1. Who we are
This Privacy Policy is issued by Dollar Media Technology Limited (doing business as "ChinaBridge", "we", "us", "our"), a company registered in Hong Kong, with its principal office at Kam Fone Mansion, 16 Kam Fong Street, Mong Kok, Kowloon, Hong Kong. ChinaBridge designs, manufactures and sells hardware wallets for cryptocurrency self-custody and operates the website chinabusinessbridge.com.
For the purposes of the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable US state privacy laws, Dollar Media Technology Limited is the controller of the personal data described below.
Our Data Protection Officer (DPO) can be reached at [email protected] or by post at the address above, marked "For the attention of the DPO".
2. What personal data we collect
We collect only the data we need to operate our store, ship devices, support customers, secure our systems, and comply with the law. The categories below describe what we hold and where it comes from.
2.1 Account data
If you create a ChinaBridge account, we store your full name, email address, a salted bcrypt password hash (we never see or store your plaintext password), the preferred language and currency you select, and the timestamps of account creation and last login.
2.2 Order and delivery data
When you place an order, we process your shipping address, billing address, phone number (required by the carrier for customs and delivery notifications), the list of items ordered, the order total, applicable taxes and duties, and any optional delivery note you provide. Payment is handled directly by our payment processor (see section 5); we receive only the transaction reference, the last four digits of the payment instrument where relevant, and the authorization status. We do not store full card numbers or CVV codes on our systems.
2.3 Support correspondence
If you contact support, warranty, or our security team, we retain the content of the messages you send us, any attachments, the email address or phone number you write from, and our replies. These records are linked to your order or account only when necessary to resolve your request.
2.4 Technical and analytics data
When you browse chinabusinessbridge.com we collect standard server logs (request method, URL, response code, user agent, referrer, and a truncated IP address — the final octet of IPv4 addresses is stripped before storage). We also use a self-hosted Plausible Analytics instance on EU servers to measure aggregated traffic. Plausible does not set cross-site cookies and does not build user profiles. See our Cookie Policy for the full list of cookies and local-storage keys.
2.5 Firmware update and device data
When your hardware wallet checks for firmware updates via our companion software, we receive the current firmware version and the device model. We do not receive your wallet addresses, balances, transactions, or recovery phrase — these never leave the device.
2.6 Marketing data (only if you subscribe)
If you subscribe to security advisories or our low-volume newsletter, we store the email address you provided and the timestamp and source of your consent.
3. Why we process personal data — and our legal bases
Under Article 6 GDPR and applicable US privacy laws, each processing activity must have a legal basis. The table below links each purpose to its legal basis.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and maintaining your account | Performance of a contract (Art. 6(1)(b)) |
| Processing and delivering your order | Performance of a contract (Art. 6(1)(b)) |
| Invoicing, bookkeeping, tax reporting | Legal obligation (Art. 6(1)(c)) — US federal and state tax law |
| Responding to support, warranty and security requests | Performance of a contract and legitimate interest (Art. 6(1)(b), (f)) |
| Fraud prevention, abuse detection, protecting our systems | Legitimate interest (Art. 6(1)(f)) |
| Firmware update delivery and device authenticity verification | Performance of a contract and legitimate interest (Art. 6(1)(b), (f)) |
| Aggregated analytics on website performance | Legitimate interest (Art. 6(1)(f)) — anonymized, privacy-preserving |
| Marketing communications (newsletter, advisories) | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Marketing cookies (Google Ads, Meta, TikTok) | Consent (Art. 6(1)(a)) — granular, per category |
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing that took place before withdrawal.
4. How long we keep personal data
We do not keep personal data for longer than is necessary for the purposes described above. Specific retention periods:
- Account data: for the life of your account plus 24 months after closure, to allow reactivation and to defend against fraudulent chargebacks.
- Order and invoicing data: 7 years as required by US federal tax record-keeping requirements (IRS) and equivalent EU bookkeeping rules.
- Support correspondence: 36 months from the last message in the thread.
- Security and fraud logs: 18 months.
- Server access logs: 30 days.
- Analytics data: aggregated for 14 months, then permanently deleted.
- Marketing consents: until you withdraw consent, plus 36 months of proof-of-consent records as required by ePrivacy guidance.
- Cookie consent records: 12 months from collection.
5. Who we share personal data with
We do not sell your personal data. We share it only with vetted service providers who act as processors on our behalf, each of whom is bound by a Data Processing Agreement (DPA) that meets the standards of Article 28 GDPR. Our current processors are:
| Processor | Purpose | Country | DPA |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Card and SEPA payment processing | Ireland | Stripe DPA + SCCs |
| BTCPay Server (self-hosted) | Optional Bitcoin payment processing | United States | N/A (self-hosted) |
| Shopify International Ltd. | E-commerce platform and order management | Ireland | Shopify DPA + SCCs |
| Cloudflare Germany GmbH | CDN, DDoS protection, WAF | Germany | Cloudflare DPA + SCCs |
| DHL Express (USA), Inc. | Parcel delivery (primary carrier) | United States | DHL DPA |
| SF Express / FedEx | Parcel delivery (domestic HK / international standard) | Hong Kong / United States | Carrier DPA |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | United States | Postmark DPA + SCCs |
| Sentry (Functional Software, Inc.) | Error monitoring for chinabusinessbridge.com | Germany (EU region) | Sentry DPA + SCCs |
| Plausible Insights OÜ | Privacy-preserving web analytics (self-hosted) | Estonia | Plausible DPA |
We may also disclose data to: our auditors and professional advisers (under confidentiality), our banks and tax authorities (for statutory reporting), and law-enforcement or regulatory authorities where we are legally compelled to do so. Where a disclosure request does not have a valid legal basis, we will challenge it.
6. International transfers
Some of our processors operate outside the United States and the European Economic Area (EEA). Where personal data is transferred out of the EEA, we rely on one of the following safeguards:
- EU Standard Contractual Clauses (2021/914) with the relevant module and additional technical and organisational measures, as assessed through a transfer impact assessment.
- UK International Data Transfer Addendum for transfers subject to UK GDPR.
- Compliance with the EU–US Data Privacy Framework (where the recipient is certified) as an additional safeguard.
- For transfers within the United States, compliance with applicable US federal and state privacy laws, including the CCPA where applicable.
You may request a copy of the safeguards in place for a specific transfer by writing to our DPO.
7. Your rights
You have the following rights in respect of your personal data, subject to the limitations set out in applicable law:
- Right of access — to know what personal data we hold about you and to receive a copy.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — to have your data deleted, subject to our legal retention obligations (notably the 10-year bookkeeping period).
- Right to restriction of processing — to have processing limited in specific circumstances.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object — to processing based on legitimate interest or for direct marketing purposes.
- Right to withdraw consent — where processing is based on consent, at any time.
- Right not to be subject to automated decision-making — see section 8.
- Right to lodge a complaint with a supervisory authority. EU residents may complain to the supervisory authority of their habitual residence. California residents may contact the California Attorney General's office. Residents of other US states may contact their respective state attorney general.
To exercise any of these rights, write to [email protected]. We will respond within one month and will, in any event, acknowledge receipt within 72 hours. Where necessary we may ask for proof of identity before disclosing personal data.
8. Automated decision-making and profiling
We do not make any decisions about you that are based solely on automated processing and that produce legal or similarly significant effects. Our fraud-prevention system may flag an order for human review, but no order is rejected without a human decision.
9. Children
Our products and website are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact our DPO and we will delete it.
10. Security
We apply technical and organisational measures appropriate to the risk, including:
- Transport-layer encryption (TLS 1.3) for all traffic to and from chinabusinessbridge.com.
- Encryption at rest (AES-256) for customer records and backups.
- Password storage using the Secure Remote Password (SRP) protocol and bcrypt hashes with per-record salts.
- Payment tokenisation and hardware-security-module (HSM) isolation for payment credentials, handled by our PCI-DSS-certified processors.
- Role-based access control, mandatory SSO with hardware-backed two-factor authentication for staff, and quarterly access reviews.
- Continuous vulnerability scanning, an external penetration test at least once a year, and a public responsible-disclosure program.
- Written incident-response playbooks and 72-hour breach-notification procedures aligned with Article 33 GDPR.
No security measure is perfect. If you suspect your account has been compromised or see anything unusual, please contact [email protected] immediately.
11. Cookies and similar technologies
For information on cookies, local-storage keys, and how to change your preferences, see our dedicated Cookie Policy.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities or in the law. The "Last updated" date at the top of the page always reflects the most recent material revision. Where changes are material, we will notify you by email (for account holders) or by a prominent banner on chinabusinessbridge.com at least 30 days before the change takes effect.
13. Contact
For privacy questions, data-subject requests, or to report a suspected incident:
Dollar Media Technology Limited — Data Protection Officer
Kam Fone Mansion, 16 Kam Fong Street
Mong Kok, Kowloon, Hong Kong
Email: [email protected]
A Hong Kong registered company