Privacy Policy

Statement on Personal Data Protection

Privacy Policy

How AppTrack Asia respects and is committed to protect personal data

This Privacy Policy sets out how AppTrack Asia Limited (collectively “AppTrack Asia”, “We”, “Our” or “Us”)) collects, uses and shares your personal information in connection with the use of AppTrack Asia’s services (as defined below and as provided on AppTrack Asia’s website and any other applications). This Privacy Policy applies only to personal information/data of users of our services (as defined below), e.g. students and other interested persons (collectively “Data Subject”, “User”, “You” or “Your”).


This privacy policy complies with the Personal Data (Privacy) Ordinance (Chapter 486) (“Ordinance”). Our aim is to build on the trust and confidence you placed on us. Accordingly, we have a duty to you to keep information about you, and your personal data confidential, secured and protected. Your personal data is classified as confidential by us and can only be disclosed by us where permitted by the Ordinance or where we are otherwise legally compelled to do so.

AppTrack Asia’s Data Protection Principles

In addition to our duty of confidentiality to you as Data Subject, we will at all times fully observe and comply with the Ordinance in collecting, storing, maintaining, using and processing your personal data. Therefore, we observe the following principles, save otherwise appropriately agreed by you:

  • collection of your personal data shall be for the purposes as defined below;
  • all reasonable steps will be taken to ensure that your personal data are accurate and will not be kept longer than necessary or will be destroyed in accordance with our internal retention period;
  • personal data will not be used for any purposes other than the data that were to be used at the time of collection or purposes directly related thereto;
  • your personal data will be protected against unauthorised or accidental access, processing or erasure (please find below a detailed description of how AppTrack Asia protects your personal data);
  • as described further below you, the Data Subject, have the right of access to and for correction of your personal data held by AppTrack Asia and your request for access or correction will be dealt with in accordance with the Ordinance.

What Personal Data Do We Collect

AppTrack Asia may collect the following (without limitation) types of personal information from you:

  • title, name, date of birth, age, university applicant/application numbers, nationality, gender, email and postal addresses and home and work telephone numbers;
  • transcripts;
  • employment details;
  • registration/application status: including but not limited to universities applied to, faculty and programme choices, ranking of choices, submission status, assigned counsellor or teachers, offers received, and offers accepted (i.e. final programme, faculty, college, and school attendance). Furthermore, please note that we also ask for your explicit consent in order to grant us the right to receive, collect, store, maintain, use and process your personal data stored with any university you have applied to with regards to the above;
  • education and professional qualifications;
  • user name/ID and password;
  • information when you, the Data subject, use our website (inclusive other applications) or other services or products (e.g. behavioural information, purchasing history, location information, browser details, IP addresses);
  • Performance related data: including but not limited to public and private test scores (historical and predicted grades), subjects and levels taken / to be taken, transcripts, behavioural ratings, reference letters, and all other information related to student’s performance that may be required for university applications, currently and in the future.


Why Do We Collect Your Personal Data

The purposes for which your personal data are collected and used may include (without limitation) one or more of the following purposes (“Purposes”):

  • for the supply of any services, products and/or other subjects (together, the “Services”) which we may offer to you, or you may require from us, from time to time;
  • for use of the online services available at any of our website(s) and/or through other telecommunication channels;
  • with your consent, for marketing or promoting any of the Services (e.g. sending you updates on our latest offers and promotions in relation to any of our Services from time to time);
  • for identification and verification purposes in connection with any of the Services that may be supplied to you;
  • for communicating with you by email, mail, fax, phone or other means, including contacting you regarding your enquiries;
  • for conducting research and/or analysis from time to time to better understand the country, regional, and global univerisity application market and individual as well as aggregate applicants’ data (including but not limited to success factors, demographics, score requirements, and any other variables related to the university application process)
  • for enhancing our existing Services;
  • for making disclosures when required by law, regulation, or court order of any jurisdiction and/or as requested by any government, law enforcement authority or administrative organisation within or outside The Hong Kong Special Administrative Region;
  • for any other incidental or associated purposes relating to the above. 

We will not knowingly or intentionally use, share or sell your personal data in ways which are unrelated to the above Purposes without your prior consent.

Transfer of Your Personal Data

AppTrack Asia may transfer your personal data to third parties such as cloud providers or servers to process, store and use the personal data as may be necessary for any of the Purposes. AppTrack Asia will disclose personal data when required by law including, without limitation, the Ordinance, court order or a request of law enforcement agencies or regulatory authorities. When transferring personal data to a third party, your personal data will only be transferred to such a third party that respects privacy and is under a duty to keep your data confidential.

If transfer of personal data outside Hong Kong is needed in order to carry out the Purposes or directly related purposes, for which the personal data were collected, the transfer will be performed in a manner in full compliance with the requirements under the Ordinance.

Security and Protection of Personal Data

A major challenge for any Software-as-a-Service (“SaaS”) product is to release secure products while maintaining a healthy speed to market. Our goal is, and always has been, to achieve the right balance between speed and security. Key principles guiding us are:

  1. Continual improvement We believe security is a journey, not a destination. We aim to ensure our improvements will always grow through operational efficiencies, automation, new technologies, and proven practices.
  2. Assurance through testing We only know it works if we test it. With regularly scheduled testing and continual improvements, we’re able to keep disaster recovery at a minimum.

Here are some of the methods we use to protect your data:

Encryption and Key Management

All data you send to AppTrack Asia (and vice versa) is encrypted in transit.

In its most basic form, encryption is the process of scrambling data to make it unintelligible. When data is encrypted, the sender and receiver (in this case, AppTrack Asia and you, the Data Subject) are the only people that can decrypt the scrambled information back to a readable condition. This is achieved by ‘keys’, which grant only the users involved access to modify the data to make it unreadable and then readable again.

Put more simply: encryption is like translating your information into a language only you, the Data Subject, and AppTrack Asia knows, and more importantly, a language which a cybercriminal cannot translate.

AppTrack Asia uses the Transport Layer Security (TLS) protocol. It allows both sides (AppTrack Asia and you, the Data Subject) to authenticate the Data Subject’s identities and prove that we are who we claim to be. It also encrypts our communication, ensuring no third-party can read or tamper with the data you, the Data Subject, sends to AppTrack Asia.

AppTrack Asia also supports Perfect Forward Secrecy (PFS). Consider PFS the cybersecurity equivalent of the Cone of Silence. In the encryption system we described above, your information is safe until an attacker gets hold of the server’s private key. Once the private key is no longer private, the attacker can now decrypt all historic data.

In Perfect Forward Secrecy, the key exchange is ephemeral. If a hacker got hold of AppTrack Asia’s private key, they still wouldn’t be able to read the Data Subject’s historic information.

And finally, AppTrack Asia’s infrastructure is implemented with industry-leading services like Amazon Web Services (AWS). AWS is SOC 1 audited, and encrypts all data sent to it.

Security Testing

AppTrack Asia’s approach to vulnerability management starts before a single line of code is written.

Our testing approach spans the planning, development, and testing phases, with each test building on previous work and getting progressively tougher.

In the development phase, we focus on code scanning to remove any functional and readily identifiable, non-functional security issues.

In the testing phase, our development and QA team switch to an adversarial approach, deliberately attempting to break features using automated and manual testing techniques.

AppTrack Asia uses the git revision control system. Changes to AppTrack Asia’s code begins in the development server, where it goes through a suite of automated tests. Once code pass the automated testing, the changes are then pushed to a staging server for other AppTrack Asia’s employees to test. Only code that has passed both rounds of tests can be deployed to our customer-facing platform.

We also add a specific security review for particularly sensitive changes and features. AppTrack Asia engineers have the ability to “highlight” critical updates and push them immediately to production servers, bypassing the staging phase.


We have a comprehensive backup regime.

In addition to platform-wide resiliency, we also have a comprehensive backup program. Daily automated backups are taken everyday and sent to secure SOC 1 audited data centers via Amazon S3. We run backup fire drills monthly to simulate a disaster and its data recovery procedures.

Operational Practices

As much as securing our product is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations.

Support Access

AppTrack Asia’s customer success and support teams will only access personal data when necessary to resolve an open ticket or during the implementation process.

User Access

Being a SaaS solution, our customers are responsible for ensuring the appropriateness of user access to their data. We understand the classification of the data that goes into the system, and ensure users that have access to the system are authorized to access that data.

Role-based authentication makes it easy to align with access restrictions that may need to be imposed to comply with data handling and classification requirements.

We also encourage good password hygiene, which mitigates common threats like password guessing and malicious parties using leaked credentials.

Direct Marketing

If we intend to use your personal data (including your name and contact details) collected from you for direct marketing purposes (e.g. to send you marketing communications about news, offers or promotions in relation to the Services), we will first obtain your consent (or an indication of no objection) before doing so.

If we intend to provide your personal data (including your name and contact details) collected from you to third parties for their use in direct marketing, we will first obtain your consent (or an indication of no objection) before doing so.

You may opt-out from receiving marketing communications from us at any time, free of charge by:

  • writing to us at the address listed below “Access and Correction of Personal Data” or “How to Contact Us”.

Our Commitment to Children’s Privacy

Protecting the privacy of children is our primary concern. Hence, we will not knowingly collect or maintain personal data in our database from persons who are under 16 years of age without prior consent from a parent or guardian.

Linked Websites

We do not bear any responsibility as to the contents available on other websites or your personal data or information being collected by any other websites linked to our website. Linking or access to and use of such other websites is at your own risk and subject to any terms and conditions applicable to such access or use.


We use “cookies” in order to enhance your experience of our website. For the sake of clarification, a cookie is data sent from a website and stored in a user’s web browser while the user is browsing that website. Following, the browser sends the cookie back to the website server to notify the website of the user’s previous activities, preferences and browsing patterns. Cookies do not include your personal data. However, once you choose to furnish the website with your personal data, such data may be linked to data stored in the cookie. We only obtain this information when you choose to provide it to the website. If you do not wish to accept cookies, you can set your browser to disable cookies or inform you when they are set or stored.

Access and Correction of Personal Data

You can request for access to personal data and or update or correct your personal data by sending a request to our privacy officer by email at or in writing to Unit B, 28/f, Entertainment Building, 30 Queens Road Central, Hong Kong.

We will take reasonable steps to verify your identity before granting access or making corrections to your personal data to protect your privacy and identity.

No Limitation of Rights

Nothing in this Statement shall limit your rights under the Ordinance.

Notice to Users, Interested Persons and Others Relating to the Ordinance

From time to time, it is necessary for interested persons to supply us with data in connection with our provision of services. Failure to supply such data may result in our being unable to provide any Services.

Change to Statement on Personal Data Protection

We may change this Statement from time to time. We encourage you to check our Statement on Personal Data Protection occasionally to ensure that you are aware of the most recent version.

How to Contact Us

If you have any questions or concerns about AppTrack Asia’s Personal Data Protection including our data policies and practices, you may contact our data protection officer by email at or in writing to Unit B, 28/f, Entertainment Building, 30 Queens Road Central, Hong Kong.


By accessing this website and/or any of its pages, you are agreeing to the terms of our Statement on Personal Data Protection set out above.