Privacy Policy

Chelsey House ActiveLuxe Limited, operating as Chelsey Luxe, is committed to protecting the privacy and security of your personal data. This Privacy Policy explains in clear, comprehensive terms how we collect, use, disclose, and safeguard information when you visit our website at chelseyluxe.lat, engage with our services, or communicate with our team. We encourage you to read this document thoroughly.

1. Introduction

Chelsey House ActiveLuxe Limited (referred to throughout this policy as Chelsey Luxe, we, us, or our) is a private limited company registered in Hong Kong with its registered office at Rm 6503, 65/F Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong. We operate as a strategic advisory firm serving enterprises, family offices, and founder-led ventures globally.

This Privacy Policy applies to all personal data we process in the course of our business, including data collected through our website, during client engagements, through professional networking, and via direct communications. By using our website or engaging our services, you acknowledge that you have read and understood this policy. If you do not agree with any aspect of this policy, you should discontinue use of our website and services.

We act as a data controller for the personal data we collect and process. This means we determine the purposes and means of processing your personal data and are responsible for ensuring that processing complies with applicable data protection laws.

2. Types of Data Collected

We collect several categories of personal data, each described in detail below. We only collect data that is relevant and limited to what is necessary for the purposes described in this policy.

We do not collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data) unless you voluntarily provide such information in the course of an engagement. We do not collect payment card information directly; any financial transactions are processed through secure third-party channels.

3. How We Collect Data

We collect personal data through the following methods and channels:

• Direct interactions: When you fill out our contact form on chelseyluxe.lat, send us an email, call our office, attend a meeting or event, or engage us for advisory services. This includes data you provide during the onboarding process for a client engagement.
• Automated technologies: When you visit our website, our server automatically logs certain technical data including your IP address, browser type, referring URLs, and timestamps. We do not use invasive tracking technologies; our approach to automated collection is conservative and limited to what is necessary for security and basic analytics.
• Professional networks and public sources: We may collect limited professional information from publicly available sources such as company websites, professional networking platforms, and industry registries when conducting preliminary research relevant to a potential or active engagement.
• Third parties: On rare occasions, we may receive data from referral partners, industry associations, or event organizers where you have consented to the sharing of your information.

Where we collect data from sources other than you directly, we will inform you of the source and the categories of data collected within a reasonable period, and no later than one month after obtaining the data.

4. Purposes of Data Processing

We process personal data for the following specific purposes. We do not use your data for purposes that are incompatible with those listed below without providing notice and, where required, obtaining your consent.

• Service delivery: To provide strategic advisory services, respond to inquiries, prepare proposals, conduct research and analysis, and deliver the engagements for which we have been retained.
• Communication: To respond to messages received through our contact form, email, or telephone; to schedule and conduct meetings; to provide updates relevant to active engagements.
• Business development: To identify and communicate with prospective clients, share relevant insights and thought leadership, and manage professional relationships.
• Website operation and improvement: To operate, maintain, and improve our website; to analyze usage patterns and optimize user experience; to diagnose and resolve technical issues.
• Security and fraud prevention: To protect our website, systems, and data against unauthorized access, cyber threats, and malicious activity; to maintain the confidentiality of client information.
• Legal compliance: To comply with applicable laws, regulations, and legal processes; to respond to lawful requests from government authorities; to establish, exercise, or defend legal claims.
• Business administration: To manage our client relationships, maintain internal records, conduct billing and financial management, and fulfill contractual obligations.

5. Legal Basis for Processing

For individuals located in the European Economic Area (EEA), the United Kingdom, and other jurisdictions that require a lawful basis for processing personal data, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and equivalent legislation:

• Consent: Where you have given clear, specific, and informed consent for us to process your personal data for a particular purpose — for example, when you submit our contact form or subscribe to receive communications from us. You may withdraw consent at any time by contacting cc@chelseyluxe.lat.
• Contractual necessity: Where processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract — for example, when we process your data to prepare an engagement proposal or deliver agreed-upon services.
• Legitimate interests: Where processing is necessary for our legitimate interests or those of a third party, provided your rights and interests do not override those interests. Our legitimate interests include: operating and improving our website, responding to inquiries, developing our business, protecting our systems and data, and managing client relationships. We carefully balance our interests against your privacy rights before relying on this basis.
• Legal obligation: Where processing is necessary to comply with a legal or regulatory obligation to which we are subject — for example, maintaining records for tax purposes, complying with anti-money laundering requirements, or responding to binding requests from regulatory authorities in Hong Kong or other applicable jurisdictions.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:

• Service providers: We engage trusted third-party service providers who process data on our behalf and under our instruction. These include website hosting providers, email service providers, cloud storage platforms, and professional advisers (legal counsel, accountants, auditors). All service providers are bound by data processing agreements that impose confidentiality, security, and data protection obligations consistent with this policy.
• Professional advisers: We may share data with our legal, financial, and compliance advisers where necessary for the purposes of obtaining professional advice or managing legal claims.
• Legal and regulatory authorities: We may disclose data where required by applicable law, regulation, court order, or governmental authority, including to regulatory bodies in Hong Kong or other jurisdictions where we operate.
• Business transfers: In the event of a merger, acquisition, restructuring, or sale of all or a portion of our assets, personal data may be transferred to the successor entity, subject to the terms of this Privacy Policy and applicable law.
• With your consent: We may share data with other parties where you have provided explicit consent for such sharing.

7. International Data Transfers

Chelsey House ActiveLuxe Limited is headquartered in Hong Kong. Personal data we collect may be transferred to, stored in, and processed from Hong Kong and other countries where our service providers operate, including the United States, Singapore, and the United Kingdom.

Where we transfer personal data from the EEA, the United Kingdom, or other jurisdictions with data transfer restrictions to countries that have not been recognized as providing an adequate level of data protection, we implement appropriate safeguards in accordance with applicable law. These safeguards include:

• European Commission-approved Standard Contractual Clauses (SCCs), supplemented by transfer impact assessments and additional technical and organizational measures where necessary;
• The UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable;
• Binding corporate rules where relevant for intra-group transfers;
• Any other transfer mechanism recognized under applicable data protection law.

You may request details of the specific safeguards we have in place for international transfers by contacting us at cc@chelseyluxe.lat.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. Our specific retention periods are as follows:

Upon expiry of the applicable retention period, personal data is securely deleted, destroyed, or anonymized so that it can no longer be associated with an identifiable individual. We review our data holdings annually to identify data that has reached the end of its retention period.

9. Security Measures

We implement and maintain technical, administrative, and physical security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption: Data transmitted between your browser and our website is encrypted using TLS (Transport Layer Security). Data at rest on our servers is encrypted using AES-256 encryption. Email communications containing sensitive information are encrypted where technically feasible.
• Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls, multi-factor authentication, and unique user credentials. Access privileges are reviewed quarterly.
• Network security: Our hosting infrastructure employs firewalls, intrusion detection systems, and regular vulnerability scanning. We apply security patches and updates promptly according to a documented patch management policy.
• Physical security: Our office premises at Central Plaza, Hong Kong, are protected by building security, access card systems, and secure document storage. Physical access to server infrastructure is restricted to authorized data center personnel.
• Organizational measures: All personnel receive data protection training upon onboarding and annually thereafter. We maintain a documented incident response plan and conduct periodic security assessments. Our data protection policies are reviewed and updated at least annually.
• Third-party assurance: We require all service providers who process personal data on our behalf to maintain security standards at least as protective as our own, verified through contractual obligations and periodic review.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay, in accordance with applicable data protection law.

10. Your Data Protection Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. We respond to all rights requests within one month (extendable by two months for complex requests, with notice provided within the first month). There is generally no fee for exercising these rights, though we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

• Right of access: You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about how and why it is processed. The first copy is provided free of charge; additional copies may incur a reasonable administrative fee.
• Right to rectification: You may request that we correct inaccurate or incomplete personal data we hold about you. We will act on such requests promptly and notify any recipients of your data of the corrections where feasible.
• Right to erasure (right to be forgotten): You may request deletion of your personal data where: the data is no longer necessary for the purpose for which it was collected; you withdraw consent and no other legal basis applies; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or deletion is required by law. This right is subject to certain exceptions, including where retention is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
• Right to restrict processing: You may request that we limit the processing of your personal data where: you contest the accuracy of the data (restriction applies while we verify accuracy); the processing is unlawful and you oppose erasure and request restriction instead; we no longer need the data but you require it for legal claims; or you have objected to processing and we are verifying whether our legitimate grounds override yours.
• Right to data portability: You may request a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller without hindrance from us. This right applies where processing is based on consent or a contract and is carried out by automated means.
• Right to object: You may object to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately. Where you object to processing based on legitimate interests, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Rights related to automated decision-making and profiling: We do not engage in automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. Should this change, we will update this policy, notify you, and provide meaningful information about the logic involved.

To exercise any of these rights, please contact us at cc@chelseyluxe.lat or write to our registered office. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with a supervisory authority in your country of residence or the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) if you believe our processing of your personal data violates applicable law.

11. CCPA Rights for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following specific rights:

• Right to know: You may request that we disclose: the categories of personal information we have collected about you; the categories of sources from which the information was collected; the business or commercial purpose for collecting, selling, or sharing the information; the categories of third parties with whom we disclose the information; and the specific pieces of personal information we have collected about you. You may make such a request twice in a 12-month period.
• Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions including completing transactions, detecting security incidents, debugging, exercising free speech, complying with legal obligations, and other activities permitted by the CCPA.
• Right to correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing: Chelsey House ActiveLuxe Limited does not sell or share personal information as those terms are defined under the CCPA. We do not sell personal data to third parties for monetary consideration, nor do we share personal data for cross-context behavioral advertising.
• Right to limit use of sensitive personal information: We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you services, charge you different prices, provide a different level of service, or retaliate in any way.

To exercise your CCPA rights, please contact us at cc@chelseyluxe.lat with the subject line: CCPA Request. We will verify your identity using information you have previously provided to us and respond within 45 days (extendable by an additional 45 days with notice). You may designate an authorized agent to make a request on your behalf; we will require written proof of the agent’s authority and may also verify your identity directly.

12. Children’s Privacy

Our website and services are directed at business professionals and enterprises. We do not knowingly collect, solicit, or maintain personal data from children under the age of 16. If we become aware that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us immediately at cc@chelseyluxe.lat.

This policy complies with the requirements of the Children’s Online Privacy Protection Act (COPPA) in the United States and equivalent legislation in other jurisdictions. We do not target our website, content, or marketing toward children.

13. Third-Party Links

Our website may contain links to external websites, platforms, or resources that are not operated by Chelsey House ActiveLuxe Limited. These links are provided for convenience and informational purposes only. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

When you follow a link to a third-party website, we encourage you to review the privacy policy of that website before providing any personal data. This Privacy Policy applies solely to data collected by Chelsey House ActiveLuxe Limited through our website and services; it does not extend to third-party sites even if accessed through a link on our website.

14. Cookies Policy

Our website uses a minimal set of cookies and similar technologies. We prioritize privacy and use no advertising or tracking cookies. The following describes our cookie usage:

• Essential cookies: These are necessary for the website to function properly. They enable core functionality such as security and form submissions. Our website currently uses no persistent essential cookies; session identifiers, where used, are temporary and expire when you close your browser.
• Analytics cookies: We may use privacy-focused analytics that do not set cookies or collect personal identifiers. Where analytics are deployed, they collect only aggregated, anonymized data about website usage patterns.
• No advertising cookies: We do not use cookies for advertising, retargeting, or cross-site tracking purposes. We do not participate in advertising networks or behavioral advertising programs.

Most web browsers allow you to control cookies through browser settings. You may configure your browser to block all cookies, delete existing cookies, or alert you when cookies are being set. Please note that blocking essential cookies may affect website functionality. For more information about managing cookies, visit the help documentation for your specific browser.

15. Changes to This Privacy Policy

We review this Privacy Policy regularly and may update it from time to time to reflect changes in our practices, technology, legal requirements, or operational needs. When we make material changes, we will:

• Post the updated policy on this page with a revised effective date;
• Display a prominent notice on our website for a reasonable period;
• Where required by law, notify you directly (for example, by email) and obtain your renewed consent where the changes affect the legal basis for processing.

We encourage you to review this policy periodically. Your continued use of our website or services after the effective date of an updated policy constitutes your acknowledgment of the changes. Historical versions of this policy are available upon request.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the details below. We take privacy seriously and will respond to all inquiries promptly and thoroughly.

You may also lodge a complaint with your local data protection supervisory authority or the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.