MeituEve Data Protection Policy

Last Revision Date: [       ]

This Data Protection Policy applies to individuals who access and use the Service (as defined in the MeituEve Terms of Use) and/or sign up for an Account (as defined in the MeituEve Terms of Use).

We attach great importance to the privacy of your Personal Data (defined below), and we are also committed to maintaining your trust in us. We are committed to taking reasonable security protection measures designed to protect your Personal Data in accordance with industry security standards. Please take a moment to read this Data Protection Policy so that you know and understand how we collect, use and disclose your “personal information”, “personal data” and other similar information as defined under applicable data protection laws (collectively, “Personal Data”).

By accessing the Service and/or signing up for an Account, you agree Meitu (China) Limited and its affiliates (collectively “Meitu”) and their respective branches, subsidiaries and related corporations (collectively, the "Companies"), as well as their respective representatives and/or agents (“Representatives”) (the Companies and Representatives collectively referred to herein as "us", "we" or "our") may collect, use, disclose and share amongst themselves your Personal Data, and disclose such Personal Data to the Companies' authorised service providers and relevant third parties in the manner set forth in this Data Protection Policy, on the following basis:

(a)   in jurisdictions which allow for legitimate-interest based processing, on the basis of such legitimate interests including as set out in this Data Protection Policy; and

(b)   in all other jurisdictions, on the basis of your consent which you hereby give.

This Data Protection Policy supplements but does not supersede nor replace any other consents you may have previously provided to us in respect of your Personal Data, and your consents herein are additional to any rights which any of us may have at law to collect, use and/or disclose your Personal Data.

1.          Collection of Personal Data

1.1.  In order to make full use of the features of the Service, you need to provide your mobile phone number and/or your email address (to create a personal skin file, enable facial recognition features and confirm your identity). After providing the above information and agreeing to the MeituEve Terms of Use and this Data Protection Policy, you can make full use of the features of the Service. If you do not provide the above information, you will not be able to do so. If you do not agree to enable the Service’s facial recognition features, you can still continue to use the Service and your mobile phone number and/or your email address will be used to confirm your Account.

1.2.  Generally, in relation to the Service, we collect Personal Data in the following ways: 

(a)       when you access or use the Service;

(b)       when you submit any queries in connection with the Service;

(c)       when you sign up for an Account;

(d)       when you interact with the Service’s customer service officers or any of our staff, for example, via face-to-face meetings, telephone calls, letters, online forms (such as any “Contact Us” forms on our websites), social media platforms and emails;

(e)       when you request that we contact you;

(f)        when you respond to our requests for additional Personal Data;

(g)       when you ask to be included in an email or other mailing list;

(h)       when you respond to our market surveys, promotions and other initiatives; and

(i)         when you submit your Personal Data to us for any other reason.

1.3.  If you provide us with any Personal Data relating to a third party (e.g. information on your customers, spouse, children, parents, and/or employees), by submitting such information to us, you represent to us that you have obtained the consent of such third party to you providing us with their Personal Data for the respective purposes.

1.4.  You should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with products and services you have requested.

How We Process Children's Personal Data

1.5.  We will not collect or request Personal Data from those under 16 years of age (or any other specified age in accordance with applicable laws in your area). If you are less than 16 years of age, please do not send your Personal Data to us, including your name, address, telephone number or e-mail address. If you think we might have any information belonging to children under the age of 18, please contact us using the channels listed below.

2.          Purposes for the Collection, Use and Disclosure of Your Personal Data

2.1.  Where permitted under applicable data protection laws, we collect, use and disclose your Personal Data for the following purposes:

(a)       providing you the Service, including without limitation analysing your skin condition and sending you reports on the same (this may require collecting, using and/or disclosing your Personal Data, including: gender, age, birth information, data relating to your skin condition, imaging of your skin, etc.);

(b)       responding to, processing and handling complaints, queries, requests, feedback, customer service requests and/or suggestions relating to the Service - if you believe your relevant rights have been violated, you can file a complaint and report in accordance with our infringement complaint process. In the process, we will ask you to provide valid Personal Data to verify the authenticity of the complaint and report. As this can be sensitive information, we will take strict confidentiality measures and will not share it with any third parties except those necessary to resolve your inquiry;

(c)       verifying your identity;

(d)       to safeguard national interests such as national security, national defence, public safety, public health and public information;

(e)       to protect your or other individual’s life, reputation and other important legal rights and interests;

(f)        complying with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities;

(g)       processing your application for an Account;

(h)       maintaining and administering your Account;

(i)         signing and fulfilling contracts required by you;

(j)         maintaining the safe and stable operation of the Service, such as identifying or dealing with any failure of the Service;

(k)       protecting the security of your Account, network, operation, and system, and to prevent phishing, website fraud and Trojan horse viruses - this may require collecting, using and/or disclosing information about your device, including non-changeable device unique identifiers (such as IMEI numbers, MAC address, AndroidID, IDFA) and GUID;

(l)         assisting our business partners in profiling and management of their respective customers;

(m)      facilitating R&D and market research in the skin care industry;

(n)       managing your preferences - we will analyse the characteristics of your preference, habits and location, and create user profiles (such user profiles are anonymized or de-identified as data analysis results will not be related to specific user identities) based on the collected information, in order to present content that is more in line with your needs;

(o)       sending you news and offers from the Companies, the Related Corporations, and/or the Representatives that may be of interest to you;  

(p)       tailoring information and product or service offerings to you in accordance with your preferences and purchase history and/or other transactions with us;

(q)       conducting market research, understanding and analysing customer behaviour, location, preferences and demographics to enable us to improve the Service;

(r)        using online advertising and other technologies in connection with the above; and/or

(s)       any other purpose directly relating to any of the above.

2.2.  Please understand that the functions and services we provide to you are constantly evolving. If we intend to collect, use and/or disclose your Personal Data for an additional purpose not listed above, we will amend this Data Protection Policy and/or use page prompts, interactive processes, website announcements, etc. separately to explain the content, scope and purpose of these additional purposes, so as to obtain your consent where required by applicable laws.

2.3.  The legal bases we rely on for processing your Personal Data will vary depending on the applicable law. Our legal bases for processing your Personal Data for the purposes described above include: (a) processing that is necessary for the performance of our contract with you (such as where necessary to provide you with our products or services); (b) processing that is necessary for our legitimate interests (such as to carry out analytics in order to improve our service); (c) processing that is necessary to comply with our legal obligations (such as to respond to a subpoena or other legal process); and (d) where required by applicable law, your consent.

2.4.  In relation to particular products or services or in your interactions with us, we may also have specifically notified you of other purposes for which we collect, use or disclose your Personal Data. If so, we will collect, use and disclose your Personal Data for these additional purposes as well, unless we have specifically notified you otherwise.

3.          Disclosure of Personal Data

3.1.  We will take reasonable steps in an effort to protect your Personal Data against unauthorised disclosure. Subject to the provisions of any applicable law, your Personal Data may be provided, for the purposes listed above (where applicable), to the following entities or parties, regardless of the jurisdiction they are located in:

(a)       amongst ourselves;

(b)       our retail partners that you interact with via your use of our Service (“Retail Partners”). By using our Service, you are directing Meitu to share your Personal Data with the Retail Partner. Your Personal Data will also be subject to the Retail Partner’s privacy policy. Please note that we do not control, and we are not responsible for the Retail Partner’s processing of your Personal Data;

(c)       our authorized partners - for the purposes stated in this Data Protection Policy, some of our services will be provided by authorized partners (including the Third Parties (as defined in the MeituEve Terms of Use)), including product analysis services, technical support services, etc. We may share some of your Personal Data with our partners to provide better customer service and user experience. We will only share your Personal Data for legal, legitimate, necessary, specific, and clear purposes, and we will only share the Personal Data necessary to provide the services; at the same time, we will sign a strict confidentiality agreement with the companies, organizations and individuals with whom we share Personal Data, requiring them to process Personal Data in accordance with our Data Protection Policy and any other relevant confidentiality and security measures;

(d)       the various departments within the Companies;

(e)       agents, contractors or third-party service providers who provide operational services to us, such as telecommunications, information technology, payment, processing, training, market research, storage, archival, customer support investigation services or other services to us;

(f)        vendors or other third-party service providers in connection with promotions and goods/services offered on the Service;

(g)       our professional advisers such as our auditors and lawyers;

(h)       relevant government regulators, government ministries, statutory boards or authorities, and/or law enforcement agencies, whether local or overseas, to comply with any directions, laws, rules, guidelines, regulations or schemes issued or administered by any of them, as well as to comply with listing and other requirements or directions of any relevant securities exchange;

(i)         other external parties, where we believe in good faith that doing so is required or appropriate to respond to legal process, to protect your, our, or others’ rights, property, or safety, or to assist with an investigation and prosecution of suspected or actual illegal activity; and

(j)         any other party to whom you authorise us to disclose your Personal Data.

3.2.  Except as set out in this Data Protection Policy, we will not actively share or transfer your Personal Data to third parties. If there are other situations which require the sharing or transfer of your Personal Data or if you need us to share or transfer your Personal Data to a third party, we will directly confirm that the third party has obtained your consent for such acts if required by applicable law or we otherwise believe it is appropriate. In addition, we may conduct a risk assessment for the provision of your Personal Data to such third party.

3.3.  At present, we will not actively obtain your Personal Data from third parties. As for future business development where we may need to obtain your Personal Data indirectly from a third party, we will express to you the source of your Personal Data, the type of Personal Data and our scope of use of your Personal Data. For instance, if we are aware that the Personal Data processing activities required by us to conduct business is beyond the scope of the authorization and consent originally provided to the third party, we will obtain your explicit consent before processing such Personal Data; in addition, we will strictly abide by relevant laws and regulations and we will require third parties to obtain the consents required under applicable laws before they provide such information.

Transfer

3.4.  Except as set out in this Data Protection Policy, we will not transfer your Personal Data to any company, organization or individual, unless:

(a)       we have obtained your explicit consent; and/or

(b)       in the case of merger, acquisition or bankruptcy liquidation, if it involves the transfer of Personal Data, we will require new companies and organizations holding your Personal Data to continue to be bound by this Data Protection Policy, otherwise we will require the company or organization to seek your consent again.

3.5.  Because we provide the Service through resources and servers around the world, this means that, with your authorized consent, your Personal Data may be transferred to or accessed from jurisdictions other than the jurisdiction in which you use the Service.

3.6.  Such other jurisdictions may have different data protection laws or even no data protection laws. In such cases, we will ensure that your Personal Data is adequately protected. For example, we may implement security measures such as data de-identification prior to cross-border data transfer.

Public Disclosure

3.7.  We only disclose your Personal Data publicly if:

(a)       we have obtained your explicit consent; and/or

(b)       we are required to do so by laws, legal procedures, lawsuits or mandatory requirements of government authorities.

4.          Data Security

4.1.  We use industry-standard security measures designed to protect Personal Data in our possession or our control by making reasonable security arrangements designed to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. For example:

(a)       when you exchange data (such as credit card information) between your browser and the Service, it is protected by SSL encryption;

(b)       we provide HTTPS secure access to the supporting web services provided by the Service;

(c)       we use encryption technology designed to ensure the confidentiality of data;

(d)       we use trusted protection mechanisms designed to prevent data from being maliciously accessed;

(e)       we deploy access control mechanisms designed to ensure that only authorized personnel can access Personal Data; and

(f)        we organize security and privacy protection training courses to strengthen our employees’ awareness of data privacy concerns.

4.2.  We will take reasonably practicable steps to ensure that irrelevant Personal Data is not collected. We are committed to keeping your Personal Data within the period required by law or reasonably necessary to implement features and services in connection with the Service. We will delete, de-identify, or anonymize Personal Data after the retention period expires.

4.3.  However, we cannot completely guarantee the security of any Personal Data we may have collected from or about you, or that no harmful code will infiltrate our website or application (for example viruses, bugs, trojan horses, spyware or adware).

4.4.  Whilst we strive to protect your Personal Data, we cannot ensure the security of the information you transmit to us via the Internet, and we urge you to take every precaution to protect your Personal Data when you use such platforms.

4.5.  If applicable, you undertake to keep any information relating to your Account (including any link to your skin analysis report) secure and confidential and shall not disclose or permit it to be disclosed to any unauthorised person, and to inform us as soon as reasonably practicable if you know or suspect that the confidentiality of any information relating to your Account has been lost, stolen or compromised in any way or that actual or possible unauthorised access has taken place. We are not liable for any damages resulting from any security breaches, or unauthorised and/or fraudulent access of any information relating to your Account.

4.6.  In the event of an unfortunate Personal Data security incident, we will act in accordance with the requirements of applicable laws and regulations, to keep you informed of the basic details and the possible impact of the security incident, the measures we have taken or will take, suggestions to you to reduce any risks, remedial measures and more. We will promptly inform you about the event by email, letter, phone, push notification, etc. in accordance with the requirements of applicable law. When it is difficult to notify you individually, we will take a reasonable and effective way to make an announcement. At the same time, we will proactively report the handling of Personal Data security incidents in accordance with the requirements of regulatory authorities.

5.          Third-Party Sites

5.1.  The Application (as defined in the MeituEve Terms of Use) may contain links to other websites operated by third parties. We are not responsible for the privacy practices of websites operated by third parties that are linked to the Application. We encourage you to learn about the privacy policies of such third-party websites. Some of these third-party websites may be co-branded with our logo or trademark, even though they are not operated or maintained by us. Once you have left the Application, you should check the applicable privacy policy of the third-party website to determine how they will handle any information they collect from you. 

6.          Contacting Us - Feedback, Withdrawal of Consent, Access and Correction of your Personal Data

6.1.  If you:

(a)       have any questions or feedback relating to your Personal Data or this Data Protection Policy;

(b)       believe we have infringed your rights to your Personal Data;

(c)       would like to withdraw your consent to any use of your Personal Data as set out in this Data Protection Policy; or

(d)       would like to obtain access and make corrections to your Personal Data records,

you can approach us via the following channels:

Email: [insert contact details]; compliance@meitu.com (Please quote “MeituEve” in your email title)

6.2.  You may also write to our Data Protection Officer as follows:

Unit 8106B, Level 81, International Commerce Centre, 1 Austin Road West, Hong Kong

Attn: Legal Department, Meitu

 

6.3.  Please note that if your Personal Data has been provided to us by a third party, you should contact such third party directly to make any queries, feedback, and access and correction requests to us on your behalf.

6.4.  If you withdraw your consent to any or all use of your Personal Data, depending on the nature of your request, we may not be in a position to continue to provide the Service to you or administer any contractual relationship already in place. This may also result in the termination of any agreements you have with us (e.g. termination of your Account), and your being in breach of your contractual obligations or undertakings. Our legal rights and remedies in such event are expressly reserved.

7.          How This Policy Will Be Updated

7.1.  This Data Protection Policy is subject to change at any time. We will post any changes to this Data Protection Policy on this page. For major changes, we may inform you via additional means, such as via email. Subject to your rights at law, you agree to be bound by the prevailing terms of this Data Protection Policy as updated from time to time by us.  

7.2.  Major changes referred to in this policy include, but are not limited to:

(a)       changes to the purposes for which we process Personal Data, the types of Personal Data we process, and how we use your Personal Data;

(b)       your rights to participate in the processing of Personal Data and how you exercise them have changed; and

(c)       when a Personal Data security impact assessment report indicates that there is a risk.

8.          Country-Specific Terms

Countries which allow processing of Personal Data on the basis of legitimate interest

Japan

8.1.  If you are located in Japan, your Personal Data as described in section 1.1 or elsewhere in this Data Protection Policy may be jointly used by Meitu (China) Limited and its affiliates for the purposes described in section 2.1 or elsewhere in this Data Protection Policy. Meitu (China) Limited will be the party responsible for such joint use of Personal Data.

 

8.2.  If you are located in Japan, please contact us at the contact details in section 6 above if you want to request us to disclose to you the purposes of the use of; or to disclose; or to correct, add to, delete, or cease to use; or to cease to provide to third parties, Personal Data that we hold about you. For us to process your request, please also submit an identification certificate and other documents which we may request. We will charge JPY500 per request. We will use the Personal Data provided by you in relation to any of the aforementioned requests for the purpose of processing and responding to your request.

 

8.3.  If you are located in Japan and provide us with your email address and/or a telephone number, you consent for us and our affiliates to send marketing materials via email, text message or telephone.

 

Korea

8.4.  When processing (i.e., collect, use, (overseas) transfer, etc.) your Personal Data to enable your access and use of our Services, we will secure proper legal grounds under the Korean privacy laws for the processing of your Personal Data (including, but not limited to, acquisition of your prior express consent).  We do not assume your consent for the processing of your Personal Data only by your access/use of our Services or submission of your information to us.

8.5.  We do not collect and/or store cookies.

8.6.  We shall transfer your Personal Data to the brand that we are cooperating with. Further, we will also transfer your Personal Data to the following affiliates of Meitu:

 

Recipient Name: Xiamen Home Meitu Technology Co., Ltd.
Country where Recipient is Located: China
Time and Method of Transfer: Online transfer
Recipient’s Purpose of Using the Personal Data: a. Customer portrait analysis; b. Skin algorithm development
Items of Personal Data to be Transferred: a. Client name; b. Gender; c. Birthday; d. E-mail; e. Cosmetic surgery history; f. Allergies; g. Skin types; h. Skin issues; i. Client photos
Retention Period of Recipient: Permanent data retention or deletion after contract expiration

Recipient Name: Xiamen Meitu Technology Co., Ltd.
Country where Recipient is Located: China
Time and Method of Transfer: Online transfer
Recipient’s Purpose of Using the Personal Data: a. Customer portrait analysis; b. Skin algorithm development
Items of Personal Data to be Transferred: a. Client name; b. Gender; c. Birthday; d. E-mail; e. Cosmetic surgery history; f. Allergies; g. Skin types; h. Skin issues; i. Client photos
Retention Period of Recipient: Permanent data retention or deletion after contract expiration

Recipient Name: Xiamen Meitu Mobile Technology Co., Ltd.
Country where Recipient is Located: China
Time and Method of Transfer: Online transfer
Recipient’s Purpose of Using the Personal Data: a. Customer portrait analysis; b. Skin algorithm development
Items of Personal Data to be Transferred: a. Client name; b. Gender; c. Birthday; d. E-mail; e. Cosmetic surgery; f. Allergies; g. Skin types; h. Skin issues; i. Client photos
Retention Period of Recipient: Permanent data retention or deletion after contract expiration


For the performance of Services, we delegate the processing of your personal data to the following external professional service providers:

 

8.7.1. Domestic Delegation

Delegatee’s Name

Descriptions of Delegated Works

 

8.7.2. Overseas Delegation

Delegatee’s Name: Huawei Cloud
Country where Delegatee is Located: China
Time and Method of Transfer: During the contract; Cloud storage
Descriptions of Delegated Works: Data storage
Items of Personal Data to be Transferred: a. Client name; b. Gender; c. Birthday; d. E-mail; e. Cosmetic surgery; f. Allergies; g. Skin types; h. Skin issues; Client photos
Retention Period of Delegatee: Deletion after contract expiration

Delegatee’s Name: Google Cloud
Country where Delegatee is Located: The United States
Time and Method of Transfer: During the contract; Cloud storage
Descriptions of Delegated Works: Data storage
Items of Personal Data to be Transferred: a. Client name; b. Gender; c. Birthday; d. E-mail; e. Cosmetic surgery; f. Allergies; g. Skin types; h. Skin issues; Client photos
Retention Period of Delegatee: Deletion after contract expiration


8.7.  In principle, we will immediately destroy your Personal Data if: (a) you terminate your use of our Services or (b) the purposes of collection and use of Personal Data have been achieved.  However, if we are required to retain your Personal Data for a longer period of time under applicable laws and regulations, we will retain your Personal Data for the period as required under such applicable laws and regulations.  

 

8.8.  When destroying Personal Data, measures will be taken to make the Personal Data irrecoverable or irreproducible. Electronic files which contain Personal Data will be deleted permanently using a technical method which makes the files irreproducible.  Any other records, print-outs, documents or any other recording media will be shredded or incinerated.

United States of America

8.9.  You agree that Meitu may use facial recognition technology to collect biometric information from the photos or images you provide. Meitu may use such information to verify your identity, to provide and improve the Service, and for our internal research purposes. Where required by law, we will delete your biometric information within three years of your last interaction with the Service. 

8.10.           If you are a California resident, section(s) 8.10 – 8.13 apply to our processing of your Personal Data. The California Consumer Privacy Act (“CCPA”) provides California residents with the right to know what categories of Personal Data we have collected about them:

8.11.  Category of Personal Data: Collected by Meitu?

Identifiers: Yes
Personal information categories listed in Cal. Civ. Code § 1798.80(e): Yes
Characteristics of protected classifications under California or federal law: No
Commercial information: Yes
Biometric information: Yes
Internet activity or electronic network activity information: Yes
Geolocation data: No
Audio, electronic, visual, thermal, olfactory, or similar information: Yes
Professional or employment-related information: No
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)): No
Inferences drawn from other personal information to create a profile: Yes


8.12.        We use this Personal Data to provide and improve the Service and for the purposes set forth above.

 

8.13.       California residents have the right to: (i) receive a copy of Personal Data that you have provided to us, or ask us to send that Personal Data to another company; and (ii) request erasure of Personal Data held about you by us, subject to certain exceptions prescribed by law. To exercise these rights, please contact us as set forth in section 6. For purposes of the CCPA, we do not “sell” your Personal Data.

 

8.14.       California residents also have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the California Consumer Privacy Act.

Singapore

8.15.  If you have provided your Singapore telephone number(s) and have indicated that you consent to receiving marketing or promotional information via your telephone number(s), then from time to time, we may contact you using such telephone number(s) (including via voice calls, text, fax or other means) with information about our products and services (including discounts and special offers).

9.          Language

9.1.  This Data Protection Policy is prepared and drafted in English, but may be translated into other languages (e.g. Japanese and Korean). Should any conflict arise between the English language version of this Data Protection Policy and any translation hereof, the English language version shall be controlling.