This Privacy Policy explains how we collect, use, store, and share personal data when you use our services. As a Hong Kong-based SaaS company providing commodity market analytics and consulting globally, we are committed to protecting your privacy in compliance with Hong Kong law and international standards (including the EU General Data Protection Regulation, “GDPR”). By accessing our website or services, you agree to the practices described in this Privacy Policy.

We may collect personal information that you provide directly, such as your name, contact details, company affiliation, billing information, and any preferences or details you submit when subscribing or contacting us. We also collect usage data automatically through cookies and similar technologies when you interact with our website or emails. This may include your IP address, browser type, pages visited, time spent, and referring URLs. Additionally, if you use our client dashboards or subscribe to email reports, we may record your login times, settings, and any actions (e.g. report downloads) for security and service improvement purposes. We do not intentionally collect data on children or sensitive personal data categories; our services are intended for business users and adults.

Your personal data is used only for legitimate business purposes. We use the information to:

• Provide and Improve Services: We process your data to set up and maintain your account, authenticate logins, deliver subscription content (like market reports or model outputs), and personalize your user experience on our dashboards. We also analyze usage trends to improve site navigation, content quality, and features.
• Communication: We use contact information to send service-related communications (e.g. welcome emails, password reset links, billing notices) and, with your consent where required, marketing updates or newsletters about new analytics, products, or promotions. You can opt-out of marketing emails at any time.
• Client Support and Consulting: If you inquire or engage us for tailored research or consulting, we will use the provided details and any information exchanged to perform the requested services and communicate findings or advice.
• Legal and Security: We may process data as necessary to comply with legal obligations and to enforce our terms of use. For example, we might use certain data to prevent fraud, secure our platform, or comply with lawful government requests.

Our legal bases under GDPR for processing personal data include your consent (for optional analytics cookies or marketing communications), fulfillment of a contract (providing subscription services you signed up for), and our legitimate interests (such as improving our services or ensuring IT security). In most cases, the legal basis is one of consent, legitimate interest, or the necessity to perform a contract, and we always balance our interests against your privacy rights. Where consent is required (for example, for certain analytics or third-party cookies), you will have the opportunity to grant or refuse consent, and you may withdraw consent at any time.

We use cookies and similar tracking technologies to enhance user experience and analyze web traffic. Cookies are small text files stored on your browser. Our website employs both first-party cookies (set by us) and third-party cookies (set by external providers) for various functions:

• Essential Cookies: These are necessary for our site to function (e.g. to keep you logged in or remember your preferences on the dashboard).
• Analytics Cookies: We utilize third-party analytics services, including Google Analytics, Facebook analytics tools (such as the Facebook Pixel), Yandex Metrica, and others, to understand how users engage with our site. These tools use cookies or similar means to collect information about your usage (for example, which pages you visit and how often). The data collected (such as IP address and device information) helps us compile aggregate statistics and improve our content and performance. We do not use this data to personally identify you, and we do not combine it with any personal details you provide separately. The information gathered by these third-party analytics may be transmitted to and stored on servers in other countries (e.g. the United States for Google, or locations chosen by Facebook/Yandex), and is subject to those third parties’ privacy policies. For instance, Google’s use of data collected through our site is governed by the Google Analytics Terms of Use and Google’s Privacy Policy. Similarly, Facebook and Yandex will handle information according to their own terms.
• Advertising and Tracking Pixels: We do not display third-party ads on our platform, but we may use tracking pixels or similar technologies in our marketing emails or on our site to measure the effectiveness of our communications (for example, to see if you opened an email or visited a link). Any such pixels will only collect limited data (like an email ID or cookie ID and time of action) and are used solely for our internal analytics and improvement of service.

Your Choices: Upon your first visit to our site, you may be presented with a cookie consent banner (especially if required by your jurisdiction) allowing you to accept or manage non-essential cookies. You can also control cookies through your browser settings: browsers typically allow you to refuse new cookies, delete existing cookies, or be notified when cookies are set. Please note that disabling cookies entirely may impact some functionality of our site (for example, the dashboard might not remember your custom settings when cookies are off). However, you will still be able to view most content even if you disable cookies. You can additionally opt-out of Google Analytics specifically by installing the Google Analytics Opt-out Browser Add-on, or by configuring your browser toreject Google Analytics cookies – for example, by disabling cookies, which will prevent Google Analytics from recognizing you on return visits. Likewise, you may use browser extensions or settings to block Facebook or Yandex trackers if desired. We honor Do Not Track (DNT) signals to the extent feasible, and if our site detects a DNT signal, non-essential tracking will be disabled for that session.

We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. We only share data in the following circumstances:

• Service Providers: We use reputable third-party service providers to support our operations – for example, cloud hosting providers for our servers, payment processors for handling credit card transactions, email delivery services for sending newsletters, and analytics providers as mentioned. These third parties process data on our behalf and are contractually obligated to safeguard your information and use it only for the agreed-upon purpose. Where such providers are located outside of Hong Kong or your country, we implement appropriate safeguards for international data transfer (such as standard contractual clauses or reliance on adequacy decisions) to ensure your data remains protected.
• Business Partners: With your consent or at your direction, we may share information with business partners or affiliates. For instance, if as part of a consulting engagement you wish us to collaborate with a third-party expert or if we host joint events/webinars with a partner, we would share registration details as necessary and only as outlined to you when you sign up.
• Legal Compliance: We may disclose personal data if required to do so by law or legal process (for example, in response to a court order, subpoena, or regulatory request). We will also disclose data if we believe in good faith that it is necessary to cooperate with law enforcement or other authorities, to investigate fraud or security issues, or to enforce our Terms of Use and protect the rights, property, or safety of our company, our users, or the public.
• Corporate Transactions: If we undergo a business transaction such as a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that deal. We will ensure any successor entity honors the commitments in this Privacy Policy or provides you notice and an opportunity to opt out of the transfer of your personal information.

When we share data with third parties (including those in other jurisdictions), we remain accountable for its protection. We strive to only share the minimum amount of information necessary for the purpose and to anonymize or aggregate data where feasible (for example, we might share aggregate platform usage statistics with a prospective partner, but not personal details of individual users).

Because we serve a global client base, the personal data we collect may be transferred to and stored on servers in multiple jurisdictions. Primarily, our main data centers are [specify location if known, e.g. “in Hong Kong and Singapore”], and some data may be processed in the United States or European Union where our third-party service providers operate. When transferring personal data from the European Economic Area (EEA) or United Kingdom to other countries, we ensure that one of the recognized legal safeguards is in place. This may include: relying on a jurisdiction’s adequacy decision (if the destination country’s laws are deemed by regulators to provide sufficient data protection), using European Commission-approved Standard Contractual Clauses (SCCs) in our contracts with the data importer, or obtaining your explicit consent for the transfer in certain cases. Our goal is to ensure that your data receives a level of protection equivalent to that provided under applicable privacy laws in your region.

For transfers from Hong Kong, we similarly ensure compliance with any applicable requirements under the Personal Data (Privacy) Ordinance (PDPO) and related guidelines, even though Hong Kong’s PDPO currently does not mandate specific contract clauses for cross-border transfers (note: Section 33 of PDPO, dealing with cross-border restrictions, has not been brought into force yet as of the date of this Policy). We nonetheless treat all personal data with the same care, regardless of where it is stored or processed.

We employ robust security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit (SSL/TLS), firewalls and network monitoring, regular security assessments, and restricting access to personal data on a need-toknow basis for our staff and service providers. We also maintain internal policies and staff training on data protection and information security best practices. While we strive to use commercially acceptable means to protect your data, no system can be 100% secure. Therefore, we cannot guarantee absolute security; you transmit information to us at your own risk, but we do our best to mitigate risks and will promptly notify you (and relevant authorities, if applicable law requires) of any data breaches that compromise your personal data.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. For example, as long as you have an active subscription or account with us, we will keep your contact and account information. After you terminate services, we may retain certain data for a period to resolve disputes, enforce agreements, or comply with legal obligations (such as financial record-keeping). Usage data used for analytics is either deleted or anonymized after a reasonable period (e.g. we might keep site visit logs for [X] months). When we dispose of personal data, we do so securely (for instance, by using secure deletion methods for electronic files and shredding physical documents).

We respect your rights regarding your personal data. Depending on your jurisdiction, you may have some or all of the following rights:

• Access and Correction: You have the right to know whether we hold personal data about you and to request a copy of that data. You also have the right to request correction of any inaccuracies. Under Hong Kong’s PDPO, individuals have a legal right to access and correct their personal data held by an organization. We reserve the right to verify your identity before fulfilling access requests, and certain exemptions may apply (for example, if providing the data would disclose someone else’s personal information). If we refuse an access or correction request, we will provide you with reasons as required by law.
• Deletion (Right to Erasure): Subject to applicable law, you may request that we delete your personal data. For EU residents, the GDPR provides a right to erasure (“right to be forgotten”) in certain circumstances. We will honor such requests to the extent possible – for example, if the data is no longer necessary, you withdraw consent, or processing was unlawful – while also considering whether we need to retain any information for legal compliance (e.g. records of transactions for accounting).
• Objection and Restriction: You may have the right to object to certain processing activities or to ask that we restrict processing. For instance, EU users can object if processing is based on legitimate interests or for direct marketing. You can always opt-out of marketing emails by using the unsubscribe link provided. You can also disable cookies as described above to prevent certain data collection.
• Data Portability: For personal data you provided to us, in some jurisdictions (like the EU) you can request to receive that data in a structured, commonly used and machine-readable format, and have it transmitted to another data controller where technically feasible.
• Withdraw Consent: Where we rely on your consent to process data (such as for sending optional newsletters or using non-essential cookies), you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
• Automated Decision-Making: We do not make any significant decisions about you based solely on automated processing without human involvement. If that changes, and if required by law, we would inform you and provide any rights you have in relation to such decisions.

To exercise any of your rights, please contact us using the contact information provided below. We will respond to your request within a reasonable timeframe, and in any event within the timeframe required by law (e.g. within 40 days for Hong Kong PDPO requests, or one month for GDPR requests, with the possibility of an extension). Please note that certain rights may not be applicable in Hong Kong but may apply if you are in a region like the EU; we aim to honor all valid requests to the extent possible as part of our commitment to privacy.

Our website may contain links to third-party websites or integrations with third-party services (for example, a link to a partner’s site or an embedded video hosted on another platform). This Privacy Policy does not apply to those external sites or services. We are not responsible for the privacy practices of third-party sites. We encourage you to read the privacy policies of any external websites you visit via links on our site to understand how they collect and use your information. We do, however, carefully select our partners and links to ensure they have reasonable privacy and security standards.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make a material change, we will post a prominent notice on our website (for example, via a banner or notification) and indicate at the top of the policy the date of the latest revision. We encourage you to review this page periodically to stay informed of any updates. Your continued use of our services after any modification to the Privacy Policy will constitute your acknowledgment of the changes and agreement to abide by the updated policy.

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at info@albanyantree.com.
You may also have the right to lodge a complaint with a data protection authority. In Hong Kong, this is the Office of the Privacy Commissioner for Personal Data (PCPD). In the EU, you can contact your local supervisory authority. We would, however, appreciate the chance to address your concerns directly, so please feel free to reach out to us first. Your privacy is important to us, and we will do our utmost to resolve any issues to your satisfaction.