Legal · Hong Kong PDPO · Last updated June 2026

Privacy Policy.

What we collect, why, who we share it with, and the rights you have over it — in the plainest English we can manage. We use cookieless analytics, set no advertising or cross-site tracking cookies of our own, and never sell your personal data. Governed by the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong.

This Privacy Policy explains, in plain terms, how Schnalz.net handles personal data in connection with this website and the apps we publish. It is written to be transparent and accurate to what we actually do — not to make promises we cannot keep. It is not legal advice to you. Please read it alongside our Terms of Service.

1. Who we are

This website (schnalz.net) is operated by Schnalz.net ("Schnalz", "we", "us", or "our"), a digital-marketing and software studio based in the Hong Kong Special Administrative Region (Hong Kong SAR). We provide digital-marketing services to clients (AI/GEO, SEO, Google Ads, paid social, and web & app development) and we publish our own iOS/Android apps and websites under the name "Schnalz Studio".

For the purposes of the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (the "PDPO"), as amended by the Personal Data (Privacy) (Amendment) Ordinance 2021, we are the data user responsible for the personal data we collect through this website.

We also welcome visitors from the European Union, the United Kingdom, and other regions. Where data-protection laws such as the EU/UK General Data Protection Regulation ("GDPR") apply to you, we aim to honour equivalent rights as described in this policy. We are based in Hong Kong and are not established in the EU or UK; references to GDPR-style rights are offered as a courtesy and are given effect to the extent those laws actually apply to your situation.

2. What information we collect

We deliberately keep data collection to a minimum. We do not run advertising or cross-site tracking on our own website, and we do not build profiles of our visitors. Specifically, this is what we collect:

2.1 Contact form. If you use our contact form, we collect the information you choose to submit: your name, your email address, and your message, plus — where you provide them — an optional company name, an optional phone number, and an optional budget or monthly ad-spend range. Submissions are processed and delivered to us through Formcarry, a form-delivery service (see Section 6). The form also contains a hidden "honeypot" field used purely to detect and block automated spam; it is invisible to genuine users and is not used to identify or track you.

2.2 Appointment scheduling. If you book a call with us, scheduling is handled through Calendly. When you book, Calendly collects the details you enter (such as your name, email, and chosen time) in order to arrange the meeting. That information is processed under Calendly's own privacy terms as well as this policy (see Section 6).

2.3 Cookieless web analytics. We use counter.dev, a privacy-focused, cookieless analytics service, to understand aggregate visit numbers and trends. It collects aggregate visit data only. It does not set cookies, does not store IP addresses, and does not build cross-site profiles of you. We see counts and trends, not individuals.

2.4 Server and access logs. Our hosting provider, Hostinger, keeps standard server and access logs (which may briefly include technical data such as IP addresses, browser/user-agent strings, and request timestamps) for the security, integrity, and operation of the site. These logs are generated and retained by the hosting provider under its own arrangements and are used by us only for security and operational purposes.

2.5 Theme preference (not a cookie). When you switch between light and dark mode, your choice is stored in your browser's localStorage. This is not a cookie, is not used for tracking, never leaves your device, and is not transmitted to us or to any third party.

2.6 Direct communications. If you contact us by email or via Telegram, we receive and retain the contents of your message and your contact details so that we can respond and keep a record of our correspondence.

We do not knowingly collect special-category or sensitive personal data through this website, and we ask that you do not submit it through the contact form. The apps we publish are designed to collect little or no personal data — see Section 11.

3. Why we use your information (purposes & legal bases)

We only use personal data for the purposes for which it was collected, or for a directly related purpose. Where a legal basis is relevant (for example, for visitors to whom GDPR-style laws apply), the corresponding basis is noted:

  • To respond to you and provide what you asked for — answering enquiries, preparing quotes, and arranging calls. Basis: performance of, or steps prior to entering into, a contract, and our legitimate interest in responding to you.
  • To operate, secure, and maintain the website — including hosting, server logs, and spam prevention (the honeypot). Basis: our legitimate interest in running a secure, functioning website.
  • To understand aggregate usage — via cookieless analytics that do not identify you. Basis: our legitimate interest in improving the site, supported by the privacy-preserving design of the analytics we use.
  • To remember your theme preference — stored only on your own device. Basis: your action in selecting it; no server-side processing of personal data is involved.
  • To comply with legal obligations — where Hong Kong or other applicable law requires us to retain or disclose information. Basis: compliance with a legal obligation.
  • To establish, exercise, or defend legal claims, and to protect our rights, property, users, and lawful interests. Basis: our legitimate interests.

Where we rely on consent (for example, if we ever ask to send you optional updates), you may withdraw it at any time without affecting processing already carried out. We will not use your contact details to send you marketing you did not ask for.

4. Cookies, analytics & tracking

We take a deliberately minimal approach:

  • This website sets no advertising or cross-site tracking cookies of its own.
  • Our analytics provider, counter.dev, is cookieless — it sets no cookies and does not store your IP address (see Section 2.3).
  • Your light/dark theme preference is stored in localStorage, which is not a cookie and never leaves your device (see Section 2.5).

Third-party services you actively choose to use from our site — for example Calendly (scheduling) or external links — may set their own cookies or process data under their own privacy policies once you interact with them. We do not control those technologies. You can manage or block cookies through your browser settings; doing so will not affect your ability to read this site, as we do not depend on cookies to function.

5. We do not sell your personal data

We do not sell, rent, or trade your personal data, and we do not share it with third parties for their own independent marketing. We share information only with the service providers needed to operate the site and respond to you (Section 6), or where we are legally required to do so.

6. Third-party service providers & international transfers

To run this website and respond to you, we rely on a small number of reputable third-party service providers who process limited data on our behalf or under their own terms. Because some of these providers operate outside Hong Kong, your information may be transferred to, processed in, and stored in jurisdictions other than Hong Kong. The main providers are:

  • Formcarry — contact-form delivery (United States).
  • Calendly — appointment scheduling (United States).
  • counter.dev — cookieless, aggregate analytics (European Union).
  • Hostinger — website hosting and server/access logs.
  • Telegram — where you choose to communicate with us via Telegram.

Each provider processes data under its own privacy terms; we encourage you to review them. We select providers we consider reputable and take reasonable steps so that personal data continues to be handled with appropriate care when it is transferred internationally. By submitting information through the contact form or otherwise communicating with us through these channels, you consent to, and understand that, your information may be transferred to, processed in, and stored outside Hong Kong as described above. We will only disclose personal data to others where you have asked us to, where a provider needs it to perform a service for us, or where disclosure is required or permitted by law. These third-party providers are independent services with their own privacy and security practices; to the maximum extent permitted by applicable law, we are not responsible for the independent acts or omissions of any third-party provider, and your use of services such as Calendly is also subject to that provider's own terms.

Separately, when we deliver marketing or development services to clients, we may handle data using platforms such as Google, Meta, and similar ad/analytics services on the client's behalf — that processing is described in Section 12.

7. How long we keep your information (retention)

We keep personal data only for as long as is reasonably necessary for the purposes set out in this policy, after which we delete or anonymise it. In practice:

  • Contact-form and enquiry data is retained for as long as needed to handle your enquiry and any resulting relationship, and for a reasonable period afterwards to maintain a record of our dealings and to handle any follow-up, legal, or accounting needs.
  • Scheduling data is retained for as long as needed to arrange and follow up on the meeting.
  • Analytics data is aggregate and does not identify you.
  • Server/access logs are retained by the hosting provider for the period needed for security and operation.

Where law requires a longer retention period, or where information is needed to establish, exercise, or defend legal claims, we may keep it for that longer period.

8. How we protect your information (security)

We take the security of personal data seriously and apply reasonable and practicable technical and organisational measures designed to protect it against unauthorised or accidental access, loss, alteration, disclosure, or destruction — including limiting access to those who need it, using reputable service providers, and relying on encrypted connections where appropriate. However, no website, transmission method, or storage system is completely secure, and we cannot and do not guarantee absolute security. You share information with us at your own risk, and you are responsible for keeping any credentials or communications channels you use secure on your side.

9. Your rights

Under the PDPO, and subject to its conditions and exemptions, you have the right to:

  • Ask whether we hold personal data about you and to request access to it (a data access request);
  • Request correction of personal data that is inaccurate; and
  • Be informed of our policies and practices in relation to personal data and of the kinds of data we hold.

We may charge a reasonable fee for complying with a data access request, as permitted by the PDPO, and we will respond within the timeframe required by law.

If you are in the EU, UK, or another region whose data-protection laws apply to you, you may also have additional rights — such as to erasure, restriction or objection to certain processing, data portability, and withdrawal of consent — and we will give effect to those rights to the extent the applicable law requires. Some of these rights are subject to conditions and exceptions, and certain data (for example, aggregate analytics that does not identify anyone) may not be capable of being linked back to you.

How to exercise your rights. Contact us through our contact form, by Telegram, or by email (details in Section 14). We may need to verify your identity before acting on a request, to protect your data.

Complaints. If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), or, where applicable, with your local data-protection authority.

10. Children

Our website and services are intended for businesses and adults and are not directed at children under the age of 13. We do not knowingly collect personal data from children through this website. The apps we publish are designed to collect little or no personal data (see Section 11). If you believe a child has provided us with personal data, please contact us and we will take reasonable steps to delete it.

11. Our apps (Schnalz Studio)

The apps we publish under "Schnalz Studio" are designed to minimise data and, in general, do not collect personal data. For example:

  • DB Transport — requires no account and collects no personal data. It records only anonymous, aggregate click counts (no identifiers and no stored IP addresses). Any optional location is used on your device only, to pick a route, and is not sent to us. The in-app feedback form collects only the email address and message you choose to send, solely so we can reply to you.
  • Other apps similarly avoid collecting personal data.

Because each app may differ slightly, app-specific privacy notes are published on each app's own page. See all our apps (for example, DB Transport, Vokabel, Lumina Sudoku, and Circles) for details specific to the app you are using. The apps are provided "as is" — see our Terms of Service.

12. Client engagements (when we act on your behalf)

When we deliver marketing or development services to a client, we may process that client's business and campaign data and access advertising or analytics accounts — for example Google Ads, Meta, or Google Analytics (GA4) — on the client's behalf. In that context we act as the client's data processor/agent, handling data under the client's instructions. The specifics of that processing (including responsibilities, security, and any personal data involved) are governed by the separate written client agreement, not by this website policy. This policy covers our own website and the apps we publish.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or the law. When we do, we will revise the "Last updated" date below and post the updated version on this page. Material changes may be highlighted more prominently. Your continued use of the website after an update takes effect indicates your awareness of the revised policy. We encourage you to review this page periodically.

14. How to contact us

If you have any questions about this Privacy Policy, wish to exercise your rights, or want to raise a privacy concern, please contact us:

This Privacy Policy is governed by the laws of the Hong Kong SAR. You also have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), if you believe your data-protection rights have been infringed. For the rules that apply to your use of this website and our apps, please see our Terms of Service.

Last updated · June 2026