Skip to content
    Skip to main content
    Lyoen & Partners — Home
    Book a discovery call

    Privacy

    Last updated April 23, 2026

    Last updated: April 23, 2026

    Who We Are

    This Privacy Policy explains how Lyoen and Partners Limited ("L&P", "we", "our" or "us"), a company registered in Hong Kong at Unit B, 11/F Yam Tze Commercial Building, 23 Thomson Road, Wan Chai, Hong Kong, collects, uses and protects your personal data when you visit lyoenandpartners.com (the "Website").

    L&P is the data controller responsible for the personal data collected through this Website.

    Our Data Protection Officer can be contacted at: privacy@lyoenandpartners.com

    For any questions regarding this Privacy Policy, your personal data, or to exercise your data subject rights, please contact us at the same address.

    Scope

    This Privacy Policy covers only the Website (lyoenandpartners.com) in its capacity as a public-facing information site for L&P, the BOS methodology, and L&P's advisory and fractional-leadership services.

    It does not cover:

    • getparry.com, the PARRY product marketing site, which is governed by its own privacy policy;
    • app.getparry.com, the PARRY web application, which is governed by a separate privacy policy provided at the point of account creation;
    • Any advisory, consulting or fractional-leadership engagement with L&P, which is governed by the data-protection and confidentiality terms of the applicable engagement letter.

    Information We Collect

    1. BOS Diagnostic Submissions

    When you complete the BOS Diagnostic on the Website, you voluntarily provide:

    • Your first name;
    • Your professional role / title;
    • Your work email address;
    • Your company name;
    • Governance assessment responses in the form of numerical ratings against structured questions about your board cycle;
    • Optionally, a consent indication to receive follow-up communications about your results.

    We also collect your IP address at the point of submission, solely for spam prevention and fair-use enforcement.

    2. Newsletter Subscription

    When you subscribe to L&P's governance insights newsletter, you voluntarily provide your email address. You may also provide additional preferences where offered (e.g. language).

    3. Contact Form and Discovery Session Requests

    When you submit the Website's contact form — including requests for a Discovery Session — you voluntarily provide:

    • Your name;
    • Your work email address;
    • Optionally, a phone or messaging identifier (e.g. WhatsApp number, LINE ID);
    • Your company name or organisation (where provided);
    • A message describing your enquiry or request;
    • A topic or category selection for routing.

    4. Feedback Drawer Submissions

    When you submit feedback through the Website's feedback drawer, you voluntarily provide short structured responses (ratings and free-text) and, optionally, contact details you choose to include for follow-up. The feedback drawer fields are optional.

    5. Browser and Analytics Data

    When you visit the Website, we automatically collect certain technical information through cookies and analytics tools, including: your IP address, browser type and version, device type, approximate geographic location (derived from IP address), pages visited and time spent, and referral source. This data is collected through Google Analytics and through our hosting platform's built-in analytics.

    6. Cookies and Consent Preferences

    When you first visit the Website, a cookie consent banner is displayed, allowing you to accept or decline non-essential cookies. We record your consent choice in a strictly necessary cookie so that your preference is respected on subsequent visits.

    You may update your cookie preferences at any time via the cookie settings accessible from the Website footer. Details of individual cookies are set out in the Cookie Policy.

    How We Use Your Information

    BOS Diagnostic Data

    We use your diagnostic data to:

    • Generate and deliver a personalised BOS Roof Health Report to the email address you provide. This is a transactional communication you have requested by submitting the diagnostic.
    • Store your assessment responses so that they are available as reference material during any subsequent Discovery Session you may choose to book.
    • Where you have given separate consent, contact you about your diagnostic results and relevant governance advisory services.
    • Use the combination of your IP address and email address to prevent duplicate submissions. We do not use your IP address for any other purpose in connection with the diagnostic.

    Newsletter Subscription

    We use your email address to send the newsletter and related governance insights you have subscribed to receive. You may unsubscribe at any time via the unsubscribe link in any email.

    Contact Form and Discovery Session Requests

    We use the information you provide in the contact form to:

    • Respond to your enquiry;
    • Where requested, schedule a Discovery Session or conversation;
    • Keep a reasonable record of enquiries for operational and audit purposes.

    We do not use contact form data for unsolicited marketing outside the scope of your enquiry.

    Feedback Drawer Submissions

    We use feedback drawer data to improve the Website and L&P's service content. Feedback is treated as L&P intellectual property pursuant to the Terms of Service.

    Browser and Analytics Data

    We use analytics data in aggregate to understand Website traffic, improve content relevance and diagnose technical issues. We do not use browser data to build individual user profiles or to target advertising.

    Legal Basis for Processing

    We process your personal data on the following legal grounds:

    • Consent. Newsletter subscription, follow-up contact about diagnostic results (where the separate consent checkbox is ticked), and analytics cookies are processed on the basis of your consent. You may withdraw consent at any time.
    • Legitimate interest. We process BOS Diagnostic data (name, role, email, company, responses and IP address) based on our legitimate interest in qualifying business-to-business leads, delivering the Roof Health Report you have requested, and enforcing fair-use of the diagnostic tool. This processing is proportionate, expected by an individual submitting a business diagnostic, and does not override your rights.
    • Legitimate interest. We process contact form data based on our legitimate interest in responding to enquiries and operating a client-development function. This is proportionate and expected.
    • Legitimate interest. We process feedback drawer data based on our legitimate interest in improving the Website and our service content.
    • Legal obligation. Where we are required to retain or disclose personal data to comply with applicable law, we process on that basis.

    Data Retention

    | Data category | Retention period | |---|---| | BOS Diagnostic submissions (name, role, email, company, responses, score) | 24 months from date of submission, unless you become an active L&P client (in which case engagement-letter retention terms apply) | | IP addresses captured at diagnostic submission | 12 months, solely for duplicate-submission prevention | | Newsletter subscriber list | Until you unsubscribe, or 24 months of no opens/interactions, whichever is earlier | | Contact form submissions | 24 months from date of last interaction, unless you become an active L&P client | | Feedback drawer submissions | 24 months from date of submission | | Browser and analytics data | Up to 14 months (Google Analytics default); aggregated hosting-platform analytics retained for the duration of our use of that platform | | Cookie consent record | 12 months |

    After the applicable retention period, personal data is deleted or anonymised. You may request earlier deletion by exercising your rights below.

    Who We Share Your Data With

    We do not sell or share your personal data with third parties for their marketing purposes. We share data only with the following service providers (sub-processors), who process data on our behalf under contractual obligations to protect your information:

    | Sub-processor | Purpose | Data processed | Hosting location | |---|---|---|---| | Supabase | Website hosting, database, authentication | Diagnostic submissions, newsletter list, contact form submissions, feedback, session data | Singapore (ap-southeast-1) | | Google Analytics (Google LLC) | Website analytics | Browser data, usage patterns (anonymised) | United States | | Resend | Transactional and newsletter email delivery | Email addresses, message content | United States |

    We require all sub-processors to maintain appropriate technical and organisational measures to protect your personal data and to process it only in accordance with our instructions.

    International Data Transfers

    Your personal data may be transferred to, and processed in, countries outside your country of residence:

    • Singapore — for hosting, database and authentication services provided by Supabase (ap-southeast-1 region);
    • United States — for analytics (Google LLC) and transactional / newsletter email delivery (Resend).

    Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission (where required under the GDPR or UK GDPR) and the corresponding safeguards required under the Thailand PDPA, the Vietnam PDPD and the Hong Kong PDPO.

    Google LLC is certified under the EU–US Data Privacy Framework, providing an additional layer of assurance for analytics data transferred to the United States under Google Analytics.

    Singapore provides a comparable statutory framework for the protection of personal data under the Personal Data Protection Act 2012 ("PDPA Singapore"). For transfers of EU or UK personal data to Singapore, we rely on Standard Contractual Clauses to ensure GDPR-equivalent protection.

    AI-Assisted Content

    The Website publishes weekly governance insights that are generated with the assistance of artificial intelligence from curated public sources (published articles, reports and publicly available professional commentary). This content is labelled as AI-assisted in accordance with applicable transparency obligations, including the EU AI Act (Regulation 2024/1689).

    No personal data from Website visitors or subscribers is used as input for generating AI-assisted content. Diagnostic responses are processed algorithmically to produce the Roof Health Report — they are not used to train any AI model and are not shared with any generative AI service.

    Insights and diagnostic outputs are informational and do not constitute professional advice.

    Your Rights

    Depending on your location and applicable law, you have the following rights regarding your personal data:

    • Access — confirmation of whether we process your personal data and a copy of that data;
    • Rectification — correction of inaccurate or incomplete data;
    • Erasure — deletion of your personal data where there is no compelling reason for continued processing;
    • Restriction — restriction of processing in certain circumstances;
    • Data portability — export in a structured, commonly used, machine-readable format;
    • Objection — where processing is based on legitimate interest, you may object; we will cease processing unless we demonstrate compelling legitimate grounds;
    • Withdrawal of consent — where processing is based on consent, withdrawable at any time (withdrawal does not affect prior lawful processing);
    • Complaint — to a supervisory authority in your jurisdiction, for example the relevant Data Protection Authority in the EEA, the Personal Data Protection Committee in Thailand, or the Office of the Privacy Commissioner for Personal Data in Hong Kong.

    To exercise any of these rights, please contact our Data Protection Officer at: privacy@lyoenandpartners.com

    We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

    Data Security

    We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include encryption in transit (TLS), access controls, and regular review of our security practices. No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

    Children

    The Website is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

    Changes to This Policy

    We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the most recent revision. We encourage you to review this page periodically. Material changes will be communicated through the Website.

    Applicable Regulations

    This Privacy Policy is designed to comply with applicable data protection laws, including:

    • The General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR
    • The Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO")
    • The Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA")
    • The Vietnam Personal Data Protection Decree 13/2023/ND-CP ("PDPD")
    • The EU Artificial Intelligence Act (Regulation 2024/1689), with respect to transparency obligations for AI-assisted content

    Where there is any conflict between applicable laws, we apply the standard that provides the highest level of protection for your personal data.

    Contact

    Lyoen and Partners Limited Unit B, 11/F Yam Tze Commercial Building 23 Thomson Road, Wan Chai Hong Kong

    Data Protection Officer: privacy@lyoenandpartners.com

    We use essential cookies to make the site work. With your consent, we also use anonymous analytics to improve it. Read our cookie policy or Privacy Policy