Last updated: 2026-02-17
ONY1 PRIVACY POLICY
Effective Date: February 17, 2026
Operator: Magi Systems Limited, a company incorporated in Hong Kong (BRN: 76008482), Unit 1603, 16th Floor, The L. Plaza, 367 - 375 Queen's Road Central, Sheung Wan, Hong Kong ("Company," "we," "us," or "our")
Product: ONY1 (the "Service")
This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the Service. It is drafted in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") and its six Data Protection Principles.
This Privacy Policy applies to all visitors to our website, all registered users of the Service, and any individuals whose personal data is processed through the Service.
For purposes of this policy:
- "Personal Data" means any data relating directly or indirectly to a living individual from which it is practicable to identify that individual.
- "Data Subject" means the individual to whom Personal Data relates.
- "Customer" means the business or individual who registers for and uses the Service.
- "Customer Data" means all data uploaded to or created within the Service by the Customer, as defined in our Terms of Service.
1. Our Role: When We Are Data User and When We Are Data Processor
1.1 Company as Data User
We act as a Data User (as defined under the PDPO) when we collect and process Personal Data for our own purposes, including:
- Account registration and management
- Billing and payment processing
- Customer support communications
- Service analytics and improvement
- Marketing communications (with consent)
- Compliance with legal obligations
1.2 Company as Data Processor
When Customers upload or input Personal Data of their own clients, employees, or contacts into the Service, the Customer is the Data User and we act as a Data Processor. In this capacity:
- We process Personal Data solely on the Customer's instructions and for the purpose of providing the Service
- We do not use Customer Data for our own purposes
- The Customer is responsible for ensuring it has lawful basis to collect and process such data
- The Customer is responsible for responding to Data Access Requests from its own data subjects
2. Personal Data We Collect
2.1 Data You Provide Directly
When you register for or use the Service, we may collect:
- Account information: Full name, email address, company name, job title, phone number
- Billing information: Billing address, company registration details, VAT/tax identification numbers. Payment card details are collected and processed directly by our payment processor (Stripe) and are not stored on our systems.
- Support communications: Messages, emails, and attachments sent to our support channels
- Preferences: Language, timezone, notification settings, and feature configurations
2.2 Data Collected Automatically
When you access the Service, we automatically collect:
- Usage data: Features accessed, actions performed, pages visited, timestamps, session duration
- Device and connection data: IP address, browser type and version, operating system, device type, screen resolution
- Log data: Server logs including access times, error logs, and referring URLs
2.3 Data from Third Parties
We may receive data from:
- Payment processor (Stripe): Transaction status, subscription status, payment method type (not full card details)
- Google Sign-In: If you sign in using Google, we receive your name, email address, and profile picture as authorized by you through Google's consent screen. We do not receive your Google password.
- Shopify (where enabled): If you connect a Shopify store to the Service, we receive product, order, and customer data as configured by you through the integration. You are responsible for ensuring you have lawful basis to share such data with the Service.
2.4 Customer Data
Customers upload and manage their own business data within the Service. This may include Personal Data of the Customer's clients, employees, suppliers, or contacts. We process this data solely to provide the Service and in accordance with Section 1.2 above.
3. How We Use Personal Data
We use Personal Data only for the following purposes, which are directly related to our functions and activities as operator of the Service:
| Purpose | Legal Basis (PDPO) |
|---|---|
| Providing and maintaining the Service | Necessary for the performance of the contract (ToS) |
| Processing payments and managing subscriptions | Necessary for the performance of the contract |
| Responding to support requests | Necessary for the performance of the contract |
| Sending transactional notifications (billing, security, service changes) | Necessary for the performance of the contract |
| Monitoring and improving Service performance, security, and reliability | Legitimate operational interest directly related to our functions |
| Detecting and preventing fraud, abuse, and security incidents | Legitimate operational interest and legal compliance |
| Generating Anonymized Data for analytics, benchmarking, and product improvement | Consent via Terms of Service; data is irreversibly anonymized |
| Sending marketing communications about the Service | Explicit consent; you may opt out at any time |
| Complying with legal obligations, law enforcement requests, and court orders | Required by law |
We do not use identifiable Customer Data to train artificial intelligence or machine learning models. Only Anonymized Data (as defined in our Terms of Service) may be used for such purposes.
4. Anonymized Data
We may derive Anonymized Data from use of the Service. Anonymized Data has been processed such that it cannot reasonably be used to identify any Customer, individual, or data subject. Anonymized Data is not Personal Data.
We use Anonymized Data for benchmarking, analytics, machine learning and AI model training, product improvement, and commercial purposes. Full details are set out in Section 11 of our Terms of Service.
5. Cookies and Tracking Technologies
5.1 What We Use
We use the following types of cookies and similar technologies:
| Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security, load balancing | Session or up to 12 months |
| Functional | Remembering your preferences, language, and settings | Up to 12 months |
| Analytics | Understanding how the Service is used, feature adoption, error tracking | Up to 24 months |
5.2 What We Do Not Use
We do not use advertising or third-party tracking cookies. We do not sell or share cookie data with advertisers.
5.3 Managing Cookies
You can manage cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning correctly.
6. Data Sharing and Disclosure
We do not sell Personal Data. We share Personal Data only in the following circumstances:
6.1 Service Providers (Subprocessors)
We engage trusted third-party service providers to help operate the Service. These providers process Personal Data only on our instructions and are contractually required to protect it.
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Stripe | Payment processing, subscriptions, invoicing | Billing details, transaction data, payment method type |
| Supabase | Cloud hosting, database, authentication | All Customer Data, account information, authentication credentials |
| Vercel | Application hosting and content delivery | IP address, request logs, usage data |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request headers, traffic data |
| PostHog | Product analytics and feature tracking | Usage data, device data, anonymized behavioral events |
| Resend | Transactional and support email delivery | Email address, name, email content |
| Ably | Real-time messaging and data synchronization | Session data, real-time event data |
| Intercom | Customer support, helpdesk, live chat | Name, email, support messages, device data |
| Marker.io | Bug reporting and visual feedback | Screenshot data, browser data, user-submitted feedback |
| Google | Authentication (Sign in with Google) | Name, email address, profile picture (as authorized by you) |
| Shopify | E-commerce integration (where enabled by Customer) | Product data, order data, customer data as configured by the Customer |
This list is current as of the effective date of this policy. We will update this list as subprocessors change. You may request the current list at any time by emailing support@ony1.com.
6.2 Legal Requirements
We may disclose Personal Data where required by law, regulation, court order, or governmental request, or where necessary to protect our rights, safety, or property.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, Personal Data may be transferred to the acquiring entity. We will notify affected users of any such transfer.
6.4 With Customer's Consent
We may share Personal Data where the Customer has given explicit consent.
7. International Data Transfers
The Service is hosted on infrastructure that may be located outside Hong Kong. By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside Hong Kong.
We take reasonable steps to ensure that any international transfer of Personal Data is protected by appropriate safeguards, including contractual obligations on our service providers to maintain confidentiality and security standards consistent with the PDPO.
8. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with DPP2 of the PDPO.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of the account, plus 12 months after termination for administrative purposes |
| Billing and transaction records | 7 years from the date of the transaction (as required for tax and accounting compliance) |
| Support communications | 3 years from the date of the last communication in the thread |
| Usage and log data | 24 months from the date of collection |
| Customer Data | Duration of the account. Upon termination, retained for 30 calendar days to allow for data export requests, then permanently deleted. |
| Inactive accounts (no paid subscription) | Deleted after 12 months of inactivity following 30 days' notice, per our Terms of Service |
| ToS acceptance records | 7 years from acceptance date |
| Anonymized Data | Retained indefinitely (not Personal Data) |
When Personal Data is no longer required, we delete or irreversibly anonymize it.
9. Data Security
We implement commercially reasonable technical and organizational measures to protect Personal Data against unauthorized or accidental access, processing, erasure, loss, or use, in accordance with DPP4 of the PDPO. These measures include:
- Encryption of data in transit (TLS) and at rest
- Access controls and role-based permissions for internal systems
- Regular security reviews and monitoring
- Secure authentication mechanisms
- Incident response procedures
No method of transmission or storage is 100% secure. While we strive to protect Personal Data, we cannot guarantee absolute security.
10. Your Rights
Under the PDPO, data subjects have the following rights:
10.1 Right of Access (DPP6)
You have the right to request access to the Personal Data we hold about you. We will respond to verified requests within 40 days.
10.2 Right of Correction (DPP6)
You have the right to request correction of any Personal Data that is inaccurate. We will process correction requests within 40 days.
10.3 Right to Opt Out of Direct Marketing
You have the right to opt out of receiving direct marketing communications at any time. You can do so by clicking the unsubscribe link in any marketing email or by contacting us at support@ony1.com. We will give effect to your request without charge.
10.4 How to Exercise Your Rights
To make a Data Access Request or Data Correction Request, please contact us at:
Email: support@ony1.com
Subject line: Data Access Request / Data Correction Request
We may need to verify your identity before processing your request. We will not charge a fee for data access requests unless the request is manifestly unfounded or excessive.
10.5 Customer Data Subjects
If you are an individual whose Personal Data has been uploaded to the Service by one of our Customers (e.g., you are a client, employee, or contact of the Customer), please direct any data access or correction requests to the relevant Customer. As Data Processor, we process such data on the Customer's instructions and will assist the Customer in responding to valid requests.
11. Children's Data
The Service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child, we will take steps to delete it promptly.
12. Direct Marketing
We will not use your Personal Data for direct marketing purposes unless we have obtained your explicit consent.
Where consent has been given, we may contact you about:
- New features and product updates for the Service
- Service-related offers and promotions
- Industry insights and educational content
You may withdraw your consent at any time by contacting support@ony1.com or using the unsubscribe mechanism in any marketing communication. We will cease direct marketing without charge upon receiving your request.
We do not provide your Personal Data to third parties for their direct marketing purposes.
13. Data Breach Notification
In the event of a data breach affecting Personal Data, we will:
- Assess the nature and scope of the breach
- Take immediate steps to contain and mitigate the breach
- Notify affected Customers without undue delay and in any event within 72 hours of becoming aware of the breach
- Where appropriate, notify the Office of the Privacy Commissioner for Personal Data (PCPD)
- Cooperate with affected parties and authorities as required
While breach notification is not currently mandatory under the PDPO, we follow the PCPD's recommended best practices and the commitment made in our Terms of Service.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' prior notice via email or through the Service.
The "Last updated" date at the bottom of this policy indicates when the most recent changes were made.
Continued use of the Service after the effective date of changes constitutes acceptance.
15. Contact Us
If you have any questions about this Privacy Policy, wish to make a Data Access Request or Data Correction Request, or have a complaint about our handling of your Personal Data, please contact us:
Magi Systems Limited
Unit 1603, 16th Floor, The L. Plaza, 367 - 375 Queen's Road Central, Sheung Wan, Hong Kong
Email: support@ony1.com
Website: https://ony1.com
If you are not satisfied with our response to a complaint, you may contact the Office of the Privacy Commissioner for Personal Data (PCPD):
Website: https://www.pcpd.org.hk
Hotline: (852) 2827 2827