← All materials

PolyU Alumni Data Integration — Final Synthesized Plan

Opportunity: EventBinder (Kenta Ng) pitching "Robbie" (Mr Robbie Sin, IT Manager, PolyU Alumni Affairs Office) on two named workstreams — (1) LinkedIn profile refresh / alumni-data currency, and (2) event registration data integration.

Prepared by synthesizing two independent efforts:

Date: 2026-07-11. Status: internal synthesis + client-ready recommendation. v2 — cross-checked against an independent, blind codex rerun (Section F); its convergence confirms the spine, and four of its risks are elevated below. v3 (2026-07-12) — delivery model set to on-prem self-host in the AAO office (client direction; Robbie green-lit) and Parking added as Pilot Zero (§C.8); see the updated hosting bullet in §C.5 and the new discovery items in §D. v4 (2026-07-12) — added §C.12 QR & Wallet identity layer and §C.13 AI-assisted data integration (self-hosted, human-in-the-loop — Robbie-requested); +2 discovery items. v5 (2026-07-12) — added §C.14 Information-architecture reference (SCAA + Alpha student platform reviewed live); the alumni portal's gap is information surfaced, not styling.

How to read this doc: Section A is the decision-comparison table (the core deliverable — every major choice with why-chosen / why-not). Section B is the evidence-confidence ledger (what is safe to say vs speculative — read before any client contact). Section C is the full final plan. Section D is open questions + immediate next actions (cover message + reconciled meeting-question shortlist).


0. The single sharpest positioning (the one decision that matters)

"You already own the systems. What you don't own is the seam. I'm proposing a paid six-week discovery that maps and proves one governed path back to your Alumni record — for LinkedIn-sourced career data and for event participation from every source (CEMS, art-mate, PFS/LimeSurvey) — not another app, event system, or QR check-in."

This fuses PA's "One Alumnus, One Record" narrative frame with PB's discipline of scope (interoperability/data-contract layer, explicitly not a product pitch, sized as a de-risking discovery). Robbie is technical and is AAO's own IT manager — the pitch must read as an integration-architecture proposal to a peer, wrapped in a memorable one-record story, never as a vendor selling a platform.


A. Decision-comparison table (PA vs PB vs Final + rationale)

# Decision PA's position PB's position FINAL Why final / why not the alternative
A1 Core positioning "Alumni Engagement Layer" on top of AMS/CEMS; gamification, digital card, wallet passes, engagement mechanics ("One Alumnus, One Record"). Narrow "data interoperability" layer: identity linkage + data contracts + consent/provenance + writeback. Explicitly NOT an app, event system, QR, or gamification. PB's scope + PA's story. Sell a data-interoperability discovery, framed with PA's "one alumnus, one record, one journey" narrative. Gamification/wallet/app are a future-vision appendix slide, not the ask. PB is correct on scope: Robbie asked for exactly two things (LinkedIn + event data), and CEMS already does QR check-in, payment, social login, attendance, analytics — pitching an app or QR layer pitches what they own and reads as a vendor upsell to a technical buyer. PA's engagement-layer framing over-scopes and invites the "why not ITS?" and "$1/head" fights. But PA's narrative is far more memorable and sellable than PB's dry "governed path," so we keep the story and drop the extra product.
A2 Scope of workstream 1 (LinkedIn) LinkedIn is structurally dead for individual records; recommend non-renewal / downgrade to free Alumni tab; redeploy HK$300k into first-party capture. "Sign in with LinkedIn" = login only (name/email/photo). Optional vetted enrichment feed (EverTrue) after legal review. Same first-party core, BUT adds Verified on LinkedIn (Lite/Plus) as a possible legitimate consented career-refresh route (Plus lists current position + recent education + change notifications under member OAuth). Do NOT recommend cancelling before auditing the contract. PB's LinkedIn framing wins, with PA's redeployment logic held in reserve. Lead with: audit the contract first; test Verified-on-LinkedIn (dev/Lite) feasibility; first-party progressive profiling is the guaranteed engine; enrichment feed only post-legal-review. Do not open with "cancel the HK$300k." PB found a product PA's research never examined. PA's "no LinkedIn product can ever deliver individual records" is overstated — it's true of Talent Insights/Recruiter/Sales Nav/public API/scraping (all well-sourced in PA), but Verified on LinkedIn Plus is a member-consented per-profile API that returns current position + education (PB sourced to Microsoft Learn docs, 11 Jul 2026). Both agree it needs written LinkedIn+PolyU approval and may require a Plus partnership. PA's "cancel it" is politically dangerous — the contract may sit with HR/Careers/Comms, not AAO, and rubbishing it before evidence attacks an internal stakeholder. PB's "judge against purchased purpose, not a predetermined cancellation result" is the wiser play.
A3 Scope of workstream 2 (events) Unified event layer that replaces art-mate for flagships, writes registration+attendance back to AMS; CEMS keeps small events; cabi POS for on-site scan/badge. Canonical event-participation data contract across CEMS + art-mate + PFS/LimeSurvey + future vendors; reconciliation + exception queue + writeback. CEMS is the default; external systems allowed but must return data to a standard. NO new registration/QR/scanner product. PB's data-contract approach. The deliverable is a canonical participation contract + connectors + reconciliation, not a competing event system. CEMS stays the operational default. PA's "replace art-mate for flagships" re-opens the exact ticketing-vs-ticketing / HK$1-per-head price fight PA's own incumbent analysis warns against, and it duplicates CEMS. PB's "make data-return mandatory, don't ban the tool" is both cheaper to sell and technically correct. PA's on-site POS/scanner build is out of scope for a discovery and competes with CEMS scanning. Keep PA's "attack the seam" line — PB operationalizes it as the data contract.
A4 Architecture Engagement & Integration Layer (EIL): identity gateway, engagement ledger, consent ledger, profile-delta queue, connectors (CEMS/art-mate/form), rotating signed QR token. Minimal data, AMS = system of record. Event Interoperability Service + LinkedIn connector: source adapters, schema validation, identity match (confidence tiers), consent check, provenance, exception queue, reconciliation. Profile-assertion contract + event-participation contract. "Reuse existing ITS integration bus/iPaaS/ETL first." Merge — they are the same architecture. Use PB's naming (interoperability service, assertion/participation contracts, adapters) + PA's "minimal data, opaque join key, AMS untouched" discipline + PB's critical "reuse existing ITS middleware first" principle. Rotating-QR token = deferred (belongs to a build, not discovery; and see A11). The two designs are ~90% identical (both: append-only engagement ledger, per-purpose consent ledger, profile-delta/assertion queue, no second master record). PB adds the discovery-critical instruction to check for an existing ITS integration bus/iPaaS before proposing a new runtime — avoids the "you're duplicating our platform" objection. PA's rotating signed QR is well-designed but is a build feature, not a discovery item, and drags the events story back toward "new QR product" (A3). Defer it.
A5 Privacy / PDPO Deep PDPO analysis: Part VIA (donations = DM), s.35J/35K written consent for FHKPUAA provision, DPP1/DPP3, penalties, s.35D grandfathering, TPCL for lucky draws, no fingerprinting. Consent-per-purpose ledger. Consent-per-purpose separation table, PICS matrix, "marketing consent never a condition for ticketing," data-processor obligations (destroy on termination, no subcontracting/AI without consent), PolyU PO Data Privacy Terms. PA's depth + PB's data-processor framing. Use PA's PDPO substance (Part VIA, DPP1/DPP3, s.35D grandfathering as a budget argument) AND PB's operational rules (EventBinder = data processor under PolyU PO terms; no personal data to external AI services; destruction certificates). Correct PA's one over-reach (see A5-note). PA researched PDPO deepest and best-sourced (PCPD Direct Marketing guidance read in full). PB contributes the data-processor legal posture that PA lacks — critical because PolyU's standard PO terms make EventBinder a processor with destruction/subcontracting/AI-tool obligations. A5-note / correction: PA's own critic flags that "sharing AAO→FHKPUAA data needs written consent" is too broad — s.35J/35K written consent applies specifically to provision for direct marketing; non-DM sharing is a DPP3 prescribed-consent question. Use the corrected version. Also: FHKPUAA is now out of primary scope (see A9), so this mostly becomes a discovery flag, not a workstream.
A6 Procurement / tender path Small direct-award paid discovery, then pilot sized under threshold, then scale. "Ask the threshold numbers in meeting 1." No figure researched. HKD 50k–200k = Finance Office RFQ (≥3 quotes); >HKD 200k = tender (public Dec-2024 departmental quick guide). Discovery at HKD 188k will likely need competing quotations — do NOT expect a relationship direct-award. Never split scope to dodge a threshold. COI disclosure (proposer is an alumnus with an AAO relationship). PB's procurement realism. Expect the HKD ~188k discovery to face an RFQ with ≥3 quotes, not a direct award. Confirm the current Finance band with Robbie. Prepare COI disclosure and supplier registration early. PB actually researched the thresholds; PA's "size it for direct award" is an unsupported assumption — PA's own critic lists procurement as un-researched gap #1, and "direct award below threshold" is likely wrong at HKD 188k (which sits in the RFQ band and near the tender line). PB's honest "you will probably compete" is safer and prevents a strategy built on a false premise. Caveat: the HKD 200k tender figure comes from a departmental quick guide (PB self-labels it "planning evidence, not the final rule") — confirm in the meeting; do not state it to the client as settled.
A7 Pilot design Phase 1 Card+Capture pilot (~3-4mo), Phase 2 Events+Rewards (~4-6mo), ship before Homecoming 2027. Each phase separately signable. 3 controlled proofs: Pilot A LinkedIn dev-tier proof (5-10 test accounts, synthetic AMS); Pilot B event integration proof (1 CEMS + 1 external/PFS source, idempotency/matching/reconciliation); Pilot C one controlled live 100-400-person AAO event. Homecoming = retrospective case study, NOT first live test. PB's three-proof pilot. It maps exactly to the two workstreams and de-risks with synthetic data before any production PII. Keep PA's "each phase separately signable" + "Homecoming 2027 as the ship-by milestone" framing. PB's pilot is tighter, evidence-gated, and correctly forbids using the 6,000-person Homecoming as the first live test (a build-order discipline PA lacks). PA's "Card+Capture / Events+Rewards" phases presume the engagement-layer product rejected in A1 and include gamification/wallet not in scope. PA's 90th-anniversary deadline and land-and-expand phasing are good and retained.
A8 Commercial structure Phase 0 fixed-fee discovery (number TBD, "small enough for direct award"); Phase 1-2 fixed-price build + annual licence; anchor annual number vs HK$300k LinkedIn + Hivebrite enterprise. IP: PolyU-branded, EventBinder retains platform IP, source escrow. Specific numbers: discovery HKD 168k-198k, open at HKD 188k, floor HKD 158k (only w/ written scope cut). Pilot ranges: LinkedIn proof 120-220k; CEMS+1 connector 280-480k; combined production pilot 520-900k. Milestone split 25/35/30/10. Form A (bespoke, PolyU-owned infra) vs Form B (EventBinder licensed service). Background-IP carve-out; don't submit reusable source as a deliverable. PB's commercial machinery wholesale. Open at HKD 188k discovery, floor 158k with written scope reduction, milestone-billed 25/35/30/10. Keep PA's anchor-vs-LinkedIn/Hivebrite line for the eventual build quote only, not the discovery. Prepare Form A vs Form B before hosting policy is known. PB did the real commercial work; PA left it "TBD, refine after discovery." PB's background-IP carve-out and "quote core-code ownership as a separate buyout; don't let a discovery PO capture the platform" are essential given PolyU's broad PO IP terms. PA's Hivebrite/LinkedIn anchoring is useful but PA's own research grades that SaaS pricing as weak ([likely], search-result grade) — so use it as rhetoric in the build phase, never as a quotable fact.
A9 FHKPUAA Treated as a live integration opportunity (unified card, NetID SSO into the new Federation portal, graduate-verification API kills transcript uploads); Phase 3. Deep research on Cambison, EGM, new portal. Explicitly out of primary scope — "FHKPUAA is not a primary stakeholder unless AAO identifies a specific dependency. Robbie is AAO, not FHKPUAA." PB's exclusion. Keep FHKPUAA as a discovery flag / phase-3 vision note only, not a workstream. Retain PA's research as background (eligibility-claim pattern, not a second member DB). Robbie asked for two things; FHKPUAA is neither, and V3's evidence shows individual FHKPUAA membership already routes through the Alumni Portal — so the "bridge" PA designed is partly moot. Pulling it in bloats scope and adds the highest-PDPO-risk data-sharing question uninvited. PA's Federation research is genuinely good and stays in reserve for when AAO raises it.
A10 Handling the incumbent (art-mate / AlphaSoft) Rich profile (§7b): 5 positioning rules — sell a different category, attack the seam not the vendor, lead with data-governance, offer year-one coexistence, let HKAAA→Glue-Up make the argument. Deep tech/company intel. art-mate = one event source that must return data to the standard; "coexistence" via mandatory data-return contract; use Homecoming as a case study to measure real match rates. No badmouthing. PA's positioning doctrine + PB's mechanism. Use PA's five rules (esp. "attack the seam, never the vendor" and coexistence) as the stance; use PB's canonical data-return contract as the how. Keep the incumbent intel internal. This is PA's standout unique asset — PB never profiled the incumbent. The 5 rules are exactly right and prevent the price-anchoring trap. PB supplies the concrete deliverable (external-vendor data-return standard) that turns "coexistence" from a slogan into a contract clause. Do NOT surface the incumbent's tech weaknesses (PHP 5.6, AWS Singapore, no PICS) as an attack — PA's own critic grades several as inference, Lo is personally trusted by AAO, and it's beneath a governance pitch.
A11 Rotating QR / digital card / wallet In-app rotating QR (CityU pattern) + Apple/Google Wallet passes; central to the "card done right" feature. Opaque, event-scoped, revocable tokens with no PII in the QR (a security principle), but NO new QR product. Defer to a build; keep only PB's security principle. In discovery, adopt "no personal data in QR/URLs; opaque revocable tokens" as a design rule. Do not pitch a rotating-QR card or wallet passes. PA's card is a genuinely good product idea but (a) it's a build feature not a discovery item, (b) PA's own critic flags two unverified claims under it (iOS PWA cache/eviction misstatement; Apple Wallet has no rotating barcode, so "add to Apple Wallet at turnstiles" may not work without NFC hardware), and (c) it competes with CEMS's existing check-in. Wrong altitude for this pitch.
A12 Gamification Tier system, streaks, stamp rally (cabi QR-art collectibles), leaderboards, NUS AlumPERKS merchant model — framed as hypothesis+measurement (CASE AEM). Explicitly out of scope; "prove the loop before game mechanics." PB's exclusion. Cut from the pitch entirely; retain "hypothesis + CASE-AEM measurement" framing only if AAO asks about engagement ROI. Both efforts agree gamification lacks proven ROI (PA's critic caught PA's platforms memo overselling ASU Sun Devil Rewards against PA's own playbook). It's not one of Robbie's two asks and reads as scope-creep to a technical buyer. Kill it.
A13 Discovery deliverable & duration Phase 0: 4-6 wks, stakeholder interviews + systems audit + tech spike (SSO + one AMS API call). Costed roadmap + KPI baseline. 6 wks, week-by-week plan, 15 deliverables, acceptance criteria requiring written sign-off from BOTH AAO and ITS, a working dev-tier LinkedIn proof + event reconciliation prototype, and an "access-dependent proof is not silently waived" clause. PB's 6-week structured discovery with explicit acceptance criteria and the dual AAO+ITS sign-off. Fold in PA's specific spike targets (NetID SSO round-trip; one AMS write-back; one CEMS event read). PB's discovery is dramatically more rigorous (acceptance criteria, failure-state handling, "blocked test → document dependency + smallest next action"). PA's spike targets are excellent and concrete — merge them in as the technical proof content. Dual sign-off is a PB insight that protects against AAO saying yes while ITS blocks integration.
A14 Meeting / discovery strategy Top-5 discovery questions; credibility slide (PolyU DS grad, ex-AMA lecturer, campus WiFi, BME KOA client work); demo kit; "do NOT say" list. 90-min technical scoping session, 8 named roles, timed agenda, "then stop — let them explain," 40 prioritized questions, objection-handling scripts. Cover message drafted (WhatsApp/email, bilingual). PB's meeting choreography + PA's credibility positioning + reconciled question set (Section D). Use PB's cover message (already Robbie-specific, bilingual) with one PA-sourced tightening. PB's meeting mechanics are more complete (roles, timing, objection scripts, "then stop"). PA contributes the credibility narrative (Kenta is a PolyU-native target user — genuinely differentiating) and the sharp "do NOT say" guardrails (2011 not 2017; no "HKU CONNECTS"; don't assert Dynamics; don't badmouth art-mate). Merge.

A5-note, A6-caveat, A10-caution are carried into Sections B and C below.


B. Evidence-confidence ledger — read before ANY client contact

The two efforts researched different things and disagree on what is proven. This ledger reconciles them. Grade key: ✅ primary-sourced & safe to state · ⚠️ likely / inference / single-source — hedge it · ❌ unsupported or client-asserted — treat as a discovery question, never a claim.

Fact Grade Reconciliation notes
AMS + Alumni Portal in-house by ITS, live 2024-06-13, "free from licensing restrictions" Both efforts; PA sourced to ITS Jun-2024 eNewsletter. Anchor fact.
First 10 days: ~5,200 visits, **~4,000 records updated** (<1% of base) Same eNewsletter. The problem-statement number.
CEMS: QR + card check-in, MS/Google/Apple/WeChat guest login (from 2024-12), payment, analytics Both; PA sourced to ITS CEMS service page + Nov-2024 eNewsletter. This is why "don't pitch QR" is correct.
PFS event registration = LimeSurvey ✅ (PB) / absent in PA Key reconciliation: PB confirmed via PFS footer/page metadata (V3 evidence table, obs 12704). PA's 12 memos never mention LimeSurvey/PFS at all. Not a contradiction — PA simply didn't look at PFS; PB's sourcing is sound. Safe to state, attribute to "PolyU Form Service (PFS)".
Alumni Portal is Next.js ⚠️ (PB) / absent in PA PB fingerprinted it (obs 12705); PA found the stack deliberately masked (strict CSP, masked x-powered-by) and framework "unknown." Treat as likely, not load-bearing — do not assert the framework to ITS.
2011 NetID split (NOT 2017) Both efforts independently corrected the "2017" premise in Kenta's brief. PA sourced to alumni FAQ. Do not repeat "2017" to the client.
90th anniversary 2027; Strategic Plan 2025/26-2030/31 names alumni engagement PA downloaded and text-extracted both. Deadline + budget hook.
Homecoming 2026: art-mate = gate admission QR only; all capacity-limited sub-activities on CEMS; ≥1 gathering on PFS; 6,000+ attendees, ~200 volunteers PA (curl-verified redirects) + PB. Use the narrow version — art-mate did only the gate; that two-system seam is PolyU's own design.
LinkedIn: Talent Insights aggregate-only; Recruiter 25/export cap, hiring-use; Sales Nav no export; public API closed 2015-05; Sign-in returns identity only; scraping legally dead (hiQ, Proxycurl, PCPD) PA's best-sourced section (LinkedIn's own docs + case law).
Verified on LinkedIn (Lite/Plus) — Plus lists current position + recent education + validation status + change notifications, member-OAuth, subject to Plus partnership + written agreement ✅ (PB) / absent in PA The substantive LinkedIn disagreement. PB sourced to Microsoft Learn (11 Jul 2026). PA's "no product can ever deliver individual records" is therefore overstated. Both agree it needs LinkedIn+PolyU written approval and may need a Plus partnership. State it as a feasibility to test in discovery, not a promise.
HK$300k/yr LinkedIn spend ❌ client-asserted Neither effort verified it. PA matched ≈US$38.5k to a median contract (⚠️ inference). Which product/seat/owner = discovery question #1. Never state as fact; never say "cancel it."
art-mate = AlphaSoft Design Ltd; PHP 5.6.37 (EOL); HK$1/free-reg + HK$600/event + HK$1,000/yr + 1% commission; AWS Singapore; PolyU relationship since 2014 ✅ (facts) / ⚠️ (7-FTE headcount, "HK$1/head paid" extrapolation) PA only (PB never profiled incumbent). PHP/pricing/AWS/2014 = confirmed via live curl + art-mate's own pages. 7 staff = single paywalled Ming Pao source (⚠️); HKAAA→Glue-Up migration = ⚠️ (search excerpt, page not fetched). Keep all incumbent intel INTERNAL.
PDPO: Part VIA (donations=DM), s.35C/E/F/G, s.35J/35K written consent for third-party DM provision, s.35D narrow grandfathering, DPP1 not-excessive, penalties HK$500k/3yr & HK$1M/5yr PA read PCPD Direct Marketing guidance in full. Correction: s.35J/35K applies to provision for direct marketing only; non-DM AAO↔︎FHKPUAA sharing is a DPP3 question (PA critic flagged PA's own over-broad wording).
EventBinder = data processor under PolyU PO terms: destroy PII on termination, no subcontracting/no external-AI without written consent, broad PolyU IP ownership, 12-mo warranty, breach notice ✅ (PB) PB read the public PolyU PO Data Privacy + PO terms PDF. PA lacks this. Drives the background-IP carve-out and "no PII to AI services" rules.
Procurement: >HK$50k-200k = Finance Office RFQ ≥3 quotes; >HK$200k = tender ⚠️ PB only, from a Dec-2024 departmental quick guide (PB self-labels "planning evidence, not final rule"). PA researched nothing here (its own critic: gap #1). Confirm with Robbie; do not state as settled. Any HKD 200k figure appearing as fact in PA's PROPOSAL.md would be unsourced.
CityU rotating-QR / killed physical cards 2025-03; HKUST alumni app (Beautitag); Hivebrite/Graduway/Vaave pricing ⚠️ PA only, mostly search-result grade. HKUST app ✅ (App Store fetched). CityU ⚠️. SaaS pricing ⚠️ — never quote as fact. Only relevant if we pitch a card/build (we don't, in discovery).
FHKPUAA: Cambison third-party application host; new membership portal "in final upgrades"; 24-Oct-2025 EGM, 5 member categories; individual membership routes through Alumni Portal ✅ (mostly) / ⚠️ ("payments processed on Cambison host" = inference) PA deep-researched. Out of primary scope (A9) — background only.
cabi (EventBinder) v2025 apps' live-traffic / production status ✅ (stack) / ⚠️ (event-mgmt) — verified 2026-07-12 Live SSH probe: cabi2025 is a real prod box (408d uptime) running dashboard + backend + analytics via Cloudflare Tunnel + Tailscale. Reusable & claimable: the operating stack + analytics. NOT present on cabi2025: event management, payments, SSO, consent ledger. falcon23 verified 2026-07-12: runs cabi_binder_app (event mgmt) + cabi_qr_app (QR check-in) via CF Tunnel → event + QR are reusable, not net-new. Still unverified: payments, SSO, consent, and real prod traffic (box freshly booted, prod+dev mixed).

Three architecture/analytics conflicts to resolve explicitly (both efforts or PA-internal):

  1. cabi device-fingerprinting analytics (FPID+IP+TLS) is disqualifying for a public university under PCPD's posture — must be rebuilt as consented, account-based tracking, or omitted. Never show fingerprinting to PolyU. ✅ Confirmed in code 2026-07-12: cabi_binder_app uses clientjs + api/createFPID_record.ts (FPID) with zero consent framework (grep consent|privacy|gdpr|pdpo = 0). Strip or gate behind consent before any PolyU build.
  2. Apple Wallet has no rotating barcode — so "add eCard to Apple Wallet at turnstiles" may be unusable without NFC certification. (Moot if we defer the card, per A11.)
  3. Mainland China access: cabi is Cloudflare-first (degraded/blocked in the Mainland); 14 mainland networks + WeChat-login users. Flag as a discovery/hosting item (PB's hosting Option C boundary + WeChat channel), don't hand-wave.

C. The full final plan

C.1 What we are pitching (and explicitly not)

Pitching: A six-week, fixed-fee paid discovery that produces working proofs and canonical data contracts for the two workstreams Robbie named, plus a costed pilot SOW — an implementable blueprint AAO keeps regardless of who builds it.

Explicitly NOT pitching (say this on page one): a replacement for AMS/Alumni Portal or CEMS; a new alumni app (native or PWA); a new QR/ticketing/payment/check-in product; campus-wide gamification; LinkedIn scraping; automatic profile overwrite; an FHKPUAA redesign.

The frame: One alumnus, one record. Today one alumnus can register on art-mate for the gate, on PFS for one activity, and on CEMS for another — three sign-ups, no single person-linked record landing in AMS. Every silo works; the seams don't. The discovery maps and proves one governed path back to the record.

C.2 Positioning against the "why not ITS?" objection

ITS built AMS in-house in June 2024 specifically to escape vendor licensing — so any pitch touching the system of record dies. Position EventBinder as: an integration architect across AAO/ITS/LinkedIn/vendors; a delivery accelerator outside the ITS backlog; a vendor-neutral designer of canonical data contracts; a builder of proof connectors and exception workflows. Everything is built against ITS-owned, documented, hand-over-able interfaces (source escrow if procurement requires). Reuse any existing ITS integration bus/iPaaS/ETL first. The architecture is deliberately designed so engaging EventBinder now never locks PolyU out of insourcing later. Answer to "ITS can build it": "The discovery is useful either way — it gives ITS agreed source contracts, field semantics, privacy rules, exceptions, tests, and a working LinkedIn spike. PolyU then chooses the delivery owner."

C.3 Workstream 1 — LinkedIn data integration (honestly)

LinkedIn refresh policy default: "notify and confirm," never silent career-profile replacement. Missing LinkedIn fields never clear valid AMS data. If durable LinkedIn-derived storage isn't permitted, use it only as a temporary prefill and store the alumnus's independently confirmed correction as the AMS value.

C.4 Workstream 2 — event registration & data integration

C.5 Target architecture (merged)

Sources (LinkedIn OIDC/Verified APIs; CEMS; art-mate; PFS/LimeSurvey; approved CSV) → source adapters (API/webhook/scheduled export/controlled file) → Alumni Data Integration Service (identity linkage · consent + provenance · profile assertions · event-participation ledger · exception queues · reconciliation · audit/monitoring) → approved, traceable updatesAMS + Alumni Portal (official record — untouched internals) → AAO reporting (freshness, source coverage, participation, exceptions).

Design invariants (from both efforts):

C.6 PDPO / data-governance (merged, corrected)

Data flow PDPO handle Approach
Event/membership/donation asks to named alumni Part VIA direct marketing (silence ≠ consent; penalties to HK$500k/3yr, HK$1M/5yr for transfer-for-gain) Segmentation joined to the consent ledger; first-use opt-out; withdrawals propagate to AMS
Collecting profile data DPP1 (adequate, not excessive; fair means) Progressive 1-2 field confirmation is the minimal-collection pattern
New purpose DPP3 (prescribed consent) Enumerated purposes; new purpose = new flag = new capture flow
AAO→FHKPUAA provision for DM s.35J/35K written consent FHKPUAA a named transferee; fhkpuaa_provision flag captured in-flow. (Non-DM sharing is a separate DPP3 question — corrected from PA's over-broad wording.)
Third-party enrichment DPP1/DPP3 + PCPD anti-scraping No scraping; vetted feed enters as confirm-before-write suggestions, post legal review
Legacy pre-2013 records s.35D narrow grandfathering; burden on data user Likely NOT grandfathered without proof → a large share needs fresh Part VIA consent. This is a budget argument as much as a risk.

EventBinder as data processor (PolyU PO terms): destroy PII on termination with destruction certificates; no subcontracting without written consent; no production/sample personal data into external AI services (OpenAI/Anthropic/Google/public Ollama) without written approval — use synthetic data; server-side authorization on every person/event record; encryption in transit + at rest; tamper-resistant audit; role separation (view/match/approve/export/admin). Consent is never a condition of ticketing, attendance, LinkedIn connection, or profile correction. Lucky draws (if ever) need a Trade Promotion Competition Licence (HK$1,590, ~2-wk lead, no cash prizes) — flag, don't build.

C.7 Handling the incumbent — five rules (internal doctrine)

  1. Sell a different category — data-interoperability/governance, not a per-event ticketing tool. Never build a feature-vs-feature table (the HK$1/head anchor kills the deal).
  2. Attack the seam, not the vendor — "In 2026 one alumnus signed up on art-mate for the gate and again on CEMS/PFS for activities. 2027 = one identity, one record, one journey." Critiques PolyU's own two-system split.
  3. Lead with data ownership + governance — every scan feeds AAO's own record via SSO-verified identity, HK-controlled, PDPO-documented. Unanswerable by a 7-person shop; you never name them.
  4. Offer year-one coexistence — art-mate keeps ticketing; you own the data contract, reconciliation, and writeback. Lets AAO say yes without firing anyone Lo knows.
  5. Let the HKAAA→Glue-Up migration make the argument (⚠️ verify before quoting) — a longtime art-mate client already graduated its membership function to a dedicated platform.

Keep all incumbent tech intel (PHP 5.6, AWS Singapore, no PICS, contact details) strictly internal — several claims are inference-grade, and Lo is personally trusted by AAO.

C.8 Pilot (post-discovery, quoted separately)

C.9 Commercial (internal)

C.10 Measurable outcomes (baselined in discovery)

Freshness (% records confirmed in last 12mo; monthly volume vs the ~4,000-in-10-days baseline) · closed event loop (% registrations resolved to an AMS record; % attendance written back <24h — today ~0) · verified identity at events (% flagship registrations via SSO vs self-declared) · consent coverage (% contactable records with current Part VIA flags) · engagement in CASE Alumni Engagement Metrics framing (experiential/volunteer/philanthropic/communication) for peer-benchmarkable numbers. LinkedIn: connection rate, usable-profile rate, confirmed-update yield, assertion acceptance rate, refresh yield. Voluntary LinkedIn connection / optional updates are measured outcomes, not guaranteed software acceptance.

C.11 Kenta's credibility (the differentiator)

PolyU BSc (Hons) Data Science 2019 and a target user of this system (his own duplicate "EventBinder CEO" career rows are a live demo of the data-quality problem); former AMA visiting lecturer + capstone supervisor (2021-25); built PolyU campus Wi-Fi (HKT era); delivered PolyU BME KOA system infra/security. NetID, ITS working practice, campus operations = first-hand knowledge. Procurement pack (company profile, PI + cyber insurance, references — PolyU BME KOA, HKU President's Office, Veolia — support/SLA) available on request.

C.12 QR & Wallet identity layer — the events differentiator (vision, not the discovery ask)

Confirmed in cabi code (2026-07-12): branded/image QR (smartQr/qrArt + Python cabi-qr-art), GIF QR (binder type B005), dynamic QR (smartQr), and Add-to-Wallet (cabi-qr-v2025/components/wallet). Real, and a genuine step up from art-mate's plain gate QR.

Two QR jobs — never conflate:

Wallet: ✅ for a stable alumni identity card / event ticket / networking pass. ❌ not a drop-in for the daily-rotating access token (a wallet barcode is static without live PassKit / Google-Wallet push updates — a real build, not a freebie).

FPID — hard rule: deliver the "just arrive, machine knows you" UX via a consented wallet pass or a scannable code, NOT silent device fingerprinting (FPID is PCPD-disqualifying for a university — see R1 / ledger). Same UX, no legal liability.

Positioning: keep this OUT of the discovery headline (Robbie asked for two things; a wallet product reads as upsell + steps on CEMS). Use it as the answer to "why cabi vs art-mate" and an events-phase vision: art-mate prints a gate QR; cabi gives each alum a wallet identity + styled dynamic QR that carries their verified record — "one alumnus, one record" made physical, alongside (never replacing) PolyU's secure access QR.

C.13 AI-assisted data integration — self-hosted, human-in-the-loop (client-requested)

Robbie's ask (2026-07-12): much of the integration/reconciliation work is done by humans today; he wants an AI agent to cut it, and — again citing ITS constraints — wants it self-hosted. This is client-driven, so it passes the scope test (unlike gamification/app, which we rejected as upsell).

The convergence that makes it clean: the plan's hard PDPO rule is no personal data to external AI services (OpenAI/Anthropic/Google/public Ollama) without written consent — EventBinder is a data processor under PolyU PO terms. So the AI agent must run on self-hosted local models on PolyU premises → PDPO turns Robbie's self-host wish into a requirement, and vice-versa. And it's squarely Kenta's existing capability: he already operates self-hosted LLMs (local Ollama/MLX + GPU hosts) — demonstrable, not aspirational.

Honest design:

Set expectations (don't oversell): assistive + human-gated, not full automation; local-model quality is below frontier cloud models but sufficient for matching/extraction/normalization — and it's the only PDPO-compliant option; it needs inference hardware + an accuracy eval in the pilot.

Why it strengthens the bid: a specialized, PDPO-safe capability ITS's backlog won't deliver soon, it directly attacks Robbie's stated pain, and it's uniquely Kenta's. Frame it as an AI-assisted layer inside the two existing workstreams (less manual matching/entry), NOT a separate "AI product."

C.14 Information-architecture reference — what a member/alumni hub actually surfaces (SCAA + Alpha)

The problem (Robbie's instinct, confirmed live 2026-07-12): PolyU's alumni portal is information-poor — framed as "update your record," not "here's everything your membership gives you." This is about information/services surfaced, not visual styling. Two references reviewed:

Gap vs PolyU alumni portal: unified hub (vs fragmented portal + CEMS + MS-Form + eCard) · self-service + payment · facility bookings · rewards · personalized notifications/renewals · a functional digital card · personalized news.

Discipline (reconcile with the anti-over-scope rule, A1/E): this is the IA reference / roadmap vision for the Alumni Hub — NOT "build all of SCAA's features" for the discovery. Near-term wedge stays parking (§C.8); the hub grows around the one record. Differentiation is the governed data layer underneath (integration + on-prem + AI + one-record), NOT competing with an off-the-shelf member app like AVEEGO on features — PolyU could buy AVEEGO; they can't buy the governed alumni record we build.


D. Still unknown / needs discovery + immediate next actions

D.1 The genuine unknowns (all become discovery questions, never claims)

  1. Which LinkedIn product/seat/owner is the ~HK$300k? (product identity + figure both unverified) — and does PolyU have/qualify for Verified on LinkedIn Plus?
  2. Does CEMS already write participation to AMS? (if yes, scope narrows to non-CEMS sources) — and what supported AMS write interface exists (API / staging table / batch / none)?
  3. Does ITS operate an existing integration bus / iPaaS / ETL / master-data service the design must reuse?
  4. Why art-mate for Homecoming, and what data came back? Can 6,000 registrations be reconciled against alumni records? What's exportable (fields, stable IDs, scan data)?
  5. Current Finance procurement band (confirm the >HK$200k tender / HK$50-200k RFQ guide is live policy) + supplier-registration timeline + is Director-of-ITS approval required + is it classed consultancy/IT/software?
  6. Consent state: what share of records has current Part VIA consent? Which pre-2013 records lack demonstrable grandfathering (s.35D)?
  7. Hosting/residency ITS will accept + mainland-alumni network topology (WeChat channel, Cloudflare-in-Mainland limits).
  8. Portal framework/vendor (Next.js is ⚠️, masked) — and the "Alumni ID vs Alumni NetID" string in the portal JS.
  9. Turnstile/reader capability (only if a card/token is ever scoped).
  10. cabi v2025 live-traffic/production status — verify before any capability claim (honesty item; see Risk R1).
  11. Who actually holds the budget? AAO vs Development / Foundation / Advancement. Alumni-data + donor-solicitation work is often funded by Advancement, not the Alumni Affairs Office — Robbie may not be the budget owner. (codex-surfaced; potentially the most important commercial unknown — map this stakeholder early.)
  12. Payments scope. Does AAO need paid events / memberships / donations / refunds? CEMS claims payment; art-mate has PayMe/Alipay/WeChat rails; cabi has none. If yes, this pulls in finance + PSP integration scope — keep it explicitly out of the discovery unless AAO raises it.
  13. PIPL / cross-border for mainland alumni. Beyond access/latency (item 7), a Cloudflare-first or non-Mainland-hosted stack raises PIPL cross-border transfer obligations for mainland-resident alumni, not only PDPO. Ask hosting + mainland-channel + data-residency questions together.
  14. Real match-rate ceiling. Family/group bookings, guests, name changes, multiple NetIDs, shared emails, walk-ins — the exception queue is the main workload, not an edge case. Ask for a representative messy sample to estimate the true auto-link rate before promising numbers.
  15. Internal-network adjacency. Does the AAO-office box, on the PolyU network, get internal reachability to AMS/CEMS APIs (subject to ITS segmentation)? If yes, integration is far easier than a public-API path — confirm early.
  16. Form-owner access for the parking prefill. Who owns the "Request for hourly parking space" MS Form? Need them to generate one Get pre-filled link — this unblocks Pilot Zero (§C.8).
  17. Quantify the manual work (Robbie's AI driver). Which reconciliation/data-entry tasks are done by hand, how many staff-hours/week, on what volume — so the AI agent's value (§C.13) is sized against real numbers, not "save time."
  18. Local-inference hardware. What can sit in the AAO office (GPU / Apple-Silicon box) for on-prem LLM inference, and its power / cooling / space / noise limits.

D.2 Immediate next actions

  1. Send Robbie the cover message + executive V4 proposal (below), attach the detailed technical appendix (the V4 interoperability proposal).
  2. Request before the meeting: the exact LinkedIn SKU + renewal date; the owner of one CEMS event flow + the Homecoming data-flow owner; which ITS integration middleware to reuse; the current Finance procurement band.
  3. Prepare: EventBinder company/security/background-IP/subprocessor + supplier docs; COI disclosure; Form A vs Form B commercial drafts.
  4. Book a 90-minute technical scoping session with Robbie + AAO alumni-data owner + AMS/Portal owner + CEMS owner + PFS owner + DPO/privacy delegate + one Homecoming/external-event owner. Agenda: confirm two outcomes + ten priority fields → trace one CEMS event and the Homecoming 2026 flow end-to-end → identify the LinkedIn product/tier/renewal → select discovery samples + technical owners → confirm procurement route + acceptance authority. Then stop and let them draw their internal reality.
  5. Quote the fixed-fee discovery only after access + acceptance owners are confirmed.
  6. Fast-track Pilot Zero (parking) in parallel as goodwill proof — get the form owner to generate the prefill link, stand up the thin profile-holding front end (6 fields), and demo the 3-tap flow to Robbie before/at the meeting. Near-zero cost, no PII on the box, and it earns the paid discovery.

D.3 Cover message to Robbie

Use PB's cover message as-is — it is already Robbie-specific, bilingual (WhatsApp Cantonese + short English email), and correctly scoped to the two workstreams with no app/QR pitch. One tightening from PA: add a single line naming the "one alumnus, one record" outcome so the ask has a memorable spine. Draft addition to the English version's opening: "The goal is simple — one alumnus, one record: every LinkedIn refresh and every event participation traceable back to the right person in AMS." File: PB/ROBBIE_PROPOSAL_COVER_MESSAGE_V4.md.

D.4 Reconciled meeting-question shortlist

PA offered a tight top-5; PB offered a fuller 40-question bank. Reconciliation: use PA's 5 as the must-answer spine (they map to the decision drivers), backed by PB's bank as the deep reference. The spine:

  1. LinkedIn: exact product / edition / seats / annual fee / contract owner / renewal + notice date / actual usage — and does PolyU have or qualify for Verified on LinkedIn Plus? (unblocks all of workstream 1)
  2. Events → AMS: what does CEMS currently write to AMS? Why did Homecoming use art-mate? What data returned, and could 6,000 registrations be reconciled to alumni records? (sizes workstream 2)
  3. ITS: who owns the AMS/CEMS schema + write interfaces; will ITS grant NetID SSO + a sandbox; is there an existing integration bus to reuse; what hosting/residency rules apply; and — bluntly — what would ITS prefer EventBinder build vs specify? (the "why not ITS" objection + reuse-first)
  4. Money/process: budget band, current Finance procurement route + threshold, signing authority, supplier-registration timeline, and is the 90th anniversary (2027) the ship-by milestone? (procurement path)
  5. Consent/privacy: who is the DPO delegate; what share of records has current Part VIA consent; what's the PICS/retention posture; and (softly) is there any AAO↔︎FHKPUAA data-sharing dependency? (gates every writeback)

Then, from PB's bank as needed: the "what does 'demographic data' mean in named fields" question; multi-NetID canonical-person rule; CEMS guest representation; art-mate export fields/stable IDs; PFS export mode; and "which AAO event has a manageable audience and a cooperative owner" (to pick Pilot C).


E. What I deliberately rejected — from BOTH efforts

Rejected from PA: (1) the engagement-layer product framing — app, digital rotating-QR card, wallet passes, gamification, on-site POS/scanner — over-scoped for two named workstreams and duplicative of CEMS; (2) "replace art-mate for flagships" — re-opens the price-anchor fight PA's own incumbent analysis warns against; (3) "cancel/downgrade the HK$300k LinkedIn contract" as an opener — politically risky and premature; (4) "size the discovery for direct award" — unsupported; the figure sits in the RFQ/tender zone; (5) the unverified card-tech claims (iOS PWA cache/eviction; Apple Wallet rotating barcode).

Rejected from PB: (1) the flat, un-narrated "governed path" tone — kept PB's scope but re-wrapped it in PA's "one alumnus, one record" story so it actually sells; (2) treating the incumbent as merely "one more source" — PA's five-rule doctrine is needed to avoid the price-anchor trap; (3) PB's near-total silence on PDPO substance (Part VIA / s.35D grandfathering / donations-as-DM) — PA's depth is a genuine differentiator with a technical, privacy-aware buyer; (4) PB's occasional over-hedging (V4 hedges every internal fact to a discovery question — correct for a client doc, but internally we DO know the well-sourced facts in Section B and should speak them with confidence).

Flagged as speculative in the final plan (do not state as fact): the ~HK$300k figure and its product; the HK$200k tender threshold (departmental-guide grade); art-mate 7-FTE headcount and the HKAAA→Glue-Up migration; all SaaS pricing; the Next.js portal framework; and cabi's production status.


F. Independent cross-check — blind codex rerun (2026-07-11)

A second, different model family (codex, gpt-5.5) re-ran the same synthesis task from scratch — blind to this plan, blind to the folder authorship (it did not know it had written PB). It converged on every major decision in Section A: PB-narrow interoperability positioning, audit-not-cancel on LinkedIn, CEMS-default event data contract, reuse-ITS-middleware-first architecture, expect-RFQ procurement, the three-proof pilot with Homecoming as a case study (not the first live test), PA's "attack the seam" incumbent doctrine kept internal, FHKPUAA out of phase 1, and card/wallet/gamification deferred. Two independent lineages reaching the same plan is the strongest available signal the spine is correct, not an artifact of one model's bias. Full output: P1/CODEX-CROSSCHECK.md.

Risks the cross-check independently confirmed — hereby ELEVATED

Net-new items the cross-check surfaced (folded into D.1)

The one caveat where both models agree and neither verified

The HKD 188k discovery price (and pilot ranges) came from PB and were adopted unchallenged by the codex rerun too. Agreement here is not validation — it's two models trusting the same single source. Verify against real cost/margin before quoting (see the price-validation flag in C.9).