Legal

Privacy Policy

Last updated: May 2025

XCARDHK operates Hong Kong's premier certified trading card marketplace, specialising in PSA and BGS authenticated cards. We are committed to protecting your personal information and being transparent about how we collect and use your data. This Privacy Policy explains our practices in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").

1. Information We Collect

We collect information you provide directly to us when you create an account, place an order, or contact us:

  • Account information: Name, email address, encrypted password
  • Purchase information: Billing address, delivery address, order history
  • Payment details: Processed securely via third-party PCI-DSS compliant providers — we do not store full card numbers
  • Communication data: Messages sent via our contact form, WhatsApp, or email
  • Usage data: Pages visited, search queries, items viewed, and browsing behaviour on our Platform
  • Device information: IP address, browser type, operating system (collected automatically)

2. How We Use Your Information

We use your information solely for legitimate business purposes:

  • Processing and fulfilling your orders for PSA/BGS graded cards
  • Sending order confirmations, shipping notifications, and delivery updates
  • Providing customer support and responding to enquiries
  • Sending promotional offers and market updates (only with your consent; you may opt out at any time)
  • Improving our Platform, product listings, and overall service quality
  • Preventing fraud and ensuring platform security
  • Complying with applicable Hong Kong laws and regulations

3. Information Sharing

We do not sell, rent, or trade your personal information to third parties. We only share your data in the following limited circumstances:

  • Shipping providers: SF Express (順豐) and HKPost receive your delivery address and contact number to fulfil shipments
  • Payment processors: Stripe and PayPal process payments under their own privacy policies; we receive only a transaction reference
  • Analytics providers: Aggregated, anonymised data may be used for Platform analytics (e.g. Google Analytics)
  • Legal requirements: We may disclose information if required by Hong Kong law, court order, or regulatory authority

4. Cookies & Tracking

We use cookies and similar tracking technologies to enhance your browsing experience on XCARDHK:

  • Essential cookies: Required for the Platform to function (shopping cart, login session)
  • Analytics cookies: Help us understand how visitors use the Platform (anonymised)
  • Marketing cookies: Used to show relevant advertisements (only with your consent)

You may disable non-essential cookies at any time via your browser settings or our cookie preferences banner. Disabling essential cookies may affect your ability to use the Platform.

5. Data Security

We take data security seriously and implement the following measures to protect your personal information:

  • SSL/TLS encryption for all data transmitted to and from our Platform
  • All payment processing handled by PCI-DSS Level 1 compliant providers
  • Regular security audits and vulnerability assessments
  • Access controls — only authorised staff may access customer data
  • Secure servers hosted on Shopify's infrastructure with built-in DDoS protection

Despite these measures, no internet transmission is 100% secure. We encourage you to use a strong, unique password for your XCARDHK account.

6. Data Retention

We retain your personal data for as long as necessary to provide our services and fulfil legal obligations:

  • Account data: Retained while your account is active; deleted within 30 days of a deletion request (subject to legal hold requirements)
  • Transaction records: Retained for 7 years as required under Hong Kong's Inland Revenue Ordinance and Companies Ordinance
  • Communication records: Retained for up to 2 years for customer service quality purposes
  • Analytics data: Anonymised data may be retained indefinitely

7. Your Rights Under the PDPO

Under Hong Kong's Personal Data (Privacy) Ordinance, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right of correction: Request correction of inaccurate or incomplete personal data
  • Right of erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to opt out: Opt out of direct marketing communications at any time
  • Right to complain: Lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) if you believe your rights have been infringed

To exercise any of these rights, please contact us. We will respond within 14 days.

8. Third-Party Links

Our Platform contains links to third-party websites including PSA (psacard.com), BGS (beckett.com), and eBay. These sites operate under their own privacy policies, for which XCARDHK is not responsible. We encourage you to review the privacy policy of any third-party site you visit.

9. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify you of material changes via email or a prominent notice on our Platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after changes take effect constitutes your acceptance of the updated policy.

10. Contact Us

For any privacy-related queries, data access requests, or to exercise your rights under the PDPO, please contact us. We are committed to resolving all privacy concerns fairly and promptly, and will respond within 14 days.

You may also contact the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk if you have unresolved concerns.