What we collect, why, and for how long

Each visit to vhisguide.com logs the following technical data:

• The page path you visited (e.g. /medical-reserve, /insurers)
• Approximate location (a 2-letter country code derived from your IP, e.g. HK, US)
• Device summary (operating system + browser, e.g. "macOS · Chrome", "iOS · Safari")
• IP address
• Site events (e.g. PDF downloads, calculator case selection, disclaimer PIN entry)

Your browser also stores a small piece of local data (cookie / localStorage) so you don't need to re-enter the medical-reserve disclaimer PIN on every visit.

• Site improvement — to know which pages people use and which they don't.
• Security — to detect abuse, brute-force PIN attempts, and large-scale scraping.
• Aggregate analytics — monthly visitor counts, country breakdown, etc.

We do not use this data for ad retargeting, do not sell it to third parties, and do not pass it to any insurer.

• Name, email, phone — unless you proactively contact us via the contact page or WhatsApp.
• Payment information (the site has no paid features).
• Third-party trackers — no Facebook Pixel, no Google Analytics, no LinkedIn Insight Tag.
• Cross-site tracking or browser fingerprinting.

• Leo Chan (site operator, FWD licensed agent IA #JF4352) — accesses aggregate data via Cloudflare Access login.
• Cloudflare Inc. (server & analytics platform vendor) — acts as a data processor and stores the raw events under its own privacy policy.

• Analytics events (including IP, country, device) — retained by Cloudflare Analytics Engine for 90 days, then automatically deleted.
• Browser local data (PIN unlock state) — until you clear your browser data, or until we rotate the PIN.
• We do not maintain any other long-term database of visitor records.

Under the Personal Data (Privacy) Ordinance, you have:

• Right of access (s. 18) — to ask what personal data we hold about you.
• Right of correction (ss. 22, 24) — to correct inaccurate data.
• Right of erasure (s. 26) — to ask us to delete your data.

To exercise any of these, email privacy@vhisguide.com with the approximate date / time / IP of your visits (if known). We'll respond within the 40-day statutory window.

If we change this policy (e.g. add a new analytics tool, change retention), we'll update the effective date at the top of this page. Material changes will be announced via a homepage banner for at least 7 days.