This Privacy Policy ("Policy") describes how Hangzhou Xiangsu Technology Co., Ltd. ("Company", "we", "us", or "our") — a company incorporated under the laws of the P.R.C. — collects, uses, stores, transfers, discloses, and protects Personal Information in connection with our global cloud-based video platform Services. Our infrastructure operates globally, with three nodes in certain geographic regions outside China: the United States (primary node), Germany (EU node), and Singapore (APAC node).
By completing account registration, clicking to confirm acceptance, or continuing to use our Services (including after any Policy update), you (including Business Customers and their authorized representatives) acknowledge and accept all contents of this Policy. If you disagree with any part of this Policy, you must immediately stop using our Services, and we will cease processing your Personal Information accordingly.
This Policy does NOT directly apply to the Personal Information that Business Customers independently collect from their own End Users through products built on our platform. In that context, Business Customers are the Data Controller and we are the Data Processor under a Data Processing Agreement ("DPA"). This Policy also does NOT apply to products, services, or websites of third parties displayed on, linked to, or repackaged within our Services — third parties operate under their own privacy policies and we bear no liability for their data practices.
We adhere to the following core principles in all Personal Information processing activities, in compliance with applicable data protection laws:
Primary Governing Laws:
Core Principles:
For Business Customers (B2B Relationship): the Company acts as Data Controller for Personal Information of Business Customers' authorized representatives (account administrators, billing contacts, technical contacts).
For End Users (B2B2C Relationship):
| Data Subject | Our Role | Controller Identity | Legal Basis |
|---|---|---|---|
| End Users of Business Customers' applications | Data Processor ONLY | The Business Customer is the sole Data Controller | DPA and Business Customer instructions |
| Business Customer representatives | Data Controller | Hangzhou Xiangsu Technology Co., Ltd. | This Privacy Policy and Service Agreement |
Critical Clarification:
We do not have any direct legal relationship with End Users. All End User Personal Information is processed:
Liability Framework:
Our obligation and liability as Data Processor are strictly limited to:
We expressly disclaim any responsibility to the extent permitted by law for:
The following terms are used throughout this Policy. Terms not defined here shall have the meanings given in applicable data protection law of the relevant jurisdiction.
All kinds of information recorded by electronic or other methods that can identify the identity of a specific natural person alone or in combination with other information — including name, date of birth, identity document number, telephone number, email address, physical address, financial account information, personal biometric information, device identifiers, IP address, location data, video/audio content, and online behavior. Irreversibly anonymized information is excluded.
A sub-category of Personal Information whose unauthorized disclosure or misuse may cause disproportionate harm. Includes: personal biometric information (facial features, voiceprints, fingerprints, iris patterns, gait recognition); financial account information (bank card numbers, payment account numbers, transaction passwords); precise location information (real-time GPS coordinates); personal health and physiological information; information of minors; communication content and private interaction records; and other information recognized as sensitive under applicable law. We process Sensitive Personal Information only when strictly necessary and with enhanced safeguards including end-to-end encryption and strict access controls.
The identified or identifiable natural person whose Personal Information is processed by us — including authorized representatives of Business Customers and End Users of Business Customers' applications.
De-identification: Personal Information is technically modified so that it cannot identify a specific Data Subject without additional separately-held information. Anonymization: an irreversible process that permanently eliminates the possibility of re-identification by any technical means. Anonymized information is no longer Personal Information.
Device: any electronic device that can access our Services (desktop/laptop computers, tablets, smartphones, smart TVs, set-top boxes, wearable devices, IoT devices). Unique Device Identifier: a string uniquely identifying a Device, including IMEI, IMSI, IDFV, OAID, GAID, hardware serial number, and MAC address. We collect only the minimum identifiers necessary and exclude sensitive identifiers (IMEI, MAC address) unless expressly required by law.
Automatic collection methods include: (1) Cookies — small text files stored on Devices, including Session Cookies (deleted on browser close) and Persistent Cookies (retained for a defined period); (2) Web Beacons / Pixel Tags — transparent images or scripts tracking page/email interactions; (3) Log Files — server records of IP address, browser/OS type, access times, and usage data; (4) ETag — HTTP headers used for device/session identification; (5) JavaScript — client-side scripts collecting Device and behavior data; (6) SDK/API Data Collection — our SDKs/APIs integrated by Business Customers, automatically collecting Device, usage, and interaction data from End User Devices with prior End User consent.
Business Customer: an enterprise, institution, organization, or other legal entity that registers an account with the Company, signs a service agreement, and purchases/uses our Services for commercial purposes. End User: a natural person who uses a Business Customer's application that incorporates our Services. Data Processing Agreement (DPA): the legally binding contract between the Company and a Business Customer governing our processing of Personal Information as Data Processor on behalf of the Business Customer.
We collect and use Personal Information in accordance with the principles of lawfulness, legitimacy, necessity, and good faith — collecting only what is necessary for stated purposes and clearly informing Data Subjects of collection types, purposes, and methods.
Mandatory: full legal name; valid business email; valid mobile phone number (for 2FA/verification); position within the Business Customer; login password (stored as salted cryptographic hash only). Voluntary: work avatar/photo; WeChat/WhatsApp/other IM accounts; work address and fax number.
Purpose: create and manage the Business Customer account; verify identity and Business Customer legitimacy; complete account activation; provide Services per the service agreement; conduct daily business communication.
Personal electronic signature for the service agreement; payment-related contact information (phone number and email for payment notices and invoices); Business Customer billing information (billing contact name, phone, email; VAT/GST/tax ID where required).
Purpose: complete the service application and purchase process; sign the electronic service agreement; process payment and issue invoices; provide paid Services per the agreement; track service delivery.
Identity verification information (name, phone, email, position); contents of communications (questions, technical issues, service requests, complaints, attachments); call/video recordings (with prior notice and required consent) and chat logs.
Purpose: verify inquirer identity; respond to and resolve issues; process service requests and complaints; improve service quality; maintain records for dispute resolution and legal compliance.
Full name, phone, email, position; work unit and industry; event preferences (voluntary). Image, voice, and video captured at events (with your consent to recording/photography).
Purpose: event registration; event communications; on-site arrangement; post-event materials and follow-up. We will NOT use image, voice, or video for commercial advertising without explicit written consent.
IP address; browser type/version; OS type/version; referring/exit page URL; access date/time; page view records; console operation behavior (functions used, settings modified, data viewed, API calls); service usage metrics (API call frequency, resource consumption, SDK version); device type, screen resolution, network status.
Purpose: improve Site and console experience; ensure stable operation and security; conduct service usage analytics; prevent unauthorized access and malicious attacks; troubleshoot technical problems.
We do not have a direct contractual relationship with End Users. End User Personal Information is collected through Business Customers — either provided by the Business Customer, or automatically collected by our SDK/API integrated by the Business Customer on End User Devices with prior End User consent. We process End User Personal Information solely as a Data Processor under Business Customer instructions. Business Customers bear primary legal responsibility for lawful End User data collection. We will not independently collect or use End User Personal Information without Business Customer instructions and End User consent.
End User name, phone, email (for account binding and identity verification); End User ID and nickname on Business Customer's product (for service interaction and identification).
Purpose: account binding with our video cloud service; identity verification for video service access; service security; personalized video functions.
Unique Device Identifier (IDFV, OAID, hardware serial number — excluding IMEI and MAC unless permitted by law); device type, brand, model, OS type/version; screen resolution, memory, CPU information; IP address, network type (Wi-Fi/cellular), operator, signal strength; system language, time zone.
Purpose: ensure normal operation and compatibility; optimize streaming speed and quality; performance monitoring and troubleshooting; active device counting.
Video viewing behavior (content viewed, viewing time, duration, progress, pause/play/rewind); video interaction behavior (comments, likes, shares, gifts, other interactive operations); streaming status (start/end time, bitrate, resolution — for live streaming users); End User-uploaded video content (with explicit End User consent); service error logs (error type, code, time, associated Device/network information).
Purpose: provide core video cloud services; optimize service experience; troubleshoot technical problems; conduct content compliance review; provide service usage statistics to Business Customers.
Sensitive Personal Information categories that may arise in specific service scenarios: facial feature information (AI face recognition, video enhancement/beauty functions); voiceprint information (AI voice interaction, voice recognition in video services); precise location information (location-based video content push — with real-time End User consent); communication content (video call and real-time voice interaction services). We will not disclose or transfer any End User Sensitive Personal Information to any third party without the joint explicit consent of both the Business Customer and the End User.
In addition to the above, we may collect and use Personal Information in the following legally-permitted circumstances without prior consent:
AI Model Training Prohibition: We will NOT use your Personal Information — or any End User Personal Information — to train any artificial intelligence (AI) model, including but not limited to large language models (LLMs), computer vision models, speech recognition models, video understanding models, or any other machine learning system, without your explicit prior written consent.
China-Specific AI Compliance:
Where our Services involve providing algorithmic recommendation services or generative AI services to users in mainland China, we additionally comply with:
Business Customers using our AI media processing capabilities to serve users in mainland China must:
We reserve the right to suspend AI-related services to Business Customers found in violation of China AI governance requirements.
Personal information security is a core operational priority. We have established a comprehensive data security protection system — encompassing technical measures, managerial systems, and emergency response mechanisms — compliant with ISO 27001 and SOC 2.
As a company incorporated in the People's Republic of China, we comply with data localization requirements under PIPL, DSL, and CSL. Personal Information is stored according to the following default rules:
| User Category | Storage Location | Legal Characterization | Compliance Framework |
|---|---|---|---|
| Business Customer representatives (account admins, billing, technical contacts) | Nearest regional node based on registration location | Standard cross-border transfer | PIPL Art. 38 (if China-based) / GDPR / Other applicable law |
| End Users located in EU/EEA | Germany node exclusively; data does not leave the European Economic Area | Intra-EEA processing | GDPR Art. 6; no transfer mechanism required |
| End Users located in UK | Germany node | Adequacy decision or IDTA | UK GDPR |
| End Users located in Singapore/APAC | Singapore node | PDPA compliance | PDPA Section 26 |
| End Users located in Americas | US node | Local processing | CCPA/CPRA; state laws |
For End Users located in mainland China, Personal Information is processed exclusively within our China node infrastructure, physically located in mainland China.
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Business Customer authorized representative data | Duration of account + 7 years after closure; extended if outstanding dispute | Legal compliance; audit; contractual dispute resolution |
| End User Personal Information | Per Business Customer written instructions; default: until End User terminates use + 1 year for troubleshooting. Sensitive PI deleted immediately after service completion. | Business Customer instruction; operational necessity |
| Customer service / support records | 5 years from end of communication | Dispute resolution; service quality |
| Transaction and payment records | 7 years from transaction date | U.S. tax/accounting law; financial audit |
| Operation, API, and security logs | 6 months rolling; thereafter de-identified/anonymized data retained for statistical analysis | Security monitoring; technical diagnostics |
| Cloud recording files | Per Business Customer's service configuration | Business Customer instruction |
| Real-time audio/video streams (not recorded) | Not stored; transit-only processing during active session | Zero retention |
| Marketing consent records | Until consent withdrawn + 3 years for evidence | Legal compliance; demonstrate consent |
Upon expiry of the applicable retention period, Personal Information is securely deleted using: data overwriting, formatting, and physical deletion for electronic data (ensuring irrecoverability); shredding or incineration for paper documents. Backup deletion follows the 90-day rotation cycle. Account closure: cessation of processing within 5 business days; written deletion confirmation within 60 days. Separate retention schedule for China data in accordance with PIPL requirements.
Despite our comprehensive technical and organizational measures, you acknowledge that:
We strongly encourage Business Customers to implement complementary security controls, rotate API keys regularly, enforce multi-factor authentication, and report suspected incidents to support@xiangsutech.com.
Government access obligations and liabilities are allocated based on our role in the data processing ecosystem.
| Scenario | Our Role | Government Access Responsibility |
|---|---|---|
| Data in our infrastructure (US/Germany/Singapore nodes) | Infrastructure provider | Respond to valid legal process directed to us; limited to data in our possession |
| Data in Business Customer's independent systems | Processor | No obligation; direct request to Business Customer as Controller |
| End User data collection practices | Processor | No responsibility — Business Customer solely responsible for their collection, consent, and disclosure practices |
We do not have a direct contractual or legal relationship with End Users. Any government access request targeting End User data collected by Business Customers independently must be directed to the relevant Business Customer as Data Controller. Our obligations are limited to data in our possession or control as processor.
As a PRC-incorporated entity, we are subject to PIPL, DSL, CSL, and other applicable laws. We may be required to disclose Personal Information to Chinese governmental authorities only where all of the following conditions are met and only to the extent of our processor role:
| Condition | Requirement | Our Implementation |
|---|---|---|
| Specific legal basis | Explicitly cited statute (PIPL Art. 13, CSL Art. 28, Criminal Procedure Law, etc.) | Legal team verification; rejection of vague or overbroad requests |
| Proper authority | Agency with statutory jurisdiction | Authority verification; escalation if unclear |
| Scope limitation | Strictly necessary and proportionate | Minimal disclosure; challenge excessive requests |
| Due process | Statutory procedures followed | Documentation review; procedural compliance check |
Your Responsibilities as Business Customer:
You acknowledge and agree that:
| Node | PRC Government Access | Foreign Government Access | Risk Mitigation |
|---|---|---|---|
| China | PIPL/DSL/CSL; CAC supervision | Not applicable—data does not leave China | Encryption; local compliance; data sovereignty |
| US | MLAT required; CLOUD Act does not apply to PRC entities | US legal process applies | Encryption; US counsel review |
| Germany | PIPL Art. 38 + EU legal process; challenge extraterritorial assertions | EU law; GDPR blocking statutes | EU SCCs limitations; local counsel |
| Singapore | PDPA and internal security law limitations | Singapore legal process | Contractual restrictions |
No Immunity Representation: We make no representation that government access can be prevented in any jurisdiction. Technical safeguards mitigate but do not eliminate risk. We implement technical and organizational measures to mitigate government access risks as required by GDPR Article 32 and applicable law. Our liability for failure to implement such measures is governed by Section 6.7.3 and applicable mandatory law.
| Complainant | First Contact | Our Role |
|---|---|---|
| End User | Must contact Business Customer (you) | No direct relationship; no obligation to respond |
| Business Customer | support@xiangsutech.com | Processor support only |
| Regulatory Authority | Directed to Business Customer as Controller; copied to us if named | Cooperative response per legal obligation |
End Users' claims against us as Processor are limited to the scope of our processor obligations under GDPR Article 82 and applicable DPA terms. All claims exceeding such scope must be directed to the Business Customer as Controller.
Where we face conflicting legal obligations:
| Priority | Action | Cost Allocation |
|---|---|---|
| Technical minimization | Implement controls to limit data exposure | Our cost |
| Legal challenge | Contest requests where viable | Shared cost; your advance funding required for extended litigation |
| Compliance | Disclose minimum necessary under applicable law | Your responsibility for consequences to End Users |
| Termination | Suspend service to affected data if legally permissible | No liability for service interruption |
Complaint Routing:
| Complainant | First Contact | Escalation Path |
|---|---|---|
| End User | Must contact Business Customer (you) | You may escalate to us only per DPA terms |
| Business Customer | support@xiangsutech.com | / |
| Regulatory Authority | Directed to Business Customer as controller; copied to us if we are named | Cooperative response per legal obligation |
End Users have no direct claim against us for government access disclosures. All claims must be brought through the Business Customer as Data Controller, subject to the liability limitations in Section 6.7.3 and your service agreement.
We respect and protect Data Subject rights in accordance with applicable data protection law. Authorized representatives of Business Customers may exercise rights directly by contacting us per Section 14. End Users should first contact the Business Customer (Data Controller) whose application they use. If the Business Customer fails to respond adequately, End Users may contact us directly at support@xiangsutech.com.
Access (GDPR Art.15; CCPA/CPRA; PDPA; APPs; PIPA; APPI)
Request confirmation of whether we hold your Personal Information and obtain a copy, along with: the categories and content of data held; purpose and method of processing; categories of third-party recipients; storage period or determination criteria; and other processing information required by applicable law. Submit a Subject Access Request (SAR) to support@xiangsutech.com with subject line 'Access Request — [Your Name]'.
Correction / Rectification (All Jurisdictions)
Request correction of inaccurate, incomplete, or outdated Personal Information. For account profile data: update directly in the management console under Account Settings. For other data: contact support@xiangsutech.com with corrected information and supporting evidence.
Deletion / Erasure (GDPR Art.17; CCPA/CPRA; PDPA; PIPA)
Request deletion where: our processing violates applicable law; we collected/used data without your consent; our processing violates the agreement with you; you no longer use our Services or have submitted a valid account closure request; we no longer provide Services to you; or the storage period has expired without other lawful retention basis. Upon verification, active system deletion within 30 days; backup deletion within 90 days; written confirmation provided. Legally-required retention obligations will be communicated in our response.
Data Portability (GDPR Art.20; CCPA/CPRA)
Where processing is based on contract or consent and conducted by automated means, receive your Personal Information in a structured, machine-readable format (JSON or CSV) for transmission to another controller. Submit a 'Data Portability Request' to support@xiangsutech.com.
Restrict Processing (GDPR Art.18)
Request restriction where: you contest data accuracy (for the verification period); processing is unlawful but you prefer restriction over erasure; we no longer need the data but you need it for legal claims; or you have objected to processing pending legitimate interests verification.
Object to Processing (GDPR Art.21; PIPA)
Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds overriding your rights. Unconditional right to object to direct marketing processing — honored immediately without justification required.
Withdraw Consent
Withdraw consent at any time by: adjusting communication preferences in Account Settings; clicking ‘Unsubscribe’ in marketing emails; or sending a withdrawal notice to support@xiangsutech.com. Withdrawal does not affect the lawfulness of prior processing.
Account Cancellation
Submit a request via management console [Console] > [Requests] > [Submit Request] or by email to support@xiangsutech.com. After identity verification and notification of associated risks, account cancellation will be processed. All Services under the account will cease. Legally-required data retained per Section 6.2; all other data securely deleted within 60 days, with written confirmation.
| Jurisdiction | Applicable Law | Initial Response | Maximum Extension |
|---|---|---|---|
| EU/EEA | GDPR Art. 12(3) | 30 calendar days | +60 days with notice |
| United Kingdom | UK GDPR / DPA 2018 | 30 calendar days | +60 days with notice |
| California (USA) | CCPA/CPRA | 45 calendar days | +45 days with notice |
| Australia | Privacy Act 1988 (Cth) | 30 calendar days | Reasonable extension |
| Singapore | PDPA 2012 | 30 calendar days | Reasonable extension |
| Japan | APPI (as amended 2022) | 2 weeks (target) | N/A |
| South Korea | PIPA Art. 35 | 10 days | N/A |
| All other jurisdictions | Applicable local law | 15 business days | +15 business days |
We do not charge fees for reasonable rights requests. For manifestly unfounded, excessive, or repetitive requests, we may charge a reasonable administrative fee (with written estimate provided) or decline with written explanation. The right to lodge a complaint with the relevant supervisory authority is always preserved — see Section 14 and Appendix A.
If the Company ceases operations, we will promptly stop collecting Personal Information, notify Data Subjects via official announcement, and proceed to delete or anonymize all held Personal Information in accordance with applicable law.
Our Services are designed exclusively for business entities and authorized adult representatives. We do not target, market to, or knowingly collect Personal Information directly from minors.
Business Customers must: not use our Services to collect, process, or store minors' Personal Information without verifiable parental/guardian consent; establish age verification mechanisms appropriate to risk level; promptly notify us and delete relevant data if minors' Personal Information is collected without valid consent; cooperate with us in minors' data protection; provide advance written notice to the Company before deploying child-directed applications; enter into supplementary data processing terms as required by the Company. Violations may result in suspension or termination of Services.
Upon discovery of inadvertent minors' data collection: notify relevant Business Customer within 48 hours; immediately suspend further processing; delete or return affected data within 5 business days; notify regulatory authorities if required by law. Parents or guardians may contact support@xiangsutech.com for highest-priority treatment.
As an entity with infrastructure nodes outside China in the United States, Germany, and Singapore, Personal Information may be transferred, stored, and processed across these jurisdictions and in jurisdictions where our affiliated companies, entrusted service providers, or business partners are located. We strictly comply with applicable cross-border data transfer requirements and take appropriate safeguards to ensure equivalent protection in destination jurisdictions.
For Personal Information of individuals located outside China (e.g., EU, US, Singapore), we ensure compliance with applicable data protection laws of the originating jurisdiction:
| Mechanism | Description | Applicable Scenario |
|---|---|---|
| Adequacy Decision | The destination jurisdiction is recognized as providing adequate data protection | EU/EEA to adequate jurisdictions |
| EU Standard Contractual Clauses (SCCs) | Commission Implementing Decision 2021/914 | EU/EEA to non-adequate jurisdictions |
| UK International Data Transfer Agreement (IDTA) | ICO-approved transfer mechanism | UK to non-adequate jurisdictions |
| UK-U.S. Data Bridge | For transfers to certified U.S. entities | UK to U.S. (where applicable) |
| ASEAN Model Contractual Clauses | For ASEAN region transfers | Singapore and APAC region |
| Contractual Necessity | Transfer necessary for service agreement performance | Global service delivery |
For transfers to jurisdictions without an adequacy decision, we conduct Transfer Impact Assessments evaluating:
Copies of applicable SCCs, TIAs, and transfer records are available upon request from support@xiangsutech.com.
This Section applies to California residents whose Personal Information is processed by the Company in our capacity as a “Business” under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, “CCPA/CPRA”), regulated and enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. In the event of any conflict between this Section and the rest of the Policy as applied to California residents, this Section governs.
| CCPA Category | Examples of Data Collected | Source | Disclosed for Business Purpose to |
|---|---|---|---|
| Identifiers | Name; email; phone; IP address; account username; App ID; device identifier | Direct; Auto | Sub-processors (cloud, payments, support, security) |
| Commercial Information | Transaction history; subscription tier; billing records; service agreement terms | Direct | Sub-processors (payment processors, invoicing) |
| Internet / Network Activity | Console session logs; API call logs; pages viewed; SDK version; network metrics | Auto | Analytics sub-processors (data anonymized) |
| Geolocation (approximate) | Country/region inferred from IP address (city/country level only — no GPS) | Auto | Not shared with third parties |
| Professional / Employment Info | Job title; department; company name; industry | Direct | Affiliated companies |
| Inferences | Profile attributes inferred from console usage | Auto | Not shared with third parties |
| Audio/Visual (if applicable) | Voice recordings in customer support calls (with consent); event video | Direct (with consent) | Customer support sub-processors (for quality review only) |
We do not sell or share Personal Information without your prior written consent.
We do not collect, use, or disclose Sensitive Personal Information (as defined under CCPA/CPRA Section 1798.140(ae)) beyond what is reasonably necessary and proportionate to provide our Services. Accordingly, we do not offer a 'Limit the Use of My Sensitive Personal Information' link, as all uses are limited to service delivery purposes.
See Section 6.2 for detailed retention schedules applicable to each category of Personal Information collected.
Email: support@xiangsutech.com — subject line: 'California Privacy Rights Request'.
We will verify your identity before processing your request. Authorized agents may submit requests on your behalf with a valid written authorization letter or a certified Power of Attorney. We respond to verified California requests within 45 calendar days; a one-time 45-day extension is available with notice if the request is complex.
If you are a California resident, you may request information about how we share your Personal Information with third parties for their own direct marketing purposes. As stated above, we do not share Personal Information with third parties for direct marketing purposes without your explicit consent.
In compliance with CPRA Section 1798.185(a)(20) and CPPA regulations, we do not use any dark patterns, deceptive user interface design, or manipulative techniques to subvert, impair, or interfere with your ability to make free and genuine privacy choices. Our consent interfaces are designed to make opting in and opting out equally easy and prominent.
Pursuant to CPRA requirements effective January 1, 2023, we collect, use, retain, and share your Personal Information only to the extent reasonably necessary and proportionate to achieve the disclosed purposes for which it was collected. We do not collect additional categories of Personal Information or use Personal Information for material additional, incompatible, or unrelated purposes without providing you notice and, where required, obtaining your consent.
As required under CPRA and CPPA regulations, we conduct and document privacy risk assessments (also referred to as Data Protection Impact Assessments) for processing activities that present significant risks to consumers' privacy or security. These assessments are filed with the CPPA upon request.
If you (as a Business Customer) integrate the capabilities, Products, and Services provided by the Company into your own products, services, or business operations, or use our Services in any form — including but not limited to embedding our SDK/API, using our cloud hosting and streaming services, adopting our interactive video solutions, utilizing our AI media processing capabilities, or accessing our real-time communications infrastructure — to provide video-related products and services to your End Users, you shall unconditionally undertake all of the following obligations in accordance with the laws of the relevant jurisdictions and the provisions of this Privacy Policy.
The obligations set forth in this Section 11 are incorporated by reference into your Service Agreement with the Company. Your failure to perform these obligations shall constitute a material breach of the service agreement between you and the Company, and we have the right to suspend or terminate the provision of Products and Services to you and to pursue your corresponding legal liabilities without prejudice to any other rights or remedies available to us.
Suggested disclosure wording (adapt to your style while retaining all substantive elements):
This application uses video cloud infrastructure and related services provided by Hangzhou Xiangsu Technology Co., Ltd. When you use video, audio, recording, or streaming features, certain technical data — including your audio/video stream (if you participate), session metadata, device information, and IP address — may be transmitted to and processed by Hangzhou Xiangsu Technology Co., Ltd.'s infrastructure located in the United States, Germany, and/or Singapore.
Hangzhou Xiangsu Technology Co., Ltd. acts strictly as a data processor on our behalf and processes such data solely for the purpose of providing video cloud infrastructure services to us. All processing is governed by a data processing agreement that requires Hangzhou Xiangsu Technology Co., Ltd. to implement appropriate technical and organizational measures to protect your data and to process it only in accordance with our instructions. For more information about our use of sub-processors, please refer to Section 5.1 of our Privacy Policy.
| Jurisdiction | DPA Module | Your Specific Obligations |
|---|---|---|
| EU/EEA, UK | EU SCCs (Module 2: Controller-to-Processor) or UK IDTA | Complete Transfer Impact Assessment; provide records |
| Mainland China | PIPL Chapter III Addendum | Complete PIPL Art. 38 compliance BEFORE transmission; provide certification; obtain and document separate End User consent |
| Singapore | PDPA Section 26 safeguards | Ensure PDPA-compliant collection |
| Other | Standard DPA terms | Comply with local data protection law |
You use our Services at your own risk with respect to data protection law compliance, subject to the liability framework in Section 6.7.3.
This Policy applies only to Personal Information processed by Hangzhou Xiangsu Technology Co., Ltd. Our Services may contain links to, or integration with, third-party websites, applications, or services. We do not control, review, or take responsibility for the content, security, or privacy practices of third parties. Third parties have their own privacy policies — you should carefully read and understand them before providing any Personal Information. We are not responsible for any loss or damage caused by third-party acts or omissions. Sub-processors are subject to contractual data protection obligations as described in Section 5.1.
We may update this Policy from time to time to reflect changes in applicable law, our business, our Services, industry practices, or sub-processor relationships. Updated versions are marked with a new last modified date and effective date.
Material changes include: significant changes in the purpose, scope, method, or legal basis of processing; introduction of new categories of Sensitive Personal Information; significant changes in third-party data sharing/transfer arrangements; significant changes in Data Subject rights or exercise methods; significant changes in security measures, cross-border transfer safeguards, or the incident response plan; DPO identity or contact information changes; and any other changes with significant impact on your rights under applicable law.
For material changes: at least 30 days' advance notice via prominent announcement on our website and management console, special notification email to the Business Customer's registered email address, and push notification through bound communication channels. Non-material changes (wording adjustments, contact updates): posted without individual notice. Your continued use after the effective date constitutes acceptance. If you disagree, you must stop using our Services and notify us; we will cease processing and delete/anonymize your Personal Information in accordance with applicable law.
If you have questions, comments, or requests regarding this Policy, our data practices, or your privacy rights, please contact us through the following channels. Our DPO and privacy team will respond in a timely and professional manner.
For privacy complaints, first submit a written complaint to support@xiangsutech.com. We will investigate and provide a formal written response within 30 business days. If unsatisfied with our response, you may: lodge a complaint with the relevant data protection supervisory authority; seek professional dispute resolution mediation; or file a lawsuit with a court of competent jurisdiction.
EU-U.S. DPF Third-Party Dispute Resolution: In accordance with EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF requirements, we have designated TRUSTe as our third-party dispute resolution provider for EU/EEA, UK, and Swiss users. If your complaint cannot be resolved through our internal channels, submit to TRUSTe at: https://feedback-form.truste.com/watchdog/request (free of charge). For unresolved DPF complaints, binding arbitration is available under the DPF Annex I arbitration process.
| Region | Role | Contact | Applicable Law |
|---|---|---|---|
| Mainland China | Personal Information Protection Officer | support@xiangsutech.com | PIPL/DSL/CSL |
| EU/EEA | GDPR Art. 27 Representative | | GDPR |
| United Kingdom | UK GDPR Art. 27 Representative | | UK GDPR / DPA 2018 |
| Singapore | PDPA Data Protection Officer | | Personal Data Protection Act 2012 |
| Australia | Privacy Officer | | Privacy Act 1988 (Cth) |
| South Korea | Chief Privacy Officer (CPO) | | PIPA |
| Japan | Personal Information Manager | | APPI (as amended 2022) |
EU Representative Clause:
Pursuant to Article 27 of the GDPR, we have designated an EU representative for data subjects in the European Economic Area. If you are located in the EEA, you may contact our EU representative regarding GDPR-related matters at the address above, or contact our Data Protection Officer directly at support@xiangsutech.com.
The following Addenda supplement the main Privacy Policy for individuals in specific jurisdictions. In case of conflict between an Addendum and the main Policy, the Addendum governs for the relevant jurisdiction. These Addenda apply to B-Customer contacts and, to the extent the Company acts as Data Controller, to End Users in the relevant jurisdictions.
| Appendix | Jurisdiction | Status | Key Focus |
|---|---|---|---|
| A.1 | Mainland China (PIPL/DSL/CSL) | Core Addendum | PIPL compliance, outbound transfers, sensitive PI, automated decision-making |
| A.2 | EU/EEA (GDPR) | Regional Addendum | SCCs, EU representative, GDPR rights |
| A.3 | UK (UK GDPR/DPA 2018) | Regional Addendum | UK IDTA, UK representative |
| A.4 | Australia (Privacy Act) | Regional Addendum | APPs, NDB scheme |
| A.5 | Singapore (PDPA) | Regional Addendum | ASEAN MCCs, PDPA 2020 amendments |
| A.6 | Japan (APPI) | Regional Addendum | APPI 2022, third-party provision records |
| A.7 | South Korea (PIPA) | Regional Addendum | PIPA 2023 amendments, CPO |
A.1.1 Applicability and Primary Law
This Addendum applies to the processing of Personal Information of individuals located in mainland China. All such processing occurs exclusively within mainland China; no cross-border transfer to overseas nodes is permitted.
For End Users of Business Customers' Applications:
| Aspect | Our Position | Your (Business Customer) Obligation |
|---|---|---|
| Legal basis for processing | Processor only; no independent legal basis | Ensure PIPL Art. 13 lawful basis exists (consent, contract necessity, etc.) |
| Consent validity | Not verified by us; reliance on your representation | Obtain and maintain valid consent; ensure separate consent for sensitive PI and outbound transfer |
| Data accuracy | No obligation to verify | Ensure accuracy and completeness of data you transmit |
| Rights requests | Forward to you as Controller; 48-hour response required from you | Respond to End User access, correction, deletion, portability requests per PIPL Chapter IV |
| Data breach notification | Notify you within 24 hours; your responsibility to notify End Users and regulators | Notify affected End Users and CAC per PIPL Article 57; assume all regulatory liability |
| Government access | Limited to data in our infrastructure; notify you where permitted | Respond to requests for data in your control; notify End Users as required |
A.1.2 Data Security Governance (DSL / CSL)
Data Classification: We have established a data classification system in accordance with DSL Article 21:
| Classification Level | Definition | Applicable Safeguards |
|---|---|---|
| General Data | Ordinary business data | Standard security measures |
| Important Data | Data that may endanger national security, economic operation, social stability, or public health if leaked | Enhanced access controls; encryption; localization review; security assessment if exported |
| Core Data | Data related to national security, lifeline of national economy, important aspects of people's livelihood, and major public interests | Not processed in current infrastructure; separate China node required |
A.1.3 Personal Information Protection Officer
If our processing of Personal Information reaches the threshold prescribed by the national cyberspace administration department, we will designate a Personal Information Protection Officer responsible for:
Contact: support@xiangsutech.com
A.1.4 Legal Bases for Processing (PIPL Article 13)
We process Personal Information only under the following conditions:
A.1.5 Sensitive Personal Information (PIPL Articles 28-32)
Under PIPL, Sensitive Personal Information includes:
We process Sensitive Personal Information only when:
A.1.6 Separate Consent Requirements
The following processing activities require separate consent:
| Activity | Legal Basis | Consent Mechanism |
|---|---|---|
| Processing Sensitive Personal Information | PIPL Article 29 | Explicit separate consent |
| Providing Personal Information to other processors | PIPL Article 23 | Separate consent + notification of recipient identity |
| Cross-border transfer of Personal Information | PIPL Article 39 | Separate consent + detailed notification (Section 9.1.1) |
| Public disclosure of Personal Information | PIPL Article 25 | Separate consent |
| Processing in public places for security purposes | PIPL Article 26 | Separate consent + prominent signage |
A.1.7 Automated Decision-Making (PIPL Article 24)
We ensure transparency and fairness in automated decision-making:
A.1.8 Data Localization
All Personal Information of individuals located in mainland China is stored and processed exclusively within mainland China, in compliance with PIPL data localization requirements. No cross-border transfer occurs.
A.1.9 Rights of Personal Information Subjects (PIPL Chapter IV)
You may exercise the following rights by contacting support@xiangsutech.com:
| Right | PIPL Article | Response Time |
|---|---|---|
| Right to know and decide | Article 44 | 15 working days |
| Right to access and copy | Article 45 | 15 working days |
| Right to correct and supplement | Article 46 | 15 working days |
| Right to deletion | Article 47 | 15 working days |
| Right to portability | Article 45(3) | 15 working days |
| Right to withdraw consent | Article 15 | Immediate effect |
| Right to explanation of processing rules | Article 48 | 15 working days |
A.1.10 Regulatory Authorities and Complaints
You may also file complaints with local cyberspace administration departments at provincial/municipal levels.
A.1.11 China Node Operational Status – Full Service Availability
Our service availability for China-based End Users is:
We expressly disclaim liability for service interruption due to:
A.2.1 Scope and Controller Identity
Applicable law: Regulation (EU) 2016/679 (GDPR). For Personal Data of EU/EEA-based B-Customer contacts, the Company is the Data Controller. For End User Personal Data processed through B-Customer deployments, the relevant B-Customer is the Data Controller and the Company is the Data Processor (Art. 28 GDPR). The Company's EU representative (Art. 27 GDPR) and DPO are identified in Section 14.
A.2.2 Legal Bases for Processing
All legal bases are set out in the main Policy. Summary: contractual necessity (Art. 6(1)(b)) for account management and Service delivery; legal obligation (Art. 6(1)(c)) for tax and regulatory compliance; legitimate interests (Art. 6(1)(f)) for security, analytics, and B2B communications (balancing tests documented and available to supervisory authorities); consent (Art. 6(1)(a)) for marketing and non-essential cookies (withdrawable at any time). For special categories of Personal Data (Art. 9), we rely on explicit consent (Art. 9(2)(a)) or legal claims defense (Art. 9(2)(f)).
A.2.3 International Transfers — SCCs and Transfer Impact Assessments
EU/EEA Personal Information is processed exclusively within the European Economic Area (Germany node) and is not transferred to our U.S. or Singapore nodes. No international transfer mechanism is required for such processing. For any limited transfers necessary for global business management (e.g., EU-based Business Customer representatives accessing global console), we implement EU SCCs (Module 2) with Transfer Impact Assessments.
A.2.4 EU-U.S. Data Privacy Framework (DPF)
We do not transfer EU/EEA Personal Data to the United States for processing, and therefore do not rely on the EU-U.S. Data Privacy Framework for such transfers. Any limited transfers to the U.S. (e.g., for customer support by U.S.-based staff) are conducted under EU SCCs with supplementary measures.
A.2.5 Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in high risk to EU/EEA data subjects (Art. 35 GDPR — including systematic profiling, large-scale processing of sensitive data, or monitoring of public areas), the Company conducts DPIAs. B-Customers whose applications involve high-risk processing should conduct their own DPIAs and may request the Company's cooperation via support@xiangsutech.com. Results of DPIAs may be shared with the lead supervisory authority upon request.
A.2.6 Automated Decision-Making and Profiling (Art. 22 GDPR)
We do not currently make solely automated decisions that produce legal or similarly significant effects about EU/EEA data subjects. All profile-based features (e.g., personalized console recommendations) involve human oversight and do not constitute automated decision-making under Art. 22 GDPR. If we introduce such processing in the future, we will: update this Policy with at least 30 days' advance notice; provide meaningful information about the logic involved; and implement the right to obtain human review, express your point of view, and contest the decision.
A.2.7 Supervisory Authority and Complaint Rights
EU/EEA data subjects may lodge complaints with the supervisory authority in their member state of habitual residence, place of work, or the place of the alleged infringement. The full list of EU data protection supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. The Company’s lead EU supervisory authority will be determined based on the country of establishment of our EU representative. We commit to cooperating fully with the relevant supervisory authority.
A.2.8 Adequacy Decisions Applicable to Data Transfers
The European Commission has issued adequacy decisions for: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (for DPF-certified organizations), and Uruguay. We reference these decisions where applicable to our sub-processor arrangements. For transfers to non-adequate countries, we rely on SCCs plus TIAs.
Applicable law: UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. The substantive provisions of Addendum A.2 apply with the following UK-specific modifications:
A.4.1 Applicable Framework
Applicable law: Privacy Act 1988 (Cth) ("Privacy Act"), the 13 Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act, effective February 22, 2018). We are an APP entity and comply with all applicable APPs. Note: the Privacy Act is currently subject to significant reform proposals (Privacy Act Review Report 2022 and Government Response 2023) — we will update this Addendum as reforms are enacted.
A.4.2 Collection and Use
We collect Personal Information in accordance with APP 3 (collection of solicited personal information) and APP 4 (unsolicited personal information). Personal Information is used and disclosed only for the primary purpose of collection or a directly related secondary purpose, or as otherwise required or authorized by law (APP 6). We take reasonable steps to ensure Personal Information is accurate, up to date, and complete before use (APP 10).
A.4.3 Cross-Border Disclosure (APP 8)
Before disclosing Personal Information about an individual to an overseas recipient (including transfers to our U.S. and Singapore infrastructure nodes), we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. Contractual arrangements with overseas recipients (including DPAs and SCCs) are used to ensure APP-equivalent protection. Individuals acknowledge that by consenting to use of our Services, they accept that their Personal Information may be processed by our overseas infrastructure nodes.
A.4.4 Notifiable Data Breaches (NDB) Scheme
Where we become aware of an eligible data breach — one that is likely to result in serious harm to any of the individuals to whom the information relates — we will, as soon as practicable: assess whether an eligible data breach has occurred; notify the Australian Information Commissioner (OAIC) if the assessment confirms an eligible breach; and notify affected individuals at risk of serious harm. We aim to complete the assessment within 30 days of becoming aware of the circumstances. The statement to the OAIC will include: the identity and contact details of the entity; a description of the eligible data breach; the kind or kinds of information involved; and recommendations for steps that individuals should take.
A.4.5 Access, Correction, and Complaints
Australian individuals may request access to Personal Information under APP 12 and correction under APP 13 by contacting support@xiangsutech.com (30-day response). We will not charge a fee for making an access request. Privacy complaints should be directed first to support@xiangsutech.com. If unresolved within 30 days, individuals may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): online at www.oaic.gov.au; phone 1300 363 992; post: GPO Box 5218, Sydney NSW 2001.
A.5.1 Applicable Framework
Applicable law: Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA"), as amended by the Personal Data Protection (Amendment) Act 2020 ("PDPA Amendment Act"), effective February 1, 2021. Key provisions of the 2020 amendments applicable to us include: mandatory data breach notification obligations; enhanced consent framework (deemed consent by contractual necessity and legitimate interests); data portability obligation (when operationalized by PDPC); and increased financial penalties.
A.5.2 Collection, Use, and Disclosure
We collect, use, and disclose Personal Data only for purposes that a reasonable person would consider appropriate and for which we have notified you (or obtained consent, unless an exception applies). We do not require individuals to consent to the collection, use, or disclosure of Personal Data beyond what is reasonably necessary as a condition of contracting with us.
A.5.3 Mandatory Data Breach Notification (PDPA Part VIA)
Under the PDPA Amendment Act, we are required to assess and notify data breaches on a two-track timeline: (a) If the breach is one that likely results in significant harm to affected individuals — notify the PDPC within 3 calendar days of the assessment confirming such likelihood, and notify affected individuals as soon as practicable; (b) In all other notifiable data breach cases — notify the PDPC within 30 calendar days of becoming aware that a notifiable data breach has or may have occurred. Notification will include: the date and nature of the breach; the Personal Data involved; the likely number of affected individuals; the measures taken or being taken to contain the breach; and measures taken to prevent recurrence.
A.5.4 Transfer Limitation Obligation and Cross-Border Transfers
Under PDPA Section 26 (Transfer Limitation Obligation), we transfer Personal Data outside Singapore only where the recipient is bound to a standard of protection comparable to the PDPA. Mechanisms used include: ASEAN Model Contractual Clauses for Cross Border Data Flows; EU Standard Contractual Clauses for EEA-origin data; and contractual Data Processing Agreements with our Singapore node infrastructure providers. Our Singapore DPO (support@xiangsutech.com) is registered with the PDPC as required.
A.5.5 Rights of Individuals and Complaints
Individuals in Singapore may withdraw consent (with communicated consequences), request access to Personal Data, and request correction of Personal Data by contacting support@xiangsutech.com. We respond within 30 days. Complaints: Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg or by email to support@xiangsutech.com.
A.6.1 Applicable Framework
Applicable law: Act on the Protection of Personal Information (Act No. 57 of 2003), as significantly amended by the 2020 Amendment (effective April 1, 2022) ("APPI 2022"). Key changes in APPI 2022 include: introduction of pseudonymously processed information and its handling rules; strengthened opt-out provisions for third-party provision; enhanced conditions for foreign transfers; introduction of a duty to report data breaches to the PPC; and increased individuals' rights.
A.6.2 Purpose Specification and Use
We handle Personal Information in compliance with APPI and PPC guidelines. The purpose of use is specified to the extent possible (APPI Art. 17) and disclosed to individuals at the time of collection (APPI Art. 21). We will not use Personal Information beyond the specified purpose without prior consent, except where permitted by law (APPI Art. 18).
A.6.3 Third-Party Provision and Opt-Out
We do not provide Personal Information to third parties without prior consent (APPI Art. 27), except where: required by law; protecting life, property, or health and consent is difficult to obtain; necessary for public interest purposes; or we have provided public notice and an opportunity to opt out (opt-out procedure under APPI Art. 27(2), subject to PPC notification requirements). Under APPI 2022, individuals can request records of third-party provision (APPI Art. 33).
A.6.4 Foreign Transfers (APPI Art. 28)
When transferring Personal Information to a country outside Japan, we ensure the recipient either: (a) is located in a country/region designated by the PPC as having equivalent personal information protection standards (currently only the European Union and UK); or (b) has implemented measures equivalent to APPI requirements by contractual means; or (c) we obtain the data subject's informed consent specifically covering the cross-border transfer, including information about the legal framework of the destination country and any deviation from APPI standards. Transfer to the U.S., if it occurs, shall be conducted under contractual safeguards (DPAs incorporating standard terms).
A.6.5 Data Breach Reporting (APPI 2022)
Under APPI 2022 (effective April 2022), we are required to report to the PPC and notify affected individuals in the event of a leak, loss, or damage of Personal Information that meets the reporting thresholds (including: leakage of sensitive personal information; leakage potentially causing property damage by unauthorized third-party use; leakage resulting from unauthorized access; or leakage affecting 1,000 or more individuals). The report to the PPC must be submitted promptly (within a reasonable period, generally understood as 3-5 days for the initial report and 30 days for the full report).
A.6.6 Rights of Data Subjects
Japanese individuals have the right to: request disclosure of Personal Information (APPI Art. 33); request correction, addition, or deletion of inaccurate Personal Information (APPI Art. 34); request suspension of use or deletion of improperly processed Personal Information (APPI Art. 35); and request suspension of third-party provision (APPI Art. 36). Requests: support@xiangsutech.com (2-week response target). We will not charge fees for reasonable requests. Complaints: Personal Information Protection Commission (PPC) at www.ppc.go.jp.
A.7.1 Applicable Framework
Applicable law: Personal Information Protection Act (PIPA, Act No. 16930), as amended by the 2023 PIPA Amendment (effective September 15, 2023). The 2023 amendments transferred all PIPA enforcement to the Personal Information Protection Commission (PIPC), consolidating authority previously split between the PIPC, KISA, and other ministries. The 2023 amendments also strengthened collective redress mechanisms, introduced enhanced obligations for pseudonymized information, and increased financial penalties to up to 3% of total revenue.
A.7.2 Chief Privacy Officer (CPO)
Our CPO for South Korea PIPA purposes is designated and contactable at support@xiangsutech.com. The CPO is an independent position responsible for managing personal information processing activities and communicating with the PIPC.
A.7.3 Domestic Representative
The Company has designated a domestic representative in South Korea as required by PIPA Art. 39-11 (applicable to foreign businesses processing personal information of South Korean data subjects in the course of providing services). Our domestic representative information is: [Name and contact details of the Korean domestic representative — to be inserted before publication].
A.7.4 Overseas Transfer Notice
If we transfer Personal Information (개인정보) of Korean individuals to infrastructure nodes in the United States and Singapore, in accordance with PIPA Art. 28-8, we inform Korean data subjects of: the name of the overseas recipient and country; the date and method of transfer; the categories of Personal Information transferred; the recipient's retention and use period; and the data subject's right to refuse transfer and the consequences of refusing. This information is set out in this Policy and in the account registration consent interface. Transfers are conducted under contractual safeguards (DPAs) binding the overseas recipient to PIPA-equivalent standards.
A.7.5 Rights of Korean Data Subjects (PIPA Art. 35-39)
Submit requests to support@xiangsutech.com. We will respond within 10 days as required by PIPA.
A.7.6 Security Measures (PIPA Art. 29 and 'Standards for Ensuring Safety of Personal Information' — Ministry of Interior Notice)
We implement the following measures as required: (a) Managerial: establishment and operation of an internal management plan; designation of CPO and data protection team; regular employee training; (b) Technical: encryption of Personal Information in transit and at rest; access control system installation; management of Personal Information system access rights; regular security software updates; (c) Physical: restrictions on access to data rooms and server rooms; controls over entry/exit of documents and storage media containing Personal Information.
A.7.7 Additional Use and Provision (PIPA Art. 15(3)/17(4))
In accordance with the 2023 PIPA amendments, the Company may use or provide Personal Information beyond the initial purpose of collection without additional consent, within a reasonably foreseeable scope, if: the additional use is related to the original purpose; it is foreseeable based on collection circumstances; it does not unfairly infringe on data subjects' interests; and adequate security measures (pseudonymization, encryption) have been taken.
A.7.8 Complaint Resources
• Personal Information Protection Commission (PIPC): www.pipc.go.kr | Tel: 182
• Personal Information Dispute Mediation Committee: www.kopico.go.kr | Tel: 1833-6972
• Supreme Prosecutors' Office Cyber Investigation Division: www.spo.go.kr | Tel: 1301
• National Police Agency Cyber Bureau: ecrm.cyber.go.kr | Tel: 182