HCR Data and Privacy Protection Policy

Version 2.0
Update Date: 25 August 2022
Effective Date: 25 August 2022

Beijing HCR Co., Ltd. and its affiliates (hereinafter "We" or "HCR") respect and are committed to protecting personal information and privacy. Most of our operations are conducted using only statistical information that is not personally identifiable. We have established this Data and Privacy Protection Policy (hereinafter "this Policy"), which describes our basic information and data protection principles, and other data processing-related information in general.

This policy is an upgrade and revision of the previous HCR Data and Privacy Protection Policy, in order to present more transparently our collection and use of your personal information, as well as the control you have over your personal information. We promise to keep your personal information and other data strictly confidential and to handle your personal information in strict accordance with the contents herein. We will collect, use, store, share and transfer your personal information pursuant to your consent and other legal grounds for processing your personal information.

This Policy serves only as an overview of the overall situation with regard to our personal information and privacy protection, stating our uniform requirements and standards in the field of data processing. For the avoidance of ambiguity, this Policy does not contain all information about our personal information processing for specific purposes in specific product or service scenarios; for specific data processing practices in specific product or service scenarios, please also refer to the applicable privacy policies or statements provided by our clients ("Clients") or by us in those scenarios. In addition, for clarification, this Policy is independent of any privacy policies or statements that our clients may present or provide directly to individual end users ("Users" or "You").

 

This Policy will help clients and users understand the following:

I Basic Information about Us

II Our Data Protection Principles

III How We Process Personal Information

IV How We Share, Transfer and Publicly Disclose Your Personal Information

V How We Retain Your Personal Information

VI How We Protect Your Personal Information

VII How We Transfer Your Personal Information Globally

VIII Your Rights to Your Personal Information

IX How We Process Personal Information of Minors

X How This Policy Is Updated

XI Definition of Terms

I Basic Information about Us

Beijing HCR Co., Ltd. (HCR), founded in 2008, is a data analysis service provider. We mainly provide business analysis and application based on internal and external data, consumer attitude and behavior data and industry data, and customized industry analysis and application solutions for industry leaders and government bodies in China.

Address: 1/F, South Tower, Guotou Creative Information Industrial Park, 18 Jiuxianqiao Middle Road, Chaoyang District, Beijing, China

Tel: 8610-5326 3633

 

II Our Data Protection Principles

In our data processing practices, we always adhere to the following principles:

1. Safety:

We will take appropriate technical and organizational measures to protect personal information from risks such as loss, unauthorized access, destruction, alteration or public disclosure;

We have set up special management departments and managers internally to strictly control the number of people who have access to personal data and to reduce the risk of data leakage;

We will take appropriate measures to ensure the accuracy, completeness, availability and timeliness of personal information;

We promise to take practical steps to achieve adequate protection before and after the transfer of personal information to other parties.

2. Transparency:

We promise not to use personal information for any illegal activities;

We will work with our clients to ensure that our processing of personal information has a proper, valid and reasonable legal basis;

We will ensure that as much information as possible is made publicly available for the processing of personal information to ensure transparency in data processing;

We respect and promise to uphold the relevant rights of the personal information subject in accordance with applicable laws, including but not limited to the rights to inquire, correct, delete, and withdraw consent.

3. Necessity:

We promise to process only data (including the quantity and type of data) that is strictly necessary for a specific purpose in the implementation of business functions;

We promise to carry out data processing only for legitimate purposes, to specify the purposes before data processing, and to strictly observe the limits of the purposes;

We promise to design and implement a strict authority control system internally to limit the number of employees authorized to access and handle personal information;

We promise to retain personal information only for the period of time necessary to achieve the purpose of processing and not to delete it unless otherwise required by mandatory laws, regulations or regulatory requirements;

We promise to strictly use processing methods that have the least impact on the right to personal information.

 

III How We Process Personal Information

1. What personal information we process

HCR works with clients in a variety of business scenarios. We will work with our clients to ensure that we have obtained your complete and valid consent for the personal information collected and processed, except in the following circumstances:

1) The processing is necessary for the formation and performance of contracts to which you are a party;

2) The processing is necessary for the performance of legal duties or obligations;

3) The processing is necessary for responding to a public health emergency, or for protecting the life, health and property of you or other natural persons in an emergency;

4) Your personal information is processed within a reasonable range for the purpose of news reporting, public opinion monitoring and other actions in the public interest;

5) The personal information that has been disclosed by yourself or legally disclosed is processed within a reasonable range in accordance with law;

6) Other circumstances specified in laws and administrative regulations.

In some business scenarios, we may conduct data processing ourselves as the personal information processor, such as market research and other types of data collection in the name of HCR. In such cases, we will provide you with HCR's privacy policy or statement in strict compliance with applicable laws and regulations, and may separately provide you with a specific privacy statement with details about that particular business scenario.

In some business scenarios, we will act as a fiduciary to conduct data processing in strict accordance with the personal information processor’s instructions, such as when we are entrusted by a client to complete data collection and analysis; in such cases, please refer to the privacy policy provided by the client for the scope, purpose, sharing and retention of personal information processing and other related information.

In general, the personal information we process may include the following categories:

1) Identity data - name, ID number or other identifiers;

2) Contact information - address, e-mail address and telephone number;

3) Feature data - including interests, preferences, feedback and survey results.

In relevant business procedures, we will process personal information in accordance with specific requirements of the client or specific needs of the project to ensure that the type of personal information used is necessary for realizing the business procedure.

2. Special statement about Cookies

Cookies are small files that a website, application, or service transfers and stores on your device; HCR's websites, online services, interactive applications, emails, and advertisements may use cookies and other similar technologies, such as pixel tags and web beacons. Cookies may be stored on your computer for a short period of time (e.g. only when you open your browser) or for a longer period of time, even years; if you do not want your personal information to be stored in cookies, you can configure your browser to disable cookies. Please note that we cannot access cookies not configured by us.

As most websites do, we will automatically collect certain information to analyze cumulative trends and manage our websites. Such information may include Internet Protocol (IP) address, browser type, Internet Service Provider (ISP), page referrer/exit pages, files you view on our websites (e.g. HTML pages, graphics, etc.), operating systems, date/time stamps, and/or click stream data.

We may use cookies or similar tracking technologies to analyze trends, manage websites, track user behaviors on the websites, and collect information about the overall audience characteristics of our user base.

If you have enabled Do Not Track in your browser, all HCR websites will respect your choice.

The management of cookies and cookie preferences must be done in your browser's options/preferences and, in principle, we will enable cookies or similar technologies and collect information about you through cookies only with your explicit consent. For more information about cookies and instructions on how to configure your browser to accept, delete or block cookies, please visit www.allaboutcookies.org.

 

IV How We Share, Transfer and Publicly Disclose Your Personal Information

1. Sharing your personal information

In general, we will not share your personal information with others, but we may share your personal information with third parties in the following circumstances:

1) We have obtained your explicit authorization or consent in advance. We will share your personal information with other parties only with your express consent.

2) Sharing in legal situations. The sharing of your personal information is required by applicable laws, regulations, legal procedures, governmental mandates or judicial decisions.

3) Sharing to protect legitimate interests. We may provide your personal information to third parties within the scope required or permitted by law when it is necessary for protecting the interests, property or safety of us and our users or the public.

4) Sharing with authorized partners as required by business. In order to provide you with perfect products and services, we may use services or technologies provided by authorized partners. We will share your personal information only for lawful, legitimate, necessary, specific, and explicit purposes, and only as much personal information as is necessary. For more information on how your personal information will be shared in specific business scenarios, please refer to the privacy policy or other relevant legal documents separately provided to you by us and our clients.

We will always make a rigorous assessment of the sharing necessity, and will only share personal information that is necessary for providing services. Moreover, we will enter into strict confidentiality agreements with our partners, only share your personal information for lawful, legitimate, necessary, specific, and explicit purposes, and require them to process your personal information in accordance with our instructions, this Policy, and any other relevant confidentiality and security measures. Our partners have no right to use the shared personal information for any other purpose.

We will, and we will urge our partners to, use your personal information only for the purpose of data processing.

We may also share your personal information with third parties in the event of a sale, transfer or merger of certain businesses or assets. When there are changes in the control of a business, we will take practical measures to require the purchaser of the business or part of the business to continue to process and protect your personal information at the same standards as described in this Policy.

2. Transferring your personal information

We will not transfer your personal information to any company, organization or individual unless with your express consent. In the event of a merger, acquisition or liquidation, which involves the transfer of personal information, we will require the new holder of your personal information to continue to be bound by this Policy. If there is any change in the manner of personal information collection and processing as specified herein, the new holder will ask for your consent again.

3. Publicly disclosing your personal information

We will keep your personal information confidential in compliance with relevant laws and regulations. Unless with your express consent or authorization or required by law, we will not publicly disclose your personal information. If required by law, legal procedures, litigation or government authorities, we will disclose your personal information to competent authorities. In such cases, we guarantee that we will require the requesting party to produce valid legal documents for the disclosure, and we will do our reasonable best to take security measures for the disclosed information in accordance with laws and industry standards.

4. Exceptions regarding consent for sharing, transfer, and public disclosure of personal information

In accordance with relevant laws and regulations, we may share, transfer, and publicly disclose your personal information without your consent in the following circumstances:

1) The processing is necessary for the formation and performance of contracts to which you are a party;

2) The processing is necessary for the performance of legal duties or obligations;

3) The processing is necessary for responding to a public health emergency, or for protecting the life, health and property of you or other natural persons in an emergency;

4) Your personal information is processed within a reasonable range for the purpose of news reporting, public opinion monitoring and other actions in the public interest;

5) The personal information that has been disclosed by yourself or legally disclosed is processed within a reasonable range in accordance with law;

6) Other circumstances specified in laws and administrative regulations.

You fully understand and agree that sharing and transfer of personal information that has been anonymized while ensuring the data recipient cannot recover and re-identify the personal information subject is not an act of sharing, transferring or publicly disclosing the personal information, and no separate notification and consent will be required for the storage and processing of such data.

 

V How We Retain Your Personal Information

Unless expressly required by applicable laws, regulations or regulatory requirements, we will retain your personal information only in China and for the minimum period necessary to achieve the purpose of processing. When the aforementioned retention period expires, we will promptly store your personal information by means of offline backup at the request of the client or as required by applicable laws and regulations, which no one (including us) will have access to unless requested by the client or regulatory authorities.

 

VI How We Protect Your Personal Information

We have taken reasonably practicable measures and technical measures to protect the security of the personal information we process. Nevertheless, please note that while we have taken reasonable measures to protect your personal information, no website, Internet transmission, computer system or wireless connection is absolutely secure.

We promise that we have taken security measures in line with industry standards to protect your personal information from unauthorized access, public disclosure, use, modification, damage or loss. We will take all reasonably practicable measures to protect your personal information, including:

1) We will de-identify your personal information as soon as practicable, thereby reducing the risk of being identified by other organizations or individuals through de-identified personal information. We will regularly review the way of data processing (including physical security measures) to avoid all kinds of unauthorized access.

2) We have established a uniform authority control system for the processing of personal information at the Group level, which is effectively implemented across all departments and business teams; we only grant access to personal information to employees whose access is necessary for the purpose of data processing and to other people who are authorized to process the personal information, and we ensure that such people are subject to strict contractual confidentiality obligations.

3) We will make continuous efforts to safeguard the security of your personal information and will implement safety measures such as encryption throughout storage and transmission to prevent unauthorized access, use or disclosure of your personal information.

4) We will take security measures such as encryption when transmitting and storing your sensitive personal information.

 

In case of a personal information security incident, we will, in accordance with laws and regulations, promptly inform you of: the basic situation of the security incident and the potential impacts, the disposal measures we have taken or will take, the suggestions for you to prevent and reduce the risks on your own, and the remedial measures available to you, etc. We will promptly inform you of the incident by email, correspondence, phone call, and push notification, etc. If it is difficult to inform you one by one, we will take reasonable and effective ways to publish an announcement. In addition, we will actively report the personal information security incident in accordance with the requirements of regulatory authorities.

 

VII How We Transfer Your Personal Information Globally

In principle, the information we collect and generate in China will be stored in China. If some products or services involve data exit, we will separately inform you of the purpose of data exit and the recipient by pop-up window or email, obtain your consent separately and take corresponding measures required by laws and regulations, and we will ensure that the data recipient has sufficient capacity to protect your personal information.

 

VIII Your Rights to Your Personal Information

We highly respect your rights to your personal information. Below is a list of your lawful rights and how we will protect those rights. Please note that in specific product or service scenarios, for security concerns, we may have to verify your identity before handling your requests. To the extent permitted by applicable laws, your near relatives may exercise the following rights to access, copy, correct and delete your personal information, unless you have other arrangements.

1. Right to be informed: We will inform you of how we process your personal information through this Policy and other related legal documents. We are committed to improving the transparency of our data processing.

2. Access right: You have the right to access your personal information.

3. Right of correction: In the event that you find an error in your personal information we have processed, you have the right to request that we make a correction.

4. Right of deletion: In any of the following circumstances, you can request us to delete your personal information:

1) The purpose of processing has been achieved, cannot be achieved, or is no longer necessary to be achieved;

2) We cease to provide the product or service, or the storage period has expired (e.g. you no longer use our product or service, or you have canceled your account);

3) You have withdrawn your consent;

4) We violate laws, administrative regulations or agreements when processing your personal information;

5) Other circumstances specified in laws and administrative regulations.

We will decide whether to respond to your request in accordance with national laws and regulations and regulatory requirements, and if we decide to respond to your request for deletion, we will notify the entities which have obtained your personal information from us of deleting your personal information in time, unless laws or regulations stipulate otherwise, or such entities have separately obtained your consent.

5. Right of refusal: You have the right to refuse our processing of your personal information even if the processing is based on our legitimate interests, the exercise of public authority, direct marketing (including data aggregation), and statistical reasons.

6. Right to withdraw consent: If you have agreed to our processing of your personal information but change your mind later, you can withdraw your consent at any time and we will immediately stop processing your personal information.

7. Right to reject automated decision-making: In some business functions, we may make decisions solely based on automated decision-making mechanisms such as information systems and algorithms. When making automated decisions, we will ensure the transparency of the decision-making and the fairness and impartiality of the results, and will not apply unreasonable differential treatment to you in terms of transaction prices and other transaction conditions; when pushing information, we will also provide you with options and rejection methods not specific to your individual characteristics. If you believe that the results of automated decision-making significantly affect your legitimate rights and interests, you have the right to request an explanation and to reject our decisions made solely by means of automated decision-making.

8. Right to portability: You have the right to request the transfer of your personal information to a designated personal information processor when the conditions set forth by the state Internet information authorities are met.

You may exercise your rights as described above by contacting us through the contact information disclosed in this Privacy Policy, or by methods disclosed in the Privacy Policy or other related legal documents separately provided by us and our clients.

Since we serve a wide range of corporate clients in a variety of industries, and we, as the fiduciary, will hand over the original materials (including personal information) under a particular project to the client upon completion of the project, to ensure timely and comprehensive response to your requests, we suggest that you make your request directly to the controller of your personal information (usually our client) under a specific business scenario (e.g. a specific project), which will forward your request to us as appropriate. We will respond to your request as soon as possible after receiving it.

For security concerns, you may have to make your request in a written way or prove your identity by other means. We may ask you to validate your identity before processing your request. In principle, we do not charge a fee for your reasonable requests, but will collect certain costs as appropriate for repeated requests that exceed reasonable limits. We may decline requests that are repetitive for no reason, require excessive technical means (for example, requiring the development of new systems or fundamental changes to current practices), pose a risk to the legal rights and interests of others, or are highly impractical (for example, involving information stored on backup tapes).

In general, we will respond to your request as soon as possible within fifteen days or within the period stipulated by laws and regulations, except in the following circumstances:

1) Your request is related to our performance of obligations under laws and regulations;

2) Your request is directly related to national security and defense security;

3) Your request is directly related to public safety, public health, and significant public interest;

4) Your request is directly related to criminal investigation, prosecution, trial and enforcement of sentences;

5) We have sufficient evidence of subjective malice or abuse of your rights;

6) We choose to safeguard the life, property, and other significant legal rights and interests of you or other individuals, while it is difficult to obtain the consent of such persons;

7) Responding to your request will result in serious damage to the legitimate rights and interests of you or other individuals or organizations;

8) Your request involves trade secrets.

If you are not satisfied with our reply, you may complain through ts_mail@hcr.com.cn.

IX How We Process Personal Information of Minors

Our products, websites and services are primarily intended for adults. If you are a minor under the age of 18, you should read this Policy with your guardian(s) before using our products and/or services, and should ensure that you have obtained your guardian's consent to use our services and provide us with your information. We will give priority to the protection of the personal information of minors in accordance with relevant national laws and regulations.

If your guardian does not agree to your use of our services or your provision of personal information to us under this Policy, please terminate your use of our services immediately and notify us in time.

For personal information of minors collected with the consent of their parents or legal guardians, we will use or publicly disclose this information only when permitted by law, with express consent of their parents or guardians, or when necessary for the protection of the minors.

If you are the guardian of a minor, please contact us promptly if you have any question about the use of our services or the provision of user information to us by the minor under your guardianship. We will protect the confidentiality and security of minors' user information in accordance with relevant national laws and regulations and this Policy. In case we find that we have collected personal information from minors without prior verifiable parental or legal guardian consent, we will do our best to delete relevant data as soon as possible.

 

X How This Policy Is Updated

We reserve the right to update or modify this Policy from time to time.

We will not diminish your rights under this Privacy Policy without your express consent. We will publish all changes made to this Policy on this page.

For material changes, we will also provide a more notable notice (for certain services, we may provide an email notification of specific changes to our Privacy Policy).

Material changes shall include but not be limited to:

1) Material changes in our service model, such as the purpose of personal information processing, the type of personal information processed, and the way personal information is used.

2) Material changes in our ownership structure and organizational structure, such as changes in ownership due to business restructuring and bankruptcy-related M&A;

3) Changes in the main objects of personal information sharing, transfer or public disclosure;

4) Material changes in your right to participate in the processing of personal information and the way you exercise the right;

5) Changes in the department responsible for personal information security, our contact information and complaint channels;

6) The Personal Information Security Impact Assessment Report suggests a high risk.

If you do not agree with the revised Personal Information Protection Policy, you have the right to and should immediately stop using our products or services. If you continue to use our products or services, you will be deemed to have accepted the changes we have made to the relevant terms of this Policy.

 

XI Definition of Terms

"Personal information" refers to various information of identified or identifiable natural persons that is recorded electronically or by other means, excluding anonymized information. Personal information includes name, date of birth, ID number, personal biometric information, address, communication method, communication records and contents, account password, property information, credit information, whereabouts, accommodation information, health and physiological information, and transaction information, etc.

"Sensitive personal information" refers to personal information that, once leaked or illegally used, is likely to lead to the infringement of a natural person's human dignity or endanger his or her personal safety or property safety. Sensitive personal information includes ID number, personal biometric information, bank account number, communication records and contents, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information, and personal information of children under 14 years old (inclusive).

"Third parties" refer to companies or persons that are not related because of common ownership or control (i.e. non-affiliated companies) or other unrelated individuals.

"Personal information subject" refers to the owner of personal information, i.e. an identified or identifiable natural person.

"Personal information processor" refers to an organization or individual that decides the purpose and method of personal information processing on its own.

A "fiduciary" is an organization or individual that processes personal information on behalf of the personal information processor.

"Processing" refers to any single operation or series of operations performed on personal information or personal information series, whether or not such operations are performed in an automated manner, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, accessing, using, transmitting, disclosing, disseminating or otherwise making available, adjusting, combining, limiting, deleting or destroying.

"Consent" refers to the personal information subject's autonomous, specific, informed and explicit permission with regard to the processing of his or her personal information which is based on his or her intention and made through a statement or an explicit affirmative action.

"Delete" is the act of removing personal information from the systems used to achieve daily business functions so that the information cannot be retrieved or accessed.