GDPR Compliance Statement
Last updated: 10 February 2025
AltroPlus Ltd. (“AltroPlus”, “we”, “our”, “us”) is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) when processing personal data of individuals located in the European Union (EU) and European Economic Area (EEA).
Although AltroPlus is incorporated and primarily regulated in Hong Kong Special Administrative Region (SAR), we operate internationally and engage with EU/EEA-based business clients, suppliers, and partners. As such, we apply GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality to all applicable data processing activities.
This GDPR Compliance Statement explains AltroPlus’ role, responsibilities, safeguards, and procedures as both a Data Controller and, where applicable, a Data Processor.
1. Scope of GDPR Compliance
This GDPR Compliance Statement applies to:
- Visitors from the EU/EEA accessing the AltroPlus website
- EU/EEA-based business contacts, clients, suppliers, and partners
- Personal data processed in connection with:
  - Vehicle brokerage services
  - Automotive parts wholesale and resale
  - Supplier coordination and verification
  - Trade facilitation, logistics coordination, and documentation handling
  - Contractual, financial, and compliance-related communications
GDPR applies irrespective of whether processing occurs within or outside the EU/EEA.
2. Roles and Responsibilities Under GDPR
2.1 Data Controller
AltroPlus acts as a Data Controller when it determines the purposes and means of processing personal data, including but not limited to:
- Business inquiries and quotation requests
- Client and supplier onboarding
- Contract negotiation and execution
- Invoice issuance and payment coordination
- Compliance with legal, accounting, tax, and AML requirements
2.2 Data Processor
AltroPlus may act as a Data Processor when processing personal data on behalf of clients, strictly following documented instructions, including:
- Handling trade documentation containing personal data
- Coordinating logistics or customs documentation
- Supporting brokerage transactions involving third-party service providers
In such cases, processing is governed by a Data Processing Agreement (DPA).
3. Categories of Personal Data Processed
Depending on the business relationship, AltroPlus may process the following categories of personal data:
- Identification data (name, job title, company affiliation)
- Business contact details (email address, phone number, business address)
- Transactional and contractual data
- Communication records
- Technical data (IP address, browser type, device identifiers)
AltroPlus does not intentionally process special category (sensitive) personal data as defined under Article 9 GDPR.
4. Lawful Bases for Processing
AltroPlus processes personal data under one or more of the following lawful bases pursuant to Article 6 GDPR:
- Contractual necessity – to perform or enter into contracts
- Legitimate interests – to conduct B2B operations, improve services, and prevent fraud
- Legal obligations – including accounting, tax, trade, and regulatory compliance
- Consent – where explicitly required by law
Where processing is based on legitimate interests, AltroPlus performs a balancing assessment to ensure such interests do not override the rights and freedoms of data subjects.
5. Data Subject Rights
EU/EEA data subjects have the right to:
- Access their personal data
- Rectify inaccurate or incomplete data
- Request erasure (“right to be forgotten”)
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time (where applicable)
Requests may be submitted to office@altroplus.com. AltroPlus responds to valid requests within statutory timelines and no later than 30 days.
6. Data Security Measures
AltroPlus implements appropriate technical and organizational measures to protect personal data, including:
- Access control and authentication mechanisms
- Encryption where appropriate
- Secure IT infrastructure and network protections
- Monitoring, logging, and incident response procedures
- Internal data access limitation on a need-to-know basis
7. Data Retention
Personal data is retained only for as long as necessary to:
- Fulfill contractual obligations
- Comply with legal and regulatory requirements
- Resolve disputes and enforce agreements
Once retention periods expire, personal data is securely deleted or anonymized.
8. International Data Transfers
Where personal data is transferred outside the EU/EEA, AltroPlus ensures appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- Contractual confidentiality obligations
- Technical and organizational security controls
9. Sub-Processors
AltroPlus may engage trusted sub-processors (e.g. hosting providers, communication platforms, logistics partners). All sub-processors are subject to GDPR-compliant contractual obligations.
A current list of sub-processors may be provided upon request.
10. Data Breach Notification
In the event of a personal data breach posing a risk to data subjects, AltroPlus will:
- Investigate and contain the incident promptly
- Notify affected clients and data controllers without undue delay
- Cooperate with supervisory authorities where required
11. Supervisory Authority
EU/EEA data subjects have the right to lodge a complaint with their local supervisory authority if they believe their data protection rights have been violated.
12. Contact Information
AltroPlus Ltd.
Email: office@altroplus.com
Jurisdiction: Hong Kong SAR