Privacy Policy

Last Updated: 2026-02-05

Version: 1.0.0

Introduction

MARC GLOBAL TRADE LINK CO., LIMITED ("we", "us", or "our") operates the EC-Permit mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using EC-Permit, you consent to the data practices described in this policy.

EC-Permit is a construction permit management application designed for business use, enabling project teams to create, manage, and collaborate on permits and forms with offline capabilities.

Information We Collect

We collect several types of information from and about users of our Service:

Account Information:

Email address (used for authentication and communications)
Password (securely hashed and encrypted)
Display name (2-50 characters)

Profile Information:

Avatar/profile photo (optional, stored in cloud storage)
Position/job title (optional)
Digital signature (optional, for form approvals)
Company association
Language preference (English, Traditional Chinese, Simplified Chinese)
Theme preference (light, dark, system)

Form Submission Data:

Text responses to form questions
Photos and images uploaded to permits
PDF and file attachments
Digital signatures captured within forms
Date and time entries
Map pin locations (coordinates on project maps)
Table data and structured responses
All form-related metadata (submission dates, status changes, action history)

Device Information:

Device identifiers (for push notifications)
Device name, brand, and model
Operating system name and version
App version and build number
Device type (physical device or emulator)
Platform (iOS or Android)
Push notification tokens (Expo Push Token)

Usage Information:

Project memberships and roles
Form submissions and approvals
Notification interactions (read/unread status)
Login history and session information
Feature usage patterns within the app

Biometric Information:

Face ID or fingerprint data (stored locally on your device only, never transmitted to our servers)
Biometric authentication is optional and used solely for convenient login

Support and Feedback:

Email and phone number (when submitting support queries)
Feedback messages and bug reports
Device and network information at time of support request

How We Use Your Information

We use the information we collect for the following purposes:

Service Provision:

Authenticate users and manage accounts
Enable form creation, submission, and collaboration
Facilitate project management and team coordination
Synchronize data across devices and offline/online modes
Process form approvals and status workflows

Communication:

Send push notifications about form actions, mentions, and updates
Deliver project invitations and reminders
Respond to support queries and feedback
Notify users of system updates or maintenance

Service Improvement:

Analyze usage patterns to improve features and user experience
Debug technical issues and optimize performance
Develop new features based on user needs

Security:

Protect against unauthorized access and fraud
Maintain data integrity and security
Comply with legal obligations and enforce our terms

Business Operations:

Maintain audit trails for form actions and approvals
Support compliance and record-keeping requirements
Facilitate multi-user project collaboration

Data Storage and Security

Cloud Storage:

We use Supabase, a secure cloud database and storage provider, to store your data. Supabase uses industry-standard security measures including:

Encrypted data transmission (SSL/TLS)
Secure PostgreSQL database with access controls
Cloud storage buckets with restricted access
Regular security updates and monitoring

Your data is stored on Supabase infrastructure located in secure data centers.

Local Device Storage:

Certain information is stored locally on your device:

Login credentials (encrypted in device secure storage)
Cached form data (for offline access)
App preferences and settings
Offline sync queue (pending uploads)

Local storage uses:

Expo SecureStore (encrypted storage for sensitive data)
AsyncStorage (for app state and preferences)

Security Measures:

Passwords are hashed using industry-standard algorithms
Session tokens are securely stored and automatically refreshed
Biometric authentication data never leaves your device
All data transmission uses HTTPS encryption
Access controls limit data visibility based on project membership
Regular security audits and updates

File Storage:

Photos, PDFs, signatures, and attachments are stored in Supabase Storage with:

Unique file identifiers to prevent unauthorized access
Access controls based on project permissions
Secure URLs with authentication requirements

Third-Party Services

We use the following third-party services to provide and improve our Service:

Supabase:

Purpose: Backend database, authentication, and file storage
Data shared: All user data, form submissions, and uploaded files
Privacy policy: https://supabase.com/privacy

Expo Push Notification Service:

Purpose: Deliver push notifications to your device
Data shared: Device push tokens, notification content
Privacy policy: https://expo.dev/privacy

We do not share your personal information with third parties for marketing or advertising purposes. These service providers are bound by contractual obligations to keep your information secure and confidential.

Data Sharing and Collaboration

Within Projects:

When you join a project, certain information becomes visible to other project members:

Your display name and avatar
Your position/job title
Forms you create, submit, or take action on
Your responses to form questions
Your comments and approvals

Project administrators can:

View project member lists and roles
Manage project permissions
Access all forms within their projects

Form Collaboration:

Forms you create or are assigned to may be visible to:

Project members based on project permissions
Users mentioned or assigned in form workflows
Project administrators and form reviewers

We Do Not:

Sell your personal information to third parties
Share your data with advertisers
Use your data for purposes unrelated to the Service
Share data across different organizations/companies without consent

Your Rights Under Hong Kong Law

Under the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong, you have the following rights:

Right to Access:

You can request access to your personal data we hold. You may view and export your data through the app's profile settings.

Right to Correction:

You can request correction of inaccurate or incomplete personal data. Update your profile information directly in the app or contact us for assistance.

Right to Deletion:

You can request deletion of your personal data. To delete your account:

Contact us at info@ecpermit.com
We will process your deletion request within 30 days
Some data may be retained for legal or compliance purposes

Right to Data Portability:

You can request a copy of your data in a structured, machine-readable format.

Right to Withdraw Consent:

Where we process data based on consent, you may withdraw consent at any time.

To Exercise Your Rights:

Contact us at info@ecpermit.com with your request. We will respond within 30 days and may require identity verification to protect your privacy.

Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

Active Accounts:

While your account is active, we retain all your data to provide continuous service.

Deleted Accounts:

Upon account deletion, most data is deleted within 30-90 days
Some information may be retained longer for legal, security, or compliance reasons
Anonymized or aggregated data may be retained indefinitely for analytics

Form Records:

Form submissions and approvals may be retained longer for audit and compliance purposes
Project data may be retained based on project retention policies

Legal Requirements:

We may retain certain data to:

Comply with legal obligations
Resolve disputes and enforce agreements
Support business operations and record-keeping requirements

Backup Systems:

Deleted data may remain in backup systems for up to 90 days before permanent deletion.

Biometric Data and Device Authentication

EC-Permit offers optional biometric authentication (Face ID, Touch ID, or fingerprint) for convenient login.

Local Processing Only:

Biometric data is processed entirely on your device
Your biometric data never leaves your device or is transmitted to our servers
We only store a flag indicating you have enabled biometric login

How It Works:

Your device's operating system (iOS or Android) handles biometric authentication
We receive only a "success" or "failure" result from your device
Your login credentials are retrieved from encrypted local storage upon successful authentication

Disabling Biometric Login:

You can disable biometric authentication at any time in the app settings. This will not affect your ability to log in with email and password.

Children's Privacy

EC-Permit is designed for business use by professionals in construction and project management. The Service is not directed to individuals under 18 years of age.

We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at info@ecpermit.com, and we will take steps to delete such information.

International Data Transfers

Your data may be stored and processed in data centers located outside of Hong Kong, including but not limited to servers operated by Supabase.

We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws. Data transfers are conducted using:

Secure encrypted connections
Service providers with robust security and privacy commitments
Contractual protections requiring data protection standards

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

Material changes will be communicated via email or in-app notification
The "Last Updated" date at the top of this policy indicates the most recent revision
Continued use of the Service after changes constitutes acceptance of the updated policy

Review Regularly:

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

MARC GLOBAL TRADE LINK CO., LIMITED

G/F., No.2A1, Shung Tak Street, Tai Po, Hong Kong

Email: info@ecpermit.com

We will respond to your inquiries within 30 days.