Privacy Policy

Version 1.5 – Effective Date: November 1, 2025

The following Privacy Policy is for Kinnara Limited ("Company," "we," "our," or "us") and its affiliates, collectively referred to herein as "Kinnara."

Our commitment to protect your privacy

We understand that the personal information you provide is sensitive and private. We are committed to protecting your privacy and ensuring you feel secure whenever you engage with us. This policy explains how we collect, use, and safeguard your personal information in compliance with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), the EU/UK General Data Protection Regulation (GDPR/UK GDPR) where applicable, California’s Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Australia’s Privacy Act 1988 (as amended by the 2024 reforms), and—where applicable—Indonesia’s Personal Data Protection Law (Law No. 27 of 2022) and Thailand’s Personal Data Protection Act B.E. 2562 (2019).

Our services are not intended for children under 18 (or the age of majority where you live). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it promptly unless retention is required by law.

Site usage information and cookies

When you access our Site ("Kinnara.asia," "Kinnara.com," or other Kinnara web assets), we may use embedded software (such as JavaScript) and place small data files ("cookies") on your device to collect information about page views, navigation paths, activities on each page, time spent, and overall Site performance.

We do not associate this usage information with identifiable individuals unless you log in or you provide consent to analytics/advertising cookies through our consent banner; in those cases some data may be linked to your account. You may decline cookies via your browser settings. Doing so may impact your experience using our Site and services.

Where required (e.g., EU/UK/Thailand), we obtain your explicit consent before placing any non‑essential cookies (e.g., analytics or marketing). You can update your choices at any time in our Cookie Preferences. We honor Global Privacy Control (GPC) signals for opt‑out of “sharing” (CPRA) where legally required.

Cookie categories

  • Strictly necessary – required for core functionality (security, session management).
  • Preferences – remember choices such as language and region.
  • Analytics / performance – help us measure and improve the Site.
  • Advertising / marketing – personalize ads or measure ad performance (set only with your consent where required).

Personal information

"Personal information" (or "personal data") means information that identifies, relates to, describes, or could reasonably be linked with you. We collect special categories (GDPR sensitive data) only with your explicit consent or where required by law.

Notice at Collection (California) / Article 13 (GDPR)

| Category (CPRA/GDPR) | Examples | Source | Purpose | Sold/Shared? | Retention | Lawful Basis (GDPR) |
|---|---|---|---|---|---|---|
| Identifiers | name, email, phone, IP | You; your device | account, service delivery, security, support | No sale / No sharing (unless you enable ad cookies) | Account life + 5 yrs (legal) | Contract; Legitimate interests; Legal obligation |
| Commercial info | reservations, payments | You; processors | transactions, fraud prevention, compliance | No | 7 yrs (AML/tax) | Contract; Legal obligation; Legitimate interests (fraud) |
| Internet activity | pages viewed, logs, device info | Your device | analytics, security, service improvement | “Shared” for cross‑context ads only if you consent | 24 months (analytics) | Consent (ads/analytics where required); Legitimate interests (security) |
| Geolocation (coarse) | IP‑based region | Your device | localization, fraud | No | 24 months | Legitimate interests; Legal obligation (fraud) |
| Sensitive PI (if any) | KYC data where required | You; verification providers | AML/KYC compliance | No | 7 yrs (compliance) | Legal obligation; Public interest (where applicable) |

We do not “sell” personal information. “Sharing” under CPRA refers to cross‑context behavioral advertising. We only engage in “sharing” with your consent via our cookie banner, and you may opt out at any time (including via supported GPC signals).

Why we collect your personal information

  • Provide and secure our website and services.
  • Communicate with you and provide support.
  • Comply with legal obligations (e.g., AML, tax, consumer protection).
  • Improve our products, services, and user experience.
  • Conduct marketing with your consent where required.

Automated decision‑making and profiling

We use limited profiling (e.g., fraud detection, listing relevance/ordering). We do not make decisions producing legal or similarly significant effects solely by automated means without human involvement. EU/UK users may request human review, object to profiling, and obtain meaningful information about the logic involved where applicable.

Our roles

Kinnara acts as a data controller for personal data we collect about platform users (e.g., accounts, payments, support). For certain services provided to developers/agents (e.g., listing management performed on their instructions), we act as a data processor under a data processing agreement (DPA) that includes confidentiality, security, sub‑processor, transfer, and deletion obligations. A copy of our DPA is available on request at [email protected].

Contact & Privacy Office

For privacy questions or to exercise rights, email [email protected] or write to: Privacy Office, Kinnara Limited. (In Hong Kong, our “privacy officer” is a voluntary designation and not a statutory PDPO requirement.)

How we collect your personal information

Where reasonable and practical, we collect personal information directly from you. We may also collect information from third parties where legally permissible.

KYC Verification and Identity Data

To protect the integrity of our services and to comply with applicable Anti-Money Laundering (“AML”), Counter-Terrorism Financing (“CTF”), and customer due-diligence requirements, we may require you to complete a Know Your Customer (“KYC”) verification process before reserving, purchasing, or engaging with any of our products or services.

We use Personr.co, an independent third-party identity verification provider, to securely collect and process identity information. As part of this process, Personr.co may request and process:

  • Passport details (all nationalities supported)
  • Government-issued identification
  • Biometric information for liveness/selfie verification
  • Sanctions-list, PEP, and adverse-media screening results
  • Any additional data required to satisfy applicable AML/CTF or fraud-prevention regulations

Your identity information is processed solely for verifying your identity, meeting regulatory obligations, preventing fraud or unauthorised activity, and supporting risk-management requirements.

KYC is mandatory where required by law or by our compliance obligations. If you do not complete verification, or if verification is unsuccessful, we may not be able to provide certain services, finalise reservations, or complete transactions.

How We Use and Store KYC Data

KYC data collected through Personr.co is transmitted using secure, encrypted methods. Kinnara does not store copies of your identity documents unless required under statutory AML/CTF, financial reporting, property-transaction, or regulatory obligations.

Where retention is required, KYC data is stored securely and access is strictly limited. KYC information may be used to:

  • verify your identity and eligibility to transact
  • comply with AML/CTF and financial-crime regulations
  • comply with property-transaction and land-ownership requirements
  • prevent fraud, misrepresentation, or unauthorised activity
  • meet obligations under agreements with developers, financial institutions, or regulatory bodies

We retain KYC data only for as long as necessary to meet legal, regulatory, or operational requirements (typically 5–7 years, depending on jurisdiction).

Third-Party KYC Provider

Personr.co acts as a data processor on our behalf. Their processing of your information is governed by contractual data-protection obligations and their own privacy and security standards. You may review their privacy practices at personr.co.

Personr.co may process KYC information using systems or databases located in jurisdictions outside your home country (e.g., international sanctions-list providers). Where required, we and Personr.co implement appropriate safeguards for all international transfers.

We may change our KYC provider from time to time. When we do, equivalent protections and controls will apply.

Disclosures of personal information

We may disclose personal information to: (i) service providers and vendors (IT infrastructure, payments, analytics); (ii) organizations involved in managing or administering your account; (iii) associated businesses that market relevant products/services to you where permitted or with your consent; (iv) your authorized representatives; (v) authorities as required by law (including AML/CTF); (vi) investors, agents, advisers, or entities with a legitimate interest in our business. We require third‑party processors to operate under written agreements with appropriate data‑protection and security obligations and to delete or return personal data upon termination of services.

International transfers

Your information may be processed in Hong Kong, Indonesia, Thailand, Australia, the EU/UK, the United States, and other locations where our service providers operate. For EU/UK data we rely on adequacy decisions where available, Standard Contractual Clauses (plus the UK Addendum/IDTA where applicable), and supplemental safeguards (e.g., encryption in transit and at rest). For Hong Kong data, we ensure comparable protection to PDPO standards for transfers outside Hong Kong, including contractual safeguards with overseas recipients. For Australia, we comply with APP 8 regarding cross‑border disclosures.

California disclosures

  • We do not “sell” personal information as defined under CCPA/CPRA.
  • When you request deletion, we will instruct relevant third parties to delete your personal information, subject to exceptions under the law.
  • We do not discriminate against you for exercising your privacy rights.

Security

We implement appropriate technical and organizational measures (e.g., encryption in transit, access controls, logging, periodic assessments). No method is 100% secure; however, we take reasonable steps to reduce risks. Where a breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and notify supervisory authorities where required (e.g., GDPR within 72 hours).

Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws (e.g., tax and AML). We determine retention based on the category of data, statutory requirements, limitation periods, and our operational needs. When data is no longer required, we will delete or anonymize it.

Direct marketing

We may use your personal information to provide information about market activities, offers, organizational updates, or new products and services. For Hong Kong users, we will use your data for direct marketing only with your prior consent (PDPO Part 6A) and you may opt out at any time. For EU/UK residents, we will obtain consent where required. For California residents, you have the right to opt out of targeted advertising and profiling.

Access, correction & appeals

You may request access to and correction of your personal information. We will verify your identity before fulfilling requests and may refuse requests in circumstances permitted by law (e.g., legal privilege, the rights of others, manifestly unfounded or excessive requests). Response timelines: generally within one month (GDPR/UK, extendable by two months with notice) or 45 days (California, extendable with notice). If you disagree with our response, you may appeal by emailing [email protected] with “Appeal” in the subject. We will respond within 30 days and inform you of further remedies available under your local law.

GDPR/UK rights

  • Access, rectification, erasure.
  • Restriction and objection (including to processing based on legitimate interests).
  • Data portability.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your supervisory authority.

Australia (Privacy Act 1988, as amended 2024)

  • Enhanced rights including erasure and explanation of decisions that significantly affect you.
  • We conduct Privacy Impact Assessments for high‑risk processing where required.
  • We cooperate with the OAIC and comply with its enforcement powers and guidelines.

Opt‑out signals

We honor Global Privacy Control (GPC) signals as an opt‑out of “sharing” for cross‑context advertising where legally required.

Verification & authorized agents (California)

We will verify your identity (e.g., email confirmation, signed declaration) before fulfilling access/deletion requests. You may appoint an authorized agent; we may require proof of authorization.

Supervisory contacts

You may contact: Hong Kong PCPD, EU/UK supervisory authorities, the Australian OAIC, or the California CPPA/Attorney General, as applicable. We will provide contact details upon request.

Further information

For further information, contact [email protected].

Changes to this policy

We regularly review and update this Privacy Policy to reflect changes in technology, legal requirements, and business practices. Updates will be posted on our Site. If changes materially affect your rights, we will provide advance notice where feasible (e.g., 30 days) via email or a prominent Site notice.