PRIVACY POLICY

Comfi Care iOS Application

Operated by Comfi Care Limited

Effective Date: 12 April 2026  |  Last Updated: 12 April 2026

1. Introduction

Comfi Care Limited (the "Company", "we", "us", or "our") is a company incorporated in Hong Kong. We operate the Comfi Care mobile application (the "App") available on Apple’s App Store.

This Privacy Policy explains how we collect, use, store, protect, and share your personal data when you use our App. It is designed to comply with the Personal Data (Privacy) Ordinance (Cap. 486) of the Laws of Hong Kong (the “PDPO”), Apple’s App Store Review Guidelines, and other applicable data protection laws.

By downloading, installing, or using the App, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use the App.

2. Data Controller

The data controller responsible for your personal data is:

Comfi Care Limited

Hong Kong SAR

Email: info@comfi.care

For enquiries regarding your personal data, please contact our designated Data Protection Officer at the email address above.

3. Key Definitions

• “Personal Data” means any data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained, as defined by the PDPO.

• “Health-Related Data” means personal data relating to the physical or mental health of an individual, including foot scan images, arch measurements, biomechanical assessments, and any derived health insights or classifications.

• “Foot Image Data” means photographs, 3D scans, depth maps, and any other visual or photogrammetric data of users’ feet captured through the App.

• “Data Subject” means the individual to whom the personal data relates, i.e., you as the user of the App.

• “Processing” means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or erasure.

4. Personal Data We Collect

We collect the following categories of personal data when you use our App:

4.1 Account and Identity Data

• Full name

• Email address

• Phone number (if provided)

• Account login credentials (encrypted)

• User profile preferences

4.2 Foot Image and Scan Data (Health-Related Data)

• Photographs of your feet taken via your device’s camera

• 3D foot scans generated through photogrammetry (using Apple’s PhotogrammetrySession or equivalent technology)

• Depth maps and point cloud data derived from foot scans

• Foot landmark detection data (e.g., arch height, foot length, width measurements)

• USDZ or other 3D model files of your feet

4.3 Health and Biomechanical Data

• Arch Height Index (AHI) measurements and classification (e.g., flat arch, normal arch, high arch)

• Foot type classification results

• Biomechanical assessment reports

• Custom insole design parameters derived from your foot data

• Any notes, observations, or health-related information you voluntarily provide

4.4 Device and Technical Data

• Device model, operating system version, and unique device identifiers

• App usage data, crash logs, and diagnostics

• IP address and approximate (coarse) location data

• Language and region settings

4.5 Transaction Data

• Records of purchases, orders, and payments for custom insole products

• Shipping and delivery information

Note: Payment processing is handled by third-party payment processors (e.g., Apple Pay, Airwallex). We do not store your full credit card or banking details.

5. How We Collect Your Data

We collect personal data through the following means:

1. Directly from you when you register for an account, input your profile information, or communicate with us.

2. Through the App when you use the camera and scanning features to capture foot images and generate 3D scans.

3. Automatically through your device when you use the App, such as device identifiers, crash logs, and usage analytics.

4. From third-party service providers who assist with payment processing, analytics, or cloud hosting.

Important: Before we collect any Foot Image Data or Health-Related Data, the App will request your explicit consent through a clear, prominent in-app consent prompt. You may withdraw your consent at any time (see Section 11).

6. Purposes of Data Collection and Use

In accordance with Data Protection Principle 1 (DPP1) of the PDPO, we collect and use your personal data solely for the following lawful and directly related purposes:

We will not use your personal data for any purpose other than those stated above or purposes directly related thereto, unless we have obtained your separate prescribed consent.

7. Special Provisions for Health-Related Data

We recognise that Foot Image Data and Health-Related Data constitute sensitive personal data requiring enhanced protection. In compliance with the PDPO, Apple’s HealthKit and health data guidelines, and industry best practices, we commit to the following:

1. Explicit Consent: We will obtain your informed, explicit consent before collecting any health-related data. The consent mechanism will clearly describe the nature of data being collected, the purpose, and how it will be used.

2. Purpose Limitation: Health-related data will be used exclusively to provide foot health assessments, generate custom insole designs, and deliver the core services of the App. It will not be used for advertising, marketing, or data mining purposes.

3. No Third-Party Marketing Use: In accordance with Apple’s App Store Review Guidelines (Section 5.1.3), health-related data gathered through the App will never be disclosed to third parties for advertising, marketing, or use-based data mining.

4. Data Minimisation: We collect only the minimum health-related data necessary to provide our services. We do not collect data that is excessive or unrelated to foot health assessment and insole customisation.

5. Enhanced Security: Health-related data is subject to additional security measures, including encryption at rest and in transit, access controls, and audit logging (see Section 9).

6. No iCloud Storage of Health Data: Personal health-related data will not be stored in Apple’s iCloud in an unencrypted or uncontrolled manner. Data synced to cloud services will use our own secured servers with appropriate safeguards.

8. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients, strictly for the purposes described in this Policy:

8.1 Service Providers and Partners

• Cloud hosting and infrastructure providers (e.g., Firebase, Google Cloud, AWS) for secure data storage and processing.

• Payment processors (e.g., Apple Pay, Airwallex) for transaction processing. These providers only receive data necessary to complete your payment.

• 3D insole manufacturing partners who require your foot scan data to produce custom insoles. These partners are bound by non-disclosure agreements and data processing contracts.

8.2 Legal and Regulatory Authorities

We may disclose your personal data where required by law, regulation, court order, or governmental request, or where disclosure is necessary to protect our legal rights, enforce our terms of service, or ensure the safety of our users.

8.3 Cross-Border Data Transfers

Our operations span Hong Kong and mainland China (via our Shenzhen entity). Your data may be transferred to and processed in jurisdictions outside of Hong Kong. In such cases, we will ensure that:

• Adequate safeguards are in place to protect your personal data, including contractual data protection clauses.

• The transfer is necessary for the performance of our contract with you or for purposes directly related to the services you have requested.

• We comply with any applicable guidance issued by the Privacy Commissioner for Personal Data on cross-border data transfers.

8.4 No Sale of Personal Data

We do not sell, rent, lease, or trade your personal data to any third party for their own commercial purposes.

9. Data Security

In compliance with Data Protection Principle 4 (DPP4) of the PDPO, we implement appropriate technical and organisational measures to safeguard your personal data against unauthorised or accidental access, processing, erasure, loss, or use. These measures include:

• Encryption: All personal data, including foot images and health data, is encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption or equivalent).

• Access Controls: Strict role-based access controls limit access to personal data to authorised personnel who require it for legitimate business purposes.

• Authentication: Multi-factor authentication and secure password policies protect access to our systems and databases.

• Secure Development: We follow secure software development practices, including regular code reviews, vulnerability assessments, and penetration testing.

• Incident Response: We maintain a data breach incident response plan to promptly detect, contain, investigate, and assess the risk of harm to affected individuals in the event of a data breach.

• Audit Logging: Access to health-related data is logged and monitored for security audit purposes.

• Device-Level Security: Where feasible, sensitive foot scan data is processed on-device and only transmitted to our servers when necessary for service delivery.

10. Data Retention

In accordance with Data Protection Principle 2 (DPP2) of the PDPO, we retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law.

• Account Data: Retained for as long as your account is active. Upon account deletion, your account data will be erased within 30 days, subject to any legal retention obligations.

• Foot Image and Health Data: Retained for as long as necessary to provide ongoing services, including insole reordering and updated assessments. You may request deletion at any time.

• Transaction Data: Retained for a minimum of seven (7) years as required by Hong Kong tax and commercial regulations.

• Device and Technical Data: Retained for up to twelve (12) months for analytics and troubleshooting purposes, after which it is anonymised or deleted.

When personal data is no longer required, we will securely erase or anonymise it so that it can no longer be associated with you.

11. Your Rights Under the PDPO

Under the PDPO, you have the following rights in relation to your personal data:

11.1 Right of Access (Section 18, PDPO)

You have the right to request access to the personal data we hold about you. We will respond to a data access request within 40 days of receiving it. A reasonable fee may be charged to cover our administrative costs.

11.2 Right of Correction (Section 22, PDPO)

You have the right to request the correction of any personal data that is inaccurate. We will respond to a data correction request within 40 days of receiving it.

11.3 Right to Withdraw Consent

Where we process your personal data based on your consent (including for health-related data collection), you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to the withdrawal. You may withdraw consent by:

• Using the in-app privacy settings to revoke data collection permissions.

• Contacting us at the email address provided in Section 2.

• Deleting your account through the App.

11.4 Right to Deletion

You may request the deletion of your personal data, including all foot images, scan data, and health-related records. We will process deletion requests promptly, subject to any overriding legal retention requirements. Account deletion functionality is available within the App settings.

11.5 Right to Opt Out of Direct Marketing

We will not use your personal data for direct marketing purposes without your separate, explicit, written consent as required by Part VIA of the PDPO. If you have previously consented, you may opt out at any time by following the unsubscribe instructions in our communications or contacting us directly.

12. Cookies, Tracking, and Analytics

The App does not use browser cookies. However, the App may use the following technologies:

• Firebase Analytics or equivalent analytics services to collect anonymised usage data for the purpose of improving App performance and user experience.

• Crash reporting tools (e.g., Firebase Crashlytics) to diagnose and resolve technical issues.

We do not engage in cross-app tracking. In accordance with Apple’s App Tracking Transparency (ATT) framework, we will request your explicit permission before any tracking activity occurs. You may manage tracking permissions at any time through your iOS device settings (Settings > Privacy & Security > Tracking).

13. Children’s Privacy

The App is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such data promptly.

If the App is used to scan the feet of a minor (e.g., for custom insole fitting), a parent or legal guardian must provide consent and operate the App on behalf of the minor. The parent or guardian is responsible for managing the minor’s data and exercising any rights on their behalf.

14. Third-Party Services and Links

The App may contain links to or integrations with third-party services, websites, or applications (e.g., WhatsApp for customer support). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal data.

15. Data Breach Notification

In the event of a personal data breach that poses a real risk of significant harm to affected individuals, we will:

1. Take immediate steps to contain the breach and mitigate any potential damage.

2. Notify the Privacy Commissioner for Personal Data (PCPD) as soon as reasonably practicable.

3. Notify affected individuals where the breach is likely to result in a real risk of significant harm, providing information about the nature of the breach and recommended protective measures.

4. Maintain records of all data breaches, including their effects and remedial actions taken.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

• Post the updated Privacy Policy within the App and on our website.

• Update the “Effective Date” and “Last Updated” dates at the top of this document.

• Notify you via in-app notification or email where the changes are significant, particularly if they affect how we handle health-related data.

Your continued use of the App after any changes to this Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically.

17. Governing Law and Dispute Resolution

This Privacy Policy is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: info@comfi.care

Comfi Care Limited

Email: Comfi Care Limited

Website: https://comfi.care/

You may also lodge a complaint with the Privacy Commissioner for Personal Data, Hong Kong:

Office of the Privacy Commissioner for Personal Data (PCPD)

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wan Chai, Hong Kong

Hotline: (852) 2827 2827

Website: www.pcpd.org.hk

19. Personal Information Collection Statement (PICS)

As required by Data Protection Principle 1(3) of the PDPO, the following statement is provided at or before the time of collecting your personal data:

1. Purpose: Your personal data, including foot images and health-related measurements, is collected for the purpose of providing personalised foot health assessments and custom insole products.

2. Transferees: Your data may be shared with our manufacturing partners, cloud service providers, and payment processors as described in Section 8 of this Privacy Policy.

3. Obligation/Voluntariness: Providing your account data is necessary for using the App. Providing foot scan data is voluntary but required for core services (foot assessment and custom insole design).

4. Rights: You have the right to request access to and correction of your personal data. Requests may be directed to: info@comfi.care

— End of Privacy Policy —