Version: v1.0.1 Last Updated: 2026-04-24
Privacy Policy / 私隱政策
0. Bilingual Clause / 語言條款
The English version is the authoritative text. The Chinese (Traditional) version is for convenience. In case of conflict, the English version prevails, except where applicable data-protection law mandatorily requires otherwise.
英文版本為正式權威版本。繁體中文版本僅供參考。如有歧異,除適用資料保護法律 強制規定另有要求外,以英文版本為準。
1. Who This Policy Applies To / 適用對象
This Privacy Policy explains how mii.events Management (operator of mii.events, "we", "us", "our") processes personal data.
本私隱政策說明 mii.events Management(mii.events 之營運商,「我 們」、「本公司」)如何處理個人資料。
It applies to:
適用對象包括:
- Platform Users — Admins, Agents, and Clients (also referred to as "Event Hosts") who hold accounts and use the admin dashboard, APIs, or paid features; 平台用戶 — 持有帳戶並使用管理後台、API 或付費功能之 Admin、Agent 及 Client(亦稱「活動主辦方」);
- Event Guests — invitees who use an event website hosted on the Platform, e.g. to RSVP, check in, or receive invitations; 活動賓客 — 透過本平台所託管之活動網站進行互動(如回覆邀請、入場登 記、接收邀請)之受邀者;
- Website Visitors — people browsing our public marketing pages. 網站訪客 — 瀏覽我們公開市場推廣網頁之人士。
Where a Client (Event Host) uses the Platform to run their own events, the Client is the data controller of guest personal data, and we act as a data processor on the Client's behalf. In that case, the Client's own privacy notice governs the guest-facing relationship, and this Policy describes our processing on their behalf.
當 Client(活動主辦方)使用本平台舉辦其自身活動時,Client 為賓客個人資料之 資料控制者,而我們則代表 Client 作為資料處理者。在該情況下,賓客面向 之關係受 Client 本身之私隱通知規範,本政策則說明我們代其進行之處理。
2. Data We Collect / 我們收集的資料
2.1 Account & Profile Data / 帳戶及個人檔案資料
For Platform Users (Admin / Agent / Client):
就平台用戶(Admin / Agent / Client):
- name, display name, email, username, hashed password, phone number; 姓名、顯示名稱、電郵、使用者名稱、雜湊密碼、電話號碼;
- role and permission assignments (user group); 角色及權限配置(用戶群組);
- plan type, organisational hierarchy (e.g. Admin ↔ Agent ↔ Client linkage); 方案類型、組織層級(例如 Admin ↔ Agent ↔ Client 之連結關係);
- preferred currency, language; 偏好貨幣、語言;
- profile photo or branding assets you upload. 閣下上載之頭像或品牌素材。
2.2 Event & Guest Data / 活動及賓客資料
Uploaded or entered by Clients / Agents, or submitted by guests via the registration form:
由 Client / Agent 上載或輸入,或由賓客透過登記表單提交:
- event details (name, date, venue, floor plan, questions, media); 活動資料(名稱、日期、場地、平面圖、問題、多媒體內容);
- guest name, contact (email / phone), attendance status, dietary or accessibility needs, seat assignment, check-in status; 賓客姓名、聯絡資料(電郵/電話)、出席狀態、飲食或無障礙需求、座位安排、 入場登記狀態;
- RSVP form answers and any custom questions the Client configures; 回覆邀請表單答案及 Client 所設定之自訂問題;
- OTP verification records (code hash, timestamps, attempt count) for guest identity verification, where enabled by the Client. 賓客身份驗證之 OTP 紀錄(代碼雜湊、時間戳、嘗試次數),於 Client 啟用時適 用。
2.3 Payment Data / 付款資料
- Credit-purchase transactions, amounts, currency (USD / HKD), plan and pack identifiers, Stripe payment references, timestamps; Credit 購買交易、金額、貨幣(美元/港幣)、方案及 credit 包識別碼、Stripe 付款參考、時間戳;
- we do not store full card numbers; payment card data is collected and processed by Stripe under its own PCI-DSS-certified infrastructure; 我們不儲存完整信用卡號碼;信用卡資料由 Stripe 於其自有且通過 PCI DSS 認證之基礎架構收集及處理;
- billing metadata (name, email, country, tax status) as required for invoicing and tax reporting. 開立發票及稅務申報所需之帳單元資料(姓名、電郵、國家、稅務狀態)。
2.4 Technical & Usage Data / 技術及使用資料
- IP address, device / browser identifiers, operating system, locale; IP 位址、裝置/瀏覽器識別碼、作業系統、地區設定;
- server-side logs of API requests, response codes, timestamps, authentication events; API 請求、回應代碼、時間戳、身份驗證事件之伺服器端紀錄;
- bot-protection signals from Cloudflare Turnstile (challenge token, outcome); 來自 Cloudflare Turnstile 之機器人防護訊號(驗證 Token、結果);
- Server-Sent Events (SSE) subscription metadata for real-time features. 即時功能之 Server-Sent Events (SSE) 訂閱元資料。
2.5 Cookies / Cookies
- strictly necessary session cookies (login, CSRF, locale); 嚴格必要之 Session Cookies(登入、CSRF、語言設定);
- preference cookies (e.g. theme, language persistence); 偏好 Cookies(例如主題、語言記憶);
- we do not currently deploy third-party advertising or cross-site tracking cookies. If this changes, a cookie banner with granular consent will be introduced. 目前不使用第三方廣告或跨站追蹤 Cookies。如日後引入,將提供附細項同意 選項之 Cookie 橫幅。
2.6 Communications / 通訊紀錄
- messages sent via the Platform (content, recipient, delivery status); 透過本平台發送之訊息(內容、收件人、送達狀態);
- support correspondence. 支援通訊內容。
3. Sources of Data / 資料來源
We collect personal data:
我們收集個人資料之途徑:
- directly from you when you register, log in, configure an event, make a purchase, contact us, or RSVP; 閣下註冊、登入、設定活動、購買、聯絡我們或回覆邀請時直接提供;
- from Clients / Agents who upload guest lists or configure events on behalf of guests; 由 Client / Agent 代表賓客上載名單或設定活動時提供;
- automatically via server logs, cookies, and service integrations; 透過伺服器紀錄、Cookies 及服務整合自動收集;
- from third-party services that we integrate with (e.g. Stripe for payment outcomes). 由我們整合之第三方服務(例如 Stripe 之付款結果)提供。
4. Purposes & Legal Bases / 目的與合法依據
We process personal data for the following purposes. Where the EU/UK GDPR applies, we rely on the legal bases listed in brackets.
我們就以下目的處理個人資料。於適用歐盟/英國 GDPR 時,我們依賴括號內所列合法 依據。
- Provide and operate the Service — account management, event hosting, guest registration, check-in, seat assignment, SSE real-time updates. (Contract; Legitimate interests) 提供及運作本服務 — 帳戶管理、活動託管、賓客登記、入場登記、座位安 排、SSE 即時更新。(合約;正當利益)
- Payments and credits — process Stripe transactions, fulfil credit purchases, issue refunds, maintain the credit ledger. (Contract; Legal obligation for tax records) 付款及 Credit — 處理 Stripe 交易、完成 credit 購買、發出退款、維持 credit 帳簿。(合約;就稅務紀錄之法律義務)
- Security and fraud prevention — rate limiting, bot protection, abuse detection, anti-spam, incident response. (Legitimate interests; Legal obligation) 安全及反詐騙 — 流量限制、機器人防護、濫用偵測、反垃圾訊息、事件處 理。(正當利益;法律義務)
- Communications — transactional messages, password resets, OTP delivery, service announcements. (Contract; Legitimate interests; Consent where required) 通訊 — 交易訊息、密碼重設、OTP 發送、服務公告。(合約;正當利益;法律 要求時之同意)
- Analytics and improvement — aggregate usage trends, feature adoption, error diagnostics. (Legitimate interests) 分析及改進 — 聚合使用趨勢、功能採納率、錯誤診斷。(正當利益)
- Legal compliance and dispute resolution — keeping records, responding to lawful requests, enforcing terms. (Legal obligation; Legitimate interests) 法律合規及爭議解決 — 保留紀錄、回應合法請求、執行條款。(法律義務; 正當利益)
- Marketing of our own similar services to existing Platform Users (Legitimate interests, with opt-out). We do not sell personal data and do not use guest data for our own marketing without separate consent. 向現有平台用戶行銷我們自己之同類服務 (正當利益,附退出選項)。我 們不出售個人資料,且不於未另取得同意下將賓客資料用於我們自身之 行銷。
5. How Data Is Shared / 資料分享方式
We share personal data only as follows:
我們僅於下列情況分享個人資料:
Within the role hierarchy — Admins see Agents they manage; Agents see their Clients; Clients see their event guests. This is an intentional design feature, not an unrelated disclosure. 於角色層級內 — Admin 可見其管理之 Agent;Agent 可見其 Client; Client 可見其活動賓客。此為有意設計之功能,非無關之披露。
Sub-processors / vendors, including: 次級處理者/供應商,包括:
- Stripe, Inc. — payments, refunds, payment processing; Stripe, Inc. — 付款、退款、付款處理;
- MongoDB, Inc. — database hosting provider; MongoDB, Inc. — 資料庫託管供應商;
- Cloudflare, Inc. — CDN, DNS, Turnstile bot protection, network layer; Cloudflare, Inc. — CDN、DNS、Turnstile 機器人防護、網絡層;
- Third-party messaging delivery service — for delivery of invitations and notifications; 第三方訊息傳送服務 — 用於傳送邀請及通知;
- Email hosting provider — for transactional email delivery. 電郵託管供應商 — 用於交易電郵之傳送。
Sub-processors are bound by contractual confidentiality and data- protection terms (e.g. Standard Contractual Clauses for transfers out of the EEA / UK where applicable). 次級處理者受合約保密及資料保護條款約束(例如於自歐洲經濟區/英國轉移時, 採用標準合約條款)。
Professional advisors (lawyers, auditors) under confidentiality. 專業顧問(律師、核數師),均受保密約束。
Law-enforcement or regulators when legally required, and subject to challenge where appropriate. 執法機關或監管機構,於法律要求下提供,並於適當情況下提出異議。
Corporate transactions — in a merger, acquisition, or reorganisation, personal data may be transferred to the successor, subject to the same or stricter protections. 公司交易 — 於合併、收購或重組中,個人資料可能轉移予繼承實體,但須維 持同等或更嚴格之保護水準。
We do not sell personal data.
我們不出售個人資料。
6. International Transfers / 跨境資料轉移
The Platform may process data on servers located outside your country (including in Hong Kong, the EU, the UK, and the United States).
本平台可能於閣下所在國家以外之伺服器上處理資料(包括位於香港、歐盟、英國及 美國之伺服器)。
Where personal data is transferred from the EEA / UK / Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum, or adequacy decisions, as applicable.
當個人資料自歐洲經濟區/英國/瑞士轉移時,我們依靠適當之保障措施,例如標 準合約條款、英國國際資料轉移附錄或相應充分性認定(視乎適用情況)。
7. Retention / 保留期限
We keep personal data only as long as needed for the purposes described, unless a longer retention is required by law.
我們僅於為達成上述目的所需之期間內保留個人資料,惟法律要求較長期限者除外。
Indicative retention periods:
概略保留期限:
| Data / 資料 | Retention / 保留期 |
|---|---|
| Active account data / 活躍帳戶資料 | For the life of the account / 帳戶存續期間 |
| Guest list & RSVP data / 賓客名單及回覆資料 | Until the Client deletes the event, or 12 months after the event end date, whichever is earlier / 由 Client 刪除活動或活動結束日後 12 個月(以較早者為準) |
| OTP records / OTP 紀錄 | 30 days (expired/banned kept as audit) / 30 日(已過期/封鎖者作審計保留) |
| Payment & tax records / 付款及稅務紀錄 | 7 years (HK statutory) / 7 年(香港法定要求) |
| Server logs / 伺服器紀錄 | 90 days rolling / 90 日循環覆蓋 |
| Backups / 備份 | 30–90 days / 30–90 日 |
| Closed account metadata / 已關閉帳戶元資料 | Minimum set kept for dispute and legal-obligation reasons / 為爭議及法律義務最低限度保留 |
8. Security / 資料安全
We implement appropriate technical and organisational measures, including:
我們實施適當之技術及組織措施,包括:
- TLS encryption in transit; 傳輸中採用 TLS 加密;
- hashed passwords (never stored in plaintext); 雜湊密碼(絕不以明文儲存);
- token-based authentication with role-based access control; 基於令牌之身份驗證,並配合角色存取控制;
- rate limiting and Cloudflare Turnstile bot protection on sensitive endpoints; 於敏感端點實施流量限制及 Cloudflare Turnstile 機器人防護;
- Stripe webhook signature verification and idempotent credit fulfilment; Stripe Webhook 簽章驗證及等冪 credit 發放;
- strict schema validation at the database layer; 資料庫層之嚴格結構驗證;
- audit logs for sensitive operations; 敏感操作之審計紀錄;
- principle-of-least-privilege for staff access. 員工存取採最低權限原則。
No system is perfectly secure; in the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users as required by applicable law.
沒有系統可絕對安全;如發生可能對閣下權利及自由構成風險之個人資料外洩事件, 我們將按適用法律之要求通知相關監管機關及受影響用戶。
9. Your Rights / 閣下之權利
Subject to applicable law, you may have the right to:
在適用法律允許之範圍內,閣下可能享有以下權利:
- access a copy of your personal data; 查閱閣下個人資料之副本;
- rectify inaccurate data; 更正不準確之資料;
- erase your data (subject to exceptions such as legal retention); 刪除閣下之資料(惟須受法律保留等例外情況限制);
- restrict or object to processing; 限制或反對處理;
- port your data in a structured format; 以結構化格式可攜閣下之資料;
- withdraw consent at any time, without affecting prior processing; 隨時撤回同意,且不影響撤回前之處理;
- lodge a complaint with a supervisory authority, such as the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD), or the authority in your country of residence. 向監管機關(例如香港個人資料私隱專員公署)或閣下居住國之相關機關 提出投訴。
How to exercise your rights / 行使權利之方法: email [email protected] (subject: Privacy Request). We will respond within the period required by applicable law (typically within 30 days).
行使權利之方法:發送電郵至 [email protected](主旨:私隱請求)。我 們將於適用法律所要求之期間內(通常為 30 日內)回覆。
If the data relates to a guest and was uploaded by a Client, we will normally redirect the request to that Client as the data controller, and assist them under our data-processor obligations.
如資料為由 Client 上載之賓客資料,我們通常會將請求轉交該 Client 以資料控制者 身份處理,並按資料處理者之義務協助其回應。
10. Children's Data / 兒童資料
The Platform is not intended for use by children under 13 (or the minimum age in your jurisdiction) to create accounts. A minor may appear in guest lists uploaded by an adult organiser. If you believe we hold data about a child without appropriate consent, contact [email protected] (subject: Children's Data) and we will investigate and delete as appropriate.
本平台並不擬讓 13 歲以下(或所在司法管轄區法定最低年齡)兒童自行建立帳戶。 未成年人或會出現於成人主辦方上載之賓客名單中。如閣下認為我們在未獲適當同意 下持有兒童資料,請聯絡 [email protected](主旨:兒童資料),我們將進行 調查並作適當刪除。
11. Automated Decision-Making / 自動化決策
We do not carry out solely automated decision-making that produces legal or similarly significant effects on you.
我們不進行對閣下產生法律效力或類似重大影響之全自動化決策。
12. Changes to This Policy / 本政策之變更
We may update this Policy from time to time. The "Last Updated" date at the top of the document will reflect the latest revision. For material changes, we will notify you by in-app notice and / or email before the change takes effect.
我們可不時更新本政策。文件頂部之「最後更新日期」將反映最新版本。就重大變 更,我們將於生效前透過應用程式內通知及/或電郵通知閣下。
13. Contact / 聯絡我們
- Data-protection contact / 資料保護聯絡人: [email protected] (subject: Privacy Enquiry)
END OF DOCUMENT / 文件結束