Privacy Policy

This Privacy Policy describes how Notey Limited (“we”, “us”, or “our”), a company based in Hong Kong and the owner of the ThinkTwice sensitivity-scanning service, collects, uses, discloses, and protects information in connection with our website, services, and related activities (collectively, the “Services”).

We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (“GDPR”) and other relevant legislation.

1. Information We Collect

We collect and process the following types of information:

a. Information You Provide

• Contact details, such as your name, email address, company name, and phone number.
• Account-related information, when you register or communicate with us.

• Content you submit for scanning (“Scan Content”). When you paste, upload, or provide a URL to ThinkTwice, we process only the content you intentionally submit to analyze potential sensitivities (e.g., China-related sensitivities). We have no rights in your Scan Content other than to process it to provide the Services.

b. Information Automatically Collected

• Usage data, such as access times, IP addresses, browser types, pages visited, and device information.
• Cookies and similar technologies, as described in our Cookie Policy.
• Service metadata and logs (e.g., timestamps, request IDs, file sizes, error codes) to operate, secure, and bill the Services; these logs do not include your Scan Content.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve our Services;
• To manage customer relationships and respond to inquiries;
• To monitor, troubleshoot, and analyze usage;
• To protect the security and integrity of our Services;
• To comply with legal obligations;
• For marketing communications, where permitted by applicable law.
• To perform sensitivity scans on Scan Content you submit. Scan Content is used solely to perform the requested analysis and deliver results; it is not used for advertising, sale, or unrelated model training.

Note: If Scan Content contains personal data, we handle it in accordance with applicable privacy laws (e.g., data minimization, purpose limitation) and do not retain it longer than necessary (see Section 6).

3. Legal Basis for Processing

If you are located in the EEA or UK, our legal bases include: consent; performance of a contract; compliance with legal obligations; and legitimate interests (e.g., improving and securing the Services). For ThinkTwice, the legal basis is typically contract performance and/or legitimate interests. Where required, we obtain consent (e.g., a clear pre-upload notice before you submit content).

4. Sharing of Information

We do not sell your personal information. We may share information in the following limited circumstances:

• To comply with legal obligations or in response to lawful requests by public authorities;
• With service providers and subprocessors who process data on our behalf in accordance with our instructions and applicable law;
• To protect the rights and safety of Notey Limited, ThinkTwice users, or the public;
• In connection with a business transaction, such as a merger, sale of assets, or acquisition.
• A current list of our subprocessors is available at XXX

4.1 Third-Party AI Processing (OpenAI)

To generate classifications/explanations for ThinkTwice, we transmit only the minimum necessary excerpts of your Scan Content to the OpenAI API acting as our subprocessor. OpenAI processes this data solely to provide the API service and for abuse monitoring. By default, OpenAI does not use API inputs/outputs to train its models. OpenAI may retain API inputs/outputs for up to 30 days for service operations and abuse detection, after which they are deleted unless law requires longer retention. 

No advertising or sale. We do not sell Scan Content or share it with advertisers.
No voluntary government sharing. We do not voluntarily disclose Scan Content to any government. 

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These include but are not limited to:

•  Encryption of data in transit
•  Access controls and role-based permissions
•  Network isolation and multi-CDN architecture
•  Regular audits and security monitoring via AWS CloudWatch and other tools

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

Where applicable, you may request deletion of your personal data by contacting us (see Section 12).

Scan Content: By default, we do not permanently store Scan Content. Operational copies/caches used to complete your scan are deleted within 30 days after delivery of results, unless you or your organization choose to save a report or enable project history. Backups and system logs that incidentally reference requests (without Scan Content) roll off within 30 days.

Account and billing data: Retained while your account is active and for [up to 7 years] thereafter to meet legal and tax obligations.

OpenAI API: OpenAI may retain API inputs/outputs for up to 30 days for service operations and abuse monitoring; ZDR can be enabled for eligible endpoints/projects by agreement.

7. International Data Transfers

We are a company registered in Hong Kong S.A.R., China, and operate global infrastructure (hosted on AWS) to deliver our Services. Scan Content and operational data may be processed in jurisdictions outside your country of residence, including the United States and the European Union.

For personal data subject to the laws of the European Economic Area (EEA), United Kingdom (UK), or other jurisdictions with international data transfer restrictions, we implement appropriate safeguards, including the use of Standard Contractual Clauses, to ensure adequate protection of personal data in accordance with applicable legal requirements.

8. Your Rights

Subject to applicable laws, you may have the right to:

•  Access the personal data we hold about you;
•  Request correction of inaccurate or incomplete data;
•  Request deletion of your data;
•  Object to or restrict processing;
•  Withdraw consent where processing is based on consent;
•  Lodge a complaint with a supervisory authority.
•  To exercise these rights, please contact us using the information in Section 12.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance user experience, perform analytics, and deliver personalized content.

You can manage cookie preferences via your browser settings. For more details, please refer to our Cookie Policy.

10. Children’s Privacy

Our Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware of such collection, we will take steps to delete the information promptly.

11. Third-Party Services and Links

Our Services may link to third-party websites or include third-party integrations. We are not responsible for the privacy practices of such parties and encourage you to review their respective policies. Where our Services integrate third-party AI (e.g., OpenAI), we disclose this in Section 4.1 and obtain consent where required.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact:

Notey Limited (Attn: ThinkTwice Privacy Team)

Notey, 20/F, Lee Garden 3, 1 Sunning Road, Causeway Bay, Hong Kong 

Email: privacy@notey.com

Subject: Privacy Inquiry