Privacy Policy

1. Who we are

Norwell is a business consulting firm incorporated and operating in Hong Kong. Our registered office is at 7/F, Alexandra House, 18 Chater Road, Central, Hong Kong. We provide structured consulting engagements in the areas of organisational health, franchise readiness, and compensation architecture.

For the purposes of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), Norwell is the data controller in respect of personal data collected through this website and in the course of our client engagements.

2. Data we collect

We collect personal data in the following circumstances:

• Contact form submissions — name, company name, email address, phone number (optional), and the content of your message.
• Client engagements — business contact details, role information, and data relevant to the scope of work you have commissioned.
• Website analytics — anonymised usage data collected via third-party tools (see Section 6).
• Communications — emails or calls initiated by you may be retained for correspondence records.

We do not collect sensitive personal data (as defined under the PDPO) through this website.

3. How we use your data

We use the personal data we collect for the following purposes:

• Responding to enquiries submitted via our contact form.
• Conducting scoping conversations and managing client engagements.
• Sending relevant communications about our services where you have expressed interest.
• Maintaining internal records of client relationships and completed work.
• Improving the usability and content of our website based on aggregated, anonymised analytics data.
• Meeting legal or regulatory obligations that apply to our operations in Hong Kong.

We do not use your personal data for automated decision-making or profiling.

4. Legal basis for processing

Under the PDPO, we rely on the following bases for processing your personal data:

• Contractual necessity — processing required to enter into or perform a consulting engagement.
• Legitimate interests — responding to enquiries, maintaining client records, and improving our service.
• Consent — where you have explicitly opted in to receive particular communications.
• Legal obligation — where processing is required to comply with applicable law.

5. Data sharing

We do not sell, rent, or trade personal data to third parties. We may share personal data in the following limited circumstances:

• Service providers — third-party vendors who support our operations (e.g., website hosting, email delivery, analytics), bound by appropriate data processing agreements.
• Professional advisors — legal counsel, accountants, or auditors where disclosure is necessary.
• Legal requirements — where disclosure is required by law, court order, or regulatory authority in Hong Kong.

Any third parties with whom we share data are required to handle it in accordance with applicable data protection laws.

6. Cookies and tracking

Our website uses cookies and similar technologies. For a detailed explanation of the cookies we use, how they work, and how to manage your preferences, please refer to our Cookie Policy.

Where analytics or marketing cookies are used, they are activated only after you have provided consent through our cookie banner.

7. Data retention

We retain personal data only for as long as is necessary for the purposes described in this policy, or as required by applicable law:

• Enquiry records — retained for 12 months from the date of the enquiry where no engagement follows.
• Client engagement records — retained for 7 years following the conclusion of the engagement, in accordance with standard Hong Kong record-keeping requirements.
• Marketing consent records — retained until you withdraw consent or until the data is no longer relevant.

When data is no longer required, it is deleted or anonymised in a secure manner.

8. Your rights

Under the PDPO, you have the following rights in respect of your personal data:

• Access — the right to request a copy of the personal data we hold about you.
• Correction — the right to request that inaccurate or incomplete data is corrected.
• Objection — the right to object to the use of your data for direct marketing purposes.
• Complaint — the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) if you believe your data has been handled improperly.

To exercise any of these rights, please contact us using the details in Section 10. We will respond to all requests within 40 days, in accordance with PDPO requirements.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Our website uses HTTPS encryption for all data transmitted through the contact form.

While we take reasonable steps to protect personal data, no method of transmission over the internet is entirely secure. If you have concerns about a specific transmission, you are welcome to contact us directly by telephone.

10. Contact us

If you have questions about this Privacy Policy, wish to exercise your data rights, or want to make a complaint, please contact us:

You may also contact the Office of the Privacy Commissioner for Personal Data at www.pcpd.org.hk.