Your data, handled with care.
What we collect, why we collect it, and the rights you have over it. Written to the strictest standard across our nine markets.
01Introduction
Cool Bionic (“we”, “us”, or “our”) is a company incorporated in Hong Kong that designs, manufactures, and sells cold plunge and ice bath products through our website at coolbionic.com. We are committed to protecting your personal data and respecting your privacy in every market we serve.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding your data. It applies to all users of our website, customers, and anyone who interacts with our services — regardless of location.
We operate across Hong Kong, Taiwan, Singapore, Malaysia, Thailand, Japan, Canada, Australia, New Zealand, and Indonesia. This policy is drafted to comply with the strictest requirements across all applicable data protection laws, including the Hong Kong PDPO, Singapore PDPA, Malaysia PDPA 2010, Thailand PDPA, Japan APPI, Canada PIPEDA, Australia Privacy Act 1988, New Zealand Privacy Act 2020, Taiwan PIPA, and Indonesia’s PDP Law (Law No. 27 of 2022).
02Data Controller
The data controller responsible for your personal data is:
Cool Bionic Limited
Registered in Hong Kong
Email: privacy@coolbionic.com
Website: coolbionic.com
If you have questions about how we handle your data, or wish to exercise any of your rights, please contact us at the address above.
03What We Collect
Information you provide directly
- Account information. Name, email address, phone number, and password when you create an account.
- Order information. Billing and shipping address, phone number, and order details when you make a purchase.
- Payment information. Credit card or payment details processed securely through Stripe. We do not store full card details on our servers.
- Communication data. Messages, inquiries, or feedback sent via contact forms, email, or customer support channels.
- Marketing preferences. Your communication preferences when you subscribe to our newsletter or marketing.
- Customisation data. Specifications or preferences you provide when customising products.
Information collected automatically
- Device information. IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Usage data. Pages visited, time spent, click patterns, referring URLs, and browsing behaviour on our website.
- Location data. Approximate geographic location derived from your IP address.
- Cookie data. Information collected through cookies and similar tracking technologies (see Section 06).
Information from third parties
- Payment processors (Stripe) confirming transaction status.
- Analytics providers (Google Analytics) providing aggregated usage data.
- Advertising platforms (Meta/Facebook) providing campaign performance data.
- Shipping and logistics partners providing delivery status updates.
Payment data and Stripe
Your payment information is processed directly by Stripe, our PCI DSS Level 1 certified payment processor. When you enter payment details at checkout, this information is transmitted directly to Stripe’s servers using TLS encryption. We do not store, process, or have access to your full credit card numbers. We only receive a tokenised reference and limited transaction details (last four digits, card brand, transaction confirmation).
For more information, see Stripe’s Privacy Policy at stripe.com/privacy.
04How We Use It
We use your personal data for the following purposes and legal bases:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing & fulfilling orders | Name, address, email, phone, payment token | Performance of contract |
| Managing your account | Account info, preferences | Performance of contract |
| Customer support & warranty | Contact, order history, communications | Contract / Legitimate interest |
| Marketing emails & SMS | Name, email, phone, purchase history | Consent (opt-out provided) |
| Analytics & improvement | Device info, usage data, cookies | Legitimate interest / Consent |
| Advertising & retargeting | Cookie data, browsing behaviour | Consent |
| Fraud prevention & security | IP, device info, transaction data | Legitimate interest / Legal obligation |
| Legal compliance | As required by law | Legal obligation |
| Loyalty & rewards | Account info, purchase history, points | Contract / Consent |
05Who We Share With
We do not sell your personal data. We share information only with the following categories of recipients, and only to the extent necessary:
- Payment processor. Stripe, for processing payments securely.
- Shipping & logistics partners. 3PL providers and local delivery services for order fulfilment.
- Analytics providers. Google Analytics, for understanding website usage.
- Advertising partners. Meta (Facebook/Instagram) via the Meta Pixel, for advertising measurement and retargeting, subject to your cookie consent.
- Email & communication services. For sending transactional and marketing communications.
- Hosting & infrastructure. Our hosting provider in Singapore for storing and processing data.
- Customer support tools. Live chat and form providers (Chaty, Fluent Forms) for managing inquiries.
- Professional advisors. Lawyers, accountants, and auditors where necessary.
- Legal & regulatory authorities. Where required by law, court order, or to protect our legal rights.
All third-party service providers are contractually obligated to protect your data and may only process it for the specific purposes we have instructed.
06Cookies
Our website uses cookies and similar tracking technologies. We obtain your consent before placing non-essential cookies, in compliance with applicable laws in Singapore, Thailand, Japan, New Zealand, Australia, and other jurisdictions.
Types of cookies we use
| Type | Purpose | Provider | Consent |
|---|---|---|---|
| Strictly Necessary | Essential site functions — cart, checkout, security | WooCommerce, CheckoutWC | No |
| Functional | Remember preferences, language, region | WordPress, Kadence | Yes |
| Analytics | Understand site usage, visitor behaviour | Google Analytics | Yes |
| Marketing | Retargeting, ad measurement, personalisation | Meta Pixel, Google Ads | Yes |
Managing cookies
You can manage your cookie preferences at any time through our cookie consent banner displayed when you first visit our website. You may also adjust cookie settings in your browser. Disabling certain cookies may affect site functionality.
07International Transfers
Your personal data is primarily stored on servers located in Singapore. As we operate internationally, your data may be transferred to and processed in countries outside your country of residence, including Hong Kong and other locations where our service providers operate.
When we transfer personal data across borders, we ensure appropriate safeguards are in place:
- Ensuring the receiving country provides an adequate level of data protection.
- Entering into data processing agreements requiring recipients to protect your data to a comparable standard.
- Obtaining your explicit consent where required (particularly for transfers from New Zealand, Japan, and Indonesia).
- Relying on recognised frameworks such as the APEC Cross-Border Privacy Rules (CBPR) where applicable.
Stripe, Google, and Meta maintain their own international transfer mechanisms and compliance frameworks.
08Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law:
- Account data. Duration of your account plus 3 years after closure.
- Order & transaction data. 7 years after transaction date for tax, accounting, and legal compliance.
- Marketing data. Until you unsubscribe or withdraw consent; removed within 30 days.
- Website analytics. Aggregated/anonymised for up to 26 months (Google Analytics default).
- Customer support records. 3 years after resolution.
- Warranty records. Warranty period (1 year from purchase) plus 2 additional years.
When the retention period expires, we will securely delete or anonymise your personal data.
09Your Rights
Depending on your location and applicable law, you have the following rights. We honour these rights for all customers regardless of jurisdiction, applying the highest standard of protection:
Universal rights (all customers)
- Access. Request a copy of the personal data we hold about you.
- Correction. Request we correct inaccurate or incomplete data.
- Deletion. Request we delete your data, subject to legal retention requirements.
- Withdraw consent. Withdraw consent for marketing or non-essential cookies at any time.
- Object. Object to processing for direct marketing purposes.
- Opt-out of marketing. Unsubscribe from marketing emails and SMS at any time.
Additional rights by jurisdiction
| Jurisdiction | Additional Rights |
|---|---|
| Singapore | Right to withdraw consent at any time; DNC Registry protections for SMS |
| Malaysia | Right to data portability (subject to technical feasibility); mandatory DPO access |
| Thailand | Right to anonymisation; object to processing; data portability |
| Japan | Electronic disclosure; disclosure of third-party transfer records |
| Canada | Challenge compliance via complaint to Privacy Commissioner of Canada |
| Australia | Complain to the Office of the Australian Information Commissioner (OAIC) |
| New Zealand | Complain to NZ Privacy Commissioner; enhanced cross-border protections |
| Taiwan | Request list of recipients; request deletion |
| Indonesia | Object to automated decision-making; withdraw consent; data portability |
| Hong Kong | Access and correction under PDPO; opt-out of direct marketing |
How to exercise your rights
Contact us at privacy@coolbionic.com. We will respond within 30 days (or sooner if required by local law). We may need to verify your identity before processing your request. If we cannot fulfil a request for a legal reason, we will explain why.
10Marketing
We may send you marketing communications by email and SMS about our products, promotions, and offers. You’ll be automatically enrolled when you make a purchase or create an account, but you may opt out at any time.
How to opt out
- Email. Click “unsubscribe” at the bottom of any marketing email.
- SMS. Reply STOP to any marketing SMS message.
- Account settings. Update preferences in your account dashboard.
- Contact us. Email privacy@coolbionic.com to request removal.
We process opt-out requests within 10 business days. Even after opting out of marketing, you’ll continue to receive essential transactional communications.
We comply with Singapore’s Do Not Call (DNC) Registry. If your number is registered, we will not send you marketing SMS unless you’ve given us clear, prior consent.
11Children’s Privacy
Our products are not intended for use by children under 18 without adult supervision and medical clearance. We do not knowingly collect personal data from children under 16 (or 13, depending on jurisdiction). If we become aware that we’ve collected data from a child without appropriate parental consent, we will delete it promptly.
If you are a parent or guardian and believe your child has provided us with personal data, contact privacy@coolbionic.com.
12Security
We implement appropriate technical and organisational measures to protect your data:
- TLS/SSL encryption for all data transmitted between your browser and our servers.
- PCI DSS Level 1 compliance through Stripe for payment processing.
- Server security including firewalls, fail2ban intrusion prevention, and regular security updates.
- Access controls limiting employee access on a need-to-know basis.
- Regular security assessments and monitoring.
While we take all reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining the highest practicable standards.
13Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify relevant data protection authorities within required timeframes (72 hours for Singapore and New Zealand; 3 days for Indonesia; as soon as feasible for Canada and others).
- Notify affected individuals as soon as practicable — nature of breach, data involved, steps you can take.
- Take immediate steps to contain the breach and mitigate any potential harm.
- Document the breach and our response, retaining records for a minimum of 24 months (PIPEDA requirement and best practice).
14Third-Party Links
Our website may contain links to third-party websites, social media platforms, and services we don’t operate. We are not responsible for their privacy practices. Review the privacy policies of any third-party services before providing them with your personal data.
15Changes
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated policy on our website with a revised effective date.
- Notify you by email or through a prominent website notice if changes are significant.
- Obtain your consent where required by law before applying material changes.
Review this policy periodically to stay informed about how we protect your data.
16Contact
For any question, concern, or request about this Privacy Policy or our data handling:
Cool Bionic Limited
Email: privacy@coolbionic.com
Web: coolbionic.com
Complaints & concerns
If you’re not satisfied with our response, you may lodge a complaint with the data protection authority in your jurisdiction:
- Hong Kong. Office of the Privacy Commissioner for Personal Data (PCPD)
- Singapore. Personal Data Protection Commission (PDPC)
- Malaysia. Department of Personal Data Protection (JPDP)
- Thailand. Personal Data Protection Committee (PDPC)
- Japan. Personal Information Protection Commission (PPC)
- Canada. Office of the Privacy Commissioner of Canada (OPC)
- Australia. Office of the Australian Information Commissioner (OAIC)
- New Zealand. Office of the Privacy Commissioner (OPC)
- Taiwan. National Development Council (NDC)
- Indonesia. Ministry of Communication and Information Technology (Kominfo)