Personal Data Protection and Privacy Policy


This policy applies exclusively to XNeuro products or services that ZKTecoNeuro provides to you and operates directly.

Last updated: January 2026.

If you have any questions, comments or suggestions, please contact us through the following contact information:

Email: server@zkneurotech.com

Tel: 0571-85025012

This policy will help you understand the following:

  1. Personal Data Collection and Usage Policy
  2. How we protect your personal data
  3. Your Rights
  4. How we handle minors' personal data
  5. How we transfer your personal data across borders
  6. How to update this policy
  7. How to contact us

Introduction

ZKTeco BrainWave (Hangzhou) Technology Co., Ltd. and its affiliates (collectively referred to as "ZKTecoNeuro", "the Company", or "we") fully recognize the importance of personal data to you and are committed to safeguarding your personal data with utmost care. To maintain your trust, we adhere to the following principles in protecting your personal data: the principle of proportionality, the principle of clear purpose, the principle of informed consent, the principle of minimum necessity, the principle of security assurance, the principle of subject participation, and the principle of transparency. Additionally, ZKTecoNeuro pledges to implement appropriate security measures in compliance with established industry standards to protect your personal data.

Before using this product or service, please read and fully understand this policy. Use the product or service only after confirming your full understanding and agreement. Once you start using this product or service, it means you have fully understood and agreed to this policy.

1 Personal Data Collection and Usage Rules

(1) What personal data do we collect about you?

1. When you use XNeuro, we will collect the following data:

The business feature we provide requires certain data to function. If you choose to use this feature, you must provide or allow us to collect the following data: username (full name, nickname, alias, or code).

Depending on the software product you select, you can enter gender, email, and date of birth.

2. When you use this service, our software will request the following system permissions related to personal data: Bluetooth.

If you do not grant permission, we cannot provide this feature. In addition to the above permissions, you can choose whether to grant additional system permissions for the software.

When you contact us, we may store your communication or call records and content, or the contact information you provided, to contact you, assist you with issues, or record the resolution of related problems.

(2) How We Use Your Personal Data

1. For personal data required by core functionalities, we use it to provide the service. We also use this data to maintain and improve the service, as well as to develop new features.

| Data type | Purpose of use |
|---|---|
| Name (nickname/alias/code) | Displays account ID |
| Gender | Update account information |
| Email | Update account information |
| Date of birth | Update account information |

Storage life: We retain your personal information only for the aforementioned purposes and other legitimate commercial purposes (including applicable legal requirements, statutes of limitations, product usage periods, and information required for warranty support and support requests). Generally, as long as you maintain an account on our product, we will retain your account-related personal information. If you withdraw consent for personal information processing (e.g., account cancellation), your personal information backup will be removed from our cloud storage. However, due to technical reasons, the backup may remain temporarily stored in the database for up to 30 days.

(3) How We Use Cookies and Similar Technologies

1. Cookies

Cookies and similar technologies are widely used on the internet. To ensure proper website operation, we store small data files called cookies on your computer or mobile device. These cookies typically contain identifiers, site names, and a combination of numbers and characters. Through cookies, websites can store your preferences and other data. We will not use cookies for purposes beyond those specified in this policy. You can manage or delete cookies according to your preferences. You can clear all cookies stored on your computer, and most web browsers have built-in cookie-blocking features. However, if you do this, you will need to manually adjust your settings each time you visit our website.

2. Other Similar Technologies

In addition to cookies, we also use web beacons, pixel tags, and other similar technologies to understand your preferences for our products or services and improve your experience.

(4) How We Share, Transfer, and Disclose Your Personal Data

1. Share

We will not share your personal data with any company, organization, or individual outside our company unless you give explicit consent.

We may share your personal data with third parties as required by laws and regulations or mandatory requirements from government authorities.

2. Transfer

We will not transfer your personal data to any company, organization, or individual, except in the following cases:

a) Transfer with explicit consent: Upon obtaining your explicit consent, we will transfer your personal data to third parties;

b) In cases of mergers, acquisitions, or bankruptcy liquidation involving personal data transfers, we will require the new entity holding your personal data to continue complying with this data protection policy. Otherwise, we will require the entity to obtain your authorization again.

3. Public Disclosure

We will only publicly disclose your personal data under the following circumstances:

After obtaining your explicit consent;

Disclosure under legal requirements: We may disclose your personal data when required by law, legal procedures, litigation, or mandatory requirements from government authorities, including:

  1. Related to the personal data controller's fulfillment of obligations under laws and regulations;
  2. Directly related to national security and defense security;
  3. Directly related to public safety, public health, or major public interests;
  4. Directly related to criminal investigation, prosecution, trial, and judgment enforcement;
  5. When safeguarding the vital interests of data subjects or other individuals, such as their lives and property, but obtaining their explicit consent is impractical;
  6. The personal data is voluntarily disclosed to the public by the data subject;
  7. Essential for executing contracts as required by the data subject;
  8. Collecting personal data from legally disclosed sources, such as legitimate news reports or government data releases;
  9. Necessary for maintaining the safe and stable operation of the products or services provided, including the detection and resolution of any malfunctions;
  10. The data controller is a news organization, and such control is necessary for its legitimate news reporting activities;
  11. The data controller of the personal data is an academic research institution. When conducting statistical or academic research for public interest purposes, and when providing externally the results of such research or descriptions, the institution performs de-identification processing on the personal data contained in the results.

Please note that, under applicable laws, the sharing or transfer of anonymized personal data, provided that the recipient cannot reconstruct or re-identify the data subject, is not considered external sharing, transfer, or public disclosure of personal data. Therefore, no separate notification or additional consent from you will be required for the storage or processing of such data.

2 How We Store and Protect Your Personal Data

(1) Personal data collected through our cloud platform operations will be stored in Singapore.

(2) We prioritize the security of personal data. We implement comprehensive physical, managerial, and technical safeguards to prevent unauthorized access, disclosure, use, modification, damage, or loss of your personal data. For instance, we employ encryption to ensure data confidentiality; implement protection mechanisms to prevent malicious attacks; enforce access control protocols to restrict data access to authorized personnel; and conduct security and privacy training programs to enhance employees' awareness of data protection. While we strive to protect your personal data, please note that no security measure can be entirely foolproof.

(2) Security Responsibilities of Cloud Platform

1. ZKTecoNeuro is responsible for the security management and operation of services and data interactions on its cloud platform, ensuring the security of the cloud service platform and infrastructure it provides. When you access the ZKTecoNeuro cloud platform through API calls, SDKs, or self-developed software/hardware embedded systems, you must independently guarantee the security and compliance of your applications and data, including hardware and software. The primary responsibility of ZKTecoNeuro Cloud lies in developing and maintaining various basic services, platform services, and application services, while your main responsibility involves customizing third-party client applications and building third-party cloud services based on ZKTecoNeuro's cloud services. The diagram below illustrates the shared responsibility model among the basic cloud service provider, ZKTecoNeuro, and your data security obligations.

2. Security Responsibility of ZKTecoNeuro Cloud

a) ZKTecoNeuro Cloud leverages top-tier cloud platforms like Amazon Web Services (AWS), Tencent Cloud, and Alibaba Cloud to ensure robust security management, operational infrastructure, and physical device protection.

b) ZKTecoNeuro Cloud Security safeguards both data security and cloud service security. Leveraging its security team and the professional attack protection expertise of globally renowned security service providers, ZKTecoNeuro delivers secure cloud platform operations and maintenance services. This ensures the secure operation of ZKTecoNeuro Cloud while protecting your privacy and data. Key features include:

  1. Data Security: This refers to the security management of your business data in cloud environments, covering data collection and identification, classification and grading, access control and encryption, as well as privacy compliance.
  2. Access control management: manages access permissions for resources and data, including user management, permission management, and authentication.
  3. Cloud service security: refers to the security management of business-related application systems in cloud computing environments, covering the design, development, deployment, configuration, and usage of applications and service interfaces.

3. Your Security Responsibility

a) When using ZKTecoNeuro's cloud solutions, you must strictly comply with its security configurations and access requirements. Additionally, you must ensure the security of your cloud environment, client devices, or hardware products.

b) For application software developed using the ZKTecoNeuro SDK/API: while ZKTecoNeuro provides technical support, it cannot guarantee the security of the entire software system.

c) You are responsible for data security compliance, privacy policy, and related data for customized products based on the ZKTecoNeuro solution, including privacy policy statements and legal compliance. When necessary, ZKTecoNeuro's security compliance team is available to provide assistance and consulting services for security solutions.

(3) We will retain your personal data for the duration necessary to achieve the purposes outlined in this policy, unless required by law, permitted by license, or otherwise permitted by law. The retention period may vary depending on different scenarios and products/services. Our criteria for determining retention periods include: the time required to fulfill business objectives (including providing products/services, maintaining transaction records, managing and improving product/service performance, ensuring system/security, addressing user inquiries/complaints, and troubleshooting); whether users consent to extended retention periods; and any special legal or contractual requirements. We will retain your registration data as long as it is necessary to provide services. You may opt to cancel your account. Upon cancellation, we will cease providing products/services associated with that account and delete your personal data unless otherwise required by law.

(4) In the event of a personal data security incident, we will notify you in accordance with legal requirements (within 30 calendar days at the latest) of: the incident's details and potential impacts, the measures we have taken or will take, recommendations for risk mitigation, and remedial actions. We will inform you via email, letter, phone call, or push notification. If individual data subjects cannot be individually notified, we will issue public announcements through reasonable and effective means. Additionally, we will report the incident's handling to regulatory authorities as required.

(5) The internet is not 100% secure. While we have implemented these security measures, please note that there are no 'perfect security measures' online. We will do our best to ensure the security of your data.

(6) To ensure a seamless browsing experience, you may receive content or web links from third parties (hereinafter referred to as "third parties") external to us and our partners. We have no control over such third parties. You may choose whether to access the links, content, products, or services provided by third parties. We cannot control the privacy and data protection policies of third parties, and such third parties are not bound by this policy. Before submitting personal data to a third party, please review their privacy policy.

3 Your Rights

In accordance with the laws, regulations, and standards of China, as well as the common practices of other countries and regions, we guarantee that you can exercise the following rights regarding your personal data:

(1) Access to your personal data

You have the right to access your personal data, except in cases specified by laws and regulations. To exercise this right, you can view your personal information on the "My" page of the app, including nickname/name, gender, date of birth, and email.

If you cannot access these personal data through the above links, you may contact us via our web form or email at server@zkneurotech.com.

We will provide you with any other personal data generated during your use of our products or services, provided that doing so does not require disproportionate effort on our part. To exercise your data access rights, please email us at server@zkneurotech.com.

(2) Correction of your personal data

If you find any errors in the personal data we have processed about you, you have the right to request corrections. You can submit a correction request through the methods listed in "(1) Access to Your Personal Data".

If you cannot correct these personal data through the above link, you may contact us via our web form or email server@zkneurotech.com at any time.

(3) Delete your personal data

You may submit a written request to us to delete your personal data in the following circumstances:

  1. If our processing of personal data violates laws and regulations;
  2. If we collect or use your personal data without obtaining your consent;
  3. If our processing of personal data violates the agreement with you;
  4. If you cease using our products or services, or if you log out of your account;
  5. If we cease to provide you with products or services.

(4) Right to withdraw consent for personal data processing

When applicable laws require it, you have the right to withdraw your consent at any time when we process your personal data with your consent. To protect your rights, you may contact us directly (see Section 7: How to Contact Us) to exercise this right easily. Withdrawing your consent does not affect the legality and validity of the processing of your personal data based on your consent prior to withdrawal, nor does it impact our processing of your personal data based on other appropriate legal grounds.

(5) Responding to your request

To ensure security, you may need to provide a written request or otherwise verify your identity. We may first require you to verify your identity before processing your request.

We will respond within 15 working days. If you are not satisfied, you may also file a complaint through the following channels: Telephone: 0571-85025012; Email: server@zkneurotech.com

We generally waive fees for reasonable requests, but may charge reasonable costs for repeated or excessive requests. We may decline requests that are unjustified, require excessive technical measures (e.g., developing new systems or fundamentally altering existing practices), pose risks to others' legitimate rights, or are impractical (e.g., involving data stored on backup tapes).

We cannot respond to your request in the following cases:

  1. Related to the personal data controller's fulfillment of obligations under laws and regulations;
  2. Directly related to national security and defense security;
  3. Directly related to public safety, public health, or major public interests;
  4. Directly related to criminal investigation, prosecution, trial, and judgment enforcement;
  5. The data controller has conclusive evidence that the data subject acted with malicious intent or abused their rights;
  6. When safeguarding the vital interests of data subjects or other individuals, including their lives and property, but obtaining consent proves difficult;
  7. Responding to a data subject's request may cause serious harm to the lawful rights and interests of the data subject or other individuals or organizations;
  8. Involving trade secrets.

(6) Termination of Services and Personal Data Processing

1. Termination scenarios: This service may be terminated due to your voluntary request, failure to renew upon expiration of the service agreement, or termination by us in accordance with laws and regulations.

2. Data processing method:

  1. Before termination, you can export or back up your personal data (including account data and usage records) through the service.
  2. After the service ends, we will permanently delete or anonymize your personal data within 30 calendar days, unless otherwise required by laws and regulations.
  3. Termination process: If you terminate the service voluntarily, we will respond within 15 working days after you submit the request. We will notify you of the result after completing the termination and data disposal.

3. Exceptional Circumstances: To comply with our statutory obligations (including but not limited to tax, audit, and cybersecurity requirements), resolve disputes, enforce contractual terms, or cooperate with regulatory authorities, we may retain certain necessary personal data for legally mandated or reasonably necessary periods. In such cases, we will strictly restrict access to these retained data and ensure their use is strictly limited to the aforementioned specific and lawful purposes.

4 How We Handle Personal Data of Minors

1. Our products, websites, and services are primarily intended for adults. We do not proactively provide direct services or collect personal data from minors (as defined by the laws of your jurisdiction, typically referring to individuals under the age of 18).

2. If you are a minor, you must carefully read and understand all terms of this policy under the guidance of your parents or guardians (hereinafter collectively referred to as "guardians"). You may only use our services or provide personal data to us with explicit consent from your guardians. Minors should not create personal data subject accounts without parental or guardian consent. If you are a minor, we recommend that your parents or guardians carefully review this policy and use our services or provide data to us only with their explicit consent.

3. We will only use or publicly disclose personal data of minors that have been collected with parental consent, if permitted by law, with explicit consent from parents or guardians, or if necessary to protect the minors.

4. If we find that we have collected personal data of a minor without prior verifiable parental consent, we will take the following actions immediately:

  1. Stop processing the personal information;
  2. Remove such information from our systems permanently as soon as possible, where reasonably practicable;
  3. Inform the relevant guardian as appropriate.

5 How to update this policy

Our personal data protection and privacy policy may change.

We will not reduce your rights under this policy without your explicit consent. Any changes to this policy will be published on this page.

For significant changes, we will issue more prominent notifications (including via email for certain services, specifying the specific updates to our personal data protection policy).

The material changes referred to in this policy include but are not limited to:

  1. Our service model has undergone significant changes, including the purpose of processing personal data, the types of personal data processed, and the methods of using personal data;
  2. We have undergone significant changes in ownership structure and organizational framework, such as ownership changes caused by business adjustments, bankruptcy, or mergers and acquisitions;
  3. The primary recipients of personal data sharing, transfer, or public disclosure have changed;
  4. Significant changes occur in your rights to personal data processing and how you exercise them;
  5. The department responsible for personal data security, its contact details, or the complaint channels change.

We will also archive the previous version of this policy for your reference.

6 How to Contact Us

If you have any questions, comments, or suggestions regarding this Personal Data Protection and Privacy Policy, please contact us by phone at 0571-85025012, email us at server@zkneurotech.com, or mail your inquiry to: 9th Floor, Block C, National University Science Park, No.9 Jiu Huan Road, Shangcheng District, Hangzhou, China (Postal Code: 310000). We will typically respond within 30 days. Additional contact information will be published on our official website (www.zkneurotech.com).