- AI for a Better Tomorrow
Dear Clients and Users of SenseTime,
This Policy provides an overview of our commitments on personal data protection and stipulate the personal data protection requirements and standards generally applicable to our products and services. We may also formulate specific personal data protection policies, statements, notices, etc. (“Specific Policies”) with respect to certain specific online or offline products or services. If there is any conflict between this Policy and the Specific Policies, these Specific Policies shall govern. For matters not provided in the Specific Policies, this Policy shall govern.
Additionally, this Policy only applies to the products or services we provide to our clients (“Clients”) or Users (including the products or services our Clients provide to Users). However, this Policy does not apply to products or services provided to you by other third parties, and is completely independent from the privacy policies or similar legal documents that Clients or any third parties provide to you.
If Clients and/or Users have any questions, comments or complaints, please contact us through the contact information provided in Section XII. If Clients and/or Users disagree with this Policy, please immediately stop using our products or services. If Clients and/or Users continue using our products or services, subject to the applicable laws, the Clients and/or Users may be deemed consenting to our personal data processing in accordance with this Policy.
In this Policy:
“personal data” shall mean any data relating to an identified or identifiable natural person which has been recorded in electronic or other form, excluding anonymized data.
“sensitive personal data” shall mean any data that once leaked or illegally used may cause individuals to suffer discrimination or serious harm to the security of their person and property.
“end-users” or “Users” shall mean any person who directly uses our products or services, or indirectly use products or services of SenseTime through our Clients.
In particular, when Users use our products and services, we will process two categories of personal data, including
personal data of Users who directly use our products or services, such as an individual developer, or a User who directly use products or services provided by SenseTime on behalf of ourselves; and
personal data of Users who indirectly use our products or services. For example, when Users use product or services provided by our Clients, our Clients may use our products or services and we may collect and use your personal data.
We may process these two categories of personal data in different ways which may deserve your attention. Please carefully note how we collect and use the data and how you exercise your rights. If necessary, Clients and Users should refer to the Specific Policies of each product or service.
This Policy will help Clients and Users understand the following information:
I. Our basic information
II. Our principles on personal data protection
III. How and why we collect and use Users’ personal data
IV. What is our basis for processing data about Users in the EU
VI. How we protect Users’ personal data
VII. How we transfer and store Users’ personal data
VIII. How we share, transfer, and publicly disclose Users’ personal data
IX. Users’ rights to personal data
X. How we process data about minors
XI. Revision to this policy
XII. Contact us
XIII. Effectiveness of this Policy
I. OUR BASIC INFORMATION
SenseTime is a global leading company and the most valuable AI unicorn focused on developing AI technologies that advance the world’s economies, society and humanity for a better tomorrow.
II. OUR PRINCIPLES ON PERSONAL DATA PROTECTION
We adhere to the following principles when processing personal data:
1. Process data in a lawful and proper manner
We commit to abide by the applicable laws which will come into effective from time to time and the principle of lawfulness, fairness and transparency. We will not process personal data for any illegal purpose or by fraudulent, misleading or other wrongful means.
We honor and respect the relevant rights of Users provided by the applicable laws.
2. Comply with principles of transparency and necessity
We process personal data with specific and reasonable purpose, which is limited to the minimum scope for achieving the purpose of processing. Personal data shall not be processed for any purpose irrelevant to the purpose of processing.
We strictly process data in the manner that have the least impact on the rights of personal data subjects. We retain personal data only for the time period necessary for achieving the purpose of processing.
We follow the principles of openness and transparency, and indicate the rules for processing personal data expressly and timely, so that Users can understand how their personal data will be processed and what rights they enjoy.
3. Security and Controllability
We adopt technical and management measures required by the applicable laws and follow the mainstream practices in AI industry to protect Users’ personal data.
We have obtained relevant cybersecurity certificates. We encrypt the transmission and storage of the sensitive personal data, and use the reinforced operating system to store Users’ personal data;
We have set up a dedicated team in charge of data security and personal data protection. We also hold regular training on personal data protection laws for our staff to enhance their awareness of personal privacy protection.
We adopt the principle of minimum authorization for the staff who may access your personal data, monitor any access to your personal data and regularly audit the processing records.
5. AI for a better tomorrow
“AI for a better tomorrow” is our mission and vision.
We adhere to the idea of privacy by design and strictly implement the personal data requirements in the design, R&D, production, application, operation and maintenance of our products and series to build safe and reliable AI products.
III. HOW AND WHY WE COLLECT AND USE USERS’ PERSONAL DATA
In general, we will process two categories of personal data as follows. We may assume different legal responsibilities and comply with different personal data requirements when we process these two categories of personal data. We may formulate Specific Policies for each product or service.
1. Personal data that we directly collect from Users. When you directly use our official website and our various mobile applications, we will decide how to collect and use your personal data. When you use our products or services, please refer to Specific Policies for each product or service which set out how we collect and use your personal data.
We may process personal data for the following business purposes:
to communicate and respond to your requests and inquiries to us;
to deliver functionality on our products, services and websites and for their technical and functional management;
to engage in transactions with Clients, Users, suppliers and business partners and to process orders for our products and services;
to analyze, develop, improve and optimize the use, function and performance of our websites, products and services;
to manage the security of our products, services, websites, networks and systems;
to comply with applicable laws and to operate our business; and
to market our products and services or related products and services and to tailor marketing and sales activities.
These purposes are described below in further detail.
1. To communicate and respond to your requests and inquiries to us
If you get in touch with us (such as by submitting contact forms on our websites, attending SenseTime events or other occasions, sending an email or visiting social media platforms), we process your personal data to communicate with you and to respond to your requests or other inquiries. We may also process your personal data to interact with you on third party social networks.
2. To deliver functionality on our products, services and websites and for their technical and functional management
Sometimes, you need to register an account before using our products and services. When you choose to register with us (such as to make use of our communities), we need to process your personal data so that we can create and manage a personal account for you. Upon creating your account, we may send your personal login data to you. This personal data enables us to administer your account, for example, by changing your password by yourself.
3. To engage in transactions with Clients, Users, suppliers and business partners and to process purchases of our products and services
If you place an order for our products and services, or if you provide services to SenseTime, our employees, customers or partners as a supplier or business partner, we may process your personal data to engage in and administer the relevant transactions (such as by sending invoices and making payments), administer your order, and assist you when you use our products and services.
4. To analyze, develop, improve and optimize the use, function and performance of our websites. products and services
We may process personal data in order to analyze, develop, improve and optimize the use, function and performance of our products, services and websites, including for quality assurance and training purposes, as well as for marketing and sales campaigns. In case the websites permit you to participate in interactive discussions, create a profile, post comments, opportunities or other content, or communicate directly with another user or otherwise engage in networking activities, we may process personal data when moderating these activities.
Additionally, personal data does not include aggregated, non-personally identifying data that does not identify a user or cannot otherwise be reasonably linked or connected with him/her. We may use such aggregated, non-personally identifying data for research purposes and to operate, analyze, improve, and optimize our products, services and websites.
5. To manage the security of our products, services, websites, networks and systems
We may collect and use data of our products, services and websites for security and operations management to keep our products, services, websites, networks and systems secure, or to investigate and prevent potential fraud, including ad fraud and cyber-attacks and to detect bots.
6. To comply with applicable laws and to operate our business
In some cases, we have to process personal data to comply with applicable laws. For example, to respond to a request from a regulator or to defend a legal claim. We may also process personal data in the performance and operation of our business, such as to conduct internal audits and investigations, or for the purposes of finance, accounting, archiving or insurance.
7. To market our products and services or related products and services and to tailor marketing and sales activities
We may use your personal data to notify you about new product releases and service developments, events, alerts, updates, prices, terms, special offers and associated campaigns and promotions (including via newsletters). We may also use personal data to advertise our products and services or related products and services, and also to have our Clients notify you about our products or services or their related products or services (such as via joint sales or product promotions).
If you attend an event, we may process your personal data gathered in relation to the event and share with your company.
IV. WHAT IS OUR BASIS FOR PROCESSING PERSONAL DATA OF USERS IN THE EU
For personal data collected about you in the EU, our basis for processing is the following:
in order to communicate adequately with you and to respond to your requests, we need to process data about you and therefore we have a legitimate interest in processing this data.
in order to engage in transactions with customers, suppliers and business partners, and to process purchases and downloads of our products and services, we need to process your personal data as necessary to enter into or perform a contract with you.
we process personal data for marketing and sales activities based on your consent where so indicated on our websites at the time your personal data was collected, or further to our legitimate interest to market and promote our products and services. We may also collect sensitive personal data upon your explicit consent for one or more specified purposes.
we rely on our legitimate interest to analyze, develop, improve and optimize our products, services and websites, and to maintain the security of our products, services, websites, networks and systems.
In order to comply with applicable laws, such as to comply with a subpoena or other legal process, or to process an opt-out request.
Most web browsers have the function of blocking Cookies. But if you do so, you need to change the user settings by yourself every time you use our products or services. You can learn more about changing browser settings by visiting the following links: <Internet Explorer>、<Google Chrome>、<Mozilla Firefox>、<Safari> and <Opera>.
VI. HOW WE PROTECT USERS’ PERSONAL DATA
We have taken security protection measures in line with the applicable laws and industrial standards to protect your personal data, so as to prevent unauthorized access, public disclosure, use, modification, damage or loss of data.
1. SenseTime has appointed dedicated persons in charge of personal data protection, who is responsible for dealing with all matters relating to the data privacy of our products and services, such as formulating and revising our privacy policies, monitoring the compliance of our data processing, awareness-raising, training, and audits.
2. We have obtained ISO 27001 Information Security Management System Certificate, ISO 29151 Code of Practice for Personally Identifiable Data Protection Certificate, and ISO 27701 Privacy Information Management System Certificate. We have formulated the overall security policies and security strategies for information security and established the security management systems with respect to the hosts, data, applications, management and other aspects. We have set up the information security management committee and the information security executive committee to direct information security work and personal data protection committee to direct personal data protection work. We have delineated the security protection responsibility for each department and position, and formulated security management norms with respect to personnel recruitment and resignation.
3. We will encrypt the transmission and storage of the sensitive personal data, and the encryption robustness meets the security requirements to ensure the confidentiality of the data. Our application systems set up identity authentication, user identity uniqueness verification, role-based access control and other security control mechanisms, and uses HTTPS security protocol for communication. We deploy the access control mechanism on the server side, adopt the principle of minimum authorization for the staff who may contact your personal data, and regularly check the logs of visitors and access. Our operating systems and database systems have password complexity requirements, adopt SSH security protocol for remote management and strictly restrict access to the default accounts. We keep comprehensive audit records for our systems which cover all system users.
4. We deploy security hardening on our server systems for storing User’s personal data. We audit and monitor all the accounts for server operation. If we find any server operating system has any security loopholes, we will upgrade the security protection in time to ensure the security of all server systems and applications.
5. We have formulated the emergency plan for network security incidents and allocated sufficient resources to ensure the implementation of the emergency plan. We conduct training and emergency drill on the emergency plan every year. If our physical, technical or management protection measures are unfortunately damaged, we will launch the emergency plan in time to prevent the expansion of the safety incident, report to the national competent authority in accordance with the requirements of laws, and inform you of the basic situation, possible impact, measures taken or measures to be taken in a reasonable and effective way such as push or announcement, etc.
6. For the employees who may have access to your data, we sign confidentiality agreements with them and have established approval mechanisms for data access, internal or external transmission, and decryption. We also conduct regular training related to personal data protection to strengthen our employees’ awareness of privacy protection.
7. As far as third parties (i.e. external companies) are rendering data processing services for us, we have committed them to the compliance with our data privacy regulations.
VII. HOW WE TRANSFER AND STORE USERS’ PERSONAL DATA
1. How we transfer your personal data
As we operate via a global network of corporate offices, sales and service centers and data centers, it may be necessary to transfer your data to a country outside of the country where it was originally collected or outside of your country of residence or nationality. If your personal data is transferred to our recipients in a country that does not provide an adequate level of protection for personal data, we will adopt adequate measures designed to protect the personal data, such as ensuring that such transfers are subject to the terms of adequate transfer mechanism as required under the applicable laws.
2. How long we store your personal data
We will retain your personal data only for a limited period of time needed to fulfil the purposes of processing mentioned above, unless a longer storage period is required by law. Subject to the applicable laws, the storage period will depend on following standards and the longest period of time shall govern.
a) provide the products or services you agree to use;
b) ensure the safety and quality of our products and services;
c) a longer period you agree to; and
d) other special agreements on the storage period.
Your personal data will be deleted or anonymized after the storage period.
If we stop providing our products or services, we will give a notice to you. At the same time, we will delete or anonymize your personal data and will no longer collect your personal data.
VIII. HOW WE SHARE, TRANSFER, AND PUBLICLY DISCLOSE USERS’ PERSONAL DATA
We will not share your personal data with any company, organization and individual except in the following circumstances:
a) with your explicit consent, we will share your personal data with other parties.
b) we may share your personal data with others in accordance with applicable laws, the needs of litigation dispute settlement, or the requirements of administrative and judicial authorities.
c) to the extent permitted by applicable laws, it is necessary to share your personal data in order to protect us, our affiliates or partners, Users of SenseTime or the public interest, property or security from damage.
d) in order to provide products or services to our Clients and Users, we may share your personal data with our affiliates. However, we will only share necessary personal data, and the use of your personal data by our affiliates is subject to this Policy, Specific Policies or the affiliate’s policy which you accept and provides substantially the same level of protection as this Policy. Our affiliates and us will strictly comply with this Policy and other Specific Policies.
We will not transfer your personal data to any other company, organization or individual except in the following circumstances:
a) obtain your explicit consent or authorization in advance;
b) provide such data in accordance with the applicable laws, requirements of legal procedures, mandatory administrative or judicial requirements;
c) provide such data in accordance with the relevant agreements entered between you and us (including the electronic agreements signed online and the corresponding platform rules);
d) with the development of our business, it is possible for us and our affiliates to carry out merger, acquisition, asset transfer or other similar transactions. If the relevant transaction involves the transfer of your personal data, we will require the company, organization and individual to acquire your personal data to continue to be bound by this Policy, otherwise we will require the company, organization and individual to obtain your consent again.
3. Publicly disclose
We may only publicly disclose your personal data under the following circumstances:
a) after obtaining your explicit consent; and
b) disclosure under the law: we may publicly disclose your personal data as required by laws, under legal procedures, in lawsuits or upon compulsory requirements of competent authorities under the government.
IX. USERS’ RIGHTS TO PERSONAL DATA
1. Users who directly use products or services of SenseTime
Users who directly use our products or services may at any time exercise the rights to your personal data provided by the applicable laws. In order to safeguard the legitimate rights and interests of SenseTime and Users, we may require Users to provide necessary certificates to verify their identity when they exercise their rights. Please note that the rights may vary among Users pursuant to the applicable laws in different countries or regions. The rights may be limited in some circumstances – for example, where we can demonstrate that we have a legal obligation to process your data or where it is needed for proper performance of a contract. In some instances, this may mean that we are able to retain data even if you withdraw your consent.
Residents in European Economic Area may exercise the rights including:
a) access: You have the right to ask us to confirm whether we are processing your personal data, receive data on how your data is processed and ask us to provide a copy of your personal data in a common format.
b) rectification: This enables you to have any incomplete or inaccurate data we hold about you correct, though we may need to verify the accuracy of the new data you provide to us.
c) erase: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your data unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
d) object to processing: You have the right to request us to cease processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.
e) restrict the processing: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
f) withdraw consent: you have the right to withdraw your consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
g) data portability: You have the right to request that we provide you or a third party that you designate with certain of your personal data in a commonly used, machine readable format. Please note, however, that data portability rights apply only to personal data that we have obtained directly from you and only where our processing is based on consent or the performance of a contract.
h) request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
i) lodge a complaint with your local data protection authority: You have the right to submit your request and complain at any time to your local supervisory authority in particular in the member state of your habitual residence, place of work or of an alleged infringement of the GDPR. We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance.
Residents in California may exercise the rights including:
a) access: You have the right to ask us to disclose to you the categories of personal data collected about you, the categories of sources from which the personal data is collected, the categories of personal data sold or disclosed, the business or commercial purpose for collecting and selling the personal data, the categories of third parties with whom we share the personal data, and the specific pieces of personal data collected about you over the past 12 months.
b) deletion: You can request that we delete your personal data that we maintain about you, subject to certain exceptions.
c) opt-out: We do not sell personal data. Thus, the opt-out requirement does not apply to us.
d) right to non-discrimination of service or price if you exercise your privacy rights: we will not discriminate against you because you exercised any of these rights, such as denying goods or services, charging different prices or rates for goods or services, providing a different level or quality of goods or services.
2. Users who indirectly use products or services of SenseTime through our Clients
We suggest that you make a direct request to the companies (such as our Clients) that directly provide products or services to you. Those companies may forward your request to us as appropriate. Our Clients shall establish a mechanism to protect Users’ personal data rights and timely report requests to SenseTime.
X. HOW WE PROCESS DATA ABOUT MINORS
Our products and services mainly target adult users. Without the consent of the parents or guardians, minors under the age of 13 may not use our products or services.
For our collection of minors’ personal data with parents’ consent, we will only use or publicly disclose this data subject to laws with the explicit consent of the parents or guardians, or as necessary to protect the minors.
If we find that we have collected minors’ personal data without prior verifiable parents’ consent, we will endeavor to delete the relevant data as soon as possible.
XI. REVISION TO THIS POLICY
We may revise this Policy from time to time. We will not compromise your rights under this Policy without your explicit consent.
In the case of any material change to this Policy, we will provide your prompt and conspicuous notification. You can also browse our official website at any time to view the latest Policy.
For the purpose of this Policy, major changes include but are not limited to:
1. significant changes to our service mode, such as the purposes of processing personal data, categories of personal data to be processed, the ways to use personal data, etc.;
2. significant changes to our ownership structure, organizational structure, etc., such as changes to the owners as a result of business reorganizations, bankruptcy, mergers and acquisitions;
3. changes to recipients with whom we may share or transfer personal data, or public disclosure of personal data;
4. significant changes to your rights to personal data and the ways in which you can exercise such rights;
5. changes to the security policies with respect to personal data, contact information of such department, or complaint channels; and
6. changes made due to high risks identified in the security impact assessment report for personal data.
After such changes and modifications, if you continue to use our products or services, you should be deemed agreeing to be bound by this revised Policy.
XII. CONTACT US
Beijing SenseTime Technology Development Co., Ltd. and our affiliates are operators of our products or services and the controllers of your personal data when we directly collect your personal data. Our registered address and contact address are Rooms 1101-1107, No.58 Northwest 4th Ring Road, Haidian, Beijing. If you have any questions, comments, suggestions or complaints about our Policy and our processing of your personal data, please send email to email@example.com to contact us.
Under normal circumstances, we will respond to your request within fifteen (15) business days.
XIII. EFFECTIVENESS OF THIS POLICY
This Policy was last changed on March , 2021 and will take effect on March , 2021.