Privacy Policy
GLIA HONG KONG HOLDINGS CO., LIMITED (“Glia”, “we”, “our” or “us”) upholds a strong commitment to safeguarding the privacy, confidentiality, and security of your information. This Privacy Policy explains how we collect, use, retain, share, and protect your personal data when you use our website or the MyPBM application (together, the “Platform”).
This Privacy Policy is issued in accordance with the Personal Data (Privacy) Ordinance, Cap 486 of the laws of Hong Kong (the “Ordinance”). Where you are located in the United Kingdom or the European Economic Area, additional rights and protections apply under the UK General Data Protection Regulation and the Data Protection Act 2018, or the EU General Data Protection Regulation, respectively. Those additional rights are set out in Section 11 below.
The English version shall prevail in case of any discrepancy between the English version and any translation.
1. Who we are
The data user (or data controller, in the language of the UK GDPR and the EU GDPR) for the purposes of this Privacy Policy is:
GLIA HONG KONG HOLDINGS CO., LIMITED
Room 5003, 5F Yau Lee Centre, 45 Hoi Yuen Road, Kwun Tong, Hong Kong
Company number: 79614428
Email: privacy@mypbm.app
Our Privacy Officer can be contacted by email at privacy@mypbm.app.
2. What the Platform is
The Platform helps you create, store, maintain, and present your own advance directive, and provides a library of educational reference material drawn from identified clinical sources. The Platform is not a medical device and does not diagnose, treat, cure, or prevent any medical condition. Please see our Compliance Disclaimer for more detail.
3. The personal data we collect
We collect and process the following categories of personal data about you.
Identification and contact data
Your name, email address, and, if you choose to provide them, your phone number and postal address. Where you include contact details for a healthcare agent, alternate agent, or other individuals in your advance directive, we also process that information.
Health-related data
The content of your advance directive, including the components of blood and blood-derived products you accept or refuse, any clinical alternatives you wish to record, and any other preferences you choose to document. This information is necessarily sensitive. We treat it with the additional care described in Section 5 below.
Account and authentication data
Your login credentials (stored in hashed form), account preferences, and a record of the compliance acknowledgements you have made within the Platform.
Technical data
Your IP address, device type, operating system, browser type and version, time zone setting, language preference, and similar technical details necessary for the Platform to function and remain secure.
Usage data
Information about how you use the Platform, including pages viewed, features used, and the timing of your interactions. This data is used in aggregate form to help us improve the Platform.
Communications data
A record of your correspondence with our support team and your preferences regarding receiving service announcements from us.
4. How we use your personal data
We use your personal data for the following purposes.
To provide the Platform
To create and manage your account, to enable you to draft, store, and present your advance directive, to synchronise your data across your devices, to deliver the clinical reference library, and to surface your declared preferences on the emergency display screen.
To maintain the Platform
To diagnose technical problems, to secure the Platform against unauthorised access, to back up your data, and to perform maintenance and updates.
To communicate with you
To send you service announcements, security notices, and updates to this Privacy Policy or to our Terms of Use. Where you have opted in, to send you product updates and educational content.
To improve the Platform
To understand how the Platform is used and to identify opportunities for improvement. Where we use your data for this purpose, we use aggregate or anonymised data wherever possible.
To comply with legal obligations
To comply with our legal, regulatory, accounting, and reporting obligations, and to respond to lawful requests from public authorities.
To defend or exercise legal rights
To establish, exercise, or defend legal claims, and to protect the rights, property, or safety of our users or others.
5. Our approach to health-related data
The Ordinance applies to all personal data that relates directly or indirectly to a living individual. It does not define a separate category of “sensitive” personal data, but we recognise that health-related information warrants additional care. We therefore apply the following measures to the health-related content of your advance directive, in addition to the measures that apply to all personal data.
- We collect health-related data only on the basis of your clear affirmative action when creating or updating your advance directive.
- We do not use health-related data for any purpose other than providing the Platform to you.
- We do not share health-related data with any third party for marketing, advertising, analytics, or any other unrelated purpose.
- Access to health-related data within our organisation is restricted to personnel with a legitimate need, who are bound by contractual confidentiality obligations.
- Where you are located in the United Kingdom or the European Economic Area, we rely on your explicit consent as the lawful basis for processing your health-related data, in accordance with Article 9(2)(a) of the UK GDPR or the EU GDPR as applicable.
6. When we share your personal data
We do not sell your personal data. We share your personal data only in the following circumstances.
Service providers acting on our behalf
We engage trusted service providers who process personal data on our behalf to help us operate the Platform. These include:
- Supabase, which provides our hosted database, authentication, and storage services. Supabase processes personal data on our instructions under a written data processing agreement. More information about Supabase’s privacy practices is available at https://supabase.com/privacy.
- Apple and Google, which distribute the mobile application to you and provide associated services such as push notifications and crash reporting. Their processing of your data is governed by their own privacy policies.
- Other processors engaged from time to time for specific functions such as email delivery and customer support. A current list is available on request by emailing privacy@mypbm.app.
At your direction
Where you choose to share your advance directive with a healthcare agent, a family member, a Hospital Liaison Committee, or a medical provider, we facilitate that sharing in accordance with your instructions.
Legal and regulatory obligations
Where disclosure is required by law, court order, or lawful request from a competent authority, or where we believe in good faith that disclosure is necessary to comply with our legal obligations or to protect the rights, property, or safety of our users or others.
Corporate transactions
In the context of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring or successor entity, which will be bound to continue processing your data in accordance with this Privacy Policy or a successor privacy policy with equivalent protections.
7. International transfers of personal data
We are based in Hong Kong. Our primary processor, Supabase, operates in multiple regions; we configure data residency to the region closest to our user base where this is available. As a result, your personal data may be transferred to, and processed in, countries outside your country of residence, including Hong Kong, the United States, the European Economic Area, and the United Kingdom.
Where we transfer personal data across borders, we put in place appropriate safeguards, including contractual commitments from our processors to process personal data in accordance with this Privacy Policy and applicable law. Where you are in the United Kingdom or the European Economic Area, we use the UK International Data Transfer Agreement, the UK Addendum to the Standard Contractual Clauses, or the EU Standard Contractual Clauses (as applicable) for transfers to jurisdictions not covered by an adequacy decision.
8. How long we keep your personal data
We retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy, or as required by applicable law.
- Your account data and advance directive content are retained for as long as your account remains active. If you delete your account, we will delete or anonymise your data within thirty days, subject to any legal obligation that requires us to retain it for longer.
- Compliance acknowledgements are retained as an immutable audit trail for the life of your account and for a further six years after account deletion, to support the defence of any legal claim.
- Technical and usage data are retained for up to twelve months in identifiable form, after which they are anonymised or deleted.
- Correspondence with our support team is retained for up to three years.
9. How we protect your personal data
We implement appropriate technical and organisational measures to safeguard your personal data against unauthorised access, use, disclosure, alteration, or destruction. These measures include:
- Encryption of personal data in transit using TLS 1.2 or higher.
- Encryption at rest for data stored in our primary database.
- Access controls that limit access to personal data to personnel with a legitimate need, each of whom is bound by contractual confidentiality obligations.
- Regular review of our security measures and of the security practices of our processors.
- Internal procedures for responding to suspected security incidents.
No method of transmission or storage is completely secure. While we take the protection of your personal data seriously, we cannot guarantee absolute security.
10. Your rights under the Ordinance
Subject to the Ordinance and to our verification of your identity, you have the following rights in relation to your personal data held by us.
The right of access
You may request confirmation of whether we hold personal data about you and, if so, a copy of that data. A request for access must be made using the Data Access Request Form (Form OPS003) prescribed by the Privacy Commissioner for Personal Data. A charge may be made to cover the reasonable cost of supplying the data.
The right to correction
You may request that we correct any personal data we hold about you that is inaccurate, incomplete, or out of date.
The right to erasure
You may request that we delete your personal data where it is no longer necessary for the purposes for which we collected it, or where you wish to withdraw your consent to our processing of it.
The right to withdraw consent
Where we rely on your consent, you may withdraw that consent at any time by using the self-service controls in the Platform or by contacting us at privacy@mypbm.app. Withdrawal of consent does not affect the lawfulness of processing based on that consent before its withdrawal.
How to exercise your rights
Requests should be made in writing to our Privacy Officer at privacy@mypbm.app. We will respond within forty days, as required by the Ordinance.
11. Additional rights for users in the UK and EEA
If you are located in the United Kingdom or the European Economic Area, the UK GDPR or the EU GDPR (as applicable) gives you additional rights, summarised below.
Lawful bases on which we rely
- Explicit consent (UK GDPR / EU GDPR Article 9(2)(a)) for the processing of health-related data.
- Consent (Article 6(1)(a)) for other processing based on your clear affirmative action, such as marketing communications where you have opted in.
- Contract (Article 6(1)(b)) for the processing necessary to provide the Platform to you under our Terms of Use.
- Legal obligation (Article 6(1)(c)) for processing required to comply with applicable law.
- Legitimate interests (Article 6(1)(f)) for limited processing such as the security of the Platform and the defence of legal claims, balanced against your rights and freedoms.
Additional rights
- The right to restrict processing in certain circumstances.
- The right to object to processing that is based on our legitimate interests.
- The right to data portability, namely to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
- The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions.
- The right to lodge a complaint with a supervisory authority. In the United Kingdom, that is the Information Commissioner’s Office (ico.org.uk). In the European Economic Area, it is the supervisory authority of your country of residence.
Representative
We will appoint a UK representative and an EU representative as required by Article 27 of the UK GDPR and the EU GDPR where the scale of our processing of data subjects in those regions crosses the applicable thresholds. Where such representatives are appointed, their contact details will be published here.
12. Cookies and similar technologies
Our website uses cookies and similar technologies. For detail on how we use them and how you can control them, please see our Cookie Policy.
13. Children
The Platform is not directed at children under the age of eighteen. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us at privacy@mypbm.app and we will take appropriate steps to delete it.
14. Direct marketing
We will not use your personal data for direct marketing without your express consent. Where you have consented, you may withdraw that consent at any time, either through the self-service controls in the Platform or by following the unsubscribe link in any marketing email we send you. We do not provide your personal data to third parties for their direct marketing purposes.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Where a change is material, we will notify you by email, by notification within the Platform, or by a prominent notice on our website, at least thirty days before the change takes effect, and will ask you to re-acknowledge the updated policy.
The current version number and effective date appear at the top of this page. You can also request previous versions from our Privacy Officer.
16. Contact us
If you have any questions about this Privacy Policy or about our handling of your personal data, please contact our Privacy Officer:
Privacy Officer
GLIA HONG KONG HOLDINGS CO., LIMITED
Room 5003, 5F Yau Lee Centre, 45 Hoi Yuen Road, Kwun Tong, Hong Kong
Email: privacy@mypbm.app