Privacy Policy

1. Who we are

“MachinedQuartz” is the trading name of AIREKA Scientific Co., Limited, a private limited company registered in the Hong Kong Special Administrative Region in 2013. Our principal place of business is in Kwun Tong district, Kowloon, Hong Kong SAR. We fabricate and sell quartz cuvettes, optical windows, and custom-machined fused-silica labware to research institutions, OEM instrument makers, and pharmaceutical and biotechnology companies in 30+ countries.

For the purposes of the EU General Data Protection Regulation (GDPR), UK GDPR, and similar laws, AIREKA Scientific Co., Limited is the data controller of personal information collected through this website and our sales channels.

2. What information we collect

2.1 Information you provide directly

• Order & account data: name, business name, billing/shipping address, country, email address, phone number, VAT/EORI/tax-ID where applicable, and the products you order.
• Quote & inquiry data: the contents of any custom-fabrication inquiry, the application or instrument you intend the cuvette for, technical drawings or specifications you attach, and any return correspondence with our sales engineers.
• Payment data: we do not store full credit-card numbers on our servers. Payment is processed by PayPal, Stripe, or our bank’s secure portal. We receive only a transaction confirmation, the last four digits of the card, and the cardholder name and billing country.
• Account credentials: if you create a customer account, your password is stored hashed (one-way encrypted) and is never visible to us in plain text.

2.2 Information collected automatically

• Standard server logs: IP address, user agent, referring URL, pages visited, and timestamps. Used to diagnose errors, detect abuse, and maintain site security. Retained for 30 days.
• Cookies and analytics: see §7 for the full list and your choices.
• Approximate location: derived from your IP address. Used to localize currency display and shipping-cost estimates. Never resolved beyond city-level.

2.3 Information from third parties

If you sign in using Google or another single-sign-on provider, we receive your name and email address from that provider. If you arrive via a referral or affiliate link, we receive the referrer URL but no other personal data.

3. How we use your information

• Fulfill orders: process payment, manufacture or pull from stock, prepare shipping documentation, and deliver products. This is the primary use of order data.
• Respond to inquiries: answer quote requests, technical questions, and after-sales support tickets.
• Customs & tax compliance: generate commercial invoices, customs declarations, and tax records as required by Hong Kong, the destination country, and shipping carriers (UPS, FedEx, DHL, USPS).
• Account management: if you have an account, let you log in, view your order history, and re-order.
• Marketing communications: only if you have opted in via newsletter signup or checkout checkbox. Every marketing email contains an unsubscribe link.
• Site security and analytics: detect fraud, mitigate denial-of-service attacks, and understand which pages are useful so we can improve them.
• Legal compliance: respond to lawful requests from courts and regulators where we are obligated to disclose information.

4. Legal basis for processing (GDPR / UK GDPR)

5. How we share information

We share only the minimum data necessary, only with parties that need it to fulfill the purposes above, and only under contractual privacy obligations. Specifically:

• Shipping carriers (UPS, FedEx, DHL, USPS, China Post, Hongkong Post): name, address, phone, package contents description, customs value. Required for delivery.
• Payment processors (PayPal, Stripe, our merchant bank): name, billing address, transaction amount, currency. They handle the card details — we don’t see them.
• Cloud hosting and email infrastructure: our website server and email server may temporarily process your data in the course of delivering pages and emails. See §8 for specifics.
• Professional advisers (accountants, auditors, lawyers): only when required for compliance work, and only under confidentiality.
• Regulators and law enforcement: if we are required to disclose by court order, subpoena, or applicable law. We will challenge any request that appears overbroad.

6. International data transfers

Because we operate from Hong Kong and ship globally, your information may cross borders. Specifically:

• Order data is processed and stored on servers physically located in Hong Kong and the United States.
• Shipping data is transmitted to carriers in your destination country.
• Email is routed through email-server providers that may temporarily store messages in the EU, US, or Hong Kong.

Where we transfer data of EU or UK residents outside the EEA/UK, we rely on the European Commission’s Standard Contractual Clauses with our processors. For California residents, we comply with the cross-border transfer requirements of the CCPA/CPRA. For Hong Kong residents, transfers are governed by the Personal Data (Privacy) Ordinance (PDPO).

7. Cookies & tracking technologies

We use cookies (small text files stored on your browser) for the purposes below. You can manage or disable cookies in your browser settings; doing so may affect site functionality.

We do not use marketing/advertising cookies, retargeting pixels, Facebook Pixel, Google Ads tracking, or third-party social-media trackers on this website.

8. Third-party services we use

The list below names every third party that may process your data on our behalf, what they do, and where their privacy policy lives.

9. Data retention

• Order records and invoices: 7 years after order completion (required for Hong Kong tax compliance under the Inland Revenue Ordinance).
• Account data: for as long as your account is active. You may delete your account at any time; we delete associated personal data within 30 days, except records we are legally required to retain (orders/invoices per above).
• Inquiry / quote correspondence: 3 years from the last reply, then archived in encrypted offline storage for an additional 2 years, then permanently deleted.
• Server logs: 30 days, then automatically purged.
• Newsletter subscriptions: until you unsubscribe; after unsubscribe, we retain your email on a suppression list to honor the opt-out.
• Marketing consent records: for as long as we rely on the consent, plus 2 years after withdrawal (as evidence of past lawful processing).

10. Security

We use commercially reasonable technical and organizational measures to protect your data:

• TLS 1.3 encryption for all traffic between your browser and our servers.
• Hashed passwords (bcrypt) — we never store or transmit plain-text passwords.
• Restricted backend access: admin accounts use two-factor authentication; logs are reviewed monthly.
• Database backups encrypted at rest; retained on isolated storage with rotated keys.
• WordPress and WooCommerce kept updated; security patches applied within 72 hours of release.
• Annual third-party penetration test of the order and checkout flow.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34 and PDPO Hong Kong guidance.

11. Your rights

Regardless of where you live, you can ask us to:

• Access the personal data we hold about you, and receive a copy in a portable format.
• Correct data that is wrong or incomplete.
• Delete your data, except where we are required to keep it (e.g., tax records).
• Object to processing based on legitimate interests.
• Restrict processing while we investigate a dispute about your data.
• Withdraw consent at any time (e.g., unsubscribe from marketing).
• Lodge a complaint with your data protection authority (see below).

11.1 EU & UK residents (GDPR / UK GDPR)

You have the rights listed above plus the right to data portability (Art. 20) and the right not to be subject to automated decision-making (Art. 22 — we don’t do any). You may complain to your national data protection authority. UK residents can contact the Information Commissioner’s Office (ICO).

11.2 California residents (CCPA / CPRA)

You have the right to know what personal information we collect, to request deletion, to opt out of any “sale” or “sharing” of personal information (we do not sell or share — see §5), and to non-discrimination for exercising these rights. To exercise these rights, email info@machinedquartz.com with the subject line “CCPA request.”

11.3 Canada (PIPEDA)

You have rights of access, correction, and withdrawal of consent. The supervisory authority is the Office of the Privacy Commissioner of Canada.

11.4 Hong Kong residents (PDPO)

The Personal Data (Privacy) Ordinance (Cap. 486) governs our handling of personal data of Hong Kong residents. You may submit data access or correction requests under section 18/22 of the Ordinance. The supervisory body is the Privacy Commissioner for Personal Data (PCPD).

12. Children’s privacy

Our products are sold to laboratories, OEM instrument makers, and similar business customers. The website is not directed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a minor has provided personal information through this site, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be flagged with a banner on the homepage for at least 30 days and noted in the “Last updated” date at the top of this page. For changes that materially expand the use of your data, we will obtain fresh consent where required by law.

Previous versions of this policy are available on request.

14. Contact us