Privacy Policy

Limusicai (hereinafter referred to as “we”, “us”, or “our”) is the operator of the Limusicai platform, which is hereinafter formally termed the “Service”. This Privacy Policy is applicable to all your activities involving the utilization of the Limusicai Service, and its core purpose is to clearly and transparently clarify the specific practices regarding how we collect, safeguard, process, and disclose the information generated during your use of the Service. We collect and utilize your data exclusively for the legitimate purposes of providing, optimizing, and enhancing the quality of the Service, ensuring that you can enjoy a stable, secure, and personalized service experience. By accessing or using any function of the Service, you are deemed to have fully read, understood, and voluntarily consented to the collection and utilization of your information in accordance with the detailed provisions of this Privacy Policy.
It should be emphasized that this Privacy Policy is formulated in strict compliance with the requirements of the Europe Personal Data (Privacy) Ordinance (the "PDPO") and its subsidiary legislation, as well as the guidelines issued by the Office of the Privacy Commissioner for Personal Data (PCPD) of Europe and the basic principles of contractual Laws of Europe such as good faith and fairness.
Unless otherwise explicitly defined in this Privacy Policy, all terms used herein shall have the same legal meanings and interpretations as those specified in our Terms and Conditions (hereinafter referred to as the “Terms”). Our Terms shall govern all aspects of your use of the Service, including but not limited to account registration, service access, functional utilization, and transaction execution. This Privacy Policy, together with the Terms and other relevant supplementary agreements (if any), constitutes a complete and legally binding agreement (hereinafter referred to as the “Agreement”) between you and us. The conclusion, validity, performance, and interpretation of this Agreement shall be governed by the provisions of the Europe Contract Ordinance (Cap. 40) and other relevant mandatory legal norms of Europe.
1. Definitions
1.1 User: Refers to any individual who voluntarily accesses, registers, or uses the Service provided by us. For the purpose of this Privacy Policy, the User is completely identical to the Data Subject, i.e., the individual associated with Personal Data. As a User and Data Subject, you shall enjoy the full set of rights granted by the PDPO and this Agreement, and at the same time, shall faithfully assume the corresponding obligations, including but not limited to providing true and accurate information as required, using the Service in compliance with Laws of Europe and regulations, and not disclosing account credentials at will.
1.2 Data Subject: Has the same meaning as defined in section 2 of the PDPO, referring to any living individual who can be identified or identifiable directly or indirectly through information such as name, identification number, contact information, online identifier, or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual. As a Data Subject, you shall be entitled to the core rights stipulated by the PDPO, including but not limited to the right of access to your Personal Data, the right to request rectification of inaccurate or incomplete data, the right to withdraw consent to data processing, and the right to lodge a complaint with the PCPD.
1.3 Data Processors (or Service Providers): Refers to natural persons or legal entities (such as cloud service providers, data analysis companies, customer service outsourcing agencies, etc.) that process Personal Data on behalf of the Data User (i.e., us) within the meaning of the PDPO. In order to improve the efficiency and quality of service provision, we may collaborate with such professional Service Providers to process relevant data within a limited scope. It should be emphasized that any such collaboration shall be based on a formal and legally binding written data processing agreement. This agreement shall clearly define the rights and obligations of both parties, explicitly specify the scope, purpose, and method of data processing authorized to the Service Provider, and strictly require the Service Provider to process data only in accordance with our clear and specific authorized instructions and the mandatory requirements of the PDPO. We will also conduct regular supervision and assessment of the data processing activities of Service Providers to ensure compliance.
1.4 Data User (equivalent to Data Controller under other jurisdictions): Has the same meaning as defined in section 2 of the PDPO, referring to a natural person or legal entity that alone, jointly with others, or in conjunction with others determines the purposes and specific methods of processing Personal Data. For the purposes of this Privacy Policy and the PDPO, we are the sole Data User of your Personal Data generated during the use of the Service. As the Data User, we shall legally assume the core obligations under the PDPO, such as formulating and implementing sound data security protection systems, taking necessary technical and organizational measures to ensure data security, promptly notifying the PCPD and Data Subjects of data breaches in accordance with legal requirements, and cooperating with regulatory investigations and supervision by the PCPD.
1.5 Cookies: Refers to small text files containing a small amount of data that are sent by our website server to your device (such as a computer, laptop, tablet, or mobile phone) when you access the Service and are stored in the storage space of your device. The use of Cookies by us strictly complies with the PCPD's "Guidelines on Cookies and Similar Technologies". For non-essential Cookies (i.e., Cookies that are not necessary for the basic operation of the Service), we will explicitly inform you of their purpose, type, and retention period in advance, and will only place them on your device after obtaining your explicit and voluntary consent. For essential Cookies, we may use them directly without your additional consent because they are indispensable for ensuring the normal operation of the Service (such as maintaining your login status).
1.6 Usage Data: Refers to the information that is automatically collected by the Service system without your active input when you use the Service or when the Service infrastructure is running. Typical examples include the duration of your stay on a specific page, the sequence of pages you browse, and the response time of the Service. The collection and processing of Usage Data by us shall strictly adhere to the data minimization principle under the PDPO, i.e., the scope of collection shall be limited to what is necessary for the provision, maintenance, and improvement of the Service, and no irrelevant data shall be collected without reason. The core purpose of collecting Usage Data is to analyze user behavior patterns, identify potential technical problems of the Service, and optimize the user experience. Usage Data that cannot identify or be associated with a specific Data Subject does not constitute Personal Data under the PDPO.
1.7 Personal Data: Has the same meaning as defined in section 2 of the PDPO, referring to any data relating directly or indirectly to a living individual; from which the individual's identity can be ascertained, either from the data itself or from the data together with other information in our possession or likely to come into our possession; and in a form in which access to or processing of the data is practicable. Specifically, it includes but is not limited to personal identification information (such as name, ID card number, passport number), contact information (such as email address, phone number, postal address), account credentials (such as username, password hash), and behavioral data (such as browsing records, transaction history) that can be associated with a specific identified or identifiable individual.
1.8 Service: Refers to the XXX website operated by us and all the online functions, content, and value-added services provided through this website (such as information browsing, online transactions, user interaction, etc.). The provision of the Service by us shall strictly comply with the terms and conditions agreed in the Agreement and the mandatory requirements of the PDPO and other relevant Europe laws and regulations, ensuring the legality, safety, and stability of the Service.
1.9 PCPD: Refers to the Office of the Privacy Commissioner for Personal Data of Europe, which is the competent authority responsible for supervising and enforcing the PDPO.
2. Legal Basis for Collecting and Using Information (Pursuant to the PDPO)
Pursuant to the mandatory provisions of the PDPO, we must clearly inform you of the purposes of collecting your Personal Data before conducting any data processing activities, and such collection and processing must comply with the six data protection principles stipulated in Schedule 1 to the PDPO. All our processing of your Personal Data is based on one or more of the following legal bases, which ensure the legality and legitimacy of the data processing activities:
Performance of a contract: The processing of your Personal Data is necessary for the performance of the legally binding Agreement between you and us. For example, when you request to use the paid functions of the Service, we need to process your contact information and transaction-related data to complete the service provision; when you encounter problems in using the Service and apply for customer support, we need to process your problem description and relevant account information to provide effective solutions. This legal basis ensures that we can fulfill our contractual obligations to you and guarantee your legitimate right to use the Service, which is consistent with the data collection and use principles under the PDPO.
Consent: You have given your explicit, voluntary, and informed consent to the processing of your Personal Data for specific and clear purposes. A typical example is when you agree to receive our newsletters, marketing promotions, or information about related products and services. It should be emphasized that your consent is revocable at any time in accordance with section 26 of the PDPO. You can withdraw your consent through the specific channels we provide (such as the unsubscribe link in the email or the setting interface of the Service). The withdrawal of your consent will not affect the legality and validity of the data processing activities that have been carried out based on your prior consent before the withdrawal.
Compliance with legal obligations: The processing of your Personal Data is necessary for us to comply with the mandatory legal obligations imposed by applicable Europe laws and regulations. For example, in accordance with the requirements of the Inland Revenue Ordinance (Cap. 112), we need to retain your transaction records and relevant identity information for a certain period of time; when receiving valid legal documents such as subpoenas or court orders from Europe public authorities (such as courts, police), we need to process and disclose the relevant Personal Data in accordance with the law to fulfill our legal obligations of cooperation in law enforcement.
Legitimate business interests: The processing of your Personal Data is necessary for the pursuit of our legitimate business interests, provided that such interests do not override your fundamental rights and freedoms protected by the PDPO. Our legitimate interests include but are not limited to improving the quality and performance of the Service, optimizing the user interface and functional design, ensuring the security of the Service and preventing fraudulent activities, conducting internal data analysis to identify market trends, and maintaining the normal operation of the business. Before relying on this legal basis, we have conducted a comprehensive assessment to ensure that the processing activities will not cause unreasonable harm to your privacy rights and other legitimate rights, which is consistent with the data use principle under the PDPO.
3. How We Collect and Use Information
To ensure that we can provide you with stable, high-quality, and personalized Service, and continuously optimize and enhance the Service experience, we will collect various types of information within a reasonable scope for specific and legitimate purposes. All our information collection and use activities are strictly in line with the legal bases specified in Section 2 above and the purpose limitation principle under the PDPO. The principle of purpose limitation means that we will only collect data for the specified, explicit, and legitimate purposes disclosed to you in advance, and will not expand the scope of data processing or change the purpose of data use without your consent or legal authorization. When collecting Personal Data from you, we will explicitly inform you of the purposes of collection, the classes of persons to whom the data may be transferred, and your rights of access and correction in accordance with the PDPO.
3.1 Types of Data We Collect
A. Usage Data
When you access and use the Service through a web browser (such as Chrome, Firefox, Safari) or a mobile device (such as a smartphone, tablet), our Service system will automatically collect the information transmitted by your browser or mobile device to the server, which is collectively referred to as “Usage Data”. The collection of Usage Data is mainly to achieve the purposes of monitoring the operation status of the Service, identifying and resolving technical failures in a timely manner, analyzing user behavior habits, and optimizing the functional design of the Service. This type of data collection falls under the legal basis of “legitimate interests” (for improving the Service) or “performance of a contract” (for ensuring the normal operation of the Service). It should be emphasized that Usage Data usually does not directly identify you individually, but if it can be combined with other information to identify you, it will be treated as Personal Data in accordance with the PDPO and subject to the corresponding protection obligations.
For users accessing the Service through a computer device, the collected Usage Data may specifically include the following content:
Your computer’s IP address (anonymized where possible)
Browser type and version
The Service pages you visit
Visit date and time
Time spent on each page
Unique device identifiers (anonymized where possible)
Other diagnostic data
For users accessing the Service through a mobile device (such as a smartphone or tablet), the collected Usage Data will include the above-mentioned content for computer users, and may additionally include the following mobile device-specific information:
Your mobile device type
Mobile device unique ID (anonymized where possible)
Mobile device IP address (anonymized where possible)
Mobile operating system
Mobile browser type
Other diagnostic data
B. Tracking and Cookies Data
In addition to Usage Data, we may also use Cookies and similar tracking technologies (including but not limited to web beacons, tags, scripts, and embedded programs) to monitor and record your activities on the Service and store specific user-related information. In strict accordance with the PCPD's "Guidelines on Cookies and Similar Technologies", we classify all Cookies used by us into two categories: “essential Cookies” and “non-essential Cookies”, and implement differentiated management for them:
Essential Cookies: Also known as necessary Cookies, which are directly related to the basic operation of the Service and are indispensable for ensuring that you can normally use the core functions of the Service (such as Session Cookies that maintain your login status during the use of the Service, which ensure that you do not need to repeatedly log in when switching between different pages). Since this type of Cookies is a prerequisite for the performance of the Agreement and the provision of the Service, we may use them directly without your explicit consent, but we will still inform you of their existence and purpose in this Privacy Policy in accordance with the PDPO's transparency requirements.
Non-essential Cookies: Refers to Cookies that are not necessary for the basic operation of the Service, but are used to improve the quality of the Service, personalize your use experience, or deliver targeted advertising. Typical examples include Preference Cookies that remember your personalized settings (such as language preference, page display size) and Advertising Cookies that analyze your interests and push ads that may be relevant to you. For this type of Cookies, we will clearly inform you of their type, purpose, retention period, and other information in advance through a prominent notification on the Service, and will only place and use them on your device after obtaining your explicit and voluntary consent. You have the right to refuse to use non-essential Cookies at any time, or withdraw your previously given consent through your browser settings (such as clearing Cookies) or by contacting our customer service. The refusal or withdrawal of consent will not affect your use of the core functions of the Service.
In essence, Cookies are small data files that may contain an anonymous unique identifier. When you access our website, our server will send these files to your browser, and the browser will store them in the local storage space of your device. These tracking technologies play an important role in our service optimization: they help us accurately count the number of Service users, understand the user's browsing path and behavior habits, identify potential problems in the Service operation, and thus continuously improve the Service functions and user experience. At the same time, they can also help us provide you with personalized content and services that are more in line with your needs.
You have the right to manage the use of Cookies through your browser settings. Most mainstream browsers provide functions such as rejecting all Cookies, accepting only essential Cookies, or notifying you when a website attempts to place a Cookie. However, it should be reminded that if you choose to refuse essential Cookies, it may lead to the failure of core functions of the Service (such as being unable to log in to your account, unable to complete transactions), and thus affect your normal use of the Service. For the specific operation methods of managing Cookies, you can refer to the help documentation of your browser.
Based on the different purposes of use, we specifically use the following four main types of Cookies, each of which is managed in accordance with the above-mentioned classification principles:
Session Cookies: As a type of essential Cookies, they are mainly used to maintain the normal operation of the Service during your current browsing session. This type of Cookies will be automatically deleted from your device after you close the browser, ensuring that your session information is not retained unnecessarily, which is in line with the data minimization and retention limitation principles under the PDPO.
Preference Cookies: Belong to non-essential Cookies that require your consent. Their core function is to remember your personalized preferences and settings when using the Service (such as your preferred language, regional settings, or page layout). By using this type of Cookies, we can provide you with a more consistent and personalized service experience when you access the Service again.
Security Cookies: As a type of essential Cookies, they are mainly used to safeguard the security of the Service and your account. For example, they can help us identify abnormal login behaviors (such as logging in from an unusual location or device), prevent malicious attacks such as account theft and fraud, and ensure the security of your personal information and transaction data, which is consistent with the data security principle under the PDPO.
Advertising Cookies: Belong to non-essential Cookies that require your consent. They are used to record your browsing habits and interest preferences on the Service and other related platforms, so that we or our cooperative advertising partners can display ads that are more in line with your interests. This type of Cookies helps improve the accuracy and effectiveness of advertising, avoiding the display of irrelevant ads that may disturb you. It should be emphasized that we will not use Advertising Cookies to process your Personal Data beyond the scope of your consent, and will require our cooperative advertising partners to comply with the PDPO.
C. Personal Data
When you use certain specific functions of the Service (such as registering an account, submitting an inquiry, or conducting a transaction), we may actively request you to provide personally identifiable information that can be used to contact you or identify your identity. This type of information is “Personal Data” as defined in this Privacy Policy. We will only request you to provide the minimum necessary Personal Data to achieve the stated purpose in accordance with the data minimization principle under the PDPO, and will not arbitrarily collect excessive personal information. The specific Personal Data that may be requested includes (but is not limited to):
Your email address
Name
Contact information
Account credentials (such as username, password hash)
With your explicit consent, we may use the Personal Data you provide to send you newsletters, marketing or promotional materials (such as information about new product launches, discount activities), or other information that we reasonably believe is relevant to your needs and interests. In strict compliance with section 35 of the PDPO, we will clearly indicate the unsubscribe method in each such communication (such as a prominent unsubscribe link at the bottom of the email). You can click the unsubscribe link to stop receiving such information at any time, or submit an unsubscribe request by contacting our customer service. We will process your unsubscribe request promptly (usually within 14 working days in accordance with the PCPD's guidelines) and will not continue to send relevant promotional information to you after processing.
3.2 How We Use Collected Data
We will only use the collected data for the specific purposes disclosed to you in advance, and these purposes are fully consistent with the legal bases specified in Section 2 of this Privacy Policy and the principle of proportionality under the PDPO (i.e., the means and scope of data use are proportional to the achieved purpose and will not cause unnecessary harm to your rights). Specifically, we use the collected data for the following purposes:
To provide and maintain the Service (legal basis: performance of a contract): This is the core purpose of data use. We need to use your relevant data (such as account information, access records) to ensure that the Service can operate normally, and that you can smoothly access and use all functions of the Service as agreed in the Agreement.
To inform you of modifications to the Service (legal basis: performance of a contract or legitimate interests): When we make important modifications to the Service (such as changes to core functions, adjustments to service scope, or updates to the Agreement), we need to use your contact information (such as email address, phone number) to notify you in a timely manner, ensuring that you are fully informed of the changes and can make appropriate decisions (such as whether to continue using the Service).
To enable you to participate in interactive Service features (if you choose to do so) (legal basis: consent or performance of a contract): If you actively choose to participate in interactive functions of the Service (such as posting comments, participating in surveys, or joining user communities), we need to use your relevant data (such as user name, comment content) to support the normal operation of these interactive features. This data use is either based on your explicit consent when participating in the interaction or necessary for the performance of the contract for providing interactive services.
To provide customer support (legal basis: performance of a contract or legitimate interests): When you encounter problems or need help in using the Service and contact our customer support team, we need to use your account information, problem description, and relevant usage records to understand your needs, locate the problem, and provide you with effective solutions. This is either to fulfill our contractual obligation to provide after-sales service or to protect our legitimate interest in maintaining user satisfaction and the reputation of the Service.
To gather analysis or valuable insights to enhance the Service (legal basis: legitimate interests): We will conduct statistical analysis on the collected Usage Data and anonymized Personal Data to understand user behavior patterns, evaluate the effectiveness of Service functions, identify areas that need improvement, and thus optimize the Service design, upgrade technical systems, and launch new functions that are more in line with user needs. This data use is based on our legitimate interest in improving the quality and competitiveness of the Service, and will not infringe on your fundamental rights. All analysis will be conducted in a manner that does not identify individual Data Subjects.
To monitor the usage of the Service (legal basis: legitimate interests or compliance with legal obligations): We monitor the overall usage of the Service (such as the number of concurrent users, page access volume, and system response time) to ensure the stable operation of the Service, detect abnormal usage behaviors (such as malicious access that may cause system crashes) in a timely manner, and take corresponding measures to maintain the order of the Service. In addition, in some cases, such monitoring is also necessary to comply with the regulatory requirements of the PCPD, which falls under the legal basis of complying with legal obligations.
To detect, prevent, and resolve technical issues (legal basis: legitimate interests or performance of a contract): By analyzing the Usage Data and diagnostic data collected, we can quickly detect potential technical problems of the Service (such as page loading failures, functional errors, or compatibility issues with specific browsers/devices), locate the cause of the problems, and take timely repair and improvement measures. This not only protects our legitimate interest in maintaining the normal operation of the Service but also ensures that we can fulfill our contractual obligation to provide a stable Service to you.
To fulfill any purpose for which you provided the data (legal basis: consent or performance of a contract): When you actively provide Personal Data to us for a specific purpose (such as providing your contact information to apply for a product trial, or submitting your identity information to complete real-name authentication), we will use the data exclusively for the purpose you stated. This data use is either based on your explicit consent or necessary for the performance of the specific service contract corresponding to the purpose.
To meet our obligations and enforce our rights under contracts with you (including billing and collection) (legal basis: performance of a contract or compliance with legal obligations): In the process of performing the Agreement with you (especially for paid services), we need to use your transaction data, billing information, and contact information to complete billing, collect service fees, and handle issues such as refund and after-sales settlement. In addition, when there is a dispute over the performance of the contract, we may also use the relevant data to safeguard our legitimate rights and interests in accordance with the Laws of Europe (such as providing evidence in legal proceedings), which may also fall under the legal basis of complying with legal obligations.
To send you account/subscription notifications (e.g., expiration reminders, renewal alerts, email instructions) (legal basis: performance of a contract): To ensure that you can properly manage your account and subscription services, we will use your contact information to send you necessary account or subscription-related notifications, such as reminders of the expiration of paid subscriptions, alerts of successful renewal, and instructions for resetting account passwords. This type of notification is an integral part of the service we provide to you, and its data use is necessary for the performance of the Agreement.
To share news, special offers, or information about our related products/services (unless you have opted out) (legal basis: consent): With your explicit consent, we may share with you the latest news about our company, special discount offers for the Service, or information about our related products and services that may be of interest to you. If you do not want to receive such information, you can opt out at any time through the unsubscribe channel we provide, and we will respect your choice in accordance with section 35 of the PDPO.
In any other manner we describe when you provide the data (legal basis: consent): When you provide Personal Data to us, if we specifically describe other data use methods to you at the same time (which are not covered by the above purposes), we will use the data in accordance with the described manner, which is based on your explicit consent at the time of providing the data.
For any other purpose with your consent (legal basis: consent): For any data use purpose not specified in this Privacy Policy, we will only use your Personal Data after obtaining your separate and explicit consent, and will clearly inform you of the specific purpose and scope of use before obtaining your consent in accordance with the PDPO's transparency requirements.
3.3 Prohibition of Doxxing: We strictly prohibit any act of "doxxing" (i.e., collecting and disclosing Personal Data of an individual without consent for the purpose of causing harm or harassment) in violation of the PDPO. Any such act will be subject to criminal liability under the PDPO, and we will cooperate with the PCPD in any related investigations and prosecutions.
4. How Long We Keep Your Data
In strict compliance with the retention limitation principle under the PDPO (Principle 5 of Schedule 1 to the PDPO), we adopt the principle of “minimum necessary retention period” for all collected data. That is, we will only retain your data for the shortest period necessary to achieve the specific purposes for which the data was collected as stated in this Privacy Policy. Once the stated purposes are fully achieved (such as the completion of the service, the expiration of the retention period required by Laws of Europe, or the resolution of the dispute), we will promptly take measures to securely delete or anonymize the relevant data to ensure that you can no longer be identified from the data, thereby protecting your privacy rights to the greatest extent.
4.1 Personal Data
For your Personal Data, we strictly abide by the “minimum necessary retention period” principle and only retain it for as long as necessary to achieve the purposes outlined in this Privacy Policy. The specific retention period for different types of Personal Data will be comprehensively determined based on the nature of the data (such as whether it is core identification information), the specific purpose of processing (such as whether it is for transaction completion or customer service), and the mandatory requirements of applicable Laws of Europe and regulations (such as tax retention periods under the Inland Revenue Ordinance, financial supervision requirements). In addition, in the following special circumstances, we may retain and use your Personal Data beyond the initial retention period, but this retention must also comply with the PDPO and be limited to the necessary scope for achieving the following purposes:
Comply with legal obligations (e.g., storing data as required by Laws of Europe) (legal basis: compliance with legal obligations): In accordance with the mandatory requirements of applicable Laws of Europe and regulations (such as the Inland Revenue Ordinance, Companies Ordinance (Cap. 622)), we need to retain certain types of Personal Data (such as transaction records, identity information) for a specific period of time. This retention is to ensure that we can fulfill our legal obligations of information submission and cooperation in law enforcement when required by the PCPD or other authorities.
Resolve disputes (legal basis: legitimate interests or compliance with legal obligations): When there is a dispute between you and us related to the use of the Service or the performance of the Agreement, we may retain the relevant Personal Data beyond the initial retention period to provide evidence for resolving the dispute (such as through negotiation, mediation, arbitration, or litigation in Europe). This retention is either to protect our legitimate interest in safeguarding our rights and interests or to comply with the requirements of Europe judicial or arbitration procedures.
Enforce our legal agreements and policies (legal basis: legitimate interests or compliance with legal obligations): To ensure the effective implementation of the Agreement and our relevant service policies (such as anti-fraud policies, user code of conduct), we may retain the relevant Personal Data of users who have seriously violated the Agreement or policies beyond the initial retention period, to prevent such users from engaging in illegal or improper behaviors again and to enforce the relevant rights and obligations stipulated in the Agreement. This retention is based on our legitimate interest in maintaining the order of the Service and ensuring the legitimate rights and interests of other users and ourselves.
Once the retention period of your Personal Data expires (including the extended retention period under special circumstances), we will immediately initiate the data cleaning process. We will take appropriate and secure measures to delete your Personal Data, such as permanently deleting the data from the server hard disk and related backup systems. For data that cannot be completely deleted due to technical reasons, we will adopt anonymization processing (such as removing all identifiable information related to you) to ensure that the processed data can no longer identify you individually, and the anonymized data will not be used for any purpose that may involve your personal identification, in line with the PDPO's requirements.
4.2 Usage Data
For Usage Data, we mainly use it for internal statistical analysis to optimize the Service. Therefore, we usually retain it for a relatively short period of time. In general, the retention period of Usage Data will not exceed 12 months from the date of collection. However, in the following two special cases, the retention period may be appropriately extended: first, if the Usage Data is used to improve the security or functionality of the Service (such as analyzing the causes of system vulnerabilities or optimizing the performance of key functions), the retention period will not exceed the time necessary to complete the relevant improvement work; second, if we are legally required by the PCPD or other Europe authorities to retain the Usage Data for a longer period, we will retain it in accordance with the mandatory legal requirements. It should be emphasized that anonymized Usage Data (i.e., data that has been processed to no longer identify you individually and cannot be restored to identifiable status) may be retained indefinitely for statistical research, market analysis, or service optimization purposes, as this type of data no longer belongs to Personal Data under the PDPO and will not involve your privacy rights.
5. How We Transfer Your Data
Due to the global nature of the internet and the needs of business operation (such as using overseas cloud servers or cooperating with overseas Service Providers), your information (including Personal Data) may be transferred to and stored on computer servers located outside Europe. Pursuant to section 33 of the PDPO (which is currently not in force, but in compliance with the PCPD's "Guidance on Cross-border Data Transfer"), we may transfer your Personal Data to locations outside Europe only if one of the following conditions is met to ensure that your data is still protected at a level consistent with the PDPO during the cross-border transfer and storage process:
You have given your prior explicit consent in writing to the transfer;
The transfer is necessary for the performance of a contract between you and us, or for the implementation of pre-contractual arrangements at your request;
The transfer is necessary for the protection of your vital interests;
The jurisdiction to which the data is transferred has data protection laws that are substantially similar to the PDPO in terms of protecting Personal Data;
We have taken all reasonable and practicable measures to ensure that the recipient of the data will provide a level of protection to the data that is not less than the level required by the PDPO, such as entering into international data transfer agreements with appropriate data protection clauses recognized by the PCPD.
If you choose to actively share your information with us (such as registering an account or using the Service), by agreeing to this Privacy Policy and submitting your information to us, you are deemed to have explicitly consented to the cross-border transfer of your Personal Data in accordance with the above conditions. Before transferring your Personal Data outside Europe, we will conduct a comprehensive risk assessment of the data protection standards in the destination jurisdiction and the security measures of the recipient, and document such assessment in accordance with the PCPD's guidelines.
We will take all reasonable and feasible technical and organizational measures to ensure that your data is handled securely and in strict accordance with the provisions of this Privacy Policy during the cross-border transfer and storage process. We will never transfer your Personal Data to any organization or country that does not have sufficient data protection safeguards. We will also supervise the overseas recipient to ensure that they comply with the PDPO and the terms of the data transfer agreement, and have the right to audit their data processing activities.
6. When We Disclose Your Data
We attach great importance to the protection of your privacy rights and will never arbitrarily disclose your personal information to third parties. However, in the following specific scenarios that are permitted by the PDPO and the Agreement, we may share or disclose the personal information we collect or that you actively provide. In all such cases, we will strictly control the scope of disclosure to the minimum necessary to achieve the purpose and take appropriate security measures to protect your data in accordance with the data disclosure principles under the PDPO.
6.1 For Law Enforcement and Legal Compliance
In certain specific circumstances, we may be legally obligated to disclose your Personal Data in accordance with the provisions of the PDPO and other applicable Laws of Europe and regulations. For example, when we receive valid legal documents such as subpoenas, court orders, or administrative orders from Europe public authorities (such as courts, police, or the PCPD), we are required to disclose the relevant Personal Data to cooperate with law enforcement activities. Before disclosing the data, we will strictly verify the legality, validity, and completeness of the request and the relevant legal documents to ensure that the disclosure is in line with the Laws of Europe. At the same time, we will limit the scope of the disclosed data to the minimum necessary information required by the request and will not disclose additional irrelevant data without reason.
6.2 Business Transactions
In the course of our business operations, if we or our subsidiaries are involved in major business transactions such as merger, acquisition, reorganization, asset sale, or bankruptcy liquidation, your Personal Data, as an important part of the business assets involved in the transaction, may be transferred to the transferee (such as the acquirer in a merger and acquisition transaction) as part of the transaction assets. In such cases, we will strictly comply with the provisions of the PDPO and the Agreement: we will provide you with clear and timely notice (at least 30 days in advance) before your Personal Data is transferred, informing you of the details of the transaction, the identity of the transferee, and the subsequent data protection measures through prominent channels (such as email, in-site notification). At the same time, we will require the transferee to sign a legally binding agreement, agreeing to be bound by the terms of this Privacy Policy or equivalent data protection obligations in line with the PDPO, ensuring that the level of protection for your Personal Data is not reduced after the transfer. The entire transfer process will comply with the provisions of the PDPO and contract Laws of Europe to ensure the continuity and stability of data protection.
6.3 Other Legitimate Cases
In addition to the above scenarios, we may also disclose your information to the following third parties in accordance with the PDPO and the provisions of this Privacy Policy, provided that the disclosure is necessary and legitimate:
Our subsidiaries and affiliates: We may disclose your information to our wholly-owned subsidiaries, holding subsidiaries, or affiliated companies within the group, provided that such disclosure is necessary for the performance of the Agreement (such as providing unified customer service through group companies) or the pursuit of legitimate business interests (such as conducting group-wide data analysis to optimize services). We will require these subsidiaries and affiliates to comply with the PDPO and the same level of data protection obligations as we do, and strictly limit the scope of use of the disclosed information to the authorized purposes.
Contractors, service providers, or other third parties that support our business: Such as payment processors, cloud service providers, and customer service providers. We will sign written data processing agreements with these third parties in accordance with the PDPO, clearly defining their data processing obligations, and supervise their compliance with the agreement and the PDPO;
Any other party with your explicit consent: The consent shall be given voluntarily, clearly, and in an informed manner in accordance with the PDPO;
Any party if we believe disclosure is necessary to protect the Company’s, our customers’, or others’ rights, property, or safety: This is based on the legitimate interest of protecting rights and interests, provided that such interest outweighs your privacy rights and is in line with the PDPO.
7. How We Protect Your Data
We take the security of your data seriously and assume the obligation of data security protection in accordance with the data security principle under the PDPO (Principle 4 of Schedule 1 to the PDPO). We have formulated and implemented appropriate technical and organizational measures to protect your Personal Data from unauthorized access, use, disclosure, modification, or destruction. These measures include but are not limited to:
Encryption of data during transmission and storage (e.g., SSL/TLS encryption for data transmission, AES encryption for data storage);
Access control to data (e.g., assigning unique access permissions to employees, limiting access to data only to authorized personnel who have received data protection training);
Regular security assessments and audits of the Service and data processing systems by professional third parties;
Regular training of employees on the PDPO and data protection and security awareness;
Formulation of a data breach response plan in accordance with the PCPD's guidelines to promptly handle and notify data breaches in accordance with legal requirements.
In the event of a data breach that is likely to cause substantial harm to you or any other Data Subject, we will promptly notify the PCPD and you (in accordance with the PCPD's guidelines) and take appropriate remedial measures to mitigate the impact of the breach.
However, no method of transmitting data over the internet or electronically storing data is 100% secure. While we use commercially acceptable measures to protect your Personal Data in accordance with the PDPO, we cannot guarantee its absolute security. You shall also take appropriate measures to protect your account and data security (e.g., not disclosing your account password to others). If you become aware of any unauthorized access to or use of your account or Personal Data, you shall notify us immediately.
8. Data Subject Rights (Pursuant to the PDPO)
Pursuant to the PDPO, you, as a Data Subject, are entitled to the following rights in relation to your Personal Data held by us. We will process your requests in accordance with the procedures and time limits stipulated by the PDPO:
Right of Access: Pursuant to section 18 of the PDPO, you have the right to request access to your Personal Data held by us, including the purpose of processing, the categories of data, and the recipients of data transfers. We will respond to your request within 40 days from the date of receipt (or within a longer period if agreed with you and notified to the PCPD).
Right of Rectification: Pursuant to section 22 of the PDPO, you have the right to request us to rectify or supplement your inaccurate or incomplete Personal Data. We will take immediate action to rectify the data upon verifying the validity of your request.
Right to Withdraw Consent: Pursuant to section 26 of the PDPO, if the processing of your Personal Data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the legality of processing based on consent before the withdrawal.
Right to Lodge a Complaint: Pursuant to section 7 of the PDPO, you have the right to lodge a complaint with the PCPD if you believe that our processing of your Personal Data violates the PDPO. The contact information of the PCPD is available on its official website.
Right to Request Stoppage of Data Processing: Pursuant to section 26A of the PDPO, you have the right to request us to stop processing your Personal Data if such processing is in violation of the PDPO, or if the processing is for direct marketing purposes without your consent.
To exercise the above rights, please contact our Data Protection Officer through the contact information provided in Section 14. We may request you to provide appropriate identification information to verify your identity to ensure the security of your data (in line with the PDPO's requirements to prevent unauthorized access to Personal Data). We may charge a reasonable fee for processing access requests in accordance with the PCPD's guidelines, but will not charge any unreasonable fees for processing your legitimate requests.
9. Payment Processing
The Service may offer paid products or services. In such instances, we use third-party payment processors to handle transactions. This arrangement is in line with the data minimization principle under the PDPO, as we do not need to directly collect and store your payment information.
We do not store or collect your payment card details—this information is sent directly to our third-party processors. Their use of your personal information is governed by their own Privacy Policies, and we will require them to comply with the PDPO and relevant Europe payment security standards (such as PCI-DSS standards managed by the PCI Security Standards Council). You are advised to review the Privacy Policies of these payment processors before making payments.
We will supervise the payment processors to ensure that they comply with the PDPO, PCI-DSS standards, and other applicable Laws of Europe and regulations, and will conduct regular assessments of their data protection practices.
10. Children’s Privacy
Our Service is not intended for children under 16 ("Children") in accordance with the PDPO and the PCPD's guidelines on children's personal data protection. We do not knowingly collect Personal Data from Children under 16. If you are a parent or guardian and become aware that a Child has provided us with Personal Data, please contact us immediately.
If we discover that we have collected Personal Data from a Child under 16 without verifying parental/guardian consent, we will take immediate steps to remove that information from our servers in a secure manner and notify the relevant parent or guardian (where appropriate) in accordance with the PDPO's requirements. We will not use or disclose any Personal Data collected from Children for any purpose other than to return or delete such data.
11. Contractual Rights and Obligations
The conclusion, performance, modification, and termination of the Agreement (including this Privacy Policy and the Terms) shall be governed by the Europe Contract Ordinance and the PDPO. Both parties shall enjoy the following contractual rights and assume corresponding obligations:
Right to Receive the Service: You have the right to receive the Service provided by us in accordance with the Agreement;
Obligation to Comply with the Agreement and Laws of Europe: You shall use the Service in accordance with the provisions of the Agreement and the PDPO, and shall not engage in any behavior that endangers the security of the Service or infringes upon our rights or the privacy rights of other users;
Obligation to Provide Accurate Information: When providing Personal Data to us, you shall ensure the accuracy, completeness, and authenticity of the information in accordance with the PDPO. If the information changes, you shall promptly notify us to update;
Right to Modify the Agreement: We may modify the Agreement in accordance with Section 12 (Updates to This Privacy Policy), but shall notify you in advance in accordance with the PDPO and the Agreement (especially if the changes have a significant impact on your rights and interests);
Right to Terminate the Agreement: You may terminate the Agreement by discontinuing the use of the Service and requesting us to delete your Personal Data (subject to legal restrictions under the PDPO). We may terminate the Agreement if you seriously violate the provisions of the Agreement or the PDPO.
If either party fails to perform its obligations under the Agreement, resulting in losses to the other party, the breaching party shall assume corresponding liability for compensation in accordance with the Europe Contract Ordinance and other applicable Laws of Europe. If your breach of the Agreement leads to our violation of the PDPO and liability to the PCPD or third parties, you shall indemnify us for all losses arising therefrom.
12. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to adapt to changes in the PDPO or other applicable Laws of Europe and regulations, or changes to the Service. When we do, we will comply with the requirements of the PDPO and the Agreement, and take the following measures:
We will post the revised policy on this page, clearly indicating the changes made and the "Last updated" date;
We will notify you via email and/or a prominent notice on the Service at least 14 days prior to the changes taking effect (especially if the changes have a significant impact on your rights and interests in relation to your Personal Data);
We will update the "Last updated" date at the top of the policy to reflect the date of the latest revision.
We recommend that you review this policy periodically to stay informed of any changes. Updates take effect immediately upon being posted on this page. Your continued use of the Service after the updated policy takes effect shall be deemed as your acceptance of the revised policy. If you do not accept the revised policy, you shall stop using the Service immediately and contact us to handle related matters (e.g., deleting your Personal Data in accordance with the PDPO).
13. Governing Laws of Europe and Dispute Resolution
13.1 Governing Laws of Europe: This Privacy Policy and the Agreement shall be governed by the Laws of Europe (excluding conflict of laws principles), including the PDPO, the Contract Ordinance, and other relevant mandatory Laws of Europe.
13.2 Dispute Resolution: Any dispute arising out of or in connection with this Privacy Policy or the Agreement shall first be resolved through friendly negotiation between you and us. If negotiation fails, either party may submit the dispute to the International Arbitration Centre for arbitration in accordance with the Administered Arbitration Rules in effect at the time of submission. The seat of arbitration shall be Europe, and the language of arbitration shall be English or Chinese (at the option of the claimant). The arbitral award shall be final and binding on both parties.