CourseHKUHKU course reviews

Legal

Privacy Policy

Last updated: 13 April 2026

CourseHKU (“we”, “us”) is an independent student project. This policy explains what personal data we collect, why we collect it, and how we use it. We aim to handle data in a way that is consistent with the Hong Kong Personal Data (Privacy) Ordinance (PDPO).

1. What we collect

  • Account data. Your HKU email address (@hku.hk or @connect.hku.hk), a display name you choose, and a password stored only as a bcrypt hash (we never store your password in plain text).
  • Email verification data. A short-lived 6-digit code (stored as a hash) and its expiry, used once to verify ownership of your email.
  • Reviews you submit. Free-text review body, numeric ratings, optional professor name, optional term label, and a flag for whether you want the review shown anonymously.
  • Operational logs. Rate-limiting records keyed to your user ID or IP address, and standard server request logs.

We do not use third-party advertising trackers. We do not sell personal data.

2. Why we collect it

  • To run the service. Authenticate sign-ins, associate your reviews with your account, and let you come back to them.
  • To keep the review pool honest. Requiring a verified HKU email limits spam and signals that a review comes from someone at the university.
  • To prevent abuse. Rate limits and IP logging help us catch bots, scraping, and bulk posting.

3. What we share

We do not share personal data with third parties except processors that we rely on to run the site:

  • Our hosting provider (Vercel)
  • Our database provider
  • Our email delivery provider (Resend), to send verification codes
  • Our rate-limit store (Upstash)

These providers process data on our behalf and are bound by their own privacy terms.

4. What is public

Reviews you post are visible to anyone visiting the site. By default your display name is shown; if you check “post anonymously”, your name is hidden in the public view (but the review remains associated with your account internally so you can edit or delete it).

Your email address is never shown publicly.

5. Your rights

Under the PDPO you have the right to request access to, correction of, or deletion of your personal data. You can:

  • Edit or delete any review you have posted from your account.
  • Request full deletion of your account and all associated reviews by contacting us at privacy@coursehku.com.

6. Retention

We keep account data for as long as your account exists. Verification codes are deleted or marked consumed within 15 minutes. Deleted reviews are removed from the database. Backups may retain data for a short rolling window before being overwritten.

7. Changes

If we change this policy we will update the “Last updated” date at the top. Material changes will be announced on the site.

8. Contact

Questions or requests: privacy@coursehku.com.