PRIVACY POLICY

What we collect, why, and for how long

VHISGuide doesn't sell data, doesn't track you across the web, and doesn't run ad retargeting. Here's exactly what we do collect, in plain English.

Effective 2026-05-05

1. What we collect

Each visit to vhisguide.com logs the following technical data:

  • The page path you visited (e.g. /medical-reserve, /insurers)
  • Approximate location (a 2-letter country code derived from your IP, e.g. HK, US)
  • Device summary (operating system + browser, e.g. "macOS · Chrome", "iOS · Safari")
  • IP address
  • Site events (e.g. PDF downloads, calculator case selection, disclaimer PIN entry)

Your browser also stores a small piece of local data (cookie / localStorage) so you don't need to re-enter the medical-reserve disclaimer PIN on every visit.

2. Why we collect it

  • Site improvement — to know which pages people use and which they don't.
  • Security — to detect abuse, brute-force PIN attempts, and large-scale scraping.
  • Aggregate analytics — monthly visitor counts, country breakdown, etc.

We do not use this data for ad retargeting, do not sell it to third parties, and do not pass it to any insurer.

3. What we don't collect

  • Name, email, phone — unless you proactively contact us via the contact page or WhatsApp.
  • Payment information (the site has no paid features).
  • Third-party trackers — no Facebook Pixel, no Google Analytics, no LinkedIn Insight Tag.
  • Cross-site tracking or browser fingerprinting.

4. Who has access

  • Leo Chan (site operator, FWD licensed agent IA #JF4352) — accesses aggregate data via Cloudflare Access login.
  • Cloudflare Inc. (server & analytics platform vendor) — acts as a data processor and stores the raw events under its own privacy policy.

5. How long we keep it

  • Analytics events (including IP, country, device) — retained by Cloudflare Analytics Engine for 90 days, then automatically deleted.
  • Browser local data (PIN unlock state) — until you clear your browser data, or until we rotate the PIN.
  • We do not maintain any other long-term database of visitor records.

6. Your rights under Hong Kong PDPO

Under the Personal Data (Privacy) Ordinance, you have:

  • Right of access (s. 18) — to ask what personal data we hold about you.
  • Right of correction (ss. 22, 24) — to correct inaccurate data.
  • Right of erasure (s. 26) — to ask us to delete your data.

To exercise any of these, email privacy@vhisguide.com with the approximate date / time / IP of your visits (if known). We'll respond within the 40-day statutory window.

7. Cookie summary

NamePurposeRetention
medical_reserve_consent_*Remembers that you've entered the medical-reserve disclaimer PIN, so you don't need to re-type it.Until cleared
CF_AuthorizationCloudflare Access auth token — used only on /admin/*, regular visitors never receive it.24 hours

8. Updates to this policy

If we change this policy (e.g. add a new analytics tool, change retention), we'll update the effective date at the top of this page. Material changes will be announced via a homepage banner for at least 7 days.

Questions? Email privacy@vhisguide.com or WhatsApp +852 5287 0900.

Frequently Asked Questions

What personal data does VHISGuide collect?
Each visit logs page path, IP-derived country code, OS + browser summary, IP address, and site events (e.g. PDF downloads). Your browser stores cookies / localStorage to remember your disclaimer acknowledgement. We do not actively collect name, email, or phone unless you proactively submit them via WhatsApp or the SUQ pre-screen form.
Is my quote or comparison data shared with insurance companies?
No. Quote, comparison, and claim-estimator calculations run in your browser or on VHISGuide's own servers — no personal data, age, gender, or plan selection is transmitted to insurance companies. The Health Questionnaire (SUQ) form goes only to Leo and is not shared with any third party.
What cookies does VHISGuide use?
Only necessary functional cookies / localStorage — to remember disclaimer acknowledgement (so we don't re-prompt), language preference, and recent calculator inputs. There are no third-party tracking cookies, no ad retargeting cookies, no Facebook Pixel, no Google Ads tag.
Can I access, correct, or delete my data?
Yes. Under Hong Kong's Personal Data (Privacy) Ordinance (PDPO), you may request access, correction, or deletion of any personal data we hold about you. Submit your request through the Contact page; we'll respond within a reasonable timeframe.