JoinMeal Privacy Policy (Hong Kong, PDPO-Compliant) v1.0

1. Personal Information Collection Statement (PICS) (Important)

When you use the Service, we may collect personal data from you. This PICS explains:

• What we collect: the categories listed in Section 3.
• Whether provision is mandatory: some data is required to provide the Service (see Section 4). If you do not provide mandatory data, we may be unable to create/maintain your account or provide certain features.
• Purposes of collection/use: set out in Section 6 (and directly related purposes).
• Classes of transferees: described in Section 8 (e.g., other users as part of core functionality; service providers; marketing/advertising partners where applicable; legal/safety disclosures).
• Your PDPO rights: access and correction are described in Section 12.

2. Scope

This Privacy Policy applies to personal data we process in connection with:

• Our mobile app and related services (including in-app chat, posting/joining group orders, reporting, and customer support);
• Our website (if any); and
• Communications with us (e.g., support emails).

This Privacy Policy does not apply to third-party platforms, restaurants/merchants, couriers, payment institutions, or other third-party services you may access via links or references in the Service. Their privacy practices are governed by their own policies.

3. Personal Data We Collect

We may collect the following categories of personal data, depending on what you provide and how you use the Service:

3.1 Account and Profile Data

• HKUST email address (for verification and login)
• Nickname and avatar
• Any optional profile details you choose to provide

3.2 Group Order and Activity Data

• Posts you create (e.g., merchant/platform name, order cutoff time, pickup point, notes)
• Records of group orders you join
• Your interactions (views, clicks, “interested” indicators, participation status)

3.3 In-App Communications and User Content

• Chat messages, attachments, and related metadata (e.g., timestamps; sender/recipient account identifiers)
• Reports you submit and follow-up communications

3.4 Device, Log, and Technical Data

• IP address
• Device identifiers and device model / OS version
• App version, language settings, time zone
• Diagnostic data (crash logs, performance logs)
• Security logs and anti-abuse signals

3.5 Location-Related Data

• Pickup location/building information you manually enter
• Precise or approximate device location only if you grant permission (subject to OS/device capabilities)

We may derive approximate location (e.g., city/district-level) from your IP address for security and contextual features. Precise device location is collected only if you grant permission.

3.6 Customer Support and Contact Data

• Email content when you contact us
• Information you choose to provide to help resolve issues (e.g., screenshots)

3.7 Cookies / Similar Technologies (If We Operate a Website)

• Cookies or similar technologies used for sign-in, preferences, analytics, and security (we may provide a separate cookie notice if applicable)

4. Mandatory vs Optional Data

• Mandatory: HKUST email address (account creation/verification); basic device/log data reasonably required for security, fraud prevention, and operation of the Service; and any information you submit that is necessary to complete an action you initiate (e.g., required fields for a group-order post).
• Optional: Nickname/avatar and other profile fields; preferences; and precise location data (only collected if you grant permission). You may use the Service without granting precise location permission, although some features may be less convenient.

5. How We Collect Personal Data

We collect personal data:

• Directly from you (registration, profile, posts, chat, reports, support emails);
• Automatically from your device/app (logs, crash reports, device info, security signals);
• From other users when they interact with you (e.g., mentions in chat, reports involving your account); and
• From partners only where applicable and lawful (typically aggregated or non-identifying campaign performance data).

6. Purposes of Use (Why We Use Your Data)

We use personal data for the following purposes (and directly related purposes):

6.1 Provide and Operate the Service

• Create and manage accounts; verify HKUST eligibility
• Enable posting/joining group orders and in-app communication
• Provide notifications and service messages related to group orders and the Service

6.2 Safety, Security, and Fraud Prevention

• Detect, investigate, prevent, and take action against spam, scams, impersonation, harassment, and other harmful behavior
• Enforce our Terms of Service and platform rules
• Protect users and the integrity of the Service

6.3 Content Moderation, Complaints, and Dispute Handling

Review reported content, investigate suspected violations, preserve evidence, and handle complaints, disputes, and appeals where necessary.

6.4 Analytics and Service Improvement

• Understand usage trends and improve features, performance, and user experience
• Debug issues and improve reliability

6.5 Personalized Recommendations, Advertising, and Promotions

• Personalize recommendations (e.g., relevant group orders)
• Display advertisements and measure performance
• Run JoinMeal promotions and joint promotions with partner merchants/partners

6.6 Direct Marketing (Push Notifications and Email) (See Section 13)

Send marketing communications via push notifications and/or email (where permitted and in compliance with PDPO).

6.7 Legal and Compliance

• Comply with applicable laws, court orders, and lawful requests
• Establish, exercise, or defend legal claims

7. In-App Chat Review and Content Moderation (Important)

To maintain safety, trust, and compliance, we may, to the extent reasonably necessary:

• Scan and review in-app chat and Content using automated tools and/or human reviewers;
• Investigate reports and suspected violations; and
• Remove or restrict Content, suspend accounts, and preserve records as evidence.

Access to chat review and moderation tools is restricted to authorized personnel and/or contracted service providers bound by confidentiality and security obligations. Moderation and safety review are intended to reduce risk and improve compliance and do not guarantee any user’s integrity or any transaction outcome.

8. Sharing and Disclosure

We do not sell your personal data. We may share or disclose personal data in the following circumstances:

8.1 With Other Users (Service Functionality)

• Your nickname/avatar and group-order-related information may be visible to other users.
• Content you post is shared according to Service logic.
• In-app messages are shared with intended recipients.

8.2 With Service Providers (Processors)

We may share personal data with vendors that help us operate the Service. These may include providers for:

• Infrastructure, hosting, and content delivery;
• Authentication, messaging, and email delivery;
• Analytics, crash/performance monitoring; and
• Customer support tooling.

They are required to protect data and use it only under our instructions.

8.3 With Advertising / Marketing Partners (If Applicable)

If we run advertisements, promotions, or co-marketing, we may share:

• Aggregated or de-identified campaign performance data; and/or
• Where you choose to participate in a Partner promotion or event (e.g., redemption, registration, eligibility verification, fulfillment, or customer support for that activity), the minimum necessary information to administer that activity (such as participation or redemption status), subject to appropriate safeguards and user choices as applicable.

We do not share your HKUST email address or other directly identifying information with Partners for their independent direct marketing or for third-party advertising targeting, unless you separately consent or such sharing is otherwise required or permitted by law.

8.4 For Legal Reasons and Safety

We may disclose personal data if we believe in good faith that disclosure is necessary to:

• Comply with law, court orders, or lawful requests;
• Protect the rights, property, or safety of users, JoinMeal, or the public; or
• Investigate fraud or security incidents.

8.5 Business Transfers

If we are involved in a merger, acquisition, reorganization, or asset sale, personal data may be transferred as part of that transaction, subject to appropriate confidentiality and notice where required.

9. Cross-Border Transfers (Including Our Main Vendors/Regions)

Your personal data may be stored or processed outside Hong Kong, including in locations where our service providers operate.

Based on our current setup, our main providers may process/store data in or through:

• Cloudflare — Asia-Pacific (APAC) region (content delivery, security, and related infrastructure)
• Railway — Singapore (application hosting and infrastructure)
• Resend — Tokyo (email delivery infrastructure)
• Firebase — locations may vary depending on configuration and Google’s infrastructure (region may be unspecified unless selected)

Where cross-border transfers occur, we take reasonable steps consistent with PDPO principles to protect personal data, such as:

• Contractual and organizational safeguards with vendors;
• Access controls and least-privilege practices; and
• Encryption in transit (and at rest where appropriate/available).

10. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy and directly related purposes, including service provision, security/fraud prevention, dispute handling, and legal/compliance obligations.

Retention is determined based on factors such as:

• Whether you maintain an active account;
• The need to investigate or prevent fraud/abuse; and
• Whether we must keep records to comply with legal obligations or to establish, exercise, or defend legal claims.

When personal data is no longer required, we will delete or anonymize it in accordance with our internal retention procedures, unless retention is required or permitted by law.

11. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal data, including:

• Access controls and least-privilege practices
• Encryption in transit (where supported)
• Monitoring and logging for security
• Secure development and change management practices

No method of transmission or storage is 100% secure. You should also protect your account and device.

12. Your Rights (Access and Correction) (PDPO)

Subject to the PDPO and applicable exemptions, you may request:

• Access to the personal data we hold about you; and/or
• Correction of inaccurate personal data.

To submit a request, email info@receipt-fly.com with:

• Your account email (HKUST email),
• The type of request (access and/or correction), and
• Sufficient details to help us locate the relevant data.

We may verify your identity before processing the request. For data access requests, we may charge a reasonable fee where permitted by the PDPO. We aim to respond within a reasonable time in accordance with the PDPO.

13. Direct Marketing (Push Notifications and Email)

We may use your personal data for direct marketing only in compliance with the PDPO.

13.1 What We May Market

We may send you marketing communications about:

• JoinMeal features, updates, and promotions; and/or
• Partner merchant/partner offers, discounts, and campaigns relevant to students.

13.2 What Data We May Use

For direct marketing, we may use your:

• Contact information (e.g., HKUST email address) and/or an in-app/push notification token/identifier associated with your device (where available);
• Basic account information (e.g., nickname); and
• General usage signals (e.g., broad interest categories or interaction history), where available and appropriate.

13.3 Consent / Indication of No Objection and Opt-Out

Where required under the PDPO, we will provide the required notice and obtain your consent or indication of no objection (as applicable) before sending direct marketing.

You may opt out of direct marketing at any time at no charge by:

• Using in-app controls (if available), or
• Emailing info@receipt-fly.com.

After we receive your opt-out request, we will stop using your personal data for direct marketing as soon as reasonably practicable.

14. Children

The Service is intended for HKUST students and is not directed to children. If you believe a child has provided personal data without appropriate authorization, please contact us and we will take appropriate steps.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time and notify you via in-app notice, announcement, or other reasonable means. The updated version becomes effective as of the “Effective Date” above.

16. Contact Us

If you have questions, requests, or complaints about this Privacy Policy or our handling of personal data, contact: