Personal Information and Privacy Protection Policy

Issuance Date: 3 July 2024

Effective Date: 3 July 2024

HSBC Qianhai Securities Limited (“HSBC Qianhai”, “we” or “us”) take the confidentiality and security of personal information very seriously, and strive at all times to protect personal information and privacy of our customers and other related personal information subject (“you” or “Information Subject”) according to law. We therefore formulate this Personal Information and Privacy Protection Policy (this “Policy”) to help you understand the purposes, methods, and scope of personal information we collect and use, our practices regarding personal information and privacy protection, your rights and interests with regard to personal information and privacy and how to assert your rights and interests.

This Policy shall apply to personal information of you when you visit, browse, or use our website or mobile device application, apply for or use any product, device or services of us, handle any business or make any transaction with us as customer or on behalf of relevant corporate business customers (“Relevant Customers”), participate in any of our marketing events and surveys, and in any way contact or correspond with us in the context of personal/corporate business. We shall collect, use, store, disclose and protect your personal information in accordance with this Policy. We may separately issue specific personal information protection policy tailor made for specific channels, products, services, businesses and activities (such as the Personal Information and Privacy Protection Policy for HSBC Qianhai APP). The specific personal information protection policy so made shall apply in the specific scenarios as prescribed in such policy. If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you and us, such other agreements or terms and conditions shall prevail. In the context of corporate business, we understand that you have agreed that Relevant Customers can use your personal information for the purpose described in this Policy, and therefore, we treat Relevant Customers as your authorized representatives related to your personal data processing activities.

This Policy has replaced the previous Personal Information and Privacy Protection Policy. Any reference to the Personal Information and Privacy Protection Policy in any document in relation to HSBC Qianhai’s business shall be deemed to be a reference to this Policy.

Please read through this Policy carefully and pay particular attention to the provisions that are bolded and underlined which we think have material impacts on your interests and/or deal with your sensitive personal information. The key points of this Policy are summarized as below:

For your convenience to understand the purpose and category of personal information we collect when you sign up for our service, we therefore explain them under the particular service scenario.
When you sign up for some particular services, we will collect your sensitive personal information after you give us express consent if required by applicable laws and regulations. Refusal on providing consent might affect you use related service, but will not affect you use other services we provided.
To provide the service per your or Relevant Customers’ request, we might need to share your personal information to a third party. We will carefully assess the legitimacy, propriety, and necessity of the data sharing with the third party. We will ask the relevant third party take all data protection measures required pursuant to applicable laws and regulations.

We fully understand how important your personal information means to you, and we will exert our effort to protect the security of your personal information. We have always been committed to maintain your trust and will stick to below principles to protect your personal information: Right and Responsibility Consistency, Explicit Purpose, Freely Given Consent, Minimum and Necessity, Assurance of information security, Participation, Fair and Transparency. We are also committed to take appropriate security measures to protect your information.

The table of content of this Policy is set out as below:

i. How We Protect Your Personal Information
ii. How We Collect Your Personal Information
iii. How We Use Your Personal Information
iv. How We Store Your Personal Information
v. How We Share, Transfer, Publicly Disclose and Entrusts Others with the Handling of Your Personal Information
vi. Special Circumstances for Information Processing
vii. How We Use Cookies and Similar Technologies
viii. Your Rights Relating to Personal Information
ix. How to Contact Us
x. Protection of Minors’ Personal Information
xi. Formulation, Effectiveness and Update of this Policy and Others

I. How We Protect Your Personal Information

Information security is our top priority. We will endeavour at all times to safeguard your personal information against unauthorized or accidental access, processing or damage. We maintain this commitment to information security by implementing appropriate security and managerial measures to secure your personal information. We will take responsibility in accordance with the law if your information suffers from unauthorized access, public disclosure, erasure or damage for a reason attributable to us and so impairs your lawful rights and interests.
Our website supports advanced encryption technology - an existing industry standard for encryption over the internet to protect your personal information. When you provide sensitive personal information through our website or applications, it will be automatically converted into codes so as to ensure secure transmission afterwards. Our web servers are protected behind “firewalls” and our systems are monitored to prevent any unauthorized access.
We maintain strict security system to prevent unauthorized access to your personal information. We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and information security related training offered to staff.
We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Policy or other agreement (if any) or based on your or Relevant Customers’ separate consent or authorization. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and request them to abide this Policy when processing personal information.
For the security of your personal information, you take on the same responsibility as us. You shall properly take care of your personal information, such as your account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, devices or other media that may record or otherwise relate to such information, and shall ensure your personal information and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices or other media. Once you think your personal information and/or relevant documents, devices or other media have been disclosed, lost or stolen, or may otherwise affect the security of your use of our products, devices or services, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.
We will organize regular staff training and drills on emergency response so as to let the relevant staff be familiar with their job duties and emergency procedures. If unfortunately personal information security incident occurs, we will adopt emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will, following the applicable requirements set out in law and regulation, inform you or Relevant Customers of the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions for you to prevent and mitigate the risk, and applicable remediation measures. We will inform you or Relevant Customers about the security incident by email, mail, call, SMS, push notification or through other methods as appropriate in a timely manner. Where it is difficult to notify each Information Subject, we will post public notice in a reasonable and effective way. Meanwhile, we will report such personal information security incident and our actions in accordance with applicable law, regulation and regulatory requirements.

II. How We Collect Your Personal Information

Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Personal information includes name, birth date, ID certificate information (ID card, passport and etc.,), personal biometrics recognition information, contact information, address, account information, property status, location and etc., Sensitive personal information refers to personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Such information mainly includes ID certificate information (ID card, passport and etc.,), personal biometrics recognition information, credit information, property information, transaction information, medical and health information, specific identity, financial account, individual location tracking etc. as well as any personal information of a minor under the age of 14 (i.e. Child).
For the purpose of complying with law, regulation and regulatory provision, or as required for us to provide you or Relevant Customers with various products and services and continuously improve our products and services, or in order to contact or communicate with you or Relevant Customers, understand the needs of you or Relevant Customers, build up, review, maintain and develop our relationship with you or Relevant Customers, we may receive and keep the personal information provided by yourself or by Relevant Customers, or, according to law, regulation, regulatory provision, your or Relevant Customers’ authorization or consent, collect, enquire, and verify by proper methods your and/or related parties’ personal information from/with members of the HSBC Group or other third parties (including but not limited to credit reference agencies, information service providers, relevant authorities, employers, counterparties, joint applicants, contact persons, close relatives and other entities/individuals). "HSBC Group" under this Policy means HSBC Holdings plc, and/or any of, its affiliates, subsidiaries, associated entities and any of their branches and offices (together or individually), and "member of the HSBC Group" has the same meaning.
The personal information we so collect may be in paper, electronic or any other forms.
When you visit, browse, use our website and/or applications as a visitor,we may collect information about the browser or device you use (such as IP address, operating system, and browser version), your browsing actions and patterns. We use Cookies and similar technologies to collect above information. You may disable Cookies by changing your settings (for details, please refer to Article VII of this Policy “How We Use Cookies and Similar Technologies”).
The technical information which cannot identify any individual will not be treated as personal information. However, when such technical information can identify the individual alone or in combination with other information, we will protect it as your personal information.
We may invite you to subscribe to our newsletter, updates, alerts or to participate in our marketing events or survey via our website and/or applications. If you accept relevant invitation, we may collect the information you provide to us by filling out contact forms or questionnaires, etc. The said information may include name, telephone number, mobile phone number, email, employer name, and job position etc. Refusal to provide such information will not affect your visiting, browsing or using our website and/or applications.
When you are our prospect or existing individual customer/investor, in order for us to provide you with our products/services and to handle relevant securities business, we may collect the following information upon your consent or authorization or in accordance with applicable laws and regulations:


Purposes or Functions (Products/Services/ Business)	Information We May Need to Collect
Account Management (including opening accounts, maintaining accounts, and updating of relevant information)	i. Personal identity information, including name (include former name or alias), gender, nationality, citizenship, type/number/validity period of ID certificate, occupation, telephone number, e-mail, contact information, birth date, place of birth, marital status, family status, place of residence (include contact address and permanent address), company/employer and job position, and any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal property information, including personal income, movable property (e.g. financial assets, etc.), indebtedness, investment, tax residence, taxpayer identification number, etc.; iii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iv. Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.; v. Personal credit information, including personal property and source of funds, credit transaction information, litigation and investigation information, penalty and any other information about personal credit status; vi. Personal financial transaction information, including transaction information retained during the provision of any brokerage, investment banking, asset management, payment and settlement or other financial services, and transaction information generated during your interaction with any third party institution like banks, fund houses, futures companies, stock exchanges, custodians, payment agencies, clearing houses and other financial institutions via us; vii. Personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.
Brokerage	i. Personal identity information, including name (include former name or alias), gender, nationality, citizenship, type/number/validity period of ID certificate, occupation, telephone number, e-mail, contact information, birth date, place of birth, marital status, family status, place of residence (include contact address and permanent address), company/employer and job position, and any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal property information, including personal income, movable property (e.g. financial assets, etc.), indebtedness, investment, tax residence, taxpayer identification number, etc.; iii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iv. Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.; v. Personal credit information, including personal property and source of funds, credit transaction information, litigation and investigation information, penalty and any other information about personal credit status; vi. Personal financial transaction information, including transaction information retained during the provision of any brokerage, investment banking, asset management, payment and settlement or other financial services, and transaction information generated during your interaction with any third party institution like banks, fund houses, futures companies, stock exchanges, custodians, payment agencies, clearing houses and other financial institutions via us; vii. Personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.
Securities Investment Advisory	i. Personal identity information, including name (include former name or alias), gender, nationality, citizenship, type/number/validity period of ID certificate, occupation, telephone number, e-mail, contact information, birth date, place of birth, marital status, family status, place of residence (include contact address and permanent address), company/employer and job position, and any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal property information, including personal income, movable property (e.g. financial assets, etc.), indebtedness, investment, tax residence, taxpayer identification number, etc.; iii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iv. Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.; v. Personal credit information, including personal property and source of funds, credit transaction information, litigation and investigation information, penalty and any other information about personal credit status; vi. Personal financial transaction information, including transaction information retained during the provision of any brokerage, investment banking, asset management, payment and settlement or other financial services, and transaction information generated during your interaction with any third party institution like banks, fund houses, futures companies, stock exchanges, custodians, payment agencies, clearing houses and other financial institutions via us; vii. Personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.
Investment Banking	i. Personal identity information, including name (include former name or alias), gender, nationality, citizenship, type/number/validity period of ID certificate, occupation, telephone number, e-mail, contact information, birth date, place of birth, marital status, family status, place of residence (include contact address and permanent address), company/employer and job position, and any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal property information, including personal income, movable property (e.g. financial assets, etc.), indebtedness, investment, tax residence, taxpayer identification number, etc.; iii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iv. Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.; v. Personal credit information, including personal property and source of funds, credit transaction information, litigation and investigation information, penalty and any other information about personal credit status; vi. Personal financial transaction information, including transaction information retained during the provision of any brokerage, investment banking, asset management, payment and settlement or other financial services, and transaction information generated during your interaction with any third party institution like banks, fund houses, futures companies, stock exchanges, custodians, payment agencies, clearing houses and other financial institutions via us; vii. Personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.
Asset Management	i. Personal identity information, including name (include former name or alias), gender, nationality, citizenship, type/number/validity period of ID certificate, occupation, telephone number, e-mail, contact information, birth date, place of birth, marital status, family status, place of residence (include contact address and permanent address), company/employer and job position, and any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal property information, including personal income, movable property (e.g. financial assets, etc.), indebtedness, investment, tax residence, taxpayer identification number, etc.; iii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iv. Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, net value of fund units and net value of holding position etc.; v. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status; vi. Personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.
Private Wealth Management	i. Personal identity information, including name (include former name or alias), gender, nationality, citizenship, type/number/validity period of ID certificate, occupation, telephone number, e-mail, contact information, birth date, place of birth, marital status, family status, place of residence (include contact address and permanent address), company/employer and job position, and any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal property information, including personal income, real property, movable property (e.g. financial assets, etc.), indebtedness, investment, tax residence, taxpayer identification number, etc.; iii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iv. Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.; v. Personal credit information, including personal property and source of funds, credit transaction information, litigation and investigation information, penalty and any other information about personal credit status; vi. Personal financial transaction information, including transaction information retained during the provision of any brokerage, investment banking, asset management, payment and settlement or other financial services, and transaction information generated during your interaction with any third party institution like banks, fund houses, futures companies, stock exchanges, custodians, payment agencies, clearing houses and other financial institutions via us; vii. Personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.
Apply to all above products/services/business	Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of business, or prevention and controlling related risk, e.g. time/location (including geographic location and network address) of transaction or service use, person information included in the customer documentation, personal information required for identifying or investigating any suspicious and unusual activity, correspondence or other communication records (including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.; Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanction or anti-money laundry checks.

The above information is the basic information we must collect to provide you with our products or services, to perform our contract with you and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you will not be able to use our regular products or services.

When you are a connected person of our prospect or existing Relevant Customers (including corporate, enterprise, institution and other legal entities) (for the purpose of this Policy, connected person means any other person with whom our prospect or existing Relevant Customers have a relationship, including but not limited to, a director, supervisor or employee of a company, partners or members of a partnership, any shareholder, substantial owner, controlling person, or beneficial owner, trustee, settler or protector of a trust, account holder of a designated account, payee of a designated payment, representative, agent or nominee of the account holder, or the account holder’s principal where the account holder is acting on another’s behalf), we may collect the following information upon your or Relevant Customers’ consent or authorization:


Purposes or Functions (Products/Services Business)	Information We May Need to Collect
To provide securities products/services relating to Account Management (including opening accounts, maintaining accounts, and updating of relevant information) to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
To provide securities products/services relating to Brokerage to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
To provide securities products/services relating to Securities Investment Consultancy to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
To provide securities products/services relating to Investment Banking to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
To provide securities products/services relating to Asset Management to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
To provide securities products/services relating to Private Wealth Management to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
To provide securities products/services relating to Proprietary Trading to Relevant Customers	i. Personal identity information, including name (include former name or alias), gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with Relevant Customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person (“PEP”) and relevant information etc.; ii. Personal biometrics information, such as signature, handwriting, portrait, voice, face recognition information, etc.; iii. Personal credit information, including personal property and source of funds, litigation and investigation information, penalty and any other information about personal credit status.
Apply to all above products/services/business	Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of business, or prevention and controlling related risk, e.g. time/location (including geographic location and network address) of service use and trading, correspondence or other communication records (including video or audio records, call log and correspondence records and contents), person information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.; Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanction or anti-money laundry checks.

The above information is the basic information we must collect to provide Relevant Customers with our products or services, to perform our contract with you or Relevant Customers and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you or Relevant Customers will not be able to use our regular products or services.

You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the relevant information for specific purposes or functions, for example, the personal information that you provide to us for the purposes of improving service experience, participating in our marketing activities or survey, making an appointment to open an account or for other business. You can choose not to provide such information. Your failure to provide such information will make you unable to participate or enjoy the corresponding convenience or functions, but will not affect your normal use of our other services.
Please understand that the securities services we provide are constantly evolving. If you or Relevant Customers choose to use any other service not listed above for which we have to collect your information, we will separately explain to you or Relevant Customers, the purposes, methods, and scope of personal information we collect etc., through reminders, alerts, interaction with you, agreements entered into with you or other appropriate method, and obtain your or Relevant Customers’ consent for that. We will use, store, disclose, and protect your information in accordance with this Policy and other agreements (if any) between you and us. If you or Relevant Customers choose not to provide certain information, you or Relevant Customers may be unable to use certain or part of the service, but your or Relevant Customers’ use of other services we provide will not be affected.

III. How We Use Your Personal Information

When you visit, browse, use our website and/or applications as a visitor, we may use your information for the following purposes:

i. to respond to your queries and requests;

ii. to provide you with information, products or services that you request from us or which we feel may interest you, subject to your prior consent;

iii. to perform contracts or agreements entered into between you and us;

iv. to allow you to interact with us at our website and/or applications;

v. to notify you about changes to our website and/or applications;

vi. to ensure the content of our website and/or application is presented in an effective manner on your device;

vii. to maintain proper and secure operation of website and/or applications as well as securities business, to prevent and control risk, or to detect and prevent misuse or abuse of our website, applications, products or services;

viii. to meet the compliance obligations of us or the HSBC Group, or to comply with any applicable laws and regulations that we and HSBC Group companies are subject to; and

ix. to make statistics and analysis of the use of our business, products, services or functions. But such statistics will not contain any of your personally identifiable information.
When you are our prospect or existing individual customer or a connected person of our Relevant Customers, we may use your information for the following purposes:

i. to provide you or Relevant Customers with products or services, to recognize or verify the identity of you and Relevant Customers, or to approve, manage, handle, execute or effect transactions requested or authorized by you or Relevant Customers;

ii. to comply with any Applicable Laws (“Applicable Laws” refer to any applicable statute, law, regulation, ordinance, rule, judgment, decree, voluntary code, directive, sanctions regime, court order applicable to any member of the HSBC Group, agreement between any member of the HSBC Group and an authority, or agreement or treaty between authorities and applicable to HSBC Qianhai or a member of the HSBC Group) and any order or requirement from any authority;

iii. to perform HSBC Qianhai’s and/or the HSBC Group’s compliance obligations (including regulatory compliance, tax compliance and/or compliance with any Applicable Laws or requirement of any authority), or to implement any policy or procedure made by HSBC Qianhai and/or the HSBC Group for the performance of compliance obligations;

iv. to ensure safe and stable financial services, prevention or prohibition of illegal or incompliant activities, to control or reduce risks, to detect, investigate and prevent any real, suspected or potential financial crime (including money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions, and/or violations, or acts or attempts to circumvent or violate any Applicable Laws relating to these matters) and to manage financial crime risk;

v. to enforce or defend HSBC Qianhai or any member of the HSBC Group’s rights, or to perform HSBC Qianhai or any member of the HSBC Group’s obligations;

vi. as required by or to fulfil HSBC Qianhai or the HSBC Group’s reasonable operational requirements (including for credit and risk management, data statistics, analysis, processing and handling, archiving and recording, system, product and service design, research, development and improvement, planning, insurance, audit and administrative purposes);

vii. subject to your or Relevant Customers’ authorization, market or promote relevant products or services to you or Relevant Customers, to assess your or Relevant Customers’ interests in relevant products or services, or to conduct market research or survey or satisfaction survey; and

viii. to obtain or utilize administrative, consultancy, telecommunications, computer, payment, data storage, processing, outsourcing and/or other products or services.
The above information collection and use in this Policy shall not impact our use of your information for the purposes as otherwise agreed between you or Relevant Customers and us.
If we use your personal information for the purposes other than the purposes of collection and use as set forth in this Policy or in other agreement between you or Relevant Customers and us, we shall inform you how we use this information and obtain consent from you or Relevant Customers before using your personal information for such additional purposes as per applicable laws and regulations.

IV. How We Store Your Personal Information

In principle, the personal information we collect and generate within the territory of the People's Republic of China (“the PRC”) will be stored in the territory of the PRC. Since we provide products or services through resources and servers across the world, which means that to the extent permitted by regulatory rules and applicable laws, your personal information may be transferred to the foreign jurisdiction, or be accessed from these jurisdictions. If we transfer your personal information overseas, we will comply with applicable laws and regulations related to cross border data sharing. Whether it is processed domestically or overseas, in accordance with applicable data protection legislation, your personal information will be protected by a strict code of secrecy and security which, HSBC Qianhai, other members of the HSBC Group, their staff and third parties are subject to.

We comply with Chinese laws and regulations on data storage. When we collect or process your information, we will, according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, and the purposes as set forth in this Policy, store your information for a period as minimum as necessary to fulfill the purposes of information collection. For example, in accordance with PRC Securities Law, PRC Anti-money Laundering Law, Administrative Measures for Client Due Diligence and Preservation of Clients' Identity Information and Transaction Records by Financial Institutions, Guidelines on Corporate Governance of Securities Companies, Anti-money Laundering Guidelines for Securities Companies, Administrative Measures on Securities Brokerage Services, Implementing Rules for the Administration of Securities Brokerage Services as well as other laws, regulations and regulatory documents, the relevant material, vouchers, records, documents and information shall be kept for at least 5 years, 20 years or even longer, depending on their usage in different business scenario and document nature.

After the retention period expires, we will destroy, delete or de-identify relevant information, or where the destruction, deletion or anonymization is not possible, store your personal information securely and separate it from other data processing. The exception is when the information needs to be retained according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, special agreement between you or Relevant Customers and us, or for settlement of indebtedness between you or Relevant Customers and us, or for record check or enquiry from you, Relevant Customers, regulators or other authorities.

V. How We Share, Transfer, Publicly Disclose and Entrusts Others with the Handling of Your Personal Information

Entrusted Processing and Sharing

For the purposes set out above in this Policy, we may provide or disclose all or part of your personal information to the following recipients under the preconditions that such provision or disclosure is necessary and is made with proper protective measures (please refer to Article I of this Policy “How We Protect Your Personal Information” for details) and the recipients may also, for the aforesaid purposes, use, process or further disclose the information they receive provided that corresponding protective measures are adopted pursuant to the applicable laws or our requirements:

i. any member of the HSBC Group;

ii. any contractor, subcontractor, agent, third party product or service provider, licensor, professional consultant, business partner, or associated person of the HSBC Group (including their employees, directors and officers);

iii. any regulator of HSBC Qianhai or any member of the HSBC Group or any other authority, or any organisation or individual designated by such regulators or authorities;

iv. anyone acting on your or Relevant Customers' behalf according to your or Relevant Customers' authorization or according to law, payment recipients, beneficiaries, correspondent and agent banks (e.g. those for CHAPS, BACS and SWIFT), securities/future exchanges, clearing houses, clearing or settlement systems, securities registration and clearing institution, swap or trade repositories, financial products quotation and service system, securities issuer, sponsor, underwriter, bond trustee, originator of asset-back securities (ABS), plan manager, fund manager, financial advisors, distributors, escrow bank, custodian bank, fund-raising account supervision agencies, fund registrars, IT service agencies, fund (outsourcing) service agencies, accounting/auditing/tax service providers of AMP and ABS, legal service providers, investment advisors, underlying fund sponsors/securities issuers, underlying funds/securities distributors, brokers, counterparts, upstream withholding agents, companies in which you or Relevant Customers have an interest in securities, or anyone making any payment to you or Relevant Customers;

v. any person or related party who has the right or obligation, acquires an interest or assumes risk, in or in connection with any product or service you or Relevant Customers receive from HSBC Qianhai, or any business you handle at HSBC Qianhai or any transaction you make with HSBC Qianhai;

vi. other financial institutions, industrial associations (include but not limit to Securities Association of China, Asset Management Association of China) or information service providers;

vii. any third party fund manager providing you or Relevant Customers with asset management services through us;

viii. any third party to whom we provide referral, agency or intermediary service;

ix. any party in connection with any business/asset transfer, restructure, disposal (including securitisation), merger, spin-off or acquisition transactions of HSBC Qianhai.

Subject to applicable laws and regulations, we will seek separate consent (if legally required) from you or Relevant Customers and notify you of the data sharing with the third parties, including the data recipient’s identity, contact information, purpose of processing, method of processing and the type of personal information.

In case of cross border personal data sharing, we will also conclude a data protection agreement with the offshore personal information recipient in the format of standard data protection clause issued by Cyberspace Administration of China as well as specify your relevant personal information subject’s right in your capacity as a third party beneficiary under said agreement pursuant to applicable laws and regulations, for example the manner and method of exercising your right towards the offshore personal information recipient. If you want to know more details about aforesaid data protection agreement, you may contact us to raise such request via the method listed in Article IX of this Policy “How to Contact Us”.
Transfer

Without separate consent from you or Relevant Customers, we will not transfer your personal information to any other company, organization or individual, exceptin the case of business/asset transfer, restructure, disposal (including securitization), merger, spin-off or acquisition transactions where the transfer is necessary. In such cases, we will inform you or Relevant Customers of the identity and contact method of the personal information recipient as per applicable laws and regulations as well as request said recipient to comply with this Policy. If the personal information recipient changes the purposes and methods of personal information processing activities under this Policy, it shall re-obtain the consent from you or Relevant Customers.
Public Disclosure

We will not disclose your personal information to the public unless we have your separate consent.

VI. Special Circumstances for Information Processing

We will process your personal information (such as information collection, storage, use, analysis, transfer, provision, disclosure) based on your consent. To the extent allowed by laws and regulations, we may process your personal information without your consent under the following circumstances:

Where it is necessary for entering into a contract or the performance of a contract to which you are the party.
Where it is necessary for compliance with a legal obligation to which we are subject.
Where it is necessary in order to protect your vital interests in an emergency or respond to public health emergencies.
Where it is within reasonable limits in order to carry out news coverage or media supervision for the public interest.
Where it is within reasonable range according to law to process the information has been legally made public or publicized by yourself.
Other circumstances stipulated by laws and regulations.

VII. How We Use Cookies and Similar Technologies

Your visit, browse, use of any of our website or mobile device applications may be recorded for analysis on the number of visitors to the site and/or applications, general use patterns and your personal use patterns and improving your experience. Some of this information will be gathered through the use of “Cookies” and similar technologies. Such technologies can enable our website or applications to recognize your device and store information about your use of website and/or applications so to provide continuous services to you and to tailor the content of our website/applications to suit your interests and, where permitted by you, to provide you with promotional materials based on your use patterns. We will be able to access the information stored on the Cookies and similar technologies for aforesaid purposes.
The information collected by Cookies is anonymous aggregated data, and contains no personal information such as name, address, telephone, email address etc.
Most local terminals are initially set to accept Cookies. You can manage or disable Cookies based on your own preference. Should you wish to disable the Cookies, you may do so by changing the setting on your local terminals. However, after changing the setting you may not be able to enjoy the convenience that Cookies bring, but your normal use of other functions of the local terminals will not be affected.Different local terminals offer different methods for setting changes, and you can find information on how to manage cookie settings on certain browsers via the following links.

VIII. Your Rights Relating to Personal Information

You have the right to request us to protect and secure your personal information in accordance with the provisions of the law, regulation and this Policy.
You have the right to check with us whether we hold your personal formation as well as to check and copy your personal information.
You have the right to change the scope of authorization or withdraw your consent. We will not further process the related information once you change your authorization. Please note the withdrawal of consent will not affect the lawfulness of processing based on consent given by you or Relevant Customers before its withdrawal.
You have the right and obligation to update your personal information with us to ensure that all the information is accurate and up-to-date. You have the right to request us to provide convenience for you to update your personal information with us and to correct any of your information that is inaccurate.
You have the right to request us to delete or otherwise properly dispose of your personal information that is beyond retention period in accordance with the applicable law and regulation, this Policy, and other agreement between you or Relevant Customers and us. If we cease our operation, we will stop collecting any personal data from you in a timely manner, delete or anonymize all your personal information, and inform you or Relevant Customers represented by you of such operation cessation via courier or public announcement, except as otherwise provided by laws and regulations or where the personal data deletion is technically not possible.
Nothing in this Policy will limit the other rights you should have as a Personal Information Subject under applicable laws and regulations.

IX. How to contact us

Requests for access to, copy, correction or deletion of personal information, for change/withdrawal of authorization or disposal of personal information beyond retention period, for a copy of this Policy, enquiries about our practices regarding personal information and privacy protection, or exercising other rights you are granted by the applicable laws and regulations, should be addressed to:
Data Privacy Manager
HSBC Qianhai Securities Limited
Unit 2201, 22/F, Qianhai Chow Tai Fook Finance Tower (Phase I), No. 66 Shu Niu Avenue, Nanshan Subdistrict
the Shenzhen Qianhai Shenzhen-Hong Kong Cooperation Zone,
Shenzhen, 518052, China
E-mail: ibcndmo@hsbcqh.com.cn
Tel: (86) 0755-88983493 (8:30am - 5:30pm, Monday to Friday during the working days)
For security purpose, you may need to provide the request in written form or use other methods to prove your identity. We may request you to verify your identity before processing your request.
Upon the receipt of your request, we will reply to you within 15 working days or shorter period as prescribed by law and regulation (if any).
We will not charge fees for the processing of your above-mentioned reasonable requests for checking, correcting or otherwise disposing of your personal information.

Notwithstanding the foregoing, we may reject your request that is illegal, noncompliant, or unnecessarily repeated, needs excessive technical means (for example, the need to develop information systems or fundamentally change current practices), brings risks to the legitimate rights and interests of others, is unreasonable or beyond technically impracticable requests.

We may not be able to respond to your request under any of the following circumstances:

i. where the request is in relation to our legal and financial compliance obligation under laws and regulations;

ii. where the request is in direct relation to state security or national defence security;

iii. where the request is in direct relation to public security, public sanitation, or major public interests;

iv. where the request is in direct relation to criminal investigations, prosecutions, trials, execution of rulings, etc.;

v. where there is sufficient evidence that you are intentionally malicious or abuse your rights;

vi. where the purpose is to protect you or other individual's life, property and other substantial legal interests but difficult to acquire your consent;

vii. where responses to your request will give rise to serious damage to your or any other individual or organisation’s legal rights and interests; or

viii. where the request involves any trade secret.
Unless we have your prior consent, we will not send you advertisement promotion message. If at any time you would like us to cease using or providing to others your personal information for advertisement promotion purpose, you are entitled to notify us and exercise your right of choice, not to receive such advertisement promotion any more. If you so choose to reject advertisement promotion message, please contact us by calling (86) 0755-88983493. After receipt of your request we will, as soon as practical (usually no later than 15 working days from your request), take actions to ensure no more advertisement promotion message should be sent to you.
You may supervise or make suggestions for our practices regarding personal information and privacy protection, and lodge complaints or demand compensation according to law against us or our staff for any infringement of your rights and interests in your personal information and privacy.
If you have any query, complaint, feedback, comment or suggestion, or have problem with automated decision results, please contact us. You may contact us through the contact information listed in this Policy, by calling our hotline. You may also visit our official website www.hsbcqh.com.cn to enquire t other contact information of us suitable for you.

X. Protection of Minors’ Personal Information

We pay particular attention to protection of the minors’ personal information. We have no intention to collect any minors’ personal information, unless it is agreed by their parents or guardians and it is necessary for the products or services offered to the minors (for example, the minors may be the heirs of our customers, etc.).
If you are under 18 years of age (including children under the age of 14), it is suggested that your parents or guardians should carefully read this Policy and any of your personal information should be provided only after seeking consent from them. Meanwhile, it is suggested that your use of our products and services should be under the guidance of your parents or guardians. If they do not agree you to provide your personal information or to use any of our products or services, you should immediately stop providing the information or stop using our products and services. Please notify us of such event as soon as possible, so as to allow us to take appropriate measures accordingly.
If you are under 18 years of age (including children under the age of 14), for those personal information we collect with the consent of your parents or guardians, we will only use or disclose such information to the extent allowed by law and regulation or expressly consented by your parents or guardians or necessary for protection of the minors’ interests.

XI. Formulation, Effectiveness, Update of this Policy and Others

The Policy is made by us and published at our websites and takes effect on the date of issuance. The Policy may be amended or updated from time to time, particularly in the events of major changes as follows:

i. Major changes in our service model, such as changes in the purpose of processing personal information, changes in the types of personal information being processed, the use methods of personal information, etc.;

ii. Major changes in our ownership structure, organisational structure, etc., such as changes as result of business adjustments, bankruptcy, mergers, etc.;

iii. Changes in the main objects of personal information sharing, transfer or public disclosure;

iv. Significant changes in your rights relating to personal information or in the methods to exercise such rights;

v. Changes of our contacts for personal information related requests/enquiries, changes of our contacts for complaint or feedback;

vi. Other major changes which may significantly impact your interests in personal information.
We will post the changes to the Policy or the updated Policy through pop-ups, announcements, etc. on our website.Changes to the Policy shall not diminish or limit the rights you should have as a personal information subject under applicable laws and regulations.
Where you provide to us personal information about another person, you should ensure that person acknowledges this Policy, tell him/her how we may collect and use his/her personal information and obtain the consent of such person. You should remind that person to read this Policy in advance and may also give him/her a copy of this Policy.
In case of discrepancy between the Chinese and English versions of this Policy, the Chinese version shall apply and prevail.