Privacy Policy
Privacy Policy (APAC Regional Site)
Last updated: 2026 March 13 APAC version
1. Introduction
APM respects the privacy of our consumers and visitors and recognizes the importance of protecting the data collected about them. We have established procedures that ensure your personal data is processed in a responsible manner in connection with your use of our web sites or APPs, your use of our connected products (if and when available), or when you visit our stores or visit our social media pages, in your jurisdiction. We respect your concerns about privacy and appreciate your trust and confidence in us.
This Privacy Policy explains when, how and why when it comes to processing your personal data in connection with us, and sets out your choices and rights in relation to that personal data.
This Privacy Policy applies to the APAC regional website operated by APM Monaco Limited, with data protection governed by the laws of Hong Kong, subject to mandatory local data protection laws in the place of user location.
Please note that the availability of our Website and services may vary depending on your location, as APM MONACO operates different official websites for different regions.
2. Who controls your personal data?
The Data Controller is APM Monaco Limited, a company incorporated in Hong Kong.
APM Monaco Limited acts as the Data Controller for the APAC regional website and related services.
3. How we process your personal data
All our data processing activities are based on stringent ethical principles and legal requirements. This section provides more detail on the types of personal data we collect from you, purpose of processing, and retention periods for each type of personal data. Where applicable, it also identifies the legal basis under which we process your data under applicable data protection laws. Personal data is processed in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”) and other mandatory local data protection laws where applicable. Unless otherwise required by law, such data will be retained only for as long as necessary to fulfill the relevant purpose and to comply with applicable legal or accounting obligations. The categories of data, purposes, retention periods and legal bases remain as set out below, unless otherwise required by applicable law.
(table content unchanged except legal‑basis interpretation under HK law)
|
Data |
Purpose of Processing |
Retention Period |
Legal Basis |
|
Registration data and log in data: first name, last name, email address, password |
To carry out customer management operations in relation to the creation of a customer account |
The above data is kept until the account is deactivated or after three years of inactivity |
Consent Contract performance |
|
Addresses: first name, last name, company, phone number, address, city, zip code, country, province |
Express delivery of your goods and bills |
The above data is kept until the account is deactivated or after three years of inactivity |
Consent Contract performance |
|
Location |
Obtain the current location of consumers to provide data about nearby stores |
The above data is not retained by APM |
Consent
|
|
Order-related data: transaction number, purchase details, purchase amount, purchase history, invoice payment data, product return
|
Prepare and send out customer orders / Receive and process customer returns |
The above data is kept until the account is deactivated or after three years of inactivity
The invoice is kept for 10 years in accordance with the applicable legal requirements |
Contract performance Legitimate interest
|
|
Credit and debit card data: credit card number, date of expiry of the credit card, visual cryptogram (which is immediately deleted) |
to process your payment by card and/or to provide consumer service to you |
The above data is not retained by APM |
Consent
Contract performance |
|
Order note Consumer service correspondence on questions, queries and complaints
|
If this is as a gift, please enter a special message for us to comply with your queries such as answering a question about our products customer relationship monitoring such as conducting satisfaction surveys and managing after-sales service complaints |
|
Contract performance Legitimate interest
|
|
Email address, WhatsApp
|
To provide you with a newsletter or join APM WONDERLAND PROGRAM. Managing customer reviews of products, services or contents |
|
Consent |
|
Behavioural web data: may include navigation on our website, date and time of visit and document referrer,user agent and IP address |
to optimise our services and improve your experience on our websites Audience measurement (Google Analytics), advertising |
1 months |
Consent |
4. Cookie notice
A cookie is a very small text file that websites visited by the user, send to the user’s computer or mobile device. APM MONACO processes different types of cookies. You may manage your preferences via the cookie banner or your browser settings.
APM implements reasonable technical and organizational measures to ensure that non‑essential cookies are not placed on the user’s device prior to obtaining consent.
Cookie processing is conducted in accordance with Hong Kong law and applicable local requirements.
5. With whom will your personal data be shared?
5.1 APM uses service providers who process your personal data on our behalf.
The services provided by third parties may include:authentication, hosting and maintenance services, analysis services, mail messaging services, delivery services, handling of payment transactions, payment providers, address and mail checks.
These third parties are our data processors and may only process personal data to the extent necessary in order to deliver their services. Our data processors are contractually obliged to treat such data in the strictest confidence. And We have signed "DPA" with the third parties.
5.2 Some of our data processors are situated outside the Hong Kong SAR.
(a) APM Monaco may share personal information with its affiliated companies and service providers, including group entities located outside the Hong Kong SAR, such as in European Union, Monaco or other jurisdictions, for purposes including customer relationship management, IT support, analytics, accounting, and group-level business operations. Cross‑border transfers are conducted with appropriate contractual and technical safeguards in accordance with Hong Kong law and applicable local requirements.
(b) For the performance of certain processing activities concerning your personal data as stated in this Privacy Policy, APM MONACO servers are located in Singapore, for customer relationship management purposes.
This includes the following data:
Identity, address and contact details: title, surname, name, address, delivery and billing address, e-mail address, telephone number;
Order-related data: transaction number, purchase details, purchase amount, purchase history, invoice payment data, product return.
5.3 As a global company, APM MONACO may further share such data to third-party recipients worldwide for business needs or after-sales services:
Other companies of the APM Group will receive your Basic Data and Order Data for after sales services.
Third parties service providers entrusted by APM group for technical services or other services connected to the sales:
n Transfer of personal data to Shopify Inc. servers in the United States from the APM website for hosting purposes. The website apm.mc is hosted by Shopify Inc., whose servers are located in the United States, thus implying the transfer of your personal data to the United States. This includes the following data: Identity, address and contact details: title, surname, name, address, delivery and billing address, e-mail address, telephone number; Order-related data: transaction number, purchase details, purchase amount, purchase amount, purchase history, invoice payment data, product return.
n Transfer of data for statistical purposes from Google Analytics to Google Inc. in the United States. The transfer concerns “Google Analytics” cookies to the company operating this module, namely Google Inc., located in Mountain View (USA).
n Aftership: FedEx, https://www.fedex.com/en-us/trust-center/global-privacy-policy.html
n Aftership: DHL, https://group.dhl.com/en/data-protection.html
n Aftership: Colissimo, https://www.colissimo.entreprise.laposte.fr/en/personal-data-policy
n Aftership: TNT Australia, https://www.tnt.com/express/en_au/site/privacy-policy.html
n public bodies, exclusively to meet legal obligations.
n court officers and public officers within the frameworl of their debt collection duties.
n financial institutions and professional account-keepers.
n the payment service provider, the delivery service provider.
n the chat service provider.
5.4 We may disclose your data to the extent that we are required to disclose or share your personal data in order to comply with legal obligations or directives of the court or other competent legal body, or to enforce or apply our privacy notice and other agreements; or to protect the rights, properties or security of APM or APM Group, our employees, consumers or others. This includes exchanging data with other companies and organizations with the aim of protecting against fraud and reducing credit risk.
5.5 Please note that the data you publish or disclose through your interaction with APM (e.g. personal data contained in images, stories, comments and videos that you submit) will become public data and may become available to visitors to the site as well as the public.
6. Security of your personal data
We are committed to maintaining the privacy and integrity of your Personal data no matter where it is stored or accessed. We protect your Personal data through the use of data security and access policies that limit unauthorized access to our systems, and technological protection measures.
6.1 Data Protection
(a) Take appropriate measures to protect data from unauthorized access, including:
Save sensitive data on server instead of PC or USB drive.
Lock PC screen when getting away from computer.
Lock paper documents with appropriate locker.
Printed documents must be taken away from printer immediately.
(b) Data operators should take responsibility for the data within his/her scope.
Assure accuracy of input data.
System configuration & data should be modified with associated approval. No arbitrary modifying allowed.
(c) Company staff should attend security awareness training every year.
6.2 System Access Control
(a) Strict purpose limitation: Only accessing data for which employee is authorized access.
(b) Do not share access privilege with others.
(c) Role-based models should be clearly defined and used for IT systems to grant access.
(d) End users should be granted access with the role that best matches and least privileged.
(e) Segregation of Duties (SoD) should be applied when granting multiple roles to user.
(f) Privilege access should be reviewed regularly.
6.3 data leakage prevention
(a) Employee is responsible for protecting company sensitive/confidential data & intellectual property against being leaked, either intentionally or unintentionally.
(b) Not exposing sensitive data to public via any unauthorized social media channel, including WeChat, What’s App, Weibo, Facebook, Twitter, etc.
6.4 Backup & Recovery
(q) Business data that should be backed up, including but not limited to: database, application configuration, source code, files, images, videos, etc.
(b) Data backup runs on daily basis and recorded.
(c) Incremental & full backup should be scheduled properly.
(e) At least have two backup copies, offline backup copy and off-site backup copy.
(f) Disaster Recovery Planning must be reviewed periodically and practiced, ensure the integrity and validity of backup copies.
(g) Perform Disaster Recovery test every year, provide detailed drill test report.
6.4 In the event of a data breach, we will notify relevant authorities and affected users where required under applicable Hong Kong law and mandatory local regulations.
7. Your rights
Data subject rights are exercised in accordance with Hong Kong law and mandatory local data protection laws in the user’s location.
You may exercise the following rights, subject to applicable law:
Right of access
Right to rectification
Right to restriction of processing
Right to data portability (where applicable)
Right to withdraw consent
Right to erasure (subject to legal retention obligations)
Right to lodge a complaint
Complaints may be lodged with the Office of the Privacy Commissioner for Personal Data (Hong Kong), or other competent authorities as required by applicable local law.
We will respond to requests within a reasonable timeframe in accordance with applicable law.
In addition, users in the Republic of Korea may have mandatory statutory rights under applicable Korean data‑protection laws, including rights relating to:
- access to personal data;
- correction or deletion of personal data;
- suspension of processing; and
- withdrawal of consent, where processing is consent‑based.
Requests will be handled within the timeframes required by applicable law.
8. Age restrictions and parental/guardian controls
The Platforms are not directed at anyone who we know to be a child in the relevant country of data collection (under age 18), nor do we collect any personal data from anyone who we know to be a child unless we have parental or guardian consent. Children should not use the Platforms and should not submit any personal data to us without parental or guardian consent.
Please contact us if you believe we have any personal data from any Child without such parental/guardian consent and acknowledgment so that we can promptly investigate and remove such personal data.
9. Complaints and Contact
If you have any questions or suggestions about the content of this Policy, or wish to exercise your rights or have other matters, you can contact Customer Service Center in customercare@apm.mc or contact Data Protection Officer in dpo@apm.mc by email. You can also write to the following address:
DATA PROTECTION OFFICER
APM Monaco Limited
with its registered office at 1/F, Hong Kong Diamond Exchange Building, 8-10 Duddell Street, Central, Hong Kong SAR
10. Changes to this notice
APM regularly reviews our privacy notice to keep it up to date and compliant with privacy and data protection principles. This privacy notice may be changed from time to time to keep pace with new developments and opportunities relating to the Internet and to stay in line with relevant data protection legislation. Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, may be notified to you by email.
11. AI Agent Use & Data Processing Notice
To ensure transparency and protect user rights, we clarify that the use of any artificial intelligence agent (“AI Agent”) to access or interact with our website does not constitute automatic data collection or automated decision-making by our brand. AI Agents include, but are not limited to: Third‑party generative AI tools (e.g., ChatGPT, Perplexity, Claude), browser extensions, automated scripts, AI shopping assistants, and our brand’s own AI assistant.
11.1. Third‑party AI Agent activity is not treated as data collection by the brand
When you use a third‑party AI Agent to browse, analyze, summarize, select products, or place orders:
Such activity is treated as user‑initiated via the AI Agent acting on your behalf;
We only process standard technical logs (IP, device type, timestamp) and do not identify or track AI Agents;
Any collection, analysis, or generation performed by the AI Agent is not part of our data processing activities;
We are not responsible for how third‑party AI Agents collect or use your data.
11.2. Actions of our brand’s own AI Agent are user‑initiated, not “automatic collection”
When you interact with our official AI assistant (e.g., embedded chatbot or consultation tool):
All content provided (messages, questions, preferences) is voluntary and user‑initiated;
The AI assistant does not collect additional personal information beyond what you provide;
Its data handling is fully governed by Privacy Policy;
It does not autonomously extract, predict, or process unrelated personal data.
11.3. Errors or misinformation generated by AI Agents are not attributable to the brand
If an AI Agent produces incorrect, misleading, outdated, or incomplete information that results in:
mistaken orders or incorrect personal details
misinterpretation of our policies
suggestions involving unauthorized sellers or invalid links
inaccurate descriptions of our products
Such content does not represent our brand, and we are not liable for any resulting harm or loss.
11.4. Orders placed by an AI Agent are considered valid user actions
If an AI Agent submits an order on your behalf:
The order is treated as a valid expression of your intent.
It is fully subject to our Terms & Conditions and return/refund policies.
You remain responsible for verifying all order details.
We bear no liability for errors caused by automated tools.
11.5. You are responsible for ensuring your AI Agent complies with applicable laws and our policies
You must ensure that your AI Agent:
Does not engage in unauthorized scraping
Does not bypass or interfere with our security systems
Does not input false, incomplete, or misleading information
We may restrict access or take protective action if AI Agent behavior threatens our systems, violates our terms, or infringes others’ rights.
Nothing in this section shall exclude or limit any rights of consumers that cannot be excluded or limited under applicable consumer protection law
