Zada Lau

Legal

Privacy Policy

Effective date: 28 May 2026

Last updated: 28 May 2026

1. Who we are

This website, zadalau.com (“the Site”), is operated by Zada Lau, trading as Grumpy to Great, a sole proprietorship registered in Hong Kong [HK Business Registration number: to be confirmed], and as a sole trader in Australia [ABN: to be confirmed] (collectively, “we”, “us”, “our”).

We operate across both Hong Kong and Australia. For the purposes of data protection law, we act as the data controller for personal information collected through this Site.

If you have any questions about this policy or how we handle your personal information, contact us at tashidelek@zadalau.com.

2. Scope of this policy

This policy explains what personal information we collect through zadalau.com, why we collect it, how we use and protect it, who we share it with, and the rights you have over it.

This policy is written to comply with the personal-data laws that most commonly apply to our visitors, including:

  • The Hong Kong Personal Data (Privacy) Ordinance (PDPO)
  • The Australian Privacy Act 1988 and the Australian Privacy Principles
  • The EU General Data Protection Regulation (GDPR) and the UK GDPR
  • The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Brazil's Lei Geral de Proteção de Dados (LGPD)

Where these laws grant you specific rights, we honour them. Section 8 sets out those rights in detail.

3. What personal information we collect

We collect only what we need. Specifically:

Information you give us directly:

  • Newsletter signup — when you subscribe to Zada's newsletter, we collect your email address (and your name, if you provide it).
  • Contact form / email — when you contact us through the Site or by email, we collect your name, email address, and the content of your message, along with any other information you choose to include.

Information collected automatically:

  • Basic technical information — when you visit the Site, our hosting providers automatically log standard technical data such as your IP address, browser type, device type, referring page, and the pages you view. This is used for security, troubleshooting, and keeping the Site running. We do not use analytics or tracking tools on this Site.
  • Strictly necessary cookies — see our separate Cookie Policy for details. We do not set advertising or analytics cookies.

We do not intentionally collect sensitive personal information (such as health data, religious beliefs, or financial account numbers) through this Site. Please do not send us sensitive information through the contact form.

4. Why we collect it and our legal basis

What we collectWhyLegal basis (GDPR terms)
Newsletter emailTo send you the newsletter you asked forConsent
Contact form detailsTo respond to your enquiryLegitimate interest / steps prior to a contract
Technical/server logsSecurity, troubleshooting, site operationLegitimate interest

Under Hong Kong's PDPO and the Australian Privacy Principles, we collect personal data only for purposes directly related to our functions and activities, by lawful and fair means, and we tell you why at the point of collection.

You can withdraw your consent to the newsletter at any time by clicking “unsubscribe” in any newsletter email, or by emailing tashidelek@zadalau.com.

5. Who we share it with

We do not sell your personal information. We never have and we never will.

We share personal information only with the third-party service providers who help us operate the Site, and only to the extent they need it to perform their service:

  • Vercel (United States) — website hosting and content delivery.
  • GitHub (United States) — source-code hosting (does not process visitor personal data in normal operation).
  • Brevo (European Union) — email newsletter management and delivery. When you subscribe, your email address is stored in Brevo on our behalf.

Each of these providers processes data under their own privacy and security commitments. Where they are located outside your home jurisdiction, your data may be transferred internationally — see Section 6.

We may also disclose personal information where required by law, regulation, court order, or governmental authority in Hong Kong, Australia, or another jurisdiction with valid authority; or where necessary to protect our legal rights.

6. International data transfers

We operate across Hong Kong and Australia, and our service providers are located in the United States and the European Union. This means your personal information may be processed in, and transferred between, Hong Kong, Australia, the United States, the European Union, and other jurisdictions where our providers operate.

Where personal information is transferred out of a jurisdiction whose laws require specific safeguards (such as the EU/UK under GDPR), we rely on the appropriate legal mechanisms for such transfers (such as the providers' standard contractual clauses or adequacy arrangements). By using the Site or subscribing to the newsletter, you understand that your information may be processed in these locations.

7. How long we keep it

  • Newsletter subscribers — until you unsubscribe, after which your email is removed from the active list within a reasonable period.
  • Contact enquiries — for as long as needed to handle your enquiry and for a reasonable period afterwards for our records, then deleted.
  • Server logs — retained for a limited period by our hosting providers for security and operational purposes.

We do not keep personal information longer than necessary for the purpose it was collected.

8. Your rights

Depending on where you live, you have some or all of the following rights over your personal information:

  • Access — ask for a copy of the personal information we hold about you.
  • Correction — ask us to correct information that is inaccurate or incomplete (a core right under the HK PDPO and Australian Privacy Principles).
  • Deletion / erasure — ask us to delete your personal information (the “right to be forgotten” under GDPR; similar rights under CPRA, LGPD).
  • Withdraw consent — unsubscribe from the newsletter or otherwise withdraw consent at any time.
  • Object / restrict — object to or ask us to restrict certain processing (GDPR/UK GDPR).
  • Portability — ask for your data in a portable, machine-readable format (GDPR, LGPD, CPRA).
  • Non-discrimination — we will not treat you differently for exercising your privacy rights (CCPA/CPRA).
  • Do Not Sell / Share — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of, but you retain the right to direct us not to (CCPA/CPRA).

To exercise any of these rights, email tashidelek@zadalau.com. We will respond within the timeframe required by the law applicable to you (for example, one month under GDPR; 45 days under CPRA). We may need to verify your identity first.

If you are in Hong Kong and believe we have not handled your data properly, you may complain to the Office of the Privacy Commissioner for Personal Data (PCPD). If you are in the EU/UK, you may complain to your local data protection authority. If you are in Australia, you may complain to the Office of the Australian Information Commissioner (OAIC).

9. How we protect your information

We take reasonable technical and organisational measures to protect personal information against loss, misuse, and unauthorised access. Our service providers (Vercel, Brevo, GitHub) maintain their own industry-standard security measures. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

10. Children

This Site is not directed at children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, contact us at tashidelek@zadalau.com and we will delete it.

11. Links to other sites

The Site links to other websites, including mettafi.com and external pages. We are not responsible for the privacy practices of other sites. When you follow a link to another site, we encourage you to read its privacy policy. (Note: mettafi.com is operated by a related business — see its own privacy policy for how it handles data.)

12. Changes to this policy

We may update this policy from time to time. When we do, we will change the “Last updated” date at the top. Significant changes will be communicated where appropriate. Your continued use of the Site after a change means you accept the updated policy.

13. Contact

Questions, requests, or complaints about this policy or your personal information:

Email: tashidelek@zadalau.com

Operated by: Zada Lau, trading as Grumpy to Great (Hong Kong) and as a sole trader (Australia)

Postal address: [to be confirmed — a contact address is recommended, even if a PO box or registered-agent address]