1. Who we are
Nano Advanced Services Limited ("NAS", "we", "us", "our") is a company incorporated in the Hong Kong Special Administrative Region (company number 76848773) with registered office at Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen's Road Central, Sheung Wan, Hong Kong. NAS is the data controller for personal data submitted via our marketing website at nas.cards. If you are a customer of a programme operated on the NAS platform, the operator of that programme is the controller of your account data — this policy covers only the marketing site. Contact: privacy@nas.cards.
2. What we collect
From the marketing site, we collect only what you give us:
- Contact-form submissions: first name, last name, work email, company, and the free-text message you send.
- Technical request data: server logs (IP address, user-agent, timestamps, URL requested) retained briefly for security and abuse-prevention.
- Consent state: stored in your browser's localStorage so the cookie banner doesn't ask twice. Not transmitted to us.
We do not run analytics, advertising, social, or session-replay scripts by default.
3. Why we collect it (legal basis)
- Contact-form data — to reply to your enquiry. Legal basis: pre-contractual measures at your request (Art. 6(1)(b) GDPR) and our legitimate interest in responding to B2B enquiries (Art. 6(1)(f)).
- Server logs — security, abuse prevention, debugging. Legal basis: legitimate interest (Art. 6(1)(f)).
- Consent state — to honour your cookie/tracking preference. Legal basis: necessary for the service you have requested.
4. How long we keep it
- Contact-form submissions: up to 24 months after the last interaction, then deleted unless we have entered into a commercial relationship.
- Server logs: typically 30 days, longer where required by law or for ongoing security investigation.
5. Who we share it with
We share personal data only with processors strictly necessary to operate the marketing site:
- Hosting and content delivery: a tier-one cloud-services provider in the European Union (primary location Frankfurt, Germany), serving the site through a globally-distributed CDN. The provider processes the data on our instructions under a written data-processing addendum.
- Contact-form processing: when you submit the form, the data is processed by serverless functions in our cloud account in the EU and delivered to our team via our transactional email and SMS sub-processor located in the EU. Form contents are not used by the sub-processors for any purpose other than delivery.
- Bot protection: the contact form is protected by Google reCAPTCHA Enterprise. The service receives the page URL, IP address, browser and device information, and interaction signals it uses to score the request and reject automated submissions. The script is loaded only when you focus the form, not on every page view. Two legal bases apply, and they are separate: storage of, and access to, information on your device is treated as strictly necessary under the EU ePrivacy Directive and the UK PECR (no consent required); the subsequent processing of any personal data the service receives is carried out on the basis of our legitimate interest in protecting our forms from automated abuse (Art. 6(1)(f) GDPR). reCAPTCHA Enterprise is provided by Google LLC (United States); transfers are made under the European Commission's Standard Contractual Clauses and the UK IDTA / UK Addendum to the SCCs as applicable, supplemented by additional technical and organisational measures.
If any processor is outside Hong Kong, the EEA, or the UK, the transfer is covered by Standard Contractual Clauses (UK IDTA / EU SCCs), the Hong Kong PCPD Recommended Model Contractual Clauses, or an adequacy decision, as applicable. The named list of sub-processors is available on written request to privacy@nas.cards.
6. Cookies & tracking
By default this site sets no cookies. We store a single key in localStorage to remember your consent choice — this is not a cookie under ePrivacy and is necessary for honouring your preference. If we later add analytics or marketing scripts, they will run only after you accept them via the banner, and you can withdraw consent at any time using the "Cookie preferences" link in the footer.
We respect the Global Privacy Control (GPC) signal where it is recognised under Applicable Law. If your browser sends a GPC signal, we treat it as a request not to be subject to non-essential tracking, even where you have not made an explicit choice in our cookie banner. We do not currently honour the legacy "Do Not Track" signal because it is not consistently defined; we apply the GPC standard instead.
7. Your rights
Depending on your jurisdiction (HK PDPO, EU GDPR, UK GDPR, and equivalent laws) you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate data.
- Request erasure ("right to be forgotten") where applicable.
- Restrict or object to processing based on legitimate interest.
- Receive a copy of your data in a portable format (data portability).
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your data-protection authority — in Hong Kong, the Privacy Commissioner for Personal Data (pcpd.org.hk); in the UK, the Information Commissioner's Office (ico.org.uk); in the EU/EEA, your local Supervisory Authority.
To exercise any of these rights, email privacy@nas.cards with "Data request" in the subject. We respond within the timeframe required by Applicable Law (typically one month for UK/EU GDPR requests).
8. Security
The marketing site enforces HTTPS, HSTS, a strict Content Security Policy, and a restrictive Permissions Policy. Personal data submitted through the contact form is transmitted over TLS to our processor. The full security posture of programmes operated on the NAS platform is covered in the compliance pack, shared after the first commercial discussion.
9. Contact & complaints
Privacy enquiries: privacy@nas.cards. You may also lodge a complaint with the data-protection authority for your jurisdiction (see Section 7).