Personal Information Collection Statement (PICS)

In accordance with Data Protection Principle 1 of the Hong Kong PDPO, this statement informs you of our practices regarding the collection of personal data when you use the Claims System.

1. Kinds of data collected

• Identity and contact details (name, email, phone, HKID).
• Bank account details for reimbursement.
• Claim information including category, amount, incident date, description, and supporting documents (which may include medical records).
• Technical logs (IP address, user-agent, timestamps).

2. Purposes of collection

• Identity verification and account administration.
• Claim submission, assessment, approval, payment and dispute resolution.
• Fraud detection and regulatory compliance.
• Audit trail for PDPO DPP 4.

3. Employer / group owner access

If you are covered under a group policy, your employer (group owner) may view aggregated category-level amountsof claims you submit, for the purpose of managing the policy's limit usage. Your employer cannot view claim descriptions, medical records, or other documents you submit.

4. Transferees

• Our claim handlers and administrators, for claim processing.
• Our data hosting provider (Supabase — ap-southeast-1).
• Our email delivery provider (Resend).
• Our anti-malware scanning provider.
• Regulators or law enforcement where required by law.

5. Mandatory data

Data marked as required on forms is mandatory for processing your claim. Without it we may not be able to assess or pay your claim.

6. Access and correction

Under PDPO you have the right to request access to and correction of your personal data. Please contact our Data Protection Officer (see the Privacy Policy) to make such a request. We aim to respond within the PDPO statutory limit of 40 days.