This Privacy Policy explains how Cultiv8 Club Limited (“Cultiv8”, “we”, “us”, “our”) collects, uses, discloses, transfers and protects personal data when you use the Cultiv8 Club mobile application, website and related services (the “Service”). It is issued in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”) and reflects the six Data Protection Principles (“DPPs”) set out in Schedule 1 to the PDPO. It also serves as a Personal Information Collection Statement under DPP1(3).
If anything in this policy is unclear, please write to our Data Protection Officer (see clause 13).
1. Data Controller
The data user under the PDPO is:
Cultiv8 Club Limited
Business Registration Number: 78268965
Registered Address: 2/F, Tower 1, Tern Centre, 237 Queen’s Road Central, Sheung Wan, Hong Kong
Email: privacy@cultiv8.club
2. Children’s Personal Data — Special Notice to Parents
We recognise that children’s personal data deserve heightened protection in line with the guidance issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”). The Service is designed to be used by adults (parents and legal guardians) on behalf of children.
- No child accounts. Children may not register or operate an account.
- Parental consent. A parent or legal guardian must provide explicit consent before any child’s personal data is collected, and again before any new purpose of use is added.
- Minimisation. We collect only the minimum child data needed to deliver the Service.
- Parental control. Parents may access, correct, export or delete their child’s data at any time (see clause 7).
- No marketing to children. We do not directly market to children and do not use children’s data for direct marketing.
If you believe a child has provided personal data without parental consent, contact privacy@cultiv8.club and we will delete it promptly.
Use of children’s images in Cultiv8 marketing. We will not use a photograph, video, or other image of any identifiable child in Cultiv8’s own marketing, promotional or public materials without obtaining separate, specific, written consent from the child’s parent or legal guardian for that use. Photographs uploaded by a Provider in the course of providing an Activity are processed under the consent the Provider has obtained from the parent for that purpose; we do not repurpose them for Cultiv8 marketing without the separate consent described above.
3. What Personal Data We Collect
3.1 Data you provide
- Account data: name, email, password (hashed), phone number, language preference.
- Profile data: profile photo (optional), city/area, role (parent / provider).
- Child data: child’s first and last name, date of birth or age band, gender (optional), interests, allergies / medical notes you choose to share with a Provider, optional photo.
- Provider data: business name, Business Registration Number, contact details, qualifications and insurance information you choose to upload, bank account details for payouts, tax information.
- Booking and communications data: bookings, enrollments, messages with Providers, reviews, ratings, support tickets.
- Payment data: transaction history, last four digits and card brand (full card numbers are handled by Stripe; we do not store them).
- Consent records: the timestamps and versions of the Terms of Service, Privacy Policy and parental consent you accept (stored in terms_accepted_at, privacy_accepted_at, parental_consent_given_at).
3.2 Data we collect automatically
- Device and technical data: device model, operating system, app version, language, time zone, IP address, crash logs, unique identifiers (e.g. IDFV, Android Advertising ID where you permit).
- Usage data: screens viewed, features used, search queries, click and tap events, session duration.
- Approximate location: derived from IP address, used for showing nearby activities.
- Precise location: only with your explicit permission via OS prompt; used solely to show nearby activities and can be revoked at any time.
- Cookies and similar technologies: on our website only — strictly necessary cookies and, with your consent, analytics cookies.
3.3 Data from third parties
- Sign-in providers: if you sign in with Google or Apple, we receive your name, email, and a verified identifier.
- Payment processors: Stripe and RevenueCat share transaction status, dispute information, and subscription state.
- Push notification services: Apple Push Notification service and Firebase Cloud Messaging share delivery receipts.
- Crash and analytics: Sentry shares crash diagnostics tied to a pseudonymous user id.
3.4 Sensitive data
We avoid collecting sensitive data. If you choose to provide medical or dietary information about a child to a Provider (for example, allergies), you do so voluntarily and consent to its disclosure to that Provider.
4. Purposes of Use (DPP1 & DPP3)
We collect and use personal data only for the following purposes, and we will obtain fresh consent before using it for any new purpose:
- Service delivery: creating and managing accounts; matching parents with activities; enabling bookings, payments, refunds, messaging, reviews, and growth tracking.
- Trust and safety: verifying identity where required, preventing fraud, abuse, money laundering and child-safety incidents, enforcing our Terms.
- Customer support: responding to enquiries, complaints, and incident reports.
- Improving the Service: analytics, quality monitoring, performance tuning, A/B testing — using pseudonymised or aggregated data wherever possible.
- Direct marketing (opt-in only): sending newsletters, product updates, and offers about the Service. See clause 5.
- Legal compliance: responding to lawful requests from authorities; defending and exercising our legal rights; complying with the PDPO, Trade Descriptions Ordinance (Cap. 362), Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), and other applicable laws.
- Corporate transactions: in connection with a merger, acquisition, restructuring or sale of assets, subject to equivalent confidentiality and protection.
We will not use personal data for any other purpose without obtaining your prescribed consent under the PDPO.
5. Direct Marketing (PDPO Part 6A)
We will only use your personal data for direct marketing if you have given your explicit, opt-in consent. The categories of data used are your name and contact details. The classes of marketing subjects are: (a) activities and offers from Cultiv8; (b) updates about new features; and (c) curated content (e.g. parenting tips).
You may opt out of direct marketing at any time, free of charge, by:
- tapping the “unsubscribe” link in any marketing email;
- toggling marketing off in Profile → Notifications;
- writing to privacy@cultiv8.club.
We do not sell, trade, rent, or transfer your personal data to any third party for that third party’s direct marketing.
6. Disclosure and Sharing (DPP3)
We share personal data only as follows:
- With Providers you book or message: enough information to enable the booking (parent name, child first name and age band, allergy/medical notes you share, contact channel).
- With service providers we engage on our behalf: including Supabase (database and authentication, EU/US regions), Stripe (payments), RevenueCat (subscriptions), Apple App Store and Google Play, Sentry (error monitoring), Expo (push notifications), email and SMS delivery providers, cloud storage for images, and analytics vendors. These processors are contractually bound to use personal data only on our instructions and to protect it to a standard equivalent to ours.
- With professional advisers: lawyers, auditors, insurers, where confidentiality is preserved.
- With authorities: where required by law, court order, or regulatory request, or to protect life, safety or our legal rights.
- In a corporate transaction: to a buyer or successor entity in connection with a merger, acquisition or sale, subject to equivalent confidentiality and protection.
We do not sell personal data. We do not disclose child data to advertising networks for targeted advertising.
7. Your Data Rights (DPP6)
Under the PDPO you have the right to:
- Access the personal data we hold about you and your child, and request a copy in a readable form;
- Correction of inaccurate, incomplete, or out-of-date personal data;
- Deletion of personal data we no longer need or where we have no lawful basis to retain;
- Withdraw consent for any purpose that relies on consent (including direct marketing);
- Object to processing where law permits;
- Data portability: receive a structured, commonly used, machine-readable copy of data you provided, where technically feasible;
- Complain to the PCPD (see clause 12).
Submit a request at privacy@cultiv8.club. We will respond within 40 calendar days as required by section 19 PDPO. We may verify your identity and may charge a fee that is not excessive for fulfilling data access requests, in line with the PDPO.
Some rights are not absolute. For example, we may retain certain data where law requires (e.g. tax, anti-money-laundering, court orders) or for the establishment or defence of legal claims.
8. Data Retention (DPP2)
We retain personal data only for as long as necessary for the purposes for which it was collected. Indicative retention periods:
| Data category | Retention |
|---|---|
| Account profile | Duration of account + 24 months after deletion (for fraud prevention and legal claims) |
| Child profile | Until parent deletes the child or closes the account |
| Bookings, payments, receipts | 7 years (Inland Revenue Ordinance Cap. 112 and accounting requirements) |
| Consent records | 7 years after withdrawal or account closure (to evidence consent) |
| Messages between Parent and Provider | 24 months after last activity |
| Reviews and ratings | Indefinitely, unless removed for breach of Terms |
| Marketing preferences | Until you change them |
| Server logs and security events | 12 months |
| Crash reports (Sentry) | 90 days |
When retention ends, data is securely deleted or anonymised.
9. Data Security (DPP4)
We take all practicable steps to protect personal data, including:
- Encryption in transit using TLS 1.2+ for all network connections;
- Encryption at rest for databases, backups, and object storage;
- Row-Level Security (RLS) policies on our database to prevent unauthorised data access between accounts;
- Access controls on the principle of least privilege, with role-based access and audit logging for administrators;
- Two-factor authentication for internal admin tooling;
- Secure development: code review, dependency scanning, periodic security testing;
- Vendor due diligence for processors;
- Incident response plan with defined roles and escalation paths.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in significant harm, we will notify affected users and, where appropriate, the PCPD, without undue delay and in line with PCPD breach-handling guidance.
To report a suspected security issue: security@cultiv8.club.
10. Automated Decisions and AI Features
Some features may use algorithmic or AI-assisted processing (for example, ranking, recommendations, fraud signals). These features assist humans and the Service — they do not make legally significant or similarly significant decisions about you without human involvement. You may request a review by a human of any decision that you believe affects you significantly by writing to privacy@cultiv8.club.
11. Cookies and Similar Technologies (Website Only)
Our mobile app does not use third-party advertising cookies. Our website uses:
- Strictly necessary cookies for sign-in and security;
- Analytics cookies (only with your consent via the cookie banner) to understand usage trends in aggregate.
You can manage cookie preferences via the banner or your browser settings.
12. Complaints
If you are not satisfied with our handling of your personal data, please first contact our Data Protection Officer (clause 13). You also have the right to complain to:
Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD)
12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong
Tel: (852) 2827 2827
Web: www.pcpd.org.hk
13. Privacy Officer / Contact
Privacy Officer
Cultiv8 Club Limited
Email: privacy@cultiv8.club
The PDPO does not mandate the appointment of a Data Protection Officer. We voluntarily designate a Privacy Officer as the single internal point of contact for data subjects, the PCPD, and our processors, as recommended by the PCPD Privacy Management Programme guidance.
For child-safety concerns: safety@cultiv8.club
For security disclosures: security@cultiv8.club
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes (such as new purposes of use or new categories of recipient) will be notified to you in advance by in-app message, push notification, or email, and where required by the PDPO we will seek your fresh consent. The current version and effective date are shown at the top of this page.
15. Language
This Privacy Policy is issued in English. We may provide translations (including Traditional Chinese) for convenience. In the event of conflict, the English version prevails to the extent permitted by law.
Acknowledgment of Consent
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where required by the PDPO, you are providing your explicit, voluntary and informed consent to the collection, use, and disclosure of your personal data — and, as parent or legal guardian, your child’s personal data — for the purposes described above.