Privacy Policy

Effective Date: April 13, 2026

1. Who We Are

HKSM (HK School of Management) operates the website hksmnow.com. We provide online education for working professionals. For GDPR purposes, HKSM is the data controller.

2. Information We Collect

Information you provide:

  • Name (first and last) — for account identification
  • Email address — for login and communications
  • Password — stored as an irreversible hash, never in plain text
  • Marketing preferences — whether you want to receive emails from us

Information collected automatically:

  • IP address — recorded at registration, login, and consent changes for security purposes
  • Browser and device information — for security and audit logging
  • Login attempts — for rate limiting and fraud prevention (retained 90 days)
  • Session data — to keep you logged in (retained 30 days after last activity)

Consent audit log: We maintain a permanent record of your marketing consent choices and any changes. This includes timestamp, IP address, browser, and the choice made. This log exists to demonstrate legal compliance and is never deleted.

3. How We Use Your Information

  • Provide your account (legal basis: contract) — name, email, password
  • Send verification and password reset emails (legal basis: contract) — email
  • Security and fraud prevention (legal basis: legitimate interest) — IP, login attempts, session data
  • Compliance and audit (legal basis: legal obligation) — consent log
  • Educational marketing emails (legal basis: consent) — email, name
  • Promotional marketing emails (legal basis: consent) — email, name
  • Website analytics (legal basis: legitimate interest) — anonymized browsing data, no cookies

4. Cookies

Essential cookies (always active):

  • hksm_session — keeps you logged in (duration: 2 hours)

We do not use analytics cookies. Our analytics system (Matomo) operates without cookies and with anonymized IP addresses, so no consent is required.

Marketing cookies (require your consent):

  • mautic_device_id, mtc_id — used by our marketing system to link your browsing to your account if you register (duration: persistent)

You can manage marketing cookie preferences using our cookie banner or your browser settings.

5. Third-Party Services

Matomo Analytics (self-hosted): We use Matomo for website analytics, hosted on our own servers at analytics.hksmnow.com. This system operates without cookies and anonymizes IP addresses. All data remains within our infrastructure with no third-party sharing.

Google reCAPTCHA: Our registration form uses Google reCAPTCHA v3 to prevent automated abuse. When you submit the form, Google collects device and interaction data. See Google's Privacy Policy and Terms of Service.

Mautic (self-hosted): We use Mautic for email marketing, hosted on our own servers at marketing.hksmnow.com. If you consent to marketing, your name, email, and preferences are stored there. All data remains within our infrastructure.

GoDaddy: Our website and database are hosted by GoDaddy in the United States.

6. Marketing Emails

We send two types of marketing emails — only if you opt in:

  • Educational content: Free tips, course updates, industry insights
  • Promotional offers: Discounts, new course announcements, special offers

You can change your preferences anytime from your account page or by clicking "unsubscribe" in any email.

We also send transactional emails (verification, password reset), which are required for your account to function and don't require consent.

7. Data Retention

  • Account data — until you request deletion
  • Consent audit log — permanent (legal requirement)
  • Failed login attempts — 90 days
  • Successful login attempts — 30 days
  • Sessions — 30 days after last activity
  • Expired verification/reset tokens — 7 days after expiry

8. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and data
  • Export your data
  • Object to processing based on legitimate interest
  • Withdraw consent for marketing

To delete your account or export your data: Visit your account settings page.

To update marketing preferences: Visit your account settings page or click unsubscribe in any email.

To manage marketing cookies: Use the cookie banner or your browser settings.

Account deletion notice: Deleting your account is permanent and cannot be reversed. Once deleted, we cannot restore your account, verify past purchases, or process refunds. Certain data may be retained where required by law, including consent records (for legal compliance) and transaction records (for tax and accounting purposes).

For other privacy requests, please contact us. We will respond within 30 days.

9. Data Security

We protect your data using:

  • Password hashing (bcrypt)
  • HTTPS encryption
  • Secure, HTTP-only session cookies
  • CSRF protection on all forms
  • Rate limiting on login attempts

10. International Transfers

Your data is stored in the United States (GoDaddy hosting). If you are in the EU/UK, transfers are protected by Standard Contractual Clauses with our service providers.

11. Children

Our services are for adults and working professionals. We do not knowingly collect data from anyone under 16.

12. Changes to This Policy

We will update this policy as our practices change. Material changes will be announced via email or website notice.

13. Contact

For privacy questions or to exercise your rights, please contact us.

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us.
