Privacy Policy
Last Updated: November 3, 2025
This Privacy Policy sets out how Leiwe & Partners (referred to as "we," "us," or "our"), a consulting firm based in Hong Kong, collects, uses, protects, and discloses personal data in compliance with the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the EU General Data Protection Regulation (GDPR), and the US Health Insurance Portability and Accountability Act (HIPAA), where applicable. We are committed to maintaining the confidentiality, integrity, and security of your personal data. By engaging with our services, you acknowledge and consent to the practices described in this policy.
Collection and Use of Personal Data
We collect personal data that is necessary for us to provide our consulting services, manage our relationship with you, and fulfil our legal and regulatory obligations. The types of data we may collect depend on the nature of your interaction with us and can include, but are not limited to, identification data (like name, job title, company name, and contact details), professional data, financial information (for billing purposes), and, if relevant to a specific consulting engagement (particularly in healthcare or related sectors), protected health information (PHI). We collect this data directly from you, from your organisation, or from third parties with your consent or as permitted by law. We will always inform you, at or before the time of collection, of the purposes for which the data will be used, whether the provision of the data is obligatory, and the consequences of not providing it.
Your personal data is used to deliver and administer our consulting services, including providing advice, executing contracts, managing projects, and communicating with you about your engagement. We also use the data for internal business purposes, such as financial administration, quality control, risk management, and training. Furthermore, we may use your information for direct marketing purposes (such as sending updates, market insights, and event invitations) but only in accordance with the strict requirements of the PDPO and GDPR, and only if we have obtained your explicit consent, or have a legitimate interest where allowed. You have the right to opt out of direct marketing at any time.
Specific Compliance Commitments (GDPR and HIPAA)
For individuals or data falling under the scope of the GDPR, our processing of your personal data is based on lawful grounds, primarily contractual necessity for providing our services, fulfilling legal obligations, or your explicit consent. You have specific rights, including the right to access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object to processing. We act as a Data Controller or Data Processor, as defined by the GDPR, depending on the service provided.
Where our services involve handling Protected Health Information (PHI), we strictly adhere to HIPAA requirements. Leiwe & Partners operates as a Business Associate in such cases and is committed to maintaining the privacy and security of PHI. We implement appropriate administrative, physical, and technical safeguards to prevent unauthorised access, use, or disclosure of PHI. We will use and disclose PHI only as permitted or required by the relevant Business Associate Agreement and HIPAA regulations.
Data Disclosure and Cross-Border Transfer
We will keep all personal data held by us confidential. We may, however, disclose or transfer your personal data to third-party service providers (e.g., IT, security, and administrative support) who assist us in operating our business, but only to the extent necessary for them to perform their functions and under a duty of confidentiality. We may also disclose data to professional advisors, auditors, regulatory authorities, or government agencies, as required by law, regulation, or court order, or to protect our legitimate interests.
As a Hong Kong-based firm serving international clients, your personal data may be transferred outside of Hong Kong. We ensure that any such transfer complies with the PDPO and, where applicable, the GDPR. For transfers of EU personal data outside the European Economic Area (EEA), we implement safeguards such as the Standard Contractual Clauses (SCCs) or rely on other legally compliant transfer mechanisms to ensure that your data is protected to a standard equivalent to that provided within the EEA.
Data Retention and Security
We will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purpose of satisfying any legal, accounting, or reporting requirements. Our retention periods are determined in accordance with the PDPO's data retention principles and other applicable laws like GDPR and HIPAA. Once data is no longer necessary, we will securely destroy or permanently anonymise it.
We are committed to protecting the personal data we hold. We have implemented a range of generally accepted technical and organisational security measures to protect against unauthorised or accidental access, processing, erasure, loss, or use of your data. These measures include secure servers, encryption, firewalls, and restricting access to personal data to only those employees who require it for their duties. Our employees are trained on data privacy and security best practices.
Your Rights and Contact Information
You have the right to request access to and correction of your personal data held by us. Under GDPR, you may have additional rights as noted above. All such requests, including inquiries about our privacy practices or complaints regarding the handling of your personal data, should be made in writing.
Please address all data access, correction, and privacy-related inquiries to our Data Protection Officer via email at dpo@leiwe.partners.
We will handle your requests in accordance with the PDPO, GDPR, and HIPAA, and respond to you within the legally required timeframe.
Personal Information Collection Statement (PICS)
This Personal Information Collection Statement (PICS) is provided to you in compliance with the Hong Kong Personal Data (Privacy) Ordinance (PDPO). It explains the purposes for which we collect your personal data, the classes of persons to whom the data may be transferred, and your rights of access and correction. This PICS supplements our full Privacy Policy.
Purposes of Collection
The personal data collected from you by Leiwe & Partners will be used for the following purposes (the "Purposes"):
To provide and administer our consulting services to you or your organisation, including carrying out the specific instructions, agreements, and contracts related to our professional engagement.
To perform client management, relationship management, and administrative functions, such as invoicing, processing payments, debt collection, and managing your account with us.
To comply with legal and regulatory obligations applicable to Leiwe & Partners in Hong Kong and other relevant jurisdictions, including obligations under the PDPO, GDPR, and HIPAA, as well as requirements related to anti-money laundering, counter-terrorist financing, and sanctions compliance.
To conduct risk management, quality assurance, and internal business analysis, including audits, internal controls, and data analytics to improve our services.
To enable us to send you direct marketing materials related to our services, updates, market insights, and events, but only where you have provided your explicit consent or where we are permitted to do so by law.
To handle any enquiries, complaints, or data access/correction requests made by you.
Consequence of Non-Provision
The supply of personal data by you is voluntary unless otherwise specified. However, please note that if you fail to provide the data requested, or if the data provided is inaccurate or incomplete, we may not be able to provide or continue to provide the relevant consulting services to you or your organisation.
Classes of Transferees
We may transfer your personal data to the following classes of persons (whether within or outside Hong Kong):
Our Affiliates and Personnel: Any member, employee, agent, or representative of Leiwe & Partners.
Service Providers: Third-party service providers and vendors who assist us in providing our services, such as IT service providers, data storage providers, professional advisors, and administrative support. These third parties are contractually bound to keep your data confidential.
Successors: Any person or entity that takes over the operation of Leiwe & Partners, or is involved in a merger, acquisition, or internal restructuring.
Governmental/Regulatory Bodies: Law enforcement agencies, government authorities, regulators, and other competent governmental or judicial bodies, as required by law, court order, or regulatory request.
Professional Advisors: External auditors, legal advisors, and other professional experts.
Business Associates (under HIPAA): Other entities that perform functions or provide services involving the use or disclosure of Protected Health Information (PHI) on our behalf, in compliance with a Business Associate Agreement.
Access and Correction Rights
Under the PDPO, you have the right to:
Check whether we hold personal data about you and to request access to that data.
Require us to correct any personal data relating to you that is inaccurate.
Object to the use of your personal data for direct marketing purposes.
We reserve the right to charge a reasonable fee for processing any data access request.
Contact for Inquiries
Requests for access or correction of personal data, or for information regarding our policies and practices, should be addressed to our Data Protection Officer via email at dpo@leiwe.partners.

