Privacy Policy
Last Updated: 18 April 2026 · Effective: 18 April 2026
1. Introduction
This Privacy Policy explains how Ipsura AI (“Ipsura”, “we”, “us”, or “our”) collects, uses, stores, and protects your personal data when you access or use the Ipsura AI workflow engine and our corporate website (collectively, the “Service”).
We are committed to protecting your privacy and handling your personal data in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”). This policy applies to all users of the Service, including waitlist subscribers, Alpha Design Partners, and visitors to our website.
2. Data Controller
The data controller responsible for your personal data is:
- Company: Ipsura AI
- Data Protection Contact: legal@ipsura.com
3. Data We Collect
Data We Currently Collect
At this stage, the Service collects the following personal data:
- Email addresses — collected via the waitlist signup form on our website
Data We Will Collect in Future
When the Service launches beyond the Alpha phase, we anticipate collecting additional data types, including:
- Insurance policy documents (PDFs, scanned images)
- Personally identifiable information (PII) extracted from bilingual document parsing
- Client records ingested via email, SFTP, or direct upload
- Usage data and interaction logs within the platform
4. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery — to provide, operate, and maintain the Service
- Communication — to send updates about the Alpha program, product launches, and service changes
- Product improvement — to analyse usage patterns and improve the Service
- Legal compliance — to comply with applicable laws, regulations, and legal processes
5. Legal Basis for Processing
Under the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong, we process your personal data on the following legal bases:
- Consent — when you voluntarily provide your email address via the waitlist signup form, you consent to our processing of that data for the stated purposes
- Legitimate interest — we may process data to improve the Service, ensure security, and enhance user experience, where such processing does not override your rights
- Legal obligation — we may process data where required to comply with applicable laws, regulations, or court orders in Hong Kong
6. Data Sharing & Sub-processors
We share personal data with the following third-party sub-processors for infrastructure and service delivery purposes:
- Supabase— database hosting and user authentication. Data is stored on Supabase's managed infrastructure.
- Vercel— application hosting and content delivery network (CDN). Data is processed through Vercel's edge network.
Each sub-processor is bound by its own privacy policy and data processing agreements. We do not sell your personal data to third parties.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data at rest and in transit (TLS 1.2+)
- Role-based access controls limiting data access to authorised personnel
- Regular security reviews of our infrastructure and sub-processors
- Secure development practices throughout the software lifecycle
While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Data Retention & Deletion
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention period is 24 months from collection, or until you request deletion.
You may request deletion of your personal data at any time by contacting us at legal@ipsura.com. Upon receiving a valid deletion request, we will remove your data within a reasonable timeframe, unless retention is required by law.
10. Your Rights Under PDPO
Under the Personal Data (Privacy) Ordinance of Hong Kong, you have the following rights in relation to your personal data:
- Right of access — you may request a copy of the personal data we hold about you
- Right of correction — you may request correction of any inaccurate or incomplete personal data
- Right of deletion — you may request deletion of your personal data, subject to any legal obligations requiring retention
To exercise any of these rights, please contact us at legal@ipsura.com. We will respond to your request within 40 days, as required by the PDPO.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Notify affected users via email where practicable
- Post the updated policy on our website
Your continued use of the Service after any changes to this policy constitutes your acceptance of the updated terms.
12. Contact Information
For all enquiries regarding this Privacy Policy, data protection practices, or to exercise your rights under the Personal Data (Privacy) Ordinance (PDPO), please contact our compliance desk at: legal@ipsura.com