.1 Service Operation and Delivery

We use personal data to operate core features: accounts, authentication, company profiles, projects, connections, collaboration, and messaging between authorized representatives. Your privacy, visibility, and notification settings apply across these features.

Some features use automated processing to organize and rank results (e.g., company search), based on relevance and interaction signals. These processes improve usability and do not produce legal or similarly significant effects on individuals, nor are they used for automated decision‑making about individuals.

We also use personal data to provide customer support, respond to inquiries, and administer updates, maintenance, and improvements to the Services.

3.2 Communications

We use contact and account information to send:

• essential service communications, including account verification, password resets, security alerts, service‑related updates, onboarding/operational messages, and in‑app notifications.
• marketing or product communications, such as newsletters or product updates, sent only where permitted by law and based on user choice, with an unsubscribe mechanism included.
• optional periodic summaries, such as weekly summaries, which Users can turn off through their settings.

3.3 Security, Integrity, and Abuse Prevention

We process personal data to protect the Services and Users: monitor access, detect misuse, prevent unauthorized use, maintain reliability, and respond to incidents. Where appropriate, we enforce usage rules and protect the rights, safety, and integrity of the Services.

3.4 Analytics and Service Improvement

We use analytics to understand usage and improve performance. Analytics rely on aggregated or pseudonymized data and may process technical identifiers and usage events. For non‑logged‑in Visitors, we record anonymous events and do not store IP addresses.

3.5 Legal, Compliance and Business Administration

We process personal data to meet legal, regulatory, and administrative requirements; respond to lawful requests; and support audits, compliance, reporting, and risk management. We also protect the rights, safety, and security of Hoaah and Users in connection with disputes or claims.

4. Legal Basis for Processing

We process personal data under:

• Contract — to provide the Services and requested features.
• Legitimate interests — to secure, maintain, and improve the Services, balanced against individual rights.
• Consent — where required by law (e.g., marketing communications, analytics/performance cookies).
• Legal obligations — to comply with applicable laws and regulatory requirements.

Where you withdraw consent, processing already performed remains lawful, and certain processing may continue where required to operate the Services or by law.

5. User Controls and Preferences

The Services provide controls over how personal data is displayed, summarized, and communicated. Some processing continues where necessary to operate the Services, protect security and integrity, or meet legal requirements.

5.1 Account and Profile Controls

You can manage personal and company information to keep records accurate and ensure authorized access.

• Update personal and company information you have provided
• Manage authorized representatives within company profiles
• Request account deletion using the account deletion feature within the Services

Account deletion removes your account and data from active use, subject to limited retention for security, compliance, or operational continuity.

5.2 Activity Tracking and Feed Controls

The Services record engagement signals (e.g., visits, bookmarks, likes) for counters, summaries, dashboards, and notifications.

You can influence how activity is presented (e.g., contribute to aggregated summaries, receive optional activity‑based emails). Where feasible, outputs for company admins are aggregated at the company level and are not intended to identify individual Users to other companies.

Depending on role and settings, some activity‑related information (e.g., engagement signals or representative status) may be visible to other Users or companies where relevant to collaboration or messaging.

Some activity processing continues where necessary to operate the Services, ensure reliability, or prevent misuse. These controls affect presentation and communication, not core processing.

5.3 Visibility, Stealth, and Notification Settings

Companies and authorized representatives can configure how the organization appears to others and how interactions are reflected.

• Adjust visibility/stealth for search, profile views, and specific company interactions
• Configure notification preferences
• Use role‑based access for sensitive actions (e.g., messaging or updates restricted to designated contacts). Direct messaging is limited to relationships between authorized contacts.

These settings determine which company‑level details, interactions, or engagement indicators are visible to others.

Essential Services and security notifications remain enabled.

5.4 Cookie and Analytics Preferences

As described in Section Cookies, Analytics and Similar Technologies, the Services use strictly necessary cookies to operate core functions such as security, authentication, and session management. Analytics and performance cookies are used primarily on the public website and landing pages before login to understand general usage and improve performance.

Where required by law, analytics and performance cookies are used only with your consent and can be managed through the cookie banner presented on first access to the website or through your browser settings.

Users cannot disable strictly necessary cookies, as they are required to operate the Services. If you decline analytics cookies, measurement of website usage may be limited, but core functionality will not be affected.

5.5 Limits of Controls

User controls affect presentation, summarization, and non‑essential communications. They do not remove processing required to:

• operate and maintain the Services
• ensure security, reliability, and abuse prevention
• comply with legal and regulatory obligations; or
• protect the rights, safety, and interests of Hoaah, Users, and others

6. Data Storage and Security

We apply technical and organizational measures to protect personal data and the integrity of the Services. Security safeguards described in this section apply across our processing activities.

6.1 Hosting, Location, and Service Providers

The Services are hosted in AWS Singapore and use AWS Simple Email Service (SES) for email delivery. Trusted service providers process personal data only to operate, support, or improve the Services and are bound by contractual confidentiality and security obligations.

6.2 Protection of Data in Transit and at Rest

We use transport‑level encryption (HTTPS/TLS) for data in transit and storage‑level encryption provided by our hosting environment for data at rest. Certain features—such as direct messages exchanged between companies—may also use application‑level encryption (AES‑256‑GCM).

6.3 Access Control and Authorized Use

Access to operational systems and personal data is role‑based and limited to authorized personnel on a need‑to‑know basis. Platform access is authenticated using secure mechanisms. Features with elevated sensitivity (e.g., company administration and messaging) are restricted to designated representatives in line with their roles.

6.4 Security Monitoring and Incident Management

We monitor the Services to identify and address security risks, detect misuse, and maintain availability. If a data security incident occurs, we assess, contain, and remediate it. Where required by law, we notify affected Users and/or authorities and take steps to mitigate potential impacts.

6.5 Shared Security Responsibilities

Security is shared. You are responsible for safeguarding account credentials, using secure devices and passwords, and notifying us promptly of suspected unauthorized access or other security issues. As the Services evolve, we may adjust safeguards, processes, and providers. Material changes to security practices will be reflected in this Policy.

7. Data Retention and Deletion

We retain personal data only as long as needed to operate the Services, meet legal or regulatory requirements, and protect system integrity and security.

7.1 Retention Principles

Retention periods depend on data type, context, and legal requirements. We review data periodically and delete, anonymize, or aggregate it when no longer needed.

7.2 Account Data and User‑Provided Information

Account‑related data is retained while an account is active. When you delete your account, personal data is removed from active use, with limited retention to complete ongoing processes, maintain security and integrity, comply with obligations, or resolve disputes.

7.3 Messages, Collaboration Data, and Company‑Related Records

If the user deleting an account is the sole representative and the company is removed, associated company data is removed from active use. If multiple authorized members remain, company‑level data (e.g., messages, projects, records) stays accessible to those members.

7.4 Logs, Security Records, and Backups

Operational logs and audit trails may be retained longer under restricted access. Backups may temporarily retain copies of data after deletion and are overwritten in line with backup and recovery processes.

7.5 Aggregated and Anonymized Data

We may retain data in aggregated or anonymized form for reporting, analytics, and service improvement. Information in this form is no longer associated with identifiable individuals and may be retained for longer periods to support trend analysis and product development.

8. Third-Party Services and Data Sharing

We do not sell personal data. We share personal data only where it is necessary to operate the Services, comply with legal obligations, or protect the rights and safety of Hoaah, Users, and others.

8.1 Service Providers

We use trusted third‑party service providers to support the operation of the Services. These providers process personal data only on our behalf and only as needed to deliver specific services.

Examples include providers that support:

• cloud hosting and infrastructure
• email delivery and communications
• analytics and performance monitoring; and
• security, logging, and system reliability

Service providers are bound by confidentiality and security obligations and may not use personal data for their own purposes. A current list of key service providers (sub‑processors) may be available on request and is subject to change.

Some regulated organizations may need to archive business communications. Cobolt Hub may enable integrations or mechanisms to support compliant archival, subject to law and contractual arrangements.

8.2 Analytics and Performance Tools

We use third‑party analytics tools (e.g., Google Analytics) to understand usage and measure performance. These tools may process technical information and usage events. Where required by law, analytics tools are used only with consent, which you can manage via cookie preferences. Internally, we record visit and engagement events without storing IP addresses.

8.3 Legal and Regulatory Disclosures

In limited cases, we may disclose personal data to:

• comply with laws, regulations, court orders, or lawful requests,
• respond to regulatory or law‑enforcement inquiries,
• protect the rights, safety, and security of Hoaah, Users, companies, or the public, or
• enforce our Terms and resolve disputes.

Where permitted by law, we limit disclosures to what is relevant and necessary.

8.4 Affiliates and Related Entities

We may also share personal data with affiliated entities to support or improve the Services, subject to the safeguards described in this Privacy Policy.

9. International Data Transfers

Personal data may be processed in locations outside the HKSAR to operate and support the Services. Transfers are protected by the safeguards described in Data Storage and Security and by appropriate contractual, technical, and organizational measures.

10. Your Rights

You may request access to personal data we hold about you and ask us to correct inaccuracies.

In some jurisdictions (e.g., EEA/UK under GDPR), you may have additional rights, such as deletion, restriction, objection (including to direct marketing), and portability of certain data. Where we rely on consent (e.g., marketing, analytics/performance cookies), you may withdraw consent at any time via the controls provided. Withdrawal does not affect prior processing and may affect feature availability.

10.1 How to Exercise Your Rights

Submit requests or privacy inquiries using the contact methods in the Contact Information section. We may take reasonable steps to verify identity and, where relevant, authority to act on behalf of a company.

We aim to respond within 30 days, or the timeframe required by applicable law.

10.2 Limits and Exceptions

We may refuse, limit, or charge a reasonable fee for manifestly unfounded or excessive requests, or where a request would adversely affect others’ rights and freedoms, or conflict with legal or security requirements.

11. Children’s Data

Cobolt Hub is intended for professional use and is not directed at children. The Services are for individuals aged 18 and over. If we become aware that an account was created by someone under the minimum age, we will disable the account and remove associated personal data from active use, subject to limited retention required for legal, security, or operational reasons.

12. Public Beta Data Handling

12.1 Scope and Purpose

During public beta, we process personal data only as needed to operate, support, secure, and improve the Services. Features may evolve; behavior and outputs can change to support performance, reliability, and usability. We do not expand purposes beyond what is described in this Policy.

12.2 Data Signals and Feedback

We may rely on aggregated or pseudonymized signals (e.g., clicks, navigation paths, error events, performance metrics) to assess feature behavior and user experience. You may choose to provide feedback (e.g., issues, recommendations, survey responses). Sensitive personal data should not be submitted unless necessary for legitimate business purposes.

12.3 Changes to Features and Outputs

Feature configurations, data flows, or outputs may be modified or removed where technically necessary to support stability, reliability, or product improvement. If a change materially affects how personal data is handled, we will reflect it in this Policy or provide a feature‑specific notice.

12.4 Security and Incidents

We apply reasonable technical and organizational measures suitable for production use during public beta. If a data security incident occurs, we assess, contain, and remediate, and—where required by law—notify affected Users and/or authorities. We take steps to mitigate potential impacts and adjust safeguards where risks are identified.

12.5 Transition After Public Beta

When public beta ends, we may adjust data handling to reflect final production standards. If adjustments materially change how personal data is handled, we will communicate them through this Policy or a feature‑specific notice. If a feature is discontinued, related data may be deleted or de‑identified within a reasonable period, subject to limited retention required for legal, security, or operational reasons.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in the Services, legal or regulatory requirements, or our data‑handling practices. Updates take effect as of the stated effective date. Where a change materially affects how personal data is handled, we will take reasonable steps to inform Users through the Services or other appropriate means.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region (HKSAR).

We apply HKSAR’s Personal Data (Privacy) Ordinance (Cap. 486) as a baseline framework for data protection. Because Cobolt Hub is used by individuals and companies in multiple jurisdictions, additional rights or obligations may apply under other applicable data‑protection laws in the regions where the Services are used.

Where such laws apply to our processing activities, we will handle personal data in accordance with applicable legal requirements.

For provisions governing dispute resolution and jurisdiction, please refer to Terms and Conditions.

15. Contact Information

15.1 Privacy Contact Details

If you have any questions, requests, or concerns regarding this Privacy Policy or our handling of personal data, please contact us at:

Hoaah Ventures Limited
Email: privacy@hoaah.com