PRIVACY POLICY

Last updated: 19/02/2026

‍

VERSION 1 - THE PLAIN ENGLISH VERSION

Who we are

IPSEM Squared Limited is based in Hong Kong and works across Europe and Asia. We provide:

• Business Performance Improvement (BPI) services; and
• Sponsorship advisory and broking services.

This policy explains what personal information we use, why we use it, and your rights.

‍

EU and UK Representatives

If you are in the EU or UK, you can contact our representatives:

EU Representative:

DataRep

Address:
77 Camden Street Lower
Dublin D02 XE80
Ireland
‍

UK Representative:

Illustre Consulting Limited

Address:
206 Upper Richmond Road West
East Sheen
London
SW14 8AH
Email: hello@illustre.co

‍

When we're in control of data (and when we aren't)

Sometimes we decide how personal data is used (e.g., sponsorship discussions, marketing, website enquiries). In those cases, we are the controller.

Sometimes we handle personal data only on a client’s instructions (e.g., during a BPI project). In those cases, we are a processor and the client is the controller.

‍

What Information We Use

We may use:

• Names, job titles and work contact details
• emails and messages with you
• information shared during BPI work (like roles, workflows, approvals, reporting inputs)
• sponsorship-related information (commercial contacts, proposals, negotiation notes)
• website technical data (like IP address and cookies)
• Information submitted through website forms (managed via HubSpot)

We may hold personal information relating to individuals located in the EU, UK, Australia, New Zealand, the United States and Canada in connection with delivering our services.

We don’t use automated profiling or automated decision-making.

‍

Our BPI platform (hosting can vary)

Depending on the project, the BPI platform might be:

• Hosted by us,
• hosted by the client, or
• delivered through our technology partner
  ‍

Our BPI technology platform is provided by:
QLBS.COM LIMITED
253 Queen Street
Auckland 1010
New Zealand

The platform is hosted using Microsoft Azure cloud services.

These providers operate under contractual data protection and security commitments.

‍

Why we use personal data

We use personal data to:

• deliver BPI services (analysis, reporting, service improvement)
• support sponsorship work (introductions, negotiation support, relationship management)
• respond to enquiries and manage client relationships
• meet legal and regulatory obligations

‍

Service providers we use

To run our business, we use trusted third-party platforms, including:

• HubSpot – for managing client relationships, marketing emails, and website contact forms.
• Monday.com – for project management and operational coordination.

These providers process personal data on our behalf under contractual safeguards.

Because we operate internationally, some data may be processed outside the EU or UK (for example, in the United States or Israel). Where required, we use appropriate legal safeguards to protect that data.

‍

How we keep the data secure

We choose reputable service providers and require them to meet appropriate security and confidentiality standards.

‍

Sharing and international transfers

We don’t sell personal data. We may share it with trusted service providers (like hosting or collaboration tools) and professional advisers, under contracts and confidentiality.

To operate our business we use Microsoft 365 (including Outlook, SharePoint and Teams) for email and document storage. Our Microsoft 365 environment is supported by:

‍

SecuHostIT Solutions & Media Services SDN. BHD. (Malaysia)

‍

They may access systems for administration and support under confidentiality obligations.

Microsoft services may involve processing in multiple countries, including the United States and other locations where Microsoft operates.

We also use trusted service providers, including:

• QLBS.COM LIMITED (New Zealand) – BPI technology platform provider
• Microsoft Azure – cloud hosting provider
• HubSpot (United States) – CRM and marketing tools
• Monday.com (Israel) – project and workflow management

‍

Because we operate internationally, personal information may be processed outside your country (including in Hong Kong, New Zealand, Australia, Israel, the United States or Canada). Where required by law, we use recognised safeguards to protect transferred data.

‍

How long we keep it

We keep personal data only as long as needed for the work we’re doing, plus any legal or contractual requirements.

We keep personal data for seven (7) years, or the length of contracted services plus seven (7) years, whichever is longer.

‍

Your rights

If EU/UK law applies, you may have rights to access, correct, delete, or object to certain processing.

Contact us at: info@ipsemsquared.com

‍

Cookies

We use cookies. See our Cookie Notice here.

‍

Contact

IPSEM Squared Limited

Address:
2401, Dominion Centre
43-59 Queen's Road East
Wan Chai, Hong Kong
999077
Email: info@ipsemsquared.com

‍

VERSION 2 - THE LEGALESE VERSION

IPSEM Squared Limited (“IPSEM Squared”, “we”, “us”, “our”)

Last updated: 19/02/2026

1. Introduction

We are incorporated and based in Hong Kong and operate extensively across Europe and Asia. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data in connection with our:

• Business Performance Improvement (BPI) services; and
• Sponsorship Advisory and Broking services.

‍

Where applicable, we comply with:

• Hong Kong Personal Data (Privacy) Ordinance (cap. 486) ("PDPO");
• EU GDPR; and
• UK GDPR and the UK Data Protection Act 2018

‍

2. Representatives (EU GDPR and UK GDPR)

If you are located in the EU or UK, you may contact our appointed representatives:

EU Representative (Article 27 EU GDPR)

DataRep

Address:
77 Camden Street Lower
Dublin D02 XE80
Ireland

UK Representative (Article 27 UK GDPR)

Illustre Consulting Limited

Address:
206 Upper Richmond Road West
East Sheen
London
SW14 8AH
Email: hello@illustre.co

‍

3. Controller vs Processor

Depending on the service and context, IPSEM Squared may act as:

3.1 Data Controller

Where we determine the purposes and means of processing, including:

• Sponsorship discussions, introductions, negotiations and relationship management;
• Website enquiries and communications;
• Marketing and business development.

3.2 Data Processor

Where we process personal data solely on behalf of a client under a written agreement (including a Data Processing Addendum), including:

• BPI engagement delivery (diagnostics, workflow review, reporting);
• Platform configuration and support (where involving personal data).

Where we act as Processor, the client is the Controller and we process personal data only on documented instructions.

‍

4. Personal data we process

We may process (as applicable):

• Identity and contact data: name, role, employer, business email/telephone;
• Engagement data: meeting notes, correspondence, proposals;
• Operational and governance data: organisational roles/responsibilities, workflow approvals, service delivery records, contract administration data, reporting outputs;
• Sponsorship commercial data: negotiation records, rights packaging documents, commercial contacts;
• Website/technical data: IP address, device/browser data, cookies and analytics.

We do not intentionally process special category data (sensitive data) unless explicitly required, minimised, and contractually agreed with appropriate safeguards.

We may process personal data relating to individuals located in the European Union, United Kingdom, Australia, New Zealand, the United States and Canada, in connection with the provision of our services.

Where individuals submit information via website forms powered by HubSpot, we may collect and process submitted contact details, enquiry information, and related interaction data for the purposes described in Section 6.

‍

5. BPI platform hosting (varies by client)

The BPI platform may be:

• Hosted by IPSEM Squared (or its appointed suppliers), or
• Hosted by the client (client-managed hosting).
• Provided through our technology partner as described below.

Where the BPI platform is delivered via our technology partner, the platform is provided by:‍

QLBS.COM LIMITED
253 Queen Street
Auckland 1010
New Zealand

QLBS.COM LIMITED hosts the platform using Microsoft Azure cloud infrastructure.

Where applicable, QLBS.COM LIMITED and Microsoft Azure act as sub-processors and are subject to contractual data protection and security obligations.

Security and hosting responsibilities are allocated in accordance with contractual arrangements and the applicable hosting model.

Security responsibilities may vary depending on hosting model and contractual allocation:

• Where IPSEM Squared hosts, we implement and maintain appropriate security measures for the hosting environment.
• Where the client hosts, the client is responsible for securing the hosting environment (with IPSEM Squared applying appropriate controls within the scope of our access and responsibilities).

‍

6. How we use personal data and lawful bases

Where EU/UK GDPR applies, we process personal data only where we have a lawful basis, including:

6.1 Delivering BPI Services

Purposes: service improvement, operational analysis, reporting, governance/process alignment, platform support.
Lawful basis: performance of a contract; legitimate interests; legal obligation (where applicable).

6.2 Sponsorship Advisory and Broking

Purposes: introductions, commercial evaluation, negotiation support, relationship management.
Lawful basis: performance of a contract; legitimate interests.

6.3 Communications and Marketing

Purposes: responding to enquiries, sending relevant updates (where permitted).
Lawful basis: legitimate interests and/or consent where required; you may opt out at any time.

6.4 Legal and Compliance

Purposes: regulatory compliance, dispute management, protection of rights.
Lawful basis: legal obligation; legitimate interests.

‍

7. No automated decision-making / profiling

We do not conduct automated decision-making or profiling of individuals for the purposes of Article 22 EU/UK GDPR.

‍

8. Sharing and Disclosures

We do not sell personal data. We may disclose personal data to:

• Our clients (where necessary for service delivery);
• Professional advisers (legal/accounting) under confidentiality;
• Technology providers and sub-processors (e.g., hosting, collaboration tools) under written agreements;
• Regulators, law enforcement, or courts where required by law

We use Microsoft 365 (including Outlook, SharePoint, Teams and related services) for email, document management, communication and collaboration.

Microsoft 365 services are provided through Microsoft Corporation and/or relevant regional Microsoft entities.

Administrative and support services for our Microsoft 365 environment are provided by:

‍

‍SecuHost IT Solutions & Media Services SDN. BHD. Kuala Lumpur, Malaysia

‍

SecuHost acts as an IT services provider and may have access to our Microsoft 365 environment strictly for administration, support and maintenance purposes under contractual confidentiality obligations.

We also currently use the following third-party service providers to support our other operations:

• QLBS.COM LIMITED (New Zealand) – provider of the BPI technology platform.
• Microsoft Azure (Microsoft Corporation and/or relevant regional Microsoft entities) – cloud infrastructure hosting provider used in connection with the BPI platform.
• HubSpot, Inc. (United States) – CRM, marketing and website forms.
• Monday.com Ltd. (Israel) – project management and workflow coordination platform.

These providers process personal data on our behalf under contractual data protection obligations.

‍

9. International Transfers

As a Hong Kong-based organisation operating internationally, personal data may be transferred to and processed in multiple jurisdictions, including:

• Hong Kong
• Malaysia (in connection with IT administration service
• New Zealand
• Australia
• Israel
• United States (including Microsoft infrastructure)
• Canada
• European Union Member States
• United Kingdom
• Other jurisdictions where Microsoft operates data centres

Microsoft may process personal data in multiple global locations in accordance with its own data protection commitments and applicable safeguards.

HubSpot, Inc. is headquartered in the United States and may process personal data in the United States and other jurisdictions. Monday.com Ltd. is headquartered in Israel and may process personal data in Israel and other jurisdictions. Where required under EU or UK data protection law, we rely on appropriate safeguards, including Standard Contractual Clauses and equivalent mechanisms, for international transfers.

Where required under EU or UK data protection law, we implement appropriate safeguards for international transfers, including:

• Standard Contractual Clauses (SCCs);
• UK International Data Transfer Agreements (where applicable);
• Contractual data protection provisions;
• Transfers to jurisdictions recognised as providing adequate protection (where applicable).

‍

10. Security

We maintain appropriate technical and organisational measures such as:

• access controls and least-privilege permissions;
• secure storage and transmission;
• confidentiality obligations for personnel and contractors;
• supplier due diligence for relevant service providers.

Our Microsoft 365 environment is administered with the assistance of an external IT services provider under contractual confidentiality obligations. Access is limited to authorised personnel and subject to role-based permissions.

We conduct appropriate due diligence on third-party service providers and require contractual commitments regarding data protection, confidentiality, and security measures.

‍

11. Retention

We retain personal data only for as long as necessary for the purposes described, including contractual, legal, and legitimate business requirements. Indicative retention periods: seven (7) years, or the length of contracted services plus seven (7) years, whichever is longer.

‍

12. Data Protection Impact Assessments

Where the use of third-party technology platforms or cross-border hosting arrangements may give rise to elevated data protection risk, we will assess whether a Data Protection Impact Assessment (DPIA) is required under applicable law.

‍

13. Your rights (EU/UK)

Subject to applicable law, you may have rights to:

• access, correction, deletion, restriction, objection, portability, and withdrawal of consent (where relevant).

To exercise rights, contact: info@ipsemsquared.com

EU individuals may also contact our EU Representative. UK individuals may also contact our UK Representative.

‍

14. Cookies

We use cookies. See our Cookie Notice here.

‍

15. Contact

IPSEM Squared Limited

Address:
2401, Dominion Centre
43-59 Queen's Road East
Wan Chai, Hong Kong
999077
Email: info@ipsemsquared.com

‍