Privacy Policy

1. Personal Data We Collect

When you use this site (mortgage calculator, AI advisor, contact form, mortgage application), we may collect:

• Name, contact phone, email address
• Inquiry category (first-time / refinance / second / top-up) and message content
• Property address, valuation, loan amount, monthly income, debt service (for AI analysis and bank matching)
• Documents you upload (HKID, income proof, etc., if you choose self-upload)
• IP address, browser type, visit timestamps (for abuse prevention)

2. Purpose of Use

• Help you complete a mortgage application and refer to partner banks
• Block bot attacks via Cloudflare Turnstile
• Send real-time notifications to Dr Loan advisors for follow-up
• Site operation, traffic analytics, and abuse prevention

We do not sell or rent your personal data to any third party for marketing purposes.

3. Third-Party Service Providers

To deliver our service, certain personal data is shared with (each has their own privacy policy):

• Supabase (database and file storage)
• Vercel (website hosting)
• Cloudflare Turnstile (bot challenge verification)
• OpenAI (AI mortgage analysis; only de-identified data: loan amount, valuation, income ratios)
• Telegram (advisor real-time notifications)
• Partner Banks (referral, only with your explicit consent)

4. Data Retention

• Lead inquiries: retained 24 months for follow-up and reconciliation
• Mortgage applications and uploaded documents: retained 7 years (per HK financial industry standard)
• IP addresses and access logs: retained 90 days

5. Your Rights (PDPO)

Under the Hong Kong Personal Data (Privacy) Ordinance (PDPO), you may:

• Access personal data we hold about you
• Correct inaccurate data
• Request deletion of data no longer required to be retained
• Withdraw consent for processing

To exercise these rights, email info@drloan.hk. We will respond within 7 business days.

6. Data Security

Technical measures include:

• Site-wide HTTPS encryption (HSTS preload)
• Cloudflare Turnstile bot challenges
• Upstash-backed API rate limiting
• Content Security Policy to prevent XSS
• Multi-factor authentication on all admin accounts
• File uploads: MIME whitelist + magic-byte verification

7. Cookie Use

We use only essential cookies to maintain login state and prevent abuse; no third-party tracking cookies for advertising.

8. Policy Updates

This policy may be updated from time to time. Significant changes will be announced on the site. Please review periodically.

9. Contact Us

Data protection contact:
Dr Loan
Flat B, 4/F, Carlee Building, 18 Tong Mei Road, Mong Kok, Kowloon
Email: info@drloan.hk
WhatsApp: +852 6086 1449