Privacy Policy


This Privacy Policy (“policy”) statement is made by IRESC Hong Kong Limited (“IRESC”).  The policy applies across all websites that we own and operate and all services we provide, including our BRSR, and any other apps or services we may offer (collectively, “services”). When we say ‘personal data’ we mean identifiable information about you, like your name, email, address, telephone number, bank account details, payment information, support queries, community comments and so on. If you can’t be identified (for example, when personal data has been aggregated and anonymized) then this notice doesn’t apply. 

We may need to update this policy from time to time. Where a change is significant, we’ll make sure we let you know – usually by sending you an email. You can read the whole policy below, or if you haven’t got much time, you can jump to the section you need using the navigation menu.

Who are 'We'?

When we refer to ‘we’ (or ‘our’ or ‘us’), that means IRESC Hong Kong Limited and all its wholly owned subsidiaries. Our headquarters are in Hong Kong but we operate and have offices globally. Address details for all IRESC offices are available on our Contact us page. Our services consist of all the services we provide now or in the future, including our online and mobile dynamic data on the fly – initially starting with Risk Management related business processes.

Our Principles of Data Protection

Our approach to data protection is built around four key principles. They’re at the heart of everything we do relating to personal data.
Transparency: We take a human approach to how we process personal data by being open, honest and transparent.
Enablement: We enable connections and efficient use of personal data to empower productivity and growth.
Security: We champion industry leading approaches to securing the personal data entrusted to us.
Stewardship: We accept the responsibility that comes with processing personal data.

What Information IRESC Collects

We collect information about you only if we need the information for some legitimate purpose. IRESC will have information about you only if 

(a) you have provided the information yourself; (b) IRESC has automatically collected the information; or (c) IRESC has obtained the information from a third party. 

Information you provide to us: When you visit or use some parts of our websites and/or services we might ask you to provide personal data to us. For example, we ask for your contact information when you sign up for a free trial, participate in community forums, join us on social media, take part in training and events, contact us with questions or request support. If you don’t want to provide us with personal data, you don’t have to, but it might mean you can’t use some parts of our websites or services.

You may provide us with the following information: (a) Account signup: When you sign up for an account to access one or more of our services, we ask for information such as your name, contact number, email address, company name and country to complete the account signup process. You’ll be required to choose a unique username and password for accessing the account.  (b) Payment processing: As part of our subscription plan, we ask you to provide your name, contact information, credit card information or other payment account information. When you submit your card information, we store the name and address of the cardholder, the expiry date and last four digits of the credit card number. For quick processing of future payments, we may store your credit card information or other payment account information in an encrypted format in the secured servers of our payment service providers. (c) Event registrations and other form submissions: We record information that you submit when you (1) register for any event, including webinars or seminars; (2) subscribe to our newsletter or mailing list; (3) submit a form to download any product, whitepaper, or other materials; (4) submit a form to request customer support or contact IRESC for any other purpose.  (d) Interactions with IRESC: We may record, analyze and use your interactions with us, including email, telephone, and chat conversations with our sales and customer support professionals, for improving our interactions with you and other customers. (e) Testimonials: When you authorize us to post testimonials about our products and services on websites, we may include your name and other personal information in the testimonial.

Information we collect automatically: We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you’re using our websites and services so that we can continue to provide the best experience possible (e.g., by personalizing the content you see).

Information we get from third parties: The majority of information we collect, we collect directly from you. Sometimes we might collect personal data about you from other sources, such as publicly available materials or trusted third parties like our marketing and research partners. We use this information to supplement the personal data we already hold about you, in order to better inform, personalize and improve our services, and to validate the personal data you provide.

Where we collect personal data, we’ll only process it:

  • to perform a contract with you, or

  • where we have legitimate interests to process the personal data and they’re not overridden by your rights, or

  • in accordance with a legal obligation, or 

  • where we have your consent.

If we don’t collect your personal data, we may be unable to provide you with all our services, and some functions and features on our websites may not be available to you. 

 If you’re someone who doesn’t have a relationship with us, but believe that a BRSR subscriber has entered your personal data into our websites or services, you’ll need to contact that BRSR subscriber for any questions you have about your personal data (including where you want to access, correct, amend, or request that the user delete, your personal data).

How We Use your Information

First and foremost, we use your personal data to operate our websites and provide you with any services you’ve requested, and to manage our relationship with you. We also use your personal data for other purposes, which may include the following: To communicate with you. This may include: providing you with information you’ve requested from us (like training or education materials) or information we are required to send to you

  • operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services

  • marketing communications (about BRSR or another product or service we think you might be interested in) in accordance with your marketing preferences

  • asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with).

To support you: This may include assisting with the resolution of technical support issues or other issues relating to the websites or services, whether by email, in-app support or otherwise. To enhance our websites and services and develop new ones: For example, by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimize your user experience and provide you with more efficient tools.

To protect: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our websites and services fairly.

To market to you: In addition to sending you marketing communications, we may also use your personal data to display targeted advertising to you online through our own websites and services or through third party websites and their platforms. To analyze, aggregate and report: We may use the personal data we collect about you and other users of our websites and services (whether obtained directly or from third parties) to produce aggregated and anonymized analytics and reports, which we may share publicly or with third parties.

Legal Bases For Collecting & Using Information

Legal processing bases: If you’re an individual from the European Economic Area (EEA), our legal basis for information collection and use depends on the personal information concerned and the context in which we collect it. Most of our information collection and processing activities are typically based on: (i) contractual necessity; (ii) one or more legitimate interests of IRESC of a third party that are not overridden by your data protection interests; or (iii) your consent. Sometimes, we may be legally required to collect your information, or may need your personal information to protect your vital interests or those of another person.

Withdrawal of consent: Where we rely on your consent as the legal basis, you have the right to withdraw your consent at any time, but this will not affect any processing that has already taken place.

Legitimate interests notices: Where we rely on legitimate interests as the legal basis and those legitimate interests are not specified above, we will clearly explain to you what those legitimate interests are at the time that we collect your information

How We Can Share Your Information

There will be times when we need to share your personal data with third parties. We will only disclose your personal data to:

  • employees and independent contractors of IRESC and its subsidiaries on a need-to-know basis

  • third party service providers and partners who assist and enable us to use the personal data to, for example, support delivery of or provide functionality on the website or services, or to market or promote our goods and services to you

  • regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure

  • an actual or potential buyer (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business

  • other people where we have your consent.

International Data Transfers

When we share data, it may be transferred to, and processed in, countries other than the country you live in – such as to the United States, where our data hosting provider’s servers are located. These countries may have laws different to what you’re used to. Rest assured, where we disclose personal data to a third party in another country, we put safeguards in place to ensure your personal data remains protected.

For individuals in the European Economic Area (EEA), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like New Zealand), or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission’s Standard Contractual Clauses.

For further information, please contact us.


The length of time we keep your personal data depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a service you’ve requested or to comply with applicable legal, tax or accounting requirements). We’ll retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices. Sometimes, we may retain your information for longer periods as permitted or required by law, such as to maintain suppression lists, prevent abuse, if required in connection with a legal claim or proceeding, to enforce our agreements, for tax or to comply with other legal obligations. Following that period when we no longer have a legitimate need, we’ll make sure it’s deleted or anonymized.

Your Rights

It’s your personal data and you have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time – just follow the unsubscribe instructions contained in the marketing communication, or send your request to

You also have rights to:

  • know what personal data we hold about you, and to make sure it’s correct and up to date

  • request a copy of your personal data, or ask us to restrict processing your personal data or delete it

  • object to our continued processing of your personal data

You can exercise these rights at any time by making a request to

If you’re not happy with how we are processing your personal data, please let us know by getting in touch by email to We will review and investigate your complaint, and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint.

If you are in the European Economic Area (EEA), you have the following rights with respect to information that IRESC holds about you.  They are: (1) right to access: you have the right to access the categories of personal information that we hold about you; (2) right to rectification: you have the right to update the information we hold about you or to rectify any inaccuracies; (3) right to erasure: you have the right to request that we delete your personal information; (4) right to restriction of processing: you may have the right to restrict the use of your information in certain circumstances; (5) right to data portability: you have the right to transfer your information to a third party in a structures, commonly used and machine-readable format; (6) right to object: you have the right to object to use of your information in certain circumstances, such as for direct marketing (7) right to complain: you have the right to complain to appropriate supervisory authority if you have any grievance against the way we collect, use or share your information.


Security is a priority for us when it comes to your personal data. We’re committed to protecting your personal data and have appropriate technical and organizational measures in place to make sure that happens.

We are taking following measures to improve the Data Security of our clients.
1. We have partnered with
   They are ISO 27001  certified and also provide 100% uptime availability.

We’re always keen to hear from you. If you’re curious about what personal data we hold about you or you have a question or feedback for us on this notice, our websites or services, please get in touch.

2. IRESC also offers 100% client ownership of the data. Paying Clients can configure the MongoDB Database where they prefer; in their own servers or private cloud or public cloud.
3. BRSR Database if fully Encrypted and Salted.
4. We use SSL to ensure Application and Data are encrypted and decrypted.
5. Our BRSR has User Level security.
Each user is assigned a Group and each Group has been given access to certain functions.
Menu access is controlled by this user level security.
This configuration is flexible and done by Client Admin.

How To Contact Us

We’re always keen to hear from you. If you’re curious about what personal data we hold about you or you have a question or feedback for us on this notice, our websites or services, please get in touch.

As a technology company, we prefer to communicate with you by email – this ensures that you’re put in contact with the right person, in the right location, and in accordance with any regulatory time frames. Contact us by email to

Terms & Conditions

IRESC own everything put into our services unless otherwise stated and excluding content owned by others. This includes rights in the design, compilation, and look and feel of our services. It also includes rights in all copyrighted works, trademarks, designs, inventions, and other intellectual property. Trial users agree not to copy, distribute, modify or make derivative works of any of IRESC content or use any of IRESC’s intellectual property rights in any way not expressly permitted by IRESC. While using IRESC services, Trial users may share confidential information with IRESC, and  become aware of confidential information about  IRESC. Trial users and IRESC both agree to take reasonable steps to protect the other party’s confidential information from being accessed by unauthorized individuals. Trial users or IRESC may share each other’s confidential information with legal or regulatory authorities if required to do so.