1. Introduction
iOE Technology Ltd. ("EC4S", "we", "us", or "our") operates the EC4S Smart Site Safety System centralized management platform, including the website at https://ec4s.com, the EC4S mobile application, IoT device ingest APIs, and related services (collectively, the "Platform").
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you register for an account, use the Platform, administer a project, upload or receive site and device data, or purchase hardware through the EC4S store.
This policy applies to registered users, project administrators, invited team members, guest viewers, store customers, and individuals whose personal data is uploaded to the Platform by a customer (such as site personnel appearing in telemetry, alerts, or CCTV-related metadata).
2. Data controller and contact
For the purposes of the Personal Data (Privacy) Ordinance (Cap. 486) of the Hong Kong Special Administrative Region ("PDPO"),iOE Technology Ltd., Hong Kong, is the data user (controller) in respect of personal data processed to operate the Platform, authenticate users, and provide our services.
Where a customer (such as a project administrator, contractor, or developer) uploads personal data relating to its employees, subcontractors, or site visitors, that customer may act as an independent data user for such data. In those circumstances, EC4S processes the data as a service provider on the customer's instructions and in accordance with this policy and applicable law.
Privacy enquiries and data subject requests: legal@ec4s.com. General support: ecpermitinfo@gmail.com.
3. Information we collect
The categories of personal data we may collect depend on how you use the Platform:
3.1 Account data
- Email address, full name, phone number, job title, and profile avatar
- Authentication credentials and session tokens managed through our identity provider
- Account preferences such as theme, language, and two-factor authentication settings
- Role assignments, project memberships, and permission records
3.2 Project and operational data
- Project metadata including contract number, location, coordinates, contractor, consultant, client, and nature of works
- IoT device identifiers, telemetry payloads (including flexible JSON schemas), GPS tracks, timestamps, and device-uploaded images
- Alert records including type, severity, status, source device, description, comments, map coordinates, and workflow history
- CCTV stream configuration, stream health logs, and playback session metadata
- Equipment certification records, permit-to-work records, confined space monitoring data, digital asset QR records, VR safety training records, custom variables, KPIs, and audit logs
3.3 Store and checkout data
- Contact name, email, phone, company name, site contract number, and contract name
- Shipping and billing addresses
- Uploaded business name card documents and free-trial agreement signer details
- Order history, payment status, and delivery records
3.4 Mobile application data
- Push notification device tokens used to deliver alert notifications
- Precise location data displayed on alert maps when an alert record contains GPS coordinates (the app does not continuously track location in the background for this purpose)
- Profile photos uploaded through the mobile app
3.5 Automatically collected data
- IP address, browser or device type, operating system, and access timestamps
- Server logs, API usage logs, and security event records
- Session cookies and local storage used to maintain authenticated sessions
4. How we use information
We use personal data to:
- Provide, operate, maintain, and secure the Platform
- Register accounts, authenticate users, and enforce role-based access controls
- Ingest, store, process, display, and transmit IoT telemetry, alerts, dashboards, and CCTV stream metadata
- Deliver notifications through email, webhooks, Telegram (where configured), and mobile push notifications
- Process hardware store orders, free-trial agreements, and related customer communications
- Generate AI-assisted dashboards and widgets using Google Gemini where enabled by a project administrator
- Monitor system performance, detect fraud or abuse, and investigate security incidents
- Comply with legal obligations and respond to lawful requests
- Provide customer support and service-related communications
We do not use personal data for third-party advertising. We do not sell personal data.
5. Legal bases for processing
Under the PDPO and applicable Hong Kong law, we process personal data on the following bases:
- Contract performance: to provide the Platform and fulfil store orders you request
- Legitimate interests: to secure the Platform, prevent fraud, maintain audit trails, and improve reliability, balanced against your privacy rights
- Legal obligation: where processing is required by applicable law or regulatory request
- Consent: where required, such as for optional push notifications or other features that rely on your explicit choice
6. Sharing and service providers
We disclose personal data to trusted service providers who process data on our behalf solely to operate the Platform:
- Supabase — authentication, database, file storage, and realtime services
- Stripe — payment processing for hardware store orders
- Google (Gemini) — AI-assisted dashboard generation where enabled
- Vercel — website and API hosting
- MediaMTX / streaming infrastructure — CCTV ingest and playback
- Expo Push Notification service — delivery of mobile alert notifications
- Optional per-project integrations configured by customers, such as Telegram Bot API, ThingsBoard embeds, and Hong Kong Observatory (HKO) weather data
We may also disclose personal data:
- To other users within your project according to role-based permissions set by project administrators
- When required by law, court order, or governmental authority
- To protect the rights, property, or safety of EC4S, our users, or others
- With your direction or consent, or at the instruction of the customer who uploaded the data
7. Customer-uploaded data and your responsibilities
Project administrators and customers are responsible for ensuring they have lawful authority and all necessary consents, notices, and permissions to collect, upload, and monitor personal data through the Platform, including data relating to site workers, visitors, and individuals captured in telemetry, alerts, or CCTV-related workflows.
EC4S provides technology tools and does not determine whether a customer's monitoring, CCTV deployment, or data collection practices comply with employment, privacy, construction safety, or other applicable laws. Customers remain solely responsible for their compliance obligations in each jurisdiction where they operate.
8. Data retention
We retain personal data for as long as your account or project remains active and as necessary to provide the Platform, maintain security logs, fulfil contractual obligations, resolve disputes, and comply with legal requirements.
When you delete your account (available in web and mobile settings) or submit a valid deletion request, we will delete or anonymize personal data within a reasonable period, subject to:
- Backup retention cycles and disaster recovery requirements
- Records we must retain for legal, tax, audit, or fraud-prevention purposes
- IoT telemetry, alert history, and project records retained according to project settings and operational needs where deletion would affect other authorized users or customers
9. Security
We implement reasonable technical and organizational measures designed to protect personal data, including encryption in transit, access controls, row-level security policies, role-based permissions, and audit logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
You are responsible for maintaining the confidentiality of your login credentials, protecting device ingest tokens, and promptly notifying us of any suspected unauthorized access.
10. International data transfers
Personal data may be processed in jurisdictions where our service providers operate, which may include locations outside Hong Kong (such as the United States or European Union). Where personal data is transferred outside Hong Kong, we take reasonable steps to ensure appropriate safeguards are in place consistent with applicable law.
11. Your rights
Subject to the PDPO and applicable law, you may have the right to:
- Request access to personal data we hold about you
- Request correction of inaccurate personal data
- Request deletion of personal data, subject to legal and operational retention requirements
- Opt out of direct marketing communications where applicable
- Lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong
To exercise these rights, contact legal@ec4s.com. We may need to verify your identity before responding. If your data was uploaded by a project administrator, we may direct you to that customer where appropriate.
12. Cookies and similar technologies
We use essential cookies and similar technologies to maintain authenticated sessions and secure the Platform. We do not use advertising cookies or third-party tracking SDKs for behavioural advertising.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from logging in or using certain features.
13. Children
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us at legal@ec4s.com and we will take appropriate steps to delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be posted at https://ec4s.com/privacy with an updated effective date. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy, except where applicable law requires additional consent.
15. Governing law
This Privacy Policy is governed by the laws of the Hong Kong Special Administrative Region, including the PDPO.
For the terms governing your use of the Platform, see our Terms of Service.