Client Data Privacy

When your organisation engages EMPO, you trust us with documents, data, and sometimes information about the people you serve. This statement explains how we protect it.

Last updated: 1 July 2026

Who this statement is for

This Client Data Privacy & Confidentiality statement is for organisations that engage EMPO Training & Consultancy Services for paid or partnership work — consultancy, organisational development, MEAL (monitoring, evaluation, accountability and learning), proposal and report writing, organisational profiles, website creation, and training commissioned for your team under an engagement.

It explains how we handle your organisation's information, and how we handle any personal data — about your staff, partners, or the affected people and beneficiaries you serve — that you ask us to work with during an engagement.

This is different from our website Privacy Policy. If you are just browsing empomm.com or sending us a message, our Privacy Policy is the one that applies to you. This statement is for organisations that have hired EMPO to do a piece of work.

Individuals who enrol in a course on EMPO Academy (academy.empomm.com) are covered by the Academy's own terms and our website Privacy Policy, not by this statement.

See also our Privacy Policy (how the empomm.com website handles visitor information) and our Terms & Conditions.

Our commitment

EMPO works inside the humanitarian sector in Myanmar. We know that the documents and data you share with us can be sensitive — a draft strategy a donor has not seen yet, a budget, a partner list, or a dataset that includes real people in difficult situations. We treat that responsibility seriously.

Our promise is simple: we keep your information confidential, we only ask for what the work genuinely needs, we follow your instructions, and we do not use your data for anything beyond delivering your engagement.

We are guided by widely recognised data-protection principles — lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality — and we comply with applicable Myanmar law. Myanmar does not yet have a single comprehensive data-protection statute, so we choose to hold ourselves to good international practice rather than to the minimum.

Confidentiality

We treat your documents, strategies, internal data, and the deliverables we produce for you as confidential. That means:

  • We do not share your information with anyone outside EMPO without your agreement, except where we are required to by law.
  • We do not use your materials as case studies, samples, or marketing examples without asking you first and getting your permission.
  • We do not name you as a client publicly unless you are comfortable with it.
  • Anyone at EMPO who works on your engagement is bound by confidentiality, and we keep access to your information limited to the people who actually need it.

If your organisation needs a formal Non-Disclosure Agreement (NDA) — or your donor requires one — we are happy to sign one before work begins. Just ask. Confidentiality continues after the engagement ends; it does not expire when the invoice is paid.

We work on your behalf — under your instructions

When we handle personal data as part of your engagement, the principle is simple: it is your data, your purposes, and your decisions, and we act on your instructions. In legal terms, you are the data controller and EMPO is the data processor — a service provider acting on your behalf.

In practice this means:

  • We process personal data only to carry out the work you have asked us to do, and only as you instruct.
  • We do not decide, on our own, to use your data for new or unrelated purposes.
  • We do not sell, rent, or trade your data, and we do not build our own mailing lists or profiles from it.
  • If an instruction looks like it would breach the law or put people at risk, we will tell you rather than simply proceed.

We ask only for what the work needs

Data minimisation is one of the most practical protections there is: information we never hold cannot be lost, leaked, or misused. So at the start of an engagement we agree what data we actually need to do the job well, and we ask for that — not for everything you have.

Where a task can be done with anonymised or aggregated data instead of records that identify individuals, we will suggest that. Where we only need a sample rather than a full dataset, we will ask for a sample. If you send us more than the work requires, we will say so.

Special care for humanitarian and beneficiary data

Some engagements — particularly MEAL work — involve personal data about affected people: survey responses, beneficiary lists, complaints and feedback, case information. This is the most sensitive data we ever touch, and it gets the most care.

Our handling of this data is aligned with humanitarian data-protection norms, including:

  • Do No Harm — we work so that handling data does not expose people to risk, stigma, or harm.
  • Accountability to Affected Populations (AAP) — we respect that the data belongs to real people who have a stake in how it is used.
  • The principles in the ICRC Handbook on Data Protection in Humanitarian Action, which set the standard for protecting personal data in humanitarian contexts.

Concretely, that means we minimise the collection of directly identifying details, we anonymise or pseudonymise data as early as is practical, we are especially careful with anything that could reveal location, ethnicity, religion, health, or protection status, and we never present findings in a way that could identify a vulnerable individual. We follow the principles of these recognised standards; we do not claim a certification we do not hold. We hold ourselves to the practice that protects people, not to a badge.

How we keep your information secure

We use proportionate, sensible security measures to protect your information against loss, unauthorised access, and disclosure:

  • Need-to-know access — only the EMPO team members assigned to your engagement can see your data, and only the parts they need.
  • Secure storage — files are kept in protected, access-controlled accounts rather than on open or shared drives.
  • Secure transfer — we agree a safe method for sending files, use protected links or sharing controls rather than unprotected attachments where it matters, and avoid sending sensitive data over insecure channels.
  • Trained people — our team understands confidentiality and humanitarian data protection, and treats your data as carefully as their own work.
  • Secure logins — we use protected passwords and enable multi-factor authentication on the tools that support it.

No system is ever perfectly secure, and we will not pretend otherwise. What we promise is to apply reasonable, current safeguards and to keep improving them.

Tools and sub-processors

To deliver an engagement, we sometimes rely on reputable third-party tools — for example, cloud storage and document collaboration, email, and data-collection or analysis tools such as spreadsheet and Kobo-based templates. These tools are used in the course of client work, not on our public website. We use them only as needed to deliver your engagement, and we choose established providers with their own security practices.

If your engagement or your donor requires that we name the specific tools we will use, that we avoid certain platforms, or that data stays within particular systems, tell us at the start and we will work within those constraints. Anyone we bring in to support an engagement is held to the same confidentiality obligations we hold ourselves to.

Retention, return, and secure deletion

We keep your data only for as long as the engagement needs it, plus any short period we agree for revisions, sign-off, and our own records.

At the end of an engagement, we will — at your choice:

  • Return your data and deliverables to you in an agreed format, and/or
  • Securely delete the copies we hold, including working files, once you confirm you no longer need us to keep them.

If you need a written confirmation that data has been deleted, we will provide one. Where a donor or contract sets a specific retention or destruction requirement, we will follow it.

If something goes wrong: telling you about a breach

If we become aware of a data breach affecting your information — for example, unauthorised access, loss, or accidental disclosure — we will tell you as soon as we reasonably can, normally within 48 to 72 hours of becoming aware. We will explain what happened, what data was involved, what we are doing about it, and what we recommend you do next. Where your engagement's agreement sets a specific notification window, that window applies.

Because you are the data controller, prompt notification matters: it lets you meet your own obligations to donors, regulators, and the people whose data is affected. Your named EMPO point of contact owns this, and can bring in our founder and CEO, Zon Hsai, where needed. We will support you throughout.

Your responsibilities as the client

Good data protection is a shared effort. As the data controller, a few things rest with your organisation:

  • Lawful basis and consent — make sure you have the right to share the data with us and to have it processed, including any consent needed from the people the data is about.
  • Accurate instructions — tell us clearly what you need done with the data, and let us know about any restrictions, donor requirements, or sensitivities before we begin.
  • Send only what is needed — please avoid sending us personal or sensitive data the engagement does not require, and use the secure channels we agree.
  • Keep us informed — if a data subject withdraws consent, or your instructions change, let us know so we can act on it.

Working with international partners and across borders

Many of our clients work with international donors and partners, and some of the tools we use are operated by providers based outside Myanmar. This can mean data is stored or processed in other countries.

Where that is the case, we handle it transparently and in line with the data-protection principles in this statement and any requirements your donor or contract sets. If your engagement requires data to stay within Myanmar or within specific systems, tell us at the outset and we will design the work around that.

Formal terms for each engagement

This page is our standing commitment. Each specific engagement is governed by the agreement we sign with you — which may include a contract or scope of work, an NDA, and where relevant a data-processing agreement that records exactly what data we handle, for what purpose, and under what safeguards.

These documents are available on request, and we are glad to use your organisation's or your donor's template where you have one. The governing law and terms for a paid engagement are set out in the agreement for that engagement.

Questions or requests? Talk to us

If you have a question about how we will handle your data, need an NDA or data-processing agreement, or want to ask us to return or delete data, please get in touch. A real person will respond.

  • Email: contact@empomm.com
  • Phone: +95 9 250 326 876
  • EMPO Training & Consultancy Services, Yangon, Myanmar

For a specific engagement, your named EMPO point of contact is the fastest route — and they can loop in our founder and CEO, Zon Hsai, on any data-protection question that needs it.

This statement was last updated on 1 July 2026. We may update it as our practice and Myanmar's data-protection law develop, and the latest version is always the one on this page.