PRIVACY

Privacy Policy

Last updated: 16 June 2026
01

Our Commitment

Broken Fingers+ is operated by Brokenness Ltd., a limited company registered in Hong Kong. We are a social enterprise, and every product is hand-stitched in small batches by artisans (makers) at local sheltered workshops. We understand that entrusting us with personal data such as your name, address, and phone number is an act of trust, and we protect your privacy with the same care we put into our handcraft.

This Privacy Policy explains, in plain language, what data we collect, why we collect it, how we use and protect it, and what rights you have. Our principle is simple: we collect only the data our operations genuinely need, clearly explain its purpose, store it securely, and will never sell your personal data to any third party.

This policy applies to the handling of personal data when you browse and use brokenfingers-plus.com, place an order, subscribe to our newsletter, or contact us about any matter. If you have questions about anything here, you are welcome to email info@brokenfingers-plus.com at any time, and we will be glad to help.

02

Compliance with the PDPO

We handle your personal data in strict compliance with the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong, the "PDPO") and its six Data Protection Principles. In short, this means we commit to:

  • Collecting lawfully and fairly — collecting only the data needed to fulfil orders, provide services, and meet legal requirements, and telling you the purpose at the time of collection;
  • Keeping data accurate and only as long as necessary — making every effort to keep data accurate and not retaining it for longer than needed once its purpose is fulfilled;
  • Using data only for its stated purpose — never using your data for an unrelated new purpose without your consent;
  • Applying security measures — taking reasonable steps to prevent loss, unauthorised access, processing, or deletion of data;
  • Staying transparent — making our privacy practices public (that is, this policy);
  • Respecting your rights — allowing you to access and correct your own personal data.

In this policy, "personal data" means any information that can directly or indirectly identify you, such as your name, contact details, and delivery address.

03

What We Collect

We collect only the data needed to complete your order, provide customer service, and improve our website. Depending on how you use this site, we may collect the following categories:

  • Information required to place an order — when you shop, we need your name, delivery address, email address, and phone number so we can make, pack, arrange delivery, and contact you when needed (for example, to confirm an address or notify you of shipment).
  • Payment information — payments are securely processed in encrypted form by payment providers such as Shopify Payments and PayPal. We do not store your credit card number; these sensitive payment details are handled directly by certified payment providers.
  • Browsing and device information — when you browse the site, certain technical data is automatically recorded, such as cookies, IP address, and browser type, used for anonymous website analytics to help us understand which pages are popular and whether the site works properly across different devices.
  • Subscription information — if you choose to subscribe to our newsletter, we collect your email address to send you new arrivals, offers, and brand stories.

For example: if you are simply browsing the site and looking at products, we will not know who you are and will only see anonymous browsing data; we receive your personal contact details only when you place an order or actively subscribe.

04

Why & How We Use It

We collect data so that you can smoothly receive the handcrafted leather goods you love, and be well looked after whenever you need it. Specific uses include:

  • Processing orders, shipping, and refunds — using your name, address, and phone number to arrange production, packing, delivery, and tracking; and, if a refund is needed, to verify the order and return the payment.
  • Customer service — replying to your enquiries, following up on returns, exchanges, or care requests, and resolving delivery or product issues.
  • Newsletter (only when you subscribe) — we send the newsletter only when you have actively subscribed; every email includes an unsubscribe link, so you can opt out with one click at any time.
  • Anonymous website analytics — understanding site usage in an aggregated, anonymous way, so we can improve the layout, loading speed, and shopping experience.

We will not use your data for an unrelated new purpose without your consent. Our most important promise is this: we will never sell your personal data to a third party. Your trust is not something to be traded.

05

Third-Party Services

To run our online store, arrange delivery, and stay in touch with you, we rely on a number of trusted service providers. In doing so, we share with them only the minimum data necessary to complete that service, not all of your personal data:

  • Shopify — our e-commerce and checkout platform, which hosts the store, processes orders, and handles the secure payment flow.
  • Shopify Payments and PayPal — the payment providers that process your online payment transactions. We transmit only the data necessary to complete the transaction; we ourselves do not access or store your full credit card number, and the related payment details are handled directly by the payment providers under their own privacy and security policies.
  • SF Express / Hongkong Post — the logistics partners responsible for local and international delivery. We provide only the name, delivery address, and phone number needed for delivery.
  • Mailchimp — if you subscribe to the newsletter, we send emails through this platform and provide only your email address.
  • Google Analytics — provides anonymous website analytics to help us understand overall usage trends.

Each of these providers has its own privacy policy and may use the data they receive only within the scope of our instructions, and for no other purpose. We choose our partners carefully, but for how each third-party platform operates, we also suggest you review their respective policies.

06

Cookies & Tracking

Cookies are small text files stored in your browser that help the website "remember" your actions. We use cookies mainly to:

  • Maintain your shopping cart — so the products you add do not disappear as you browse other pages;
  • Remember your login status — if you have created an account, saving you from logging in again on every page;
  • Anonymous visitor analytics — counting site traffic and usage in an aggregated way, never to identify you personally.

You can refuse or delete cookies at any time in your browser settings. Please note, however, that some features that rely on cookies (such as the shopping cart and automatic login) may then stop working properly, affecting your shopping experience. Most browsers let you manage your cookie preferences on their "Settings" or "Privacy" page.

07

Data Security

We take reasonable and appropriate technical and administrative measures to protect your personal data against loss, unauthorised access, disclosure, alteration, or deletion. These include:

  • Encrypted payment processing — sensitive payment data such as credit cards is processed in encrypted form by payment providers like Shopify Payments and PayPal, and we ourselves do not store your credit card number;
  • Trusted platforms — order and account data is stored on Shopify, an e-commerce platform that meets industry security standards;
  • Data minimisation — we collect only the data we need and share with providers only the minimum information required to complete a service, thereby reducing risk.

While we do our best to protect your data, we must be honest: no method of transmission over the internet or electronic storage can be guaranteed one hundred percent secure. If you suspect a problem with your account or data security, please email us immediately at info@brokenfingers-plus.com, and we will help you as soon as possible.

08

Cross-Border Transfers

Our online store is built on Shopify, a global e-commerce platform. As a result, when you place an order or use the site, some of your data (such as order and account data) may be stored or processed on servers operated by Shopify and its service providers located outside Hong Kong. Likewise, our newsletter service (Mailchimp) and analytics tool (Google Analytics) may also process the relevant data overseas.

Wherever your data is processed, we require our service providers to take appropriate measures to protect your personal data in accordance with their privacy policies and applicable law. We choose to work with these internationally recognised platforms precisely because they have mature security and compliance frameworks.

By using this website and providing us with personal data, you understand and agree that your data may involve the cross-border transfer and processing described above. If you have any questions about this, you are welcome to email us before placing an order.

09

Data Retention

We do not keep your data indefinitely — we retain it only for as long as needed to fulfil the purpose of collection, or for the period required by law, after which it is deleted or anonymised. Our retention arrangements for each type of data are as follows:

  • Order records: retained for 7 years — to meet the record-keeping requirements of Hong Kong tax and commercial law for transaction and accounting records.
  • Newsletter subscription data: retained until you unsubscribe — once you opt out, we stop sending and remove your email from our active list.
  • Account data: retained until you request deletion — you may ask us to delete your account and related personal data at any time (except records we are legally required to keep, such as the order records above).

For example, even if you request deletion of your account, we may still need to retain the transaction records relating to your past orders until the 7-year statutory period expires, in order to meet our tax and audit obligations.

10

Your Rights (PDPO)

Under the PDPO, you have a number of rights over your own personal data. We respect these rights and will help you exercise them, including:

  • Right of access — you may request access to the personal data we hold about you;
  • Right of correction — if data is incorrect or out of date (for example, a new address after moving), you may request a correction;
  • Right of deletion — you may request deletion of your account and personal data (except records we are legally required to keep);
  • Withdrawing consent / unsubscribing — you may withdraw your newsletter subscription at any time, or withdraw consent you previously gave for the use of your data.

To exercise any of these rights, simply email info@brokenfingers-plus.com stating your request. To keep your data safe, we may first need to verify your identity before processing an access, correction, or deletion request. We will respond and follow up within a reasonable time.

11

Children's Privacy

This website and our products are intended mainly for adult customers and are not aimed at children. We do not knowingly collect personal data from anyone under the age of 18. If you are a minor, please place an order or provide personal data on this site only with the consent and supervision of a parent or guardian.

If we discover that we have collected a child's personal data without appropriate consent, we will take reasonable steps to delete it as soon as possible. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us by email at info@brokenfingers-plus.com, and we will help follow up.

12

Updates, Contact & Complaints

Policy updates. As our services and the law evolve, we may update this Privacy Policy from time to time. Any update will be published on this website, with the "last updated date" at the top of the page taking precedence. For significant changes, we will notify active members by email. We suggest you revisit this page from time to time to stay informed of our latest privacy practices; continuing to use this website after an update takes effect means you accept the updated content.

Contact us. If you have any questions about this policy, how we handle your personal data, or wish to exercise any of your rights, you are welcome to contact us by:

Complaints. If you believe we have handled your personal data improperly, please email us first and we will take it seriously and do our best to resolve it. You also have the right to lodge a complaint or enquiry with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).