// 1. Data Controller

The data controller responsible for your personal data is:

lbhongdafood.com
Bristol & Bath Science Park
United Kingdom
Email: contact@lbhongdafood.com
Email (privacy inquiries): contact@lbhongdafood.com

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU GDPR, our representative in the European Union can be contacted at contact@lbhongdafood.com.

// 2. Scope of this Policy

This Privacy Policy applies to all information collected through:

  • The lbhongdafood.com corporate website (the "Site"), including all sub-pages.
  • All mobile applications published by lbhongdafood.com on the Apple App Store, Google Play Store, Huawei AppGallery, Samsung Galaxy Store, Amazon Appstore, Microsoft Store, and any other application distribution platform (collectively, the "Apps").
  • All related services, customer-support channels, and developer tools provided by us (the "Services").
  • Email, social-media, and messaging interactions initiated by you with our support or business team.

By accessing, installing or using any of our Services, you confirm that you have read and understood this Privacy Policy.

// 3. Core Privacy Principles

  • Data minimisation – we collect only what is strictly necessary to deliver the feature you requested.
  • Local-first processing – by default, all personal content (lists, notes, photos, recordings, budgets, inventory) is stored locally on your device using platform-provided secure storage (e.g. iOS Data Protection, Android EncryptedSharedPreferences, App Sandbox, Keychain).
  • No advertising profiling of children – our Apps are not directed at children and we do not knowingly serve personalised advertising to anyone under 18.
  • No sale of personal data – we do not sell, rent, lease or trade personal information for money or value.
  • Transparent processing – every category of data, every purpose, every third party and every retention period is listed below.
  • Defence in depth – encryption in transit (TLS 1.3) and at rest (AES-256), sandboxed processing, hardened network policies.

// 4. Information We Collect

4.1 Information you voluntarily provide

  • Account identifiers (name, email) – only when you sign up for an account or opt-in to cloud sync.
  • Support correspondence (emails, bug reports, in-app feedback) and any attachments you choose to include.
  • Newsletter subscription data (email address and language preference).
  • Survey responses and product-research feedback that you explicitly submit.

4.2 Information collected automatically

  • Device metadata: device model, OS version, locale, time zone, app version, build number.
  • Usage analytics (aggregated, IP-truncated): feature usage frequency, screen views, crash logs, performance metrics, anonymised session duration.
  • Diagnostic data: stack traces, error codes, network response codes – never the content of your local files.
  • Approximate country/city derived from anonymised IP address (subnet truncated to /24 for IPv4 and /48 for IPv6).

4.3 Information collected from third parties

  • App-store receipt verification (anonymous, opaque tokens validated via Apple/Google servers).
  • Crash and performance telemetry from Firebase Crashlytics and Apple MetricKit (opt-in where required).

4.4 Information we DO NOT collect

  • The actual content of your local files, notes, budgets, photos, recordings, document vaults, or inventory items.
  • Your contacts, call logs, SMS, microphone audio, camera images, GPS coordinates, or biometric data unless you explicitly grant per-feature permission.
  • Persistent device identifiers (IDFA, GAID) for advertising purposes – we deliberately avoid this and rely only on contextual advertising.
  • Information about your religious beliefs, political opinions, health, sexual orientation, trade union membership, or any other special-category data.

// 5. Legal Bases for Processing (GDPR)

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)) – to provide the Services you have requested, process purchases and deliver customer support.
  • Legitimate interest (Art. 6(1)(f)) – to secure, optimise and improve our Services, prevent fraud, and maintain accurate analytics in aggregate form.
  • Consent (Art. 6(1)(a)) – for non-essential cookies, marketing communications, and any optional feature that processes personal data beyond what is strictly required.
  • Legal obligation (Art. 6(1)(c)) – to comply with applicable laws, court orders, tax/accounting duties, and lawful government requests.

// 6. Cookies and Similar Technologies

We use a minimal set of cookies and local-storage items. We do not use any third-party advertising cookies. Cookies are categorised as follows:

  • Strictly necessary: session_id, csrf_token – required for security and cannot be disabled.
  • Functional: lang_pref, theme – remember your preferences.
  • Analytics (opt-in, IP-anonymised): _lbhf_analytics – aggregated, non-identifying usage data.
  • Marketing: none. We do not set marketing or retargeting cookies.

You can change your preferences at any time via our in-app consent banner, the cookie settings link in our footer, or your browser's privacy controls. We honour Global Privacy Control (GPC), Do Not Track (DNT), and Apple ATT signals.

// 7. Advertising, Monetisation & Ad SDKs

Our Apps are free to download and may be supported by advertising. All advertising is contextual – we do not allow interest-based behavioural targeting, retargeting, or the creation of cross-app user profiles by our ad partners. We do not allow our advertising partners to collect persistent device identifiers (IDFA/GAID/ODIN) for the purpose of building advertising profiles. Below is a complete, exhaustive list of advertising technologies and monetisation platforms that may be integrated into our Apps. Each entry is followed by the data it processes, its privacy-policy URL, and the opt-out controls available to you.

7.1 Google AdMob (primary monetisation partner)

  • Provider: Google Ireland Limited / Google LLC.
  • Privacy Policy: policies.google.com/privacy
  • Partner Privacy: AdMob Privacy
  • Ad Formats: Banner ads (320×50, 300×250, 728×90, smart banner), Interstitial ads (full-screen static and video, with frequency caps), Rewarded video ads (user-initiated, opt-in only), Native ads (in-feed contextual), App-open ads (splash-screen contextual), and Native advanced.
  • Data Processed: device advertising ID (only after explicit user consent via Apple's App Tracking Transparency framework), IP address (truncated), device make/model, OS version, locale, approximate location (country-level), ad-impression events, click events, crash diagnostics.
  • Compliance: certified by IAB Tech Lab's Transparency & Consent Framework (TCF v2.2), Google EU User Consent Policy, Children's Online Privacy Protection Act (COPPA), GDPR, CCPA/CPRA.
  • Children: ad requests are tagged as tagForChildDirectedTreatment = false and tagForUnderAgeOfConsent = false; we do not serve personalised ads to users under 18.
  • Opt-out: Google Ads Settings · in iOS Settings → Privacy → Tracking · in Android Settings → Google → Ads.

7.2 Google AdSense & Google Ad Manager (web)

  • Provider: Google Ireland Limited.
  • Privacy Policy: policies.google.com/privacy
  • Formats: display banner, in-feed native, in-article, matched content, vignette.
  • Compliance: TCF v2.2, GDPR, CCPA/CPRA, NAI Code of Conduct, DAA Self-Regulatory Principles.
  • Opt-out: Google Ads Settings · NAI Opt-Out.

7.3 Meta Audience Network (Facebook)

  • Provider: Meta Platforms Ireland Limited.
  • Privacy Policy: facebook.com/privacy/policy
  • Formats: banner, interstitial, rewarded video, native, in-stream video.
  • Data: device advertising ID (with consent), event data, conversion events.
  • Compliance: GDPR, CCPA, ePrivacy Directive, EU Meta Consent Flow.
  • Opt-out: Facebook Ad Preferences → Ad Preferences · Audience Network → Opt-out of Audience Network.

7.4 Unity Ads

  • Provider: Unity Technologies Finland OY / Unity Technologies SF.
  • Privacy Policy: unity.com/legal/privacy-policy
  • Formats: interstitial, rewarded video, banner, playable ads, AR ads.
  • Data: device ID, IP, device make/model, OS version, locale, ad events, crash data.
  • Compliance: GDPR, CCPA, COPPA, EDAA / TCF v2.2, IAB Europe.
  • Opt-out: Unity Privacy Choices · iOS ATT · Android Ad ID reset.

7.5 AppLovin (MAX & SparkLabs)

  • Provider: AppLovin Corporation.
  • Privacy Policy: applovin.com/privacy
  • Formats: banner, MREC, native, interstitial, rewarded, playables, app-open.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2.
  • Opt-out: applovin.com/optout · platform ATT / Ad ID controls.

7.6 Chartboost

  • Provider: Chartboost, Inc. (a Zynga company).
  • Privacy Policy: chartboost.com/privacy
  • Formats: interstitial, rewarded video, banner, native, MoreApps wall.
  • Compliance: GDPR, CCPA, COPPA, DAA, TCF v2.2.
  • Opt-out: chartboost.com/opt-out · platform controls.

7.7 Vungle (Liftoff)

  • Provider: Liftoff Mobile, Inc. (operating Vungle).
  • Privacy Policy: vungle.com/privacy
  • Formats: interstitial, rewarded, banner, native, playable.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2.
  • Opt-out: vungle.com/opt-out · platform controls.

7.8 ironSource (now Unity)

  • Provider: ironSource Ltd. (a Unity company).
  • Privacy Policy: is.com/privacypolicy
  • Formats: interstitial, rewarded video, banner, native.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2.
  • Opt-out: ironSource Privacy Choices · platform controls.

7.9 Tapjoy

7.10 InMobi

  • Provider: InMobi Technology Services Pvt. Ltd.
  • Privacy Policy: inmobi.com/privacy-policy
  • Formats: banner, interstitial, rewarded video, native, video.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2, DAA.
  • Opt-out: inmobi.com/opt-out · platform controls.

7.11 Pangle (ByteDance)

  • Provider: ByteDance Pte. Ltd.
  • Privacy Policy: pangle.io/privacy-policy
  • Formats: banner, native, interstitial, rewarded video, splash.
  • Compliance: GDPR, CCPA, PIPL, TCF v2.2.
  • Opt-out: pangle.io/opt-out · platform controls.

7.12 Mintegral

  • Provider: Mintegral International Sdn. Bhd. (a Mobvista company).
  • Privacy Policy: mintegral.com/en/privacy-policy
  • Formats: banner, native, interstitial, rewarded video, splash, playable.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2, EDAA.
  • Opt-out: mintegral.com/en/optout · platform controls.

7.13 Digital Turbine (AdColony & Fyber)

7.14 AdColony (DSP & Exchange)

  • Provider: AdColony, Inc. (a Digital Turbine company).
  • Privacy Policy: adcolony.com/privacy-policy
  • Formats: interstitial (Instant-Play™ HD), rewarded video, banner, native, playable, Aurora™ HD video.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2, DAA, IAB Europe.
  • Opt-out: AdColony Opt-Out · platform controls.

7.15 Start.io (StartApp)

7.16 Liftoff (formerly Vungle) Monetisation

  • Provider: Liftoff Mobile, Inc.
  • Privacy Policy: liftoff.io/privacy-policy
  • Formats: interstitial, rewarded video, banner, native, playables.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2.
  • Opt-out: Liftoff Opt-Out · platform controls.

7.17 Moloco

  • Provider: Moloco, Inc.
  • Privacy Policy: moloco.com/privacy-policy
  • Formats: programmatic banner, native, video, rewarded.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2.
  • Opt-out: Moloco Opt-Out · platform controls.

7.18 Yahoo (Verizon Media) & AOL

7.19 Microsoft Advertising (Bing / Xandr / UET)

  • Provider: Microsoft Corporation (Microsoft Advertising, Xandr, MSN).
  • Privacy Policy: privacy.microsoft.com
  • Formats: banner, native, video, rewarded, app-install ads.
  • Compliance: GDPR, CCPA, COPPA, TCF v2.2.
  • Opt-out: Microsoft Ad Settings.

7.20 Criteo

7.21 Amazon Publisher Services / Amazon Ads

  • Provider: Amazon.com, Inc.
  • Privacy Policy: amazon.com/privacy
  • Formats: display, video, native, app install, header bidding.
  • Compliance: GDPR, CCPA, TCF v2.2, IAB Europe.
  • Opt-out: Amazon Ad Preferences · platform controls.

7.22 Taboola

7.23 Outbrain

7.24 Smaato

  • Provider: Smaato, Inc.
  • Privacy Policy: smaato.com/privacy
  • Formats: banner, native, video, interstitial, rewarded.
  • Compliance: GDPR, CCPA, TCF v2.2.
  • Opt-out: Smaato Opt-Out.

7.25 PubMatic

7.26 Index Exchange

7.27 OpenX

7.28 Rubicon Project (Magnite)

7.29 TripleLift

7.30 Teads (Teads SDK)

  • Provider: Teads (Teads Holding Co.).
  • Privacy Policy: teads.com/privacy-policy
  • Formats: outstream video, in-read, rewarded, display.
  • Compliance: GDPR, CCPA, TCF v2.2, EDAA, IAB Europe.
  • Opt-out: Teads Opt-Out.

7.31 TikTok Audience Network (Pangle / ByteDance)

7.32 Twitter (X) MoPub (now defunct, but historically integrated)

  • Provider: X Corp. (formerly Twitter, Inc.) – MoPub was sunset in 2022 and we no longer use it.
  • Privacy Policy: x.com/en/privacy

7.33 Smaato & Smaato SSP

  • Provider: Smaato, Inc.
  • Privacy Policy: smaato.com/privacy
  • Formats: programmatic, header bidding, display, video.
  • Compliance: GDPR, CCPA, TCF v2.2, IAB Europe.
  • Opt-out: Smaato Opt-Out.

7.34 InMobi Exchange & InMobi Mediation

7.35 Verizon Media (Yahoo) Native & Video

7.36 ad-lib Digital

  • Provider: ad-lib Digital Advertising Technology & Software Industry Inc.
  • Privacy Policy: ad-lib.io/privacy-policy
  • Formats: programmatic display, video, native.
  • Compliance: GDPR, CCPA, TCF v2.2.
  • Opt-out: ad-lib.io Opt-Out.

7.37 Ogury

7.38 Adikteev & re-engagement platforms

7.39 Firebase AdMob & Google Mobile Ads SDK

7.40 Smart AdServer, Equativ & LiquidM

  • Provider: Equativ (formerly Smart AdServer & LiquidM).
  • Privacy Policy: equativ.com/privacy-policy
  • Formats: programmatic display, video, native, CTV.
  • Compliance: GDPR, CCPA, TCF v2.2, EDAA.
  • Opt-out: Equativ Opt-Out.

7.41 Wunderkind (BounceX)

7.42 Quantcast

7.43 Lotame

7.44 LiveRamp & ATS (Authenticated Traffic Solution)

7.45 Tappx (Header Bidding & Mediation)

7.46 Adverty (In-game & AR advertising)

7.47 Pixalate (Fraud prevention & brand safety)

7.48 HUMAN (White Ops) & bot/fraud prevention

7.49 IAS (Integral Ad Science)

7.50 DoubleVerify

7.51 General Ad-SDK compliance summary

Every ad SDK integrated into our Apps complies with the following baseline rules:

  • No collection of personal data from children under 13 (COPPA) or under 16 (EU/UK).
  • No precise geolocation (lat/long); only coarse country/city is permitted.
  • No collection of health, biometric, contact, calendar, SMS, or microphone data.
  • IP addresses are truncated by the SDK before any further processing.
  • All ad partners have signed the EU Standard Contractual Clauses (SCCs) where required.
  • All ad partners support the IAB Europe TCF v2.2 consent string.
  • All ad partners honour Apple App Tracking Transparency (ATT) and Android Advertising ID resets.
  • All ad partners support the Limited Ad Tracking (LAT) signal.

// 8. App Store Specific Compliance

8.1 Apple App Store & App Tracking Transparency (ATT)

Our iOS Apps use Apple's AppTrackingTransparency framework. We will only access the IDFA after you have explicitly granted permission via the iOS system prompt. If you decline, we will serve only contextual advertising, with no cross-app tracking. The first time an ad is requested, the App will display Apple's standard ATT prompt. You can change your choice at any time in iOS Settings → Privacy → Tracking.

8.2 Apple Privacy Nutrition Labels (App Store Connect)

All our Apps declare accurate, complete and up-to-date information in the "App Privacy" section of the App Store, including: contact info, identifiers, usage data, diagnostics, and purchase data categories, with the purposes of Third-Party Advertising, Analytics, Product Personalisation, and App Functionality.

8.3 Apple "Data Used to Track You" definition

We do not link user or device data with third-party data for advertising purposes, and we do not share data with a data broker. Therefore, the only data declared under "Data Used to Track You" is the IDFA (with explicit consent).

8.4 Google Play Data Safety Form

All our Android Apps declare accurate information in the Google Play Console "Data Safety" section, including: whether data is shared, whether data is collected, the security practices in place (encryption in transit, encryption at rest, opt-out option, data deletion option), and the data retention period.

8.5 Google Play Families Policy & Designed for Families

Apps intended for children are categorised as such in Google Play and have no ad-personalisation enabled. Mixed-audience Apps (suitable for both children and adults) do not serve personalised ads to users identified as under 18.

8.6 Huawei AppGallery, Samsung Galaxy Store, Amazon Appstore, Microsoft Store

The same privacy standards apply across every distribution platform. Where a platform offers an advertising ID system (e.g. Huawei OAID), we honour its reset and opt-out controls.

// 9. Children's Privacy (Age Restrictions)

9.1 Minimum age

Our Services are not directed to children under 13 years of age (or under 16 in the EEA/UK, under 14 in Spain, under 14 in South Korea, under 18 in certain U.S. states such as California, Virginia, Connecticut, Colorado, Utah, Texas, Oregon, Montana, Delaware, New Jersey, Pennsylvania, Iowa, Indiana, Tennessee, Florida, Kentucky, Maryland, Minnesota, New Hampshire, Rhode Island). We do not knowingly collect personal data from anyone below the minimum age threshold. If we learn that we have inadvertently done so, we will delete the data immediately.

9.2 COPPA (Children's Online Privacy Protection Act, USA)

For U.S. children under 13 we operate in strict compliance with COPPA. We do not collect any personal information from children under 13. Our Apps are not designed to attract an audience under 13. Ad requests initiated from under-13 users are tagged accordingly and are eligible only for contextual ads from COPPA-certified vendors.

9.3 GDPR-K & Article 8

For EU/UK children under 16, processing is based on consent given or authorised by the holder of parental responsibility, in accordance with Article 8 of the GDPR.

9.4 Verifiable parental consent (VPC)

If we ever need to collect personal data from a child, we will use a verifiable parental consent mechanism (knowledge-based authentication, credit-card verification, government-ID check, or signed consent form) in line with FTC COPPA Rule and equivalent EU/UK guidance.

9.5 Age-gating

Where a feature requires age verification, we provide a neutral age-gate screen before any data is collected. Users below the minimum age are blocked from the data-collecting features.

9.6 Right to erasure for minors

Parents or guardians may at any time request access to, correction of, or deletion of their child's personal data by writing to contact@lbhongdafood.com.

// 10. International & Regional Compliance

10.1 United Kingdom – UK GDPR & Data Protection Act 2018
Registered with the Information Commissioner's Office (ICO). Lawful bases as set out in Section 5. You have the right to lodge a complaint with the ICO at ico.org.uk.

10.2 European Union – GDPR (Regulation 2016/679)
Compliant with all six lawful bases, the seven GDPR principles, and all data-subject rights. EU representative contactable at contact@lbhongdafood.com.

10.3 United States – CCPA / CPRA (California)
We do not sell or share personal information for cross-context behavioural advertising. California residents have the right to know, delete, correct, and limit use of sensitive personal information. Submit requests to contact@lbhongdafood.com. Authorised agent requests accepted with verifiable proof of authorisation. We respond within 45 days.

10.4 United States – Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MOCCPA, Delaware DPDPA, New Jersey, Pennsylvania, Iowa, Indiana, Tennessee, Florida, Kentucky, Maryland, Minnesota, New Hampshire, Rhode Island
Honoured uniformly: right to access, delete, correct, portability, opt-out of sale/profiling, appeal right.

10.5 Canada – PIPEDA & Quebec Law 25
Compliant. Open and transparent privacy management. Privacy Officer contact: contact@lbhongdafood.com.

10.6 Australia – Privacy Act 1988 & Australian Privacy Principles (APPs)
Compliant. Notifiable Data Breaches scheme respected. OAIC complaints accepted.

10.7 New Zealand – Privacy Act 2020
Compliant with the 13 Information Privacy Principles (IPPs).

10.8 Singapore – PDPA
Compliant with the Personal Data Protection Act 2012, including Do-Not-Call (DNC) registry.

10.9 Japan – APPI
Compliant with the Act on the Protection of Personal Information.

10.10 South Korea – PIPA
Compliant with the Personal Information Protection Act.

10.11 China – PIPL
Compliant with the Personal Information Protection Law of the People's Republic of China, including data localisation requirements where applicable.

10.12 India – DPDP Act 2023
Compliant with the Digital Personal Data Protection Act. Consent-based processing. Data Fiduciary obligations respected.

10.13 Brazil – LGPD
Compliant with the Lei Geral de Proteção de Dados. ANPD oversight recognised.

10.14 South Africa – POPIA
Compliant with the Protection of Personal Information Act.

10.15 Switzerland – nFADP
Compliant with the revised Federal Act on Data Protection.

10.16 Other jurisdictions
Argentina (AAIP), Colombia (SIC), Mexico (LFPDPPP), Turkey (KVKK), Israel (PPL), Thailand (PDPA), Indonesia (PDP Law), Malaysia (PDPA 2010), Philippines (DPA 2012), Vietnam (PDPD), Saudi Arabia (PDPL), UAE (DIFC DPL), Nigeria (NDPR), Kenya (DPA), Egypt (PDPL), Morocco (CNDP), Tunisia (INPDP), and any other jurisdiction with an applicable data-protection regime. We extend GDPR-equivalent protections globally.

// 11. How We Use Your Information

  • To deliver the features you request and operate our Services.
  • To remember your preferences, settings and consent choices.
  • To provide customer support and respond to your enquiries.
  • To detect, prevent and address fraud, security incidents, abuse and violations of our terms.
  • To improve our Services through aggregate analytics, A/B testing (with consent) and crash diagnostics.
  • To send you service announcements, security alerts and administrative messages (transactional, no marketing consent needed).
  • To send you marketing communications (newsletter, product updates) – only with your prior opt-in consent, with one-click unsubscribe in every message.
  • To comply with legal obligations and lawful government requests.

// 12. Disclosure of Information

We do not sell personal data. We share data only as follows:

  • Service providers (hosting, email, analytics, customer support, error tracking) bound by written data-processing agreements and confidentiality undertakings.
  • Advertising partners listed in Section 7, only the data described in their respective sub-sections, and only after consent where required.
  • App-store providers (Apple, Google) – only what is strictly required for receipt validation, licensing and crash reporting.
  • Legal and regulatory authorities – only when we have a good-faith belief that disclosure is necessary to comply with a law, court order, or valid legal process; to protect our rights, your safety or the safety of others; or to detect and prevent fraud or security incidents.
  • Corporate transactions – in the event of a merger, acquisition or sale of assets, with notice to you and continued protection under this Policy.

// 13. International Data Transfers

Personal data may be transferred to, stored and processed in countries other than your own. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Module 1, 2 and 3 as applicable) and the UK International Data Transfer Agreement (IDTA).
  • Adequacy decisions recognised by the European Commission, the UK ICO, or the Swiss FDPIC.
  • Explicit consent for transfers where no other safeguard is available.
  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Recipient assessment, TOMs (Technical and Organisational Measures), and transfer impact assessments (TIAs).

// 14. Data Retention

We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements.

  • Account data: lifetime of the account + 12 months after deletion.
  • Support tickets: 36 months.
  • Analytics: 24 months (aggregated thereafter).
  • Server logs: 30 days (rotated, then deleted).
  • Marketing consent: until you withdraw consent.
  • App-store receipts: 10 years (tax-law requirement).
  • Local data on your device: remains until you delete the App, uninstall, or clear App data.

// 15. Your Rights

You have the following rights. To exercise any of them, write to contact@lbhongdafood.com. We respond within 30 days (GDPR) or 45 days (CCPA) – free of charge, although we may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests.

  • Right of access – obtain a copy of the personal data we hold about you.
  • Right to rectification – correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") – request deletion of your data.
  • Right to restriction of processing – pause processing while a complaint is investigated.
  • Right to data portability – receive your data in a structured, machine-readable format (JSON, CSV).
  • Right to object – object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent – at any time, without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making – including profiling, where it produces legal or similarly significant effects.
  • Right to lodge a complaint – with your local data-protection authority (e.g. ICO, CNIL, BfDI, Garante, AEPD, AP, DSK, ODI).
  • Right to opt out of sale/sharing (CCPA) – we do not sell, so no opt-out is required; nevertheless, you can still confirm by contacting us.
  • Right to opt out of "profiling in furtherance of decisions that produce legal or similarly significant effects" – honoured.
  • Right to opt out of "sensitive personal information" processing – we do not collect sensitive personal information, but we honour the right.

// 16. Security

We implement industry-standard technical and organisational measures to protect personal data, including:

  • AES-256 encryption of personal data at rest.
  • TLS 1.3 encryption of personal data in transit (HSTS, OCSP stapling, modern cipher suites).
  • Two-factor authentication, hardware-key support, and role-based access control for all internal systems.
  • Independent third-party security audits and penetration tests (annually).
  • Bug-bounty programme via responsible disclosure.
  • Continuous vulnerability scanning and dependency monitoring (Snyk, npm audit, OWASP Dependency-Check).
  • Documented incident response plan with 72-hour notification commitment for breaches affecting personal data (GDPR Art. 33, CCPA, etc.).
  • Privacy-by-design and privacy-by-default practices throughout the product development lifecycle.

// 17. Third-Party Links

Our Services may contain links to third-party websites, stores, services, or applications that we do not own or control. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before submitting any personal data to them.

// 18. DMCA, Takedowns & Copyright

lbhongdafood.com respects the intellectual-property rights of others. If you believe that material made available through our Services infringes your copyright, please send a DMCA notice to contact@lbhongdafood.com with the following information:

  • An electronic or physical signature of the person authorised to act on behalf of the copyright owner.
  • A description of the copyrighted work that you claim has been infringed.
  • The URL or location of the allegedly infringing material on our Services.
  • Your contact details: address, telephone, email.
  • A statement that you have a good-faith belief that the use is not authorised.
  • A statement, made under penalty of perjury, that the above information is accurate and that you are the copyright owner or are authorised to act on the copyright owner's behalf.

// 19. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this Policy reflects when the latest changes were made. Where a change is material, we will notify you via the App (in-app notice) and/or by email (if you have an account), and where required by law we will request your renewed consent. Continued use of the Services after a change indicates that you accept the updated Policy.

// 20. Contact & Data Protection Officer

For any questions, concerns, complaints or data-subject requests relating to this Privacy Policy or our processing of your personal data, please contact us:

lbhongdafood.com – Data Protection Officer
Bristol & Bath Science Park
United Kingdom
Email: contact@lbhongdafood.com
Email (privacy): contact@lbhongdafood.com
Email (business support): support@lbhongdafood.com

We will respond to your request as soon as possible, and in any event within the time limits set by applicable law (typically 30 days under GDPR, 45 days under CCPA).

If you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).