Privacy Policy

1. Who We Are

KH Academy (Knowledge Hub Academy) is a digital education business based in Hong Kong SAR that sells AI courses and toolkits globally. Our website is www.kh-academy.com and our learning platform is at app.kh-academy.com.

For privacy inquiries, contact us at info@kh-academy.com.

2. What Data We Collect

Information you provide

• Account information — your name and email address, provided when you sign up for a free account or purchase a product
• Payment information — billing details processed securely by Stripe; we do not store your full card number on our servers

Information collected automatically

• Authentication tokens — session tokens stored in your browser to keep you logged in
• Basic usage data — pages visited, product access timestamps, and login activity to maintain your account and deliver purchased content
• Device and browser information — browser type, operating system, and screen size collected through standard HTTP headers for site functionality

Information we do not collect

• We do not use tracking cookies, advertising pixels, or analytics trackers
• We do not collect location data beyond what is provided by your IP address
• We do not collect biometric data or sensitive personal data

3. How We Use Your Data

We use your personal data only for the following purposes:

• Account creation and management — creating your account, generating login credentials, and maintaining your access to purchased products
• Purchase fulfillment — processing your payment and granting access to the digital products you buy
• Credential delivery — sending your login details (email and temporary password) to your email address after signup or purchase
• Product access — authenticating you when you log in and serving the content you have purchased
• Transactional emails — sending purchase confirmations, password resets, and essential account notifications
• Customer support — responding to your questions or requests

We do not use your data for profiling, targeted advertising, or automated decision-making.

4. Third-Party Services

We share data with the following third-party service providers, only to the extent necessary for them to perform their functions:

We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers or data brokers.

5. Cookies and Local Storage

We use minimal browser storage:

• Authentication tokens — a session token stored to keep you logged in. This is essential for the site to function and is not used for tracking.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. There are no cookie consent banners because we have no optional cookies to consent to.

6. Data Retention

• Account data (name, email) — retained for as long as your account is active, so you can continue to access products you have purchased
• Payment records — retained as required by applicable tax and financial regulations (typically 7 years)
• Transactional emails — email sending logs are retained by Resend per their retention policy

If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law.

7. Data Security

We take reasonable measures to protect your data, including:

• HTTPS encryption on all connections
• Passwords are hashed before storage — we never store plaintext passwords
• Payment data is processed entirely by Stripe and never touches our servers
• Access to production systems is restricted to authorized personnel

No method of transmission over the internet is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

8. Hong Kong PDPO Compliance

As a Hong Kong-based business, we comply with the Personal Data (Privacy) Ordinance (PDPO), Cap. 486, of the Laws of Hong Kong. In accordance with the PDPO's Data Protection Principles:

• Purpose limitation — we collect data only for the purposes stated in this policy and use it only for those purposes
• Data minimization — we collect only the data necessary to provide our services
• Accuracy — you can update your account information at any time by contacting us
• Data security — we implement appropriate security measures to protect your data
• Transparency — this policy openly describes our data practices
• Access and correction — you have the right to request access to and correction of your personal data held by us, as provided under the PDPO

To make a data access or correction request, email info@kh-academy.com. We will respond within 40 days as required by the PDPO.

9. GDPR Compliance (EU Customers)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional rights and information apply to you under the General Data Protection Regulation (GDPR):

Lawful basis for processing

• Contract performance — processing your data is necessary to create your account, deliver the digital products you purchase, and provide customer support (Article 6(1)(b))
• Legal obligation — retaining financial records as required by tax law (Article 6(1)(c))
• Legitimate interests — maintaining site security and preventing fraud (Article 6(1)(f))

Your rights under GDPR

You have the right to:

• Access your personal data and receive a copy
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten"), subject to legal retention requirements
• Restrict processing in certain circumstances
• Data portability — receive your data in a structured, machine-readable format
• Object to processing based on legitimate interests
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email info@kh-academy.com. We will respond within 30 days.

International data transfers

Your data may be processed outside the EEA by our service providers (Stripe, Resend, Vercel). These transfers are safeguarded by the providers' compliance with applicable data transfer mechanisms, including Standard Contractual Clauses where required.

10. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@kh-academy.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or by posting a notice on our website. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

Your continued use of our services after any changes constitutes acceptance of the updated policy.

12. Contact Us