Privacy Policy
Last updated: 17 June 2026
This policy explains what personal data we process when you visit this website, contact us, or use the Lagoon Order Portal, why we process it, and the rights you have.
1. Controller
The controller responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR) and, where applicable, the Hong Kong Personal Data (Privacy) Ordinance (PDPO) is:
LAGOON Limited
Casey Building, 2nd Floor, 38 Lok Ku Road, Sheung Wan, Hong Kong
Email: info@lagoon-limited.com
Phone: +852 3171 1213
We have not designated an EU representative: our processing of EU personal data is occasional, limited in scale and involves no special categories of data, so the exemption in Art. 27(2) GDPR applies. We have also not appointed a data protection officer, as we are not required to do so.
2. Scope and how the GDPR applies
Although LAGOON Limited is established in Hong Kong, we offer this website and the Lagoon Order Portal to businesses in the European Union and the European Economic Area. Where we process the personal data of people in the EU/EEA in that context, the GDPR applies pursuant to its Article 3(2). For our operations in Hong Kong and mainland China, the Hong Kong PDPO and applicable local laws also apply.
3. Data we process, purposes and legal bases
a) Visiting the website. When you access this site, our hosting provider automatically processes technical data (e.g. IP address, date and time of the request, browser and device information, referrer URL) in server log data. This is necessary to deliver the site securely and reliably. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in a secure, functioning website).
b) Contact form. When you submit an enquiry we process the data you provide: name, company, email address, phone number (if given) and your message. We use it solely to handle and respond to your enquiry. Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) and Art. 6(1)(f) GDPR (our legitimate interest in responding to business enquiries). To protect the form against automated abuse we use Cloudflare Turnstile (see section 5).
c) Order portal accounts. Access to the Lagoon Order Portal is granted by invitation. For account holders we process login and profile data (email address, display name, an optional profile picture, the assigned customer record and role) and the content created in the course of the business relationship (orders, order items, notes, and product images and article data made available to or uploaded by authorised users). We use this data to provide the portal, authenticate users, process orders and communicate with you. Legal basis: Art. 6(1)(b) GDPR (performance of the contract / pre-contractual measures) and Art. 6(1)(f) GDPR (secure operation of the portal).
d) Transactional emails. We send service emails such as enquiry confirmations, portal invitations, login links and password resets. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
e) AI image processing. Within the portal’s administration, product and garment images may be transmitted to a third-party AI service to generate cleaned or editorial product imagery (see section 6). These are product images; they are not intended to contain personal data of website visitors. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in efficient product presentation).
f) Legal compliance. Where we are required to retain or disclose data to comply with legal obligations, the legal basis is Art. 6(1)(c) GDPR.
4. Recipients
We do not sell personal data. We share data only with the service providers (processors) listed in section 6, who act on our instructions, and with public authorities where we are legally required to do so. Internally, data may be accessed by authorised staff at our offices in Hong Kong and Hangzhou (China) to the extent necessary for the purposes described above.
5. Cookies and similar technologies
We use only strictly necessary technologies — there is no advertising, profiling or web-analytics tracking on this site.
- Authentication cookies (Supabase). When you log in to the portal, a session cookie keeps you signed in. These cookies are strictly necessary and require no consent.
- Cloudflare Turnstile. The contact form uses a privacy-friendly “CAPTCHA” to distinguish humans from bots. It may store limited information in your browser for that purpose and does not track you across sites. Legal basis: Art. 6(1)(f) GDPR (security).
Because we set only strictly necessary and security technologies, no cookie-consent banner is required. Should we introduce analytics or marketing tools in future, we will obtain your consent beforehand (Art. 6(1)(a) GDPR, § 25 TTDSG/equivalent).
6. Service providers (processors)
We work with the following processors, each engaged under a data processing agreement. Where they process data outside the EU/EEA, the safeguards described in section 7 apply.
- Vercel Inc. (USA) — website hosting and content delivery, including server log data.
- Supabase, Inc. — database, authentication and file storage for the portal (accounts, orders, uploaded images). Data is hosted in the EU region (Frankfurt, Germany).
- Resend (Plus Five Five, Inc., USA) — delivery of transactional emails.
- Cloudflare, Inc. (USA) — Turnstile bot protection on the contact form.
- Google (Gemini API, Google Ireland Ltd. / Google LLC) — AI processing of product images. Image data is transmitted to Google to provide this feature; under Google’s Gemini API terms, content submitted via the API is not used to train Google’s models.
- Sentry (Functional Software, Inc.) — error and performance monitoring (technical error data, which may include IP address and request details). Data is processed in Sentry’s EU region (Germany).
7. International data transfers
Our portal database (Supabase) and error monitoring (Sentry) are hosted in the EU, so that data stays within the EU/EEA. Some other processors (Vercel, Resend, Cloudflare, Google) are located in the United States, and our own staff in Hong Kong and mainland China may access data — countries for which the European Commission has not issued an adequacy decision. Where personal data of EU/EEA individuals is transferred to such countries, we rely on appropriate safeguards within the meaning of Art. 46 GDPR — in particular the EU Standard Contractual Clauses — together with supplementary technical and organisational measures. You may request a copy of these safeguards using the contact details in section 1.
8. Retention
We keep personal data only as long as necessary for the purposes described above. Enquiries are retained for as long as needed to handle them and for any subsequent business relationship; portal and order data is retained for the duration of the business relationship. Thereafter we delete or anonymise the data, unless statutory retention obligations (e.g. accounting and tax law) require us to keep it for longer — as a rule for up to 7 years — in which case processing is restricted to that purpose.
9. Your rights
Subject to the conditions of the applicable law, you have the following rights regarding your personal data:
- Access to the data we hold about you (Art. 15 GDPR);
- Rectification of inaccurate data (Art. 16 GDPR);
- Erasure (Art. 17 GDPR);
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR);
- Objection to processing based on legitimate interests (Art. 21 GDPR);
- Withdrawal of any consent given, with effect for the future (Art. 7(3) GDPR).
Under the Hong Kong PDPO you may, in particular, request access to and correction of your personal data. To exercise any of these rights, contact us using the details in section 1.
10. Right to lodge a complaint
If you believe our processing infringes data-protection law, you have the right to lodge a complaint with a supervisory authority. In the EU/EEA this is the authority of your habitual residence, place of work or the place of the alleged infringement. In Hong Kong, the competent authority is the Office of the Privacy Commissioner for Personal Data (PCPD).
11. Data security
We use appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access, including encrypted transport (TLS), authenticated and role-based access to the portal, and strict access controls on stored files. No transmission over the internet can be guaranteed to be completely secure.
12. No obligation to provide data; no automated decisions
Providing personal data is generally voluntary; however, without the data marked as required we cannot respond to enquiries or grant access to the portal. We do not use the data for automated decision-making that produces legal effects concerning you within the meaning of Art. 22 GDPR.
13. Children
This website and the portal are directed at businesses and are not intended for children. We do not knowingly collect personal data from children.
14. Changes to this policy
We may update this Privacy Policy to reflect changes to our services or legal requirements. The current version is always available on this page; the date at the top indicates when it was last updated.