Privacy Policy

This Privacy Policy applies to information processed through:

• The amafi.ai website, including all pages and content
• Valuation meeting booking forms and contact forms
• Our mergers and acquisitions advisory services
• Related communications, including email correspondence and advisory engagement materials

We collect information in the following categories.

A. Contact and Identity Information

• Name, work email address, phone number
• Job title and role
• Company or organization name

B. Business and Company Data

When you submit a valuation meeting form or engage our advisory services, we may collect:

• Company name and website
• Industry and sector classification
• Revenue range, net profit, and EBITDA
• Number of employees and geographic location
• Ownership structure and reason for sale
• Preferred timeline and transaction objectives

C. Advisory Engagement Data

• Financial documents and records shared during engagements
• Deal materials, information memoranda, and buyer profiles
• Correspondence and notes related to advisory mandates
• Buyer and seller criteria and matching preferences

D. Website Interaction Data

• Newsletter subscription details
• Contact form submissions and enquiry details
• Content downloads and resource requests

E. Technical and Log Data

• Device and browser information
• IP address and timestamps
• Page views, referral sources, and site usage analytics

We use personal information to:

• Provide mergers and acquisitions advisory services
• Prepare business valuations, deal materials, and information memoranda
• Identify and match potential buyers with seller opportunities
• Respond to enquiries submitted through our website and contact forms
• Schedule and conduct valuation meetings
• Send service updates, advisory communications, and important notices
• Improve our website content, user experience, and service offerings
• Monitor website performance and prevent abuse
• Comply with legal obligations and enforce our policies

Under the PDPO, we use personal data for the purpose(s) for which it was collected or directly related purposes, unless consent is obtained or otherwise permitted by law.

Amafi uses artificial intelligence (“AI”) tools, including third-party AI providers, as part of delivering our advisory services. We believe in being transparent about how AI is used in connection with your data.

How We Use AI

• Generating deal materials such as information memoranda, teasers, and buyer outreach communications
• Analysing business and financial data to support valuations and market positioning
• Identifying and matching potential buyers based on acquisition criteria, industry fit, and transaction preferences
• Summarising and structuring information provided during advisory engagements

Third-Party AI Providers

We may use third-party AI services (such as Anthropic/Claude and similar providers) to process data in connection with the activities described above. When we do so:

• Data shared with AI providers is limited to what is necessary for the specific task
• We select providers with appropriate data handling and security practices
• Third-party AI providers are contractually restricted from using your data to train their models, where such contractual protections are available
• AI-generated outputs are reviewed by our advisory team before being used in any client-facing materials

No Solely Automated Decision-Making

We do not make decisions that produce legal or similarly significant effects based solely on automated processing. All material advisory decisions, including valuations, buyer recommendations, and deal strategy, involve human review and professional judgement.

We treat all information submitted through valuation meeting forms and provided during advisory engagements as confidential. This includes business financial data, company details, transaction objectives, and any other sensitive commercial information.

Our confidentiality commitments include:

• Restricting access to advisory data to authorised personnel involved in your engagement
• Not disclosing your business information to potential buyers or other third parties without your prior consent
• Using non-disclosure agreements with prospective buyers before sharing identifying business details
• Applying appropriate technical safeguards to protect stored advisory materials

Confidentiality obligations survive the conclusion of any advisory engagement, subject to applicable legal and regulatory requirements.

Hong Kong (PDPO)

We are committed to handling personal data in a manner consistent with the PDPO Data Protection Principles, including:

• Purpose and collection limitation
• Accuracy and retention controls
• Use limitation
• Security safeguards
• Openness and transparency
• Data access and correction rights

Australia (Privacy Act + APPs)

For Australian personal information, we aim to comply with applicable APP obligations, including:

• Open and transparent management of personal information
• Use and disclosure controls
• Data quality and security
• Access and correction rights

We do not sell personal information.

We may disclose personal information to:

• Service providers and infrastructure partners (hosting, storage, analytics, security)
• AI service providers used in connection with our advisory services (see Section 4)
• Potential buyers or acquirers, with your prior consent, as part of a transaction process
• Professional advisors (legal, audit, compliance)
• Regulators, law enforcement, courts, or authorities where legally required

We require recipients to process data under confidentiality and security obligations.

Your information may be processed in jurisdictions outside Hong Kong or Australia. This may occur when we use cloud-based infrastructure, third-party AI providers, or engage with counterparties in cross-border transactions.

Where cross-border transfers occur, we apply reasonable contractual, organizational, and technical safeguards appropriate to the sensitivity of the data and applicable legal requirements.

We retain personal information only as long as reasonably necessary for:

• Delivering advisory services and fulfilling engagement obligations
• Legitimate business operations and audit trails
• Legal, contractual, tax, and regulatory obligations

Advisory engagement data, including financial records and deal materials, may be retained for the duration required by applicable professional standards and regulatory requirements.

We take steps to de-identify or securely delete information when it is no longer required.

We use administrative, technical, and organizational safeguards designed to protect personal information, including:

• Access controls and least-privilege permissions
• Encryption in transit and, where applicable, at rest
• Monitoring and logging for suspicious activity
• Secure handling procedures for confidential advisory materials

No system is guaranteed to be fully secure. If you suspect unauthorized access to any information you have shared with us, please notify us promptly.

We do not send direct marketing communications without an appropriate legal basis.

Where required by applicable law (including Hong Kong direct marketing requirements and Australian electronic marketing requirements), we will seek required consent and provide opt-out/unsubscribe options.

Depending on your jurisdiction and legal requirements, you may have rights to:

• Request access to personal information we hold about you
• Request correction of inaccurate personal information
• Request deletion where appropriate
• Object to or restrict certain processing (where applicable)
• Withdraw consent where processing is consent-based
• Request information about how AI has been used in processing your data

Hong Kong

You may submit a data access request or data correction request under the PDPO.

Australia

You may request access to and correction of personal information under the Privacy Act and APPs.

To exercise rights, contact us using the details below. We may need to verify your identity before processing requests.

We may use cookies or similar technologies for:

• Session management
• Security and fraud prevention
• Analytics and website performance

You can manage cookie settings through your browser where supported.

Where the Australian Notifiable Data Breaches scheme applies, we will assess eligible data breaches and provide notifications as required by law.

Our website and advisory services are intended for business users and are not directed to children.

We may update this Privacy Policy from time to time. We will update the “Last Updated” date and provide additional notice where required by law.