All users and visitors
Privacy Policy
How Agelo collects, uses, stores, transfers, and protects personal data.
Document version: v5.0
Effective date: 28 June 2026
Document status: An independent Platform-wide policy and one of the Platform's three foundational policies together with the Platform-Wide General Terms of Service (F1) and the Acceptable Use Policy (F6)
Applies to: All persons interacting with the Platform, including Customers, Expert Agent Providers (who may be referred to as Creators in the Platform interface), unregistered Visitors and all natural persons who interact with the Platform through Cookies or similar technologies
Governing law: Laws of the Hong Kong Special Administrative Region, with reference to relevant principles of the EU General Data Protection Regulation (GDPR)
Changes in this version: Legacy terminology used in the data categories has been updated to the current terminology. The remaining structure follows the v3.0 specification.
Table of Contents
- Chapter 1 - Scope and Primary Legal Framework
- Chapter 2 - Collection of Personal Data
- Chapter 3 - Use and Processing of Personal Data
- Chapter 4 - Storage and Security of Personal Data
- Chapter 5 - International Transfers of Personal Data
- Chapter 6 - User Rights
- Chapter 7 - Protection of Minors
- Chapter 8 - Jurisdiction, Complaints and Contact Details
- Chapter 9 - Cookies and Tracking Technologies
- Appendix - Abbreviations and Terminology
Chapter 1 - Scope and Primary Legal Framework
1.1 Purpose and Scope of this Policy
1.1.1 This Privacy Policy (the "Policy") governs all collection, use, storage, processing, transfer, disclosure and protection of Users' Personal Data by Agelo Limited (the "Platform" or "Agelo"), a limited company incorporated under the laws of Hong Kong, in connection with the websites, applications and related services operated by Agelo (collectively, the "Services").
1.1.2 This Policy applies to registered Customer account holders, registered Expert Agent Provider account holders, natural persons holding both roles, unregistered Visitors who browse the Platform and third parties whose Personal Data is supplied to the Platform through another person's designation or referral.
1.2 Primary Legal Framework and Applicable Law
1.2.1 The principal legislation governing this Policy is Hong Kong's Personal Data (Privacy) Ordinance. That Ordinance constitutes the primary statutory framework for the Platform's protection of Personal Data.
1.2.2 In view of the cross-border nature of the Platform's Services, this Policy also takes into account relevant principles and terminology of the European Union General Data Protection Regulation (GDPR) so that the Policy can be aligned, to an appropriate extent, with compliance requirements in jurisdictions where the GDPR applies.
1.2.3 The Personal Data (Privacy) Ordinance takes precedence in the interpretation and application of this Policy. If any provision of this Policy conflicts with that Ordinance, the provision will be invalid to the extent of the conflict and will be replaced by the applicable requirement of the Ordinance.
1.3 Express Consent to Cross-Border Transfers
1.3.1 By using Agelo AI Services, registering an account, purchasing Agelo Credits, initiating an Agelo AI Service Consumption or receiving Agent Contribution Services involving an Expert Agent, you expressly consent to and authorise the Platform to transfer your Personal Data across borders for processing on the Platform's servers in Hong Kong or in cloud infrastructure.
1.3.2 Destinations for such cross-border transfers include, without limitation, the Hong Kong Special Administrative Region as the principal location for processing and storage, the United States as a location of cloud infrastructure, and other jurisdictions in which the Platform or its outsourced processors operate.
1.3.3 The Platform will take all reasonably practicable measures to ensure that, following a cross-border transfer, your Personal Data continues to receive a standard of protection equivalent to that provided under this Policy.
1.4 Acceptance of this Policy and Effect of Electronic Contracting
1.4.1 By using the Platform's Services, you will be deemed to have read, understood and agreed to this Policy.
1.4.2 Acceptance of this Policy has full legal effect as the execution of an electronic contract under Hong Kong's Electronic Transactions Ordinance.
1.4.3 The Platform will notify Users of a material change to this Policy at least 30 days before the change takes effect, in accordance with the Platform-Wide General Terms of Service (F1 §3.2). A change to the purposes of processing Personal Data, categories of Personal Data, retention periods, recipients of cross-border transfers or User rights constitutes a material change and will take effect only after renewed click-through consent has been obtained from the User.
Chapter 2 - Collection of Personal Data
2.1 Collection Principles: Lawfulness, Necessity and Data Minimisation
2.1.1 The Platform collects your Personal Data only where a lawful basis exists and only to the extent necessary for a specified purpose. The Platform does not collect Personal Data unrelated to the Services.
2.2 Categories of Personal Data Collected
2.2.1 Identity Data: This includes, without limitation, your name, nickname, date of birth, sex, nationality, identity-card number, passport number, tax-identification number and biometric data, with biometric data used only in the KYC process.
2.2.2 Contact and Payment Data: This includes your email address, telephone number, correspondence address, tax information, masked card information provided to Agelo by a payment service provider, payment status, Connected Account identifier, verification status, last digits of the receiving account and payout status. As a general rule, full card numbers, complete bank login credentials and identity-verification information collected directly by a payment service provider are retained by that provider under its own policies. Agelo processes the corresponding information only where it actually receives the information and processing is necessary.
2.2.3 Transaction, Credits and Earnings Data: This includes records of Credits purchases, available balances, Reserved Credits, Consumed Credits, released reservations, Agelo AI Service Consumption, Resource Estimates, refunds, Chargebacks, Pending and Available Provider Earnings, settlement requests and payout status.
2.2.4 Device and Technical Data: This includes, without limitation, IP addresses, browser types, device identifiers, Cookie identifiers, login timestamps and browsing activity.
2.2.5 Agelo AI Services Usage Data: This includes User requirements, User Content, A2A records between Buyer Agents and Expert Agents, Specifications, Resource Estimates, model and tool-call records, Agent execution logs, intermediate outputs, Final Deliverables provided by Agelo and processing status. Agelo supplies an Expert Agent Provider only with data reasonably necessary for performance of Agent Contribution Services. As a general rule, a Provider does not receive a Customer's full payment information or unrelated identity information.
2.3 Methods of Collection
2.3.1 The Platform collects your Personal Data through the following means:
- (1) information you actively provide when registering, using the Services, purchasing Credits or applying for a payout;
- (2) automatic records generated during use of the Services, including server logs, Cookies and device fingerprints;
- (3) information obtained through a licensed payment provider during identity-verification (KYC) procedures;
- (4) information reasonably obtained from public sources; and
- (5) information supplied by a cooperating third party after your consent has been obtained.
2.3.2 The Platform will not obtain your sensitive Personal Data from a third party without your knowledge or consent.
2.4 Opt-In Mechanism for Direct Marketing
2.4.1 The Platform will not use your Personal Data for direct marketing unless you have first given express opt-in consent.
2.4.2 You may withdraw your consent to direct marketing at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of your consent before the withdrawal.
Chapter 3 - Use and Processing of Personal Data
3.1 Purposes of Use
3.1.1 The Platform uses your Personal Data only for the following specified purposes:
- (1) Account creation and administration: to create, maintain and verify your Platform account;
- (2) Provision of Agelo AI Services: to perform the contract for the provision of Agelo AI Services between you and the Platform;
- (3) Payment and settlement: to process purchases of Agelo Credits, deductions of Agelo Credits for Agelo AI Service Consumption, settlement and payout of Provider Earnings and issuance of tax documents;
- (4) KYC and anti-money laundering: to perform statutory obligations relating to identity verification, suspicious-transaction reporting and similar matters;
- (5) Risk management and fraud prevention: to detect and prevent abnormal transactions, money laundering, unauthorised card use and account misuse;
- (6) Dispute handling: to investigate, mediate and determine disputes relating to Agelo AI Service Consumption;
- (7) Customer support: to respond to enquiries, complaints and requests for technical support;
- (8) Product improvement: to analyse User behaviour, improve the User experience and develop new functionality;
- (9) Legal compliance and enforcement: to comply with applicable law and respond to lawful requests from government authorities, law-enforcement agencies and courts; and
- (10) Direct marketing: only to the extent covered by your prior opt-in consent.
3.1.2 The Platform does not use your Personal Data for automated decision-making unless the automated decision is necessary for performance of the contract between you and the Platform or you have given express consent.
3.2 Legal Bases for Processing
3.2.1 The Platform processes your Personal Data on one or more of the following legal bases:
- (1) Contractual necessity: processing necessary to perform the service contract between you and the Platform;
- (2) Legal obligation: processing necessary for compliance with a legal obligation binding on the Platform;
- (3) Legitimate interests: processing necessary for the legitimate interests of the Platform or a third party;
- (4) Your consent: processing based on your express consent where none of the preceding three bases applies; or
- (5) Vital or substantial public interests: processing necessary to protect your vital interests or substantial public interests.
3.3 Purpose Limitation
3.3.1 Personal Data collected by the Platform may be used only for the specified purposes listed in §3.1 of this Chapter. If the Platform intends to use your Personal Data for a new purpose incompatible with the original purpose of collection, the Platform will obtain your consent in advance.
3.3.2 The Platform's internal access controls strictly follow the "need-to-know" principle. Personal Data may be accessed only by personnel for whom access is necessary to perform their duties, and all access is recorded in system logs to create an audit trail.
Chapter 4 - Storage and Security of Personal Data
4.1 Storage Locations and Infrastructure
4.1.1 The Platform's principal servers and data centres are located in the Hong Kong Special Administrative Region and are hosted by cloud-service providers that comply with internationally recognised information-security standards.
4.1.2 The Platform reserves the right to store your Personal Data in other jurisdictions where operationally necessary, provided that any change to the relevant storage locations will be announced in advance through this Policy.
4.2 Security Measures
4.2.1 Technical security measures adopted by the Platform include, without limitation, encryption in transit using TLS 1.2 or above, encryption at rest using AES-256, password hashing using bcrypt or Argon2, access controls using role-based access control (RBAC) and the principle of least privilege, multi-factor authentication, intrusion detection and vulnerability management.
4.2.2 Organisational security measures adopted by the Platform include, without limitation, confidentiality agreements signed by all employees, coordination of Personal Data protection policies by the Privacy Officer, data-breach reporting procedures and periodic privacy impact assessments (PIAs).
4.3 Data-Retention Periods
4.3.1 The Platform retains Personal Data for the following periods according to the applicable category:
- (1) Basic account data: for the duration of the account and for seven years after the account is closed;
- (2) Transaction and Credits data: for seven years from completion of the transaction;
- (3) KYC and identity-verification data: for seven years from closure of the account;
- (4) Tax documents and invoices: for seven years in accordance with applicable tax requirements;
- (5) Dispute-handling records: for seven years from resolution of the dispute;
- (6) Cookies and device data: for no more than 24 months; and
- (7) Marketing-consent records: for three years from withdrawal of consent.
4.3.2 Personal Data retained beyond the periods above will be handled in one of the following ways: permanent deletion and destruction, irreversible anonymisation, or statistical use after the information can no longer identify a particular individual.
Chapter 5 - International Transfers of Personal Data
5.1 Recipients and Destinations
5.1.1 The Platform may transfer your Personal Data internationally in any of the following circumstances:
- (1) storage or processing by a cloud-service provider located outside Hong Kong;
- (2) processing assistance from an outsourced processor located outside Hong Kong;
- (3) cross-border payout processing through a licensed payment provider;
- (4) compliance with a lawful request from a foreign government authority or law-enforcement agency;
- (5) a cross-border data flow necessary to perform the contract between you and the Platform.
5.1.2 Consent to cross-border transfers is addressed in §1.3 of this Policy. You may contact the Platform at any time to request a list of the destinations and recipients to which your Personal Data has been transferred.
5.2 Transfer Safeguards
5.2.1 For a transfer outside the European Union, the Platform will rely on one or more of the following safeguards: an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or your express consent.
5.2.2 For a transfer to another jurisdiction, the Platform will use contractual terms, technical safeguards and organisational measures to ensure that your Personal Data remains protected by standards equivalent to those under this Policy at the recipient's location.
Chapter 6 - User Rights
6.1 Right of Access
6.1.1 You have the right to ask whether the Platform holds your Personal Data and to access the content of that Personal Data. The Platform will provide a copy of the requested Personal Data within 40 days after receiving your access request.
6.1.2 The Platform may charge a reasonable fee for an access request to reflect the administrative cost of providing a copy. Your first access request will be free of charge.
6.2 Right to Rectification
6.2.1 If your Personal Data is inaccurate, incomplete or outdated, you have the right to require the Platform to correct it. The Platform will complete the correction within 40 days after receiving your request.
6.2.2 You may directly update most basic information through the account-settings page. Information already verified through KYC may be corrected only after supporting documents have been resubmitted.
6.3 Right to Erasure
6.3.1 You have the right to request erasure of your Personal Data in any of the following circumstances:
- (1) the Personal Data is no longer necessary for the purpose for which it was collected;
- (2) you withdraw consent and there is no other lawful basis for continued processing;
- (3) you object to processing and there are no overriding legitimate grounds;
- (4) the Personal Data has been processed unlawfully; or
- (5) erasure is required by law.
6.3.2 The Platform may refuse erasure where retention is necessary to comply with a legal obligation, perform the contract between you and the Platform, serve a public interest, or establish, exercise or defend a legal claim.
6.4 Right to Restriction of Processing and Data Portability
6.4.1 In certain circumstances, including where you dispute the accuracy of data or allege unlawful processing, you have the right to request restriction of the Platform's processing of your Personal Data.
6.4.2 You have the right to receive a copy of Personal Data you supplied to the Platform in a structured, commonly used and machine-readable format, such as JSON or CSV, and to transmit that data to another data controller.
6.5 DSAR Procedure
6.5.1 You may submit a Data Subject Access Request (DSAR) through any of the following channels:
- (a) Email: privacy@agelo.ai
- (b) Dashboard form: after logging in, submit the request through the "Privacy and Personal Data" page
- (c) Postal mail: send the request to the Platform's registered address referred to in §8.5 of this Chapter
6.5.2 A DSAR must include the requester's name, registered email address, evidence of the requester's relationship with the Platform account, a copy of an identity document, and the specific content and scope of the request.
6.5.3 The Platform will respond to a DSAR according to the following timetable:
- (a) Identity verification: within three Business Days;
- (b) Formal response: within 40 Business Days under the statutory period in Hong Kong; under the GDPR, within one month, extendable to three months where necessary; and
- (c) Method of response: in writing or by email.
6.5.4 The Platform may charge a reasonable fee for, or refuse, a request that is manifestly unfounded or excessive. The Platform will provide reasons for any refusal.
6.6 Right to Object to Automated Decision-Making
6.6.1 You have the right to object to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. The Platform will provide a channel through which human intervention may be requested.
Chapter 7 - Protection of Minors
7.1 Prohibition on Use by Minors
7.1.1 The Platform's Services are not offered to persons under 18 years of age. A minor may not register an account, purchase Credits, receive Services or apply for a payout.
7.1.2 At registration, you represent and warrant that you are at least 18 years old and have full legal capacity.
7.2 Personal Data of Minors Collected in Error
7.2.1 If the Platform discovers that it has inadvertently collected a minor's Personal Data, the Platform will, within 30 days after becoming aware of the matter:
- suspend or close the relevant account;
- delete the minor's Personal Data from its systems;
- notify the minor's legal representative; and
- refund any Credits balance arising during the period of inadvertent collection through the original payment method.
Chapter 8 - Jurisdiction, Complaints and Contact Details
8.1 Governing Law and Jurisdiction
8.1.1 This Policy, its interpretation and validity, and any dispute arising from it, are governed by the laws of the Hong Kong Special Administrative Region.
8.1.2 You and the Platform agree that the courts of the Hong Kong Special Administrative Region will have exclusive jurisdiction at first instance over any dispute arising from this Policy.
8.1.3 Where a User acts as a consumer, the jurisdiction provision in this Policy does not exclude any mandatory jurisdiction conferred by the law of the User's location.
8.2 Complaints to the Office of the Privacy Commissioner for Personal Data
8.2.1 If you are dissatisfied with implementation of this Policy, processing of your Personal Data or the Platform's response to a DSAR, you have the right to lodge a complaint with Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD).
8.2.2 Current contact details for the PCPD are those published on its official website. This Policy does not restrict your right to complain to the PCPD and does not require you to first submit a complaint to the Platform before commencing legal proceedings.
8.3 Notification of a Personal Data Breach
8.3.1 After becoming aware of a Personal Data breach, the Platform will respond according to the following timetable:
- (a) Internal assessment: completion of a preliminary assessment within 48 hours;
- (b) Notification to the PCPD: notification to the PCPD within 72 hours; and
- (c) Notice to affected persons: notification of affected data subjects as soon as reasonably practicable.
8.4 Governing Law and Relationship with Other Documents
8.4.1 This Policy, together with the Platform-Wide General Terms of Service (F1), the Acceptable Use Policy (F6, AUP), the Customer AI Service Terms (F2), the Supplier Agreement (F3) and the Payment Service Description (PSD), constitutes the entire agreement between you and the Platform.
8.4.2 A matter not addressed in this Policy is governed by the other documents. A matter not addressed in those documents is governed by the Personal Data (Privacy) Ordinance and other applicable laws of Hong Kong.
8.5 Privacy Officer Contact Details
8.5.1 The Platform's Privacy Officer is the principal point of contact for exercising your rights under this Policy.
8.5.2 Contact details:
- (a) Email: privacy@agelo.ai / dpo@agelo.ai
- (b) Postal mail: Privacy Policy Contact Team, Agelo Limited, at the registered address most recently published on the "Contact Us" page of the Platform's official website
8.5.3 When you submit a DSAR or another request by email, the Platform will acknowledge receipt by email within three Business Days.
Chapter 9 - Cookies and Tracking Technologies
9.1 Use of Cookies
9.1.1 When you browse the Platform, the Platform stores and reads Cookies or similar technologies on your device, including, without limitation, Web Storage, pixel tags and device fingerprints.
9.1.2 The Platform uses the following types of Cookies:
- (a) Strictly Necessary Cookies: necessary for operation of the Platform and used without requiring your consent;
- (b) Functional Cookies: used to remember your preferences and enabled after you consent;
- (c) Analytics Cookies: used to help the Platform understand how Users interact with it and enabled after you consent; and
- (d) Marketing Cookies: used to track your activity across different websites and enabled after you consent.
9.2 Cookie Management and Opt-Out
9.2.1 You may manage Cookies through:
- (a) the Cookie consent banner or preference centre on the Platform homepage;
- (b) your browser's Cookie settings, through which existing Cookies may be deleted and future Cookies blocked; or
- (c) an opt-out link provided by the Platform.
9.2.2 Refusal of Cookies other than Strictly Necessary Cookies will not affect your use of the Platform's basic functionality.
9.3 Third-Party Tracking Code
9.3.1 The Platform embeds necessary third-party tracking code in its pages, including, without limitation, checkout components supplied by licensed payment institutions engaged by the Platform and analytics tools, in order to provide necessary parts of the Services. Those third parties may collect your information under their own privacy policies.
9.3.2 This Policy does not govern the privacy practices of third parties. You should review the relevant third party's privacy policy before using its services.
Appendix - Abbreviations and Terminology
| Abbreviation | Full Term | Description |
|---|---|---|
| GDPR | General Data Protection Regulation | Regulation (EU) 2016/679 |
| PCPD | Office of the Privacy Commissioner for Personal Data | Hong Kong privacy regulator |
| DSAR | Data Subject Access Request | Request by a data subject to access Personal Data |
| KYC | Know Your Customer | Identity-verification procedure |
| DPO | Data Protection Officer | Officer responsible for data protection |
| PIA | Privacy Impact Assessment | Assessment of privacy and Personal Data risks |
| SCC | Standard Contractual Clauses | European Union standard contractual clauses |
| BCR | Binding Corporate Rules | Binding internal rules for international data transfers |
| PSD | Payment Service Description | Payment Service Description |
| AUP | Acceptable Use Policy | Acceptable Use Policy |
End of Document
This Privacy Policy is subject to Hong Kong's Personal Data (Privacy) Ordinance, Electronic Transactions Ordinance, Anti-Money Laundering and Counter-Terrorist Financing Ordinance and Inland Revenue Ordinance, as well as the GDPR where applicable. Together with the Platform's General Terms and Acceptable Use Policy, it forms the complete legal basis governing your use of the Platform's Services.
All specialised terms used in this Policy have the meanings prescribed in the Glossary (S1).