Privacy Policy
Version 1.6 – Effective Date: November 2025 | Supersedes Version 1.5 (April 2025)
1. Introduction and Who We Are
This Privacy Policy is issued by Kinnara Limited, a company incorporated in Hong Kong (BR No: 76606042), having its registered address at Unit 2, LG 1, Mirror Tower, 61 Mody Road, Tsim Sha Tsui, Hong Kong (“Kinnara”, “we”, “our”, or “us”).
Kinnara operates as a data controller in respect of personal data we collect about users of the Website (kinnara.asia, kinnara.capital, and associated Kinnara web assets). For certain services we provide to listing agents and developers (such as listing management performed on their instructions), we may act as a data processor under a separate data processing agreement (DPA). A copy of our standard DPA is available on request at [email protected].
Our services are not directed at children under 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us immediately and we will delete it promptly, unless retention is required by applicable law.
2. Scope and Applicable Laws
This Policy explains how we collect, use, store, disclose, and protect your personal data in accordance with the following applicable laws, each to the extent it applies to our processing activities:
- Hong Kong: Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), including the 2021 amendments introducing doxxing offences (Part VIA)
- European Union / United Kingdom: EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR / Data Protection Act 2018, to the extent Kinnara offers services to EU/UK residents
- Australia: Privacy Act 1988 (Cth) as amended by the Privacy and Other Legislation Amendment Act 2024, and the Australian Privacy Principles (“APPs”)
- Indonesia: Personal Data Protection Law (Law No. 27 of 2022) (“PDP Law”), in full force from October 2024
- Thailand: Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)
- Singapore: Personal Data Protection Act 2012 (No. 26 of 2012) as amended 2020 (“PDPA SG”)
- Malaysia: Personal Data Protection Act 2010 (“PDPA MY”)
- Philippines: Data Privacy Act 2012 (Republic Act No. 10173) (“DPA PH”)
- Vietnam: Decree on Personal Data Protection No. 13/2023/ND-CP (“PDPD”), effective 1 July 2023
- California, USA: California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), to the extent applicable
Where laws conflict, we will apply the most protective standard that is practicable in the circumstances.
3. Personal Data We Collect
“Personal data” (or “personal information”) means any information that identifies or could reasonably identify you. We collect the following categories:
- Identity data: name, date of birth, nationality, passport or national ID details, and other government-issued identification
- Contact data: email address, telephone number, postal address
- Account data: username, password (hashed), account preferences, and communication history
- Transaction and commercial data: reservation history, deposit payments, property interests, and related correspondence
- KYC and compliance data: identity verification results, sanctions and PEP screening results, source-of-funds and source-of-wealth information, and biometric data (liveness/selfie verification, processed by our third-party KYC provider Personr.co)
- Usage and technical data: IP address, browser type, device identifiers, pages viewed, navigation paths, and session data
- Geolocation data (coarse): IP-based regional location for localisation and fraud prevention
- Communications data: enquiries, support requests, and other correspondence you submit to us
- Marketing preferences: your opted-in or opted-out marketing preferences
We collect special category or sensitive personal data (such as biometric data for KYC) only where required by law (AML/CTF compliance) or with your explicit consent. We do not sell personal data to third parties.
4. How We Collect Personal Data
We collect personal data:
- Directly from you — when you register an account, submit an enquiry, pay a deposit, or complete KYC verification
- Automatically — when you visit the Website, through cookies, log files, and similar tracking technologies (see Section 8)
- From third parties — including identity verification providers (Personr.co), payment processors, sanctions-screening databases, and public sources, where legally permissible
- From listing agents and developers — where they provide us with data about prospective buyers or enquirers in connection with a listed property
Where reasonable and practical, we collect personal data directly from you.
5. Lawful Basis for Processing and Notice at Collection
The table below summarises our processing activities, lawful bases, and applicable retention periods. For GDPR/UK GDPR purposes, our lawful bases are as specified in the table. For PDPO purposes, all collection is for the purposes stated below. For Indonesian PDP Law purposes, processing is based on the legal bases specified (consent, contract, legal obligation, or vital interest).
| Data Category | Examples | Purpose | Lawful Basis (GDPR) | Sold / Shared? | Retention |
| --- | --- | --- | --- | --- | --- |
| Identity & Contact | Name, email, phone, address | Account management, service delivery, communications, security | Contract; Legitimate interests; Legal obligation | No sale; No sharing except service providers | Account life + 5 years |
| Transaction & Commercial | Reservations, payments, property interests | Transaction processing, fraud prevention, compliance | Contract; Legal obligation; Legitimate interests (fraud) | No | 7 years (AML/tax) |
| KYC & Compliance | Passport, biometrics, PEP/sanctions results | AML/CTF compliance, identity verification, regulatory obligations | Legal obligation; Public interest | No | 5–7 years (jurisdiction-dependent) |
| Usage & Technical | IP, browser, pages viewed, logs | Analytics, security, service improvement | Legitimate interests (security); Consent (analytics/ads where required) | Shared for cross-context ads only with your consent | 24 months |
| Geolocation (coarse) | IP-based region | Localisation, fraud prevention | Legitimate interests; Legal obligation (fraud) | No | 24 months |
| Marketing Preferences | Opt-in/opt-out records | Direct marketing (with consent where required) | Consent; Legitimate interests (where permitted) | No | Until opt-out + 1 year |
We do not “sell” personal data. “Sharing” for CPRA purposes (cross-context behavioural advertising) occurs only with your consent via our cookie banner, and you may opt out at any time including via Global Privacy Control (GPC) signals.
6. How We Use Your Personal Data
We use your personal data to:
- provide, operate, and secure the Website and our services
- process reservations, deposits, and related transactions
- verify your identity and comply with AML/CTF, sanctions, and anti-fraud obligations
- communicate with you, provide customer support, and send transactional notifications
- send direct marketing with your consent, or where otherwise permitted by applicable law
- improve our platform, products, and user experience through analytics
- comply with legal, regulatory, and contractual obligations
- detect, investigate, and prevent fraud, security incidents, and other harmful activity
- conduct limited profiling for fraud detection and listing relevance (see Section 9)
7. KYC Verification and Identity Data
To protect the integrity of our services and to comply with applicable AML, CTF, and customer due-diligence requirements, we may require you to complete a KYC verification process before reserving or purchasing any property or engaging with transaction-related services.
We use Personr.co, an independent third-party identity verification provider, to collect and process identity information securely. As part of this process, Personr.co may collect:
- passport details and other government-issued identification
- biometric data for liveness/selfie verification
- sanctions-list, PEP, and adverse-media screening results
- any additional data required to satisfy applicable AML/CTF or fraud-prevention regulations
KYC data is transmitted using secure, encrypted methods. Kinnara does not store copies of identity documents beyond what is required under AML/CTF, financial reporting, or regulatory obligations. Where retention is required, KYC data is stored securely with strictly limited access and retained for 5–7 years depending on jurisdiction. Personr.co acts as a data processor under a contractual data-protection agreement. You may review their privacy practices at personr.co. We may change our KYC provider from time to time; equivalent protections will always apply.
KYC is mandatory where required by applicable law. If you do not complete verification, or if verification is unsuccessful, we may be unable to provide certain services, finalise reservations, or complete transactions.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (including pixels, web beacons, and local storage) on the Website. Cookies are small text files placed on your device that help us operate the Website, understand how it is used, and deliver relevant content.
We do not associate usage information with identifiable individuals unless you are logged in or have consented to analytics or advertising cookies. Where required by applicable law (including in the EU, UK, and Thailand), we obtain your explicit consent before placing non-essential cookies. You may update your cookie preferences at any time via our Cookie Preferences tool.
Cookie categories we use:
- Strictly necessary – required for core functionality including security and session management. These cannot be disabled.
- Preferences – remember your choices such as language and region.
- Analytics / performance – help us measure and improve the Website (e.g., Google Analytics). Set with consent where required.
- Advertising / marketing – personalise ads or measure ad performance. Set only with your explicit consent.
We honour Global Privacy Control (GPC) signals as an opt-out of cross-context behavioural advertising sharing where required by applicable law. You may also disable cookies via your browser settings; doing so may affect Website functionality.
9. Automated Decision-Making and Profiling
We use limited automated profiling for fraud detection (e.g., flagging unusual transaction patterns) and listing relevance ordering. We do not make decisions that produce legal or similarly significant effects on you solely by automated means, without human review. EU/UK users may request human review of any automated decision, object to profiling, and obtain meaningful information about the logic involved, under Articles 21–22 of the GDPR. If you wish to exercise these rights, contact [email protected].
10. Who We Share Your Personal Data With
We may share your personal data with:
- Service providers and processors: IT infrastructure, cloud hosting, payment processors, analytics providers, and identity verification providers (including Personr.co) operating under written data processing agreements
- Listing agents and developers: where necessary to facilitate a specific property enquiry or transaction you have initiated, and to the extent required to complete KYC or regulatory obligations
- Professional advisers: lawyers, accountants, auditors, and insurers acting under duties of confidentiality
- Regulatory and law enforcement authorities: where required by applicable law, court order, or regulation, including AML/CTF reporting obligations under applicable law in each jurisdiction
- Business transaction parties: in the event of a merger, acquisition, or sale of assets, to the extent necessary for due diligence, subject to confidentiality obligations
- Affiliated entities: within the Kinnara group for internal administrative purposes, subject to appropriate intra-group agreements
We do not sell personal data to third parties. We require all third-party processors to operate under written agreements imposing appropriate data protection, security, and confidentiality obligations, and to return or securely delete personal data upon termination of services.
11. International Data Transfers
Given Kinnara’s operations across Asia-Pacific, personal data may be transferred to, stored, or processed in Hong Kong, Indonesia, Thailand, Singapore, Malaysia, Australia, the United States, the EU/UK, and other jurisdictions where our service providers operate.
Where a transfer involves a jurisdiction that does not provide a level of data protection equivalent to the originating jurisdiction, we implement appropriate safeguards, which may include:
- GDPR/UK GDPR: EU Standard Contractual Clauses (SCCs, 2021 version); UK International Data Transfer Agreement (IDTA) or addendum; adequacy decisions where available; supplemental technical measures (encryption in transit and at rest)
- PDPO (HK): contractual protections requiring overseas recipients to maintain standards comparable to the PDPO Data Protection Principles
- Australian APPs: compliance with APP 8, including contractual obligations on overseas recipients comparable to the APPs
- Indonesian PDP Law: coordination with the Badan Siber dan Sandi Negara (BSSN) framework for cross-border transfers as required
- Thai PDPA: reliance on adequacy standards or contractual protections as recognised by Thailand’s PDPC
- Singapore PDPA: compliance with the Transfer Limitation Obligation under the PDPA SG, including contractually binding the overseas recipient to comparable standards
12. Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. When data is no longer required, it is securely deleted or anonymised. Indicative retention periods are:
- Account data: duration of account plus 5 years for compliance and record-keeping
- Transaction and KYC data: minimum 5–7 years to satisfy AML/CTF, tax, and property-transaction obligations (varying by jurisdiction)
- Usage / analytics data: 24 months
- Marketing preference records: until opt-out, plus 1 year as evidence of compliance
- Correspondence and support records: 3 years from last contact, or as required by applicable law
13. Security
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, use, disclosure, alteration, or destruction. These include encryption in transit and at rest, access controls, audit logging, and periodic security assessments. We require our service providers and processors to implement equivalent measures.
No system is 100% secure. In the event of a personal data breach that poses a material risk to affected individuals, we will notify affected users and relevant supervisory authorities within the following timelines:
- EU/UK GDPR: within 72 hours of becoming aware (Art. 33–34)
- Singapore PDPA: within 3 calendar days of assessing the breach is notifiable (s. 26D)
- Indonesia PDP Law: within 14 calendar days of becoming aware of the breach
- Thailand PDPA: within 72 hours to the PDPC where feasible
- Australia Privacy Act: as soon as practicable after becoming aware of an eligible data breach (Notifiable Data Breaches scheme, s. 26WK)
- Hong Kong PDPO: voluntary notification in accordance with PCPD guidance; we follow the PCPD’s recommended practice of notification without undue delay
- Philippines DPA: within 72 hours of becoming aware of a personal data breach to the National Privacy Commission (NPC)
14. Direct Marketing
We may use your contact details to send you information about property listings, market updates, and Kinnara services that may be of interest to you, subject to the following:
- Hong Kong (PDPO Part 6A): we will use your personal data for direct marketing only with your prior express consent. You have the right to opt out at any time at no charge, by emailing [email protected] or clicking the unsubscribe link in any marketing email. We will give effect to your opt-out within 10 business days.
- EU/UK (GDPR): we rely on your consent or, where permitted, legitimate interests for direct marketing. You may object at any time.
- Australia: we comply with the Spam Act 2003 (Cth) and include an unsubscribe mechanism in all commercial electronic messages.
- Singapore: we comply with the Singapore PDPA Do Not Call (DNC) Registry obligations and will not contact you by telephone for marketing purposes if you are listed on the DNC Registry, unless you have given us specific consent.
- Thailand: direct marketing is conducted only with your prior consent as required under the Thai PDPA.
- Indonesia: we obtain consent for electronic marketing as required under the Indonesian Electronic Information and Transactions Law (ITE Law) and the PDP Law.
You may opt out of all marketing communications at any time by contacting [email protected] or using the unsubscribe mechanism in any communication. Opt-out of marketing does not affect the delivery of transactional or service communications.
15. Your Rights
Depending on your jurisdiction, you have the following rights in respect of your personal data. To exercise any right, contact [email protected] with “Privacy Rights Request” in the subject line. We will verify your identity before processing any request and will respond within the applicable statutory timeframe.
15.1 Hong Kong (PDPO, Cap. 486)
- Access (DPP6): request a copy of personal data held about you. We may charge a reasonable fee in accordance with the PDPO.
- Correction (DPP6): request correction of inaccurate personal data.
- Opt-out of direct marketing (Part 6A): at any time, at no charge.
- Response time: 40 days from receipt of a valid request (extendable with notice).
- Supervisory authority: Office of the Privacy Commissioner for Personal Data (PCPD), www.pcpd.org.hk, +852 2827 2827.
15.2 European Union / United Kingdom (GDPR / UK GDPR)
- Access, rectification, and erasure (“right to be forgotten”)
- Restriction of processing and objection (including to legitimate interests processing)
- Data portability (where processing is by automated means based on consent or contract)
- Withdrawal of consent at any time (without affecting prior lawful processing)
- Rights regarding automated decision-making (Art. 21–22)
- Response time: one month from receipt (extendable by two months for complex requests with notice).
- EU representative: where required under Art. 27 GDPR, Kinnara will designate a representative in the EU. Contact [email protected] for current details.
- Supervisory authority: your local EU data protection authority, or the ICO (UK) at ico.org.uk.
15.3 Australia (Privacy Act 1988, APPs, 2024 amendments)
- Access to and correction of personal information (APP 12–13)
- Erasure / deletion (as introduced under the 2024 amendments)
- Explanation of decisions that significantly affect you
- Complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
- Response time: 30 days from receipt.
- We conduct Privacy Impact Assessments for high-risk processing activities where required under the 2024 amendments.
15.4 Indonesia (PDP Law No. 27/2022)
- Access to your personal data and information about its processing
- Correction and updating of inaccurate personal data
- Deletion or destruction of personal data
- Withdrawal of consent at any time (without affecting prior lawful processing)
- Objection to automated decision-making
- Portability of personal data in a readable electronic format
- Response time: as soon as practicable, and within any statutory period prescribed under implementing regulations.
- Supervisory authority: Badan Siber dan Sandi Negara (BSSN) / Ministry of Communication and Information Technology (Kominfo).
15.5 Thailand (PDPA B.E. 2562)
- Access and copy of personal data
- Rectification of inaccurate data
- Erasure or anonymisation
- Restriction of processing
- Data portability
- Objection to processing, including for direct marketing
- Withdrawal of consent
- Response time: 30 days from receipt.
- Supervisory authority: Personal Data Protection Committee (PDPC), Thailand, www.pdpc.or.th.
15.6 Singapore (PDPA SG 2012, as amended 2020)
- Access to personal data and information about how it has been used or disclosed
- Correction of personal data that is inaccurate or incomplete
- Data portability (for applicable data and organisations)
- Withdrawal of consent (with reasonable notice; withdrawal may affect our ability to provide services)
- Response time: 30 business days from receipt (extendable with notice).
- Supervisory authority: Personal Data Protection Commission (PDPC), www.pdpc.gov.sg.
15.7 Malaysia (PDPA MY 2010)
- Access to personal data
- Correction of personal data
- Withdrawal of consent (with reasonable notice)
- Objection to processing for direct marketing
- Response time: 21 days from receipt.
- Supervisory authority: Department of Personal Data Protection (JPDP), www.pdp.gov.my.
15.8 Philippines (Data Privacy Act 2012)
- Access to personal information
- Rectification of inaccurate data
- Erasure or blocking of personal data
- Objection to processing
- Data portability
- Damages for processing in violation of the DPA PH
- Response time: as prescribed by the National Privacy Commission (NPC).
- Supervisory authority: National Privacy Commission (NPC), www.privacy.gov.ph.
15.9 Vietnam (Decree 13/2023)
- Knowledge of and consent to processing
- Access and correction of personal data
- Erasure of personal data (subject to legal retention requirements)
- Restriction of processing
- Objection to processing
- Complaint to the Ministry of Public Security (MPS) / Department of Cybersecurity and Hi-tech Crime Prevention (A05)
15.10 California (CCPA/CPRA)
- Know: what personal information is collected, used, disclosed, or sold
- Delete personal information (subject to exceptions)
- Correct inaccurate personal information
- Opt out of sale or sharing of personal information (we do not sell; sharing for cross-context ads is consent-based)
- Limit use of sensitive personal information
- Non-discrimination for exercising privacy rights
- Response time: 45 days from receipt (extendable with notice).
- You may appoint an authorised agent; we require proof of authorisation.
- Supervisory authority: California Privacy Protection Agency (CPPA).
16. Appeals and Complaints
If you are dissatisfied with our response to a privacy rights request, you may appeal by emailing [email protected] with “Privacy Appeal” in the subject line. We will respond within 30 days and inform you of any further remedies available under your local law, including the right to escalate to the relevant supervisory authority listed in Section 15.
For verification of identity prior to processing access or deletion requests, we will typically request: email confirmation from your registered address; and, for sensitive requests, a signed declaration or such other verification as is proportionate to the nature of the request and the rights being exercised.
17. Prohibition on Doxxing and Unlawful Disclosure
The 2021 amendments to the PDPO introduced criminal offences relating to the disclosure of personal data without the data subject’s consent where the disclosure is intended to cause, or is likely to cause, specified harm to the data subject (“doxxing”, Part VIA). Any user who submits content to the Website that contains the personal data of another individual must ensure they have a valid legal basis for doing so. Kinnara reserves the right to remove any content that it reasonably believes constitutes doxxing or an unlawful disclosure of personal data, and to report such conduct to the PCPD or relevant law enforcement authorities.
18. Disclosures Required by Law
We may disclose personal data to regulatory bodies, law enforcement agencies, courts, or government authorities where required or authorised by applicable law, including AML/CTF reporting obligations in each jurisdiction in which we operate. We will provide affected individuals with notice of any such disclosure where we are legally permitted to do so.
19. Changes to This Policy
We review and update this Privacy Policy regularly to reflect changes in technology, applicable law, and our business practices. The version number and effective date at the top of this page will indicate any update. For material changes affecting your rights, we will provide at least 14 days’ advance notice by email (where we hold a current address) and by posting a prominent notice on the Website.
For any questions about this Policy or to exercise your privacy rights, contact us at:
- Email: [email protected]
- Compliance enquiries: [email protected]
- Post: Privacy Office, Kinnara Limited, Unit 2, LG 1, Mirror Tower, 61 Mody Road, Tsim Sha Tsui, Hong Kong
In Hong Kong, the designation of a privacy officer is a voluntary best-practice measure under PCPD guidance and is not a statutory requirement under the PDPO. Kinnara nonetheless maintains a dedicated privacy contact to ensure all requests are handled promptly and in accordance with applicable law.
This Policy was last reviewed for legal compliance in April 2026. Kinnara recommends that users bookmark this page and check periodically for updates.