Inner Mountain Privacy Policy

Last updated on: [October] [31], 2023

Effective on: [October] [31], 2023

Previous Versions

Introduction:

This Privacy Policy (hereinafter referred to as this “Policy”) applies to the website (innermountai\n.org), products, applications, technologies, software or services provided to you by Beijing Neifeng Technology Co., Ltd., owner of the website (hereinafter referred to as “Inner Mountain”, “Inner Mountain Platform”, “we”, “us” or “our”). When you use the services provided by Inner Mountain, we will collect and use your personal data pursuant to this Policy. It is our intention to clearly tell you how we process your personal data by means of this Privacy Policy, so we advise you to read this Policy in its entirety to help you understand how to protect your privacy.

We try to present this Policy in a concise, clear and understandable manner. Being fully aware of the importance of personal data to you, we will do our best to ensure the security and reliability of your personal data. To maintain your trust in us, we are committed to protecting your personal data by adhering to the following principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. We also undertake to put in place such security measures as consistent with industrially proven security standards to protect your personal data.

Please read and understand this Policy carefully before using our products so that you can better understand our products and the services we provide and make appropriate choices. In order for you to fully understand and be informed of the ways in which we process your personal data, the scope and consequences of such processing and other relevant rules, we have the Key Definitions and Personal Data Processing Instructions section prepared specially for fulfilling our notification obligation to you under the law. It being so, we strongly recommend that you first read those instructions carefully and give your consent or explicit consent on the basis of full understanding of the content of this Policy and the schedule hereto.

This Policy will help you understand:

1. Key definitions and personal data processing instructions
2. How we collect and use your personal data
3. How we protect your personal data
4. Your rights
5. How we process the personal data of children
6. How your personal data moves across borders
7. How this Policy is updated
8. How to contact us

 

1. Key Definitions and Personal Data Processing Instructions

Key terms used in this Policy are defined based on the meaning specified in the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), and appropriate changes are made thereto in consideration of our actual situation. In case of any inconsistency, the provisions of GDPR, CCPA and CPRA shall prevail. You are kindly requested to pay extra attention to the fact that the key purpose of these instructions is to guide you to gain a fully understanding and knowledge of the ways in which we process your personal data, the scope and consequences of such processing and other relevant rules, so as to fulfill our notification obligation to you under the law. It being so, we strongly recommend that you read these instructions carefully and give your consent or explicit consent on the basis of full understanding of the content of these instructions.

• Personal Data, under GDPR, means any information relating to an identified or identifiable natural person (data subject), such as personal phone number, account number of personal data subject, IP address and unique device identifier; and under CCPA, means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, which includes identifiers, personal location information, commercial information, personal financial information, biometric information, personal health information, network activity information, sensory information, and personal education or work information.

In this Policy, information that is personal data will be highlighted in bold to draw your attention; and any personal data that are special categories of personal data under GDPR or sensitive personal information under CCPA and CPRA will be highlighted in bold and indicated by an asterisk (*) to draw your attention and seek your explicit consent. You shall pay extra attention to the enumeration of such information. In addition, in order to help you understand the necessity of collecting personal data, we will distinguish and explain, in the form of lists, whether the personal data you provide to us under a particular business function is necessary personal data.

• Special categories of personal data under GDPR means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and genetic data, biometric data for the purpose of identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not process your special categories of personal data during our services hereunder (“Services”).
• Sensitive personal information enumerated in CPRA includes (A) a consumer’s social security, driver’s license, state identification card or passport number; (B) a consumer’s account login, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (G) a consumer’s identity information. During the Services, we process “bank account information and precise geolocation information”, and we will only process your sensitive personal information to the extent necessary for the purposes of processing described in this Privacy Policy.
• Necessary Personal Data means any personal data that must be collected in order to fulfill a particular basic business function or extended business function, without which, you will not be able to use such business function.
• Optional Personal Data means any personal data, the absence of which will not affect your use of the relevant basic business function or extended business function.

• Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction. For information on how we collect and use your personal data, please refer to “ How We Collect and Use Your Personal Data”.
  • Collect, for the purpose of this Privacy Policy, means obtaining control of personal data, including where personal data is provided to us by the personal data subject voluntarily, or collected through our interaction with the personal data subject or by recording the behaviors of the personal data subject (“automatic collection”), or received by us passively or collected by searching and gathering publicly available information (“indirect collection”). We will state specifically the ways in which we obtain the relevant personal data in the lists in “2. How We Collect and Use Your Personal Data”, in order to let you know the scope of our statutory obligations and inform you of the legal basis for our processing of your personal data. For example, if you object to our collection of any personal data that is necessary personal data for a basic business function, you will not be able to use such basic business function. Accordingly, we will inform you that our processing of such necessary personal data is justified on the grounds that it is necessary for performance of the contract.
  • Use. We will tell you in what scenarios and for what purpose we will use your personal data in the tables in “1 Collection and use of personal data for basic business functions” and “2.2 Collection and use of personal data for extended business functions”. We will not use any information collected for a particular purpose for any other purposes without obtaining your prior consent, except where we are exempt from obtaining your consent by applicable laws, regulations, standards or norms. For the purpose of this Privacy Policy, “use” means specifically the use or utilization of data by performing technical processing of the data in accordance with current laws and upon authorization of the personal data subject to implement data storage, access and display, aggregation and integration, profiling, and for the further purposes of personalized display and automated decision-making:
    1. Aggregation and integration: We hereby emphasize to you that in order to provide you with registration convenience, save you from submitting personal data repeatedly, achieve unified management, or provide more targeted services and ads, you agree, to the extent permitted by laws and regulations, that your personal data obtained by us under this Policy will be stored in a centralized IT system pursuant to our general management rules, and be associated, aggregated, integrated, analyzed or otherwise processed in a practical manner. For example, upon your registration, we will associate the registered account with the same personal data in our existing account system, including your mobile phone number, account profile picture, nickname, etc., so that when you activate any services provided by us or our affiliates, we can provide you with relevant services such as verifying your identity and opening an account for such services. We will put in place appropriate systems and measures, carry out personal data security impact assessments, take appropriate personal data protection measures, and perform other necessary obligations related to personal data protection in accordance with existing laws, regulations, normative documents and relevant national standards.
    2. Profiling and automated decision-making: According to GDPR, profiling means any automated processing of personal data for the purpose of evaluating certain aspects relating to you, in particular to assess your performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements. Automated decision-making means the process of analyzing and evaluating an individual’s behavioral habits, interests and hobbies, or economic, health or credit conditions, etc. based on personal data, and then making decisions in an automated manner using computer systems and algorithm programs. During the Services, when we need to use your personal data for profiling, we will obtain your prior consent and enumerate it in the tables in “ How We Collect and Use Your Personal Data”. In the course of Services, we will show and recommend to you products and services that better suit your potential needs, or send promotional or commercial ads to you on the basis of profiling and automated decision-making, while protecting your right to know, right to object to processing and other rights available to you as a personal data subject. For details, please refer to “4. Your Rights” in this Privacy Policy.
  • In addition, we profile your personal data as needed in the ordinary course of business. We need to use your personal data internally, including for internal audits, data analysis and research; and we will use the information collected for big data analysis. For example, we may use the information collected to analyze and develop a statistical product that does not contain any personal data, to display the overall picture of our services, or to analyze the behavioral patterns of different groups of people. We may disclose to the public and share with our partners statistically processed big data analyses that do not contain any personally identifiable information. In addition, we need to use the information collected to provide and improve the products and services of Inner Mountain, carry out necessary business operations and evaluations, provide customer support, and improve the performance of our products and services, etc.
  • Sharing means, with respect to the Services, the sharing of your personal data by us with external recipients to complete the functions or services you choose. The identities and categories of such recipients (if any) will be disclosed in detail in “4 Sharing”.
  • Anonymization means the technical processing of personal data in such a manner that the personal data subject can no longer be identified or associated with, and the information after such processing cannot be restored. Any information obtained after anonymization is not personal data.
  • Pseudonymization (De-identification) means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Affiliate means, with respect to a person, any other person that has control, joint control or significant influence over such person, and two or more persons are affiliates if they are under the control, joint control or significant influence of the same person.

2. How We Collect and Use Your Personal Data

We will collect from you and process your personal data (as listed below) in a lawful and proper manner where necessary for the purpose of fulfilling relevant functions. We will try our best to disclose information about the collection and use of your personal data to you in a full, complete and timely manner. If you find any errors or omissions in our disclosure, please contact us promptly.

• Collection and use of personal data for basic business functions

Basic business functions refer to the business functions we provide that meet your fundamental expectations and most important needs in choosing and using the services we provide. Basic business functions and the personal data they collect and use will change as the products or services develop, grow and upgrade. Under basic business functions, you may prevent us from collecting relevant personal data by refusing to give consent or turning off relevant functions, but this will result in us being unable to provide you with the relevant services or achieve the service results.

Business Functions and Use Scenarios	Collection and Processing					Retention Period	Use
	Personal Data Field	Type of Personal Data Involved under CCPA	Purpose of Collection	Method of Collection	Legal Basis for Collection
Account registration login	Necessary personal data: Email address	Identifier	(1)    First account registration (2)    Subsequent login verification (3)    Profiling	Provided by you voluntarily	(1) (2): Necessary for performance of the contract (3): Upon consent	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	Personalized advertising and marketing
	Necessary personal data: User account number, password, keys	Identifier	(1)    First account registration (2)    Subsequent login verification	Provided by you voluntarily	Necessary for performance of the contract	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	N/A
	Optional personal data: Gender, date of birth, country	Identifier	(1) First account registration (2) Subsequent login verification (3) Profiling	Provided by you voluntarily	Upon consent	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	Personalized advertising and marketing
Communication and after-sales service	Necessary personal data: Inbox messages Personal phone number *Communication records	Identifier Network activity information	(1)    To ensure communication with the seller during the transaction, as well as query and evidence collection concerning such communication history (2)    After-sales rights protection and service (3)    Profiling	Automatic collection	(1) (2): Necessary for performance of the contract (3): Upon consent	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	Personalized advertising and marketing
Bill payment	Necessary personal data: *Bank account Payment history Transaction and purchase records Records of payments and receipts	Personal financial information	(1)    To complete payment (2)    To ensure transaction security	Provided by you voluntarily	(1) (2): Necessary for performance of the contract and for performance of statutory obligations	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	N/A
Delivery of goods and services	Necessary personal data: Name, contact number, delivery address, transaction records and order information	Identifier Personal financial information	(1) Verification and receipt of goods/services (2) Check on and verification of transaction status (3) Profiling (contact number, delivery address)	Provided by you voluntarily	(1) (2): Necessary for performance of the contract (3): Upon consent	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	Personalized advertising and marketing

 

• Collection and use of personal data for extended business functions

Extended business function refers to any function we provide other than basic business functions. For the following extended business functions, you may prevent us from collecting relevant personal data by refusing to give consent or turning off relevant functions. This will result in us being unable to provide you with the relevant services or achieve the service results, but it will not affect your use of the basic business functions of the Services.

Business Functions and Use Scenarios	Collection and Processing					Retention Period	Use
	Personal Data Field	Type of Personal Data Involved under CCPA	Purpose of Collection	Method of Collection	Legal Basis for Collection
Comments on products/services	Optional personal data: Comments on products	Network activity information	(1) To recommend products for other users’ reference (2) Optimize service experience (3) Profiling	Provided by you voluntarily	(1) (2) (3): Upon consent	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	Personalized advertising and marketing
Product search	Necessary personal data: Common data of the device (hardware serial number, MAC address, unique device ID, etc.), language settings, IP address, and browsing history on the Inner Mountain Platform	Identifier Network activity information	(1) Quickly search for products of interest (2) Risk control (3) Profiling	Automatic collection	(1) (3): Upon consent (2): Necessary for performance of the contract	To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations	Personalized advertising and marketing

 

• How we use cookies and similar technologies
  • Use of cookies and similar technologies

In order to meet your personalized demand for online experience and provide you with an easier access experience, we will send one or more small data files named cookies or similar technical files on your computer or mobile device. The cookies assigned to you are unique, and can only be read by the Web server in the domain that has issued the cookies to you. We send cookies to you to simplify your repeated login steps, and help determine your login status and account or data security.

We will not use cookies for any purpose other than those stated in this Privacy Policy. You may manage or delete cookies based on your preferences. See AboutCookies.org for details. You may remove all cookies saved on your computer. Most Web browsers will accept cookies automatically, but usually you may modify the browser settings as you need to reject cookies. In addition, you may remove all cookies saved in software, but if you do so, you may have to change the user setting in person each time you visit our website, the relevant information you previously recorded will be deleted in its entirety, and the security of the services you use may be affected to some extent. To learn more about how to change your browser settings, please visit the relevant setting page of the browser you use.

• Web beacons and pixel tags

In addition to cookies, we will apply website beacons, pixel tags and other similar technologies to the website. For example, the email we send to you may include a URL that links to the contents of our website. If you click on such link, we can track your click, so as to help us understand your product or service preferences and improve customer services. Generally, website beacon is a kind of transparent image embedded in a website or email. By virtue of pixel tags in an email, we can know whether the email has been opened. If you do not want to be tracked like this, you can unsubscribe from the mailing list at any time.

• Do Not Track

Many Web browsers have the function Do Not Track which can issue Do Not Track requests to websites. At present, major organizations for Internet standardization have not set policies relevant to how websites shall cope with such requests. But if Do Not Track is enabled in your browser, we will respect your choice.

• Sharing
  • We will not share your personal data with any company, organization or individual outside Inner Mountain, except where:
    1. Explicit consent is obtained for such sharing: We will share your personal data with other parties after obtaining your explicit consent.
    2. Such disclosure is required by laws: We may share your personal data to others as required by laws and regulations, or upon mandatory request of competent authorities of the government.
    3. The data is shared with our affiliates: Your personal data may be shared with affiliates of a specific product operator, provided that the personal data will be shared to the extent strictly necessary and subject to the purposes stated in this Privacy Policy. Any affiliate that wishes to change the purpose for which the personal data is processed will seek further consent from you.
    4. The data is shared with authorized partners (service providers): In order to implement certain specific product modules or functions, some of our services will be provided by authorized partners. We may share some of your personal data with such partners in order to provide better customer service and user experience. Such partners include, for example, communications service providers that provide short message services for us.
    5. The data is shared with third-party sellers: Our services involve third-party sellers on the platform, by using such third-party service, you authorize us to share your user name and order information (information about the amount, time, number and type of order) to the relevant third-party seller on the platform so that it can complete its transaction with you based on such information. Such third-party sellers on the platform and us are joint controllers, and we assume personal data protection responsibility to you respectively to the extent required by laws and promised to you, and you may make a claim against either of us.
    6. We will share your personal data for legal, proper, necessary, specific and clear purposes only, and will only share such personal data as necessary to provide services. Our partners have no right to use the personal data shared for any other purpose.
    7. You acknowledge and understand, in case you are the seller in a service, that you may obtain the user name and order information (information about the amount, time, number and type of order) of the buyer to the extent necessary for performance of the contract. You shall perform your personal data protection responsibilities to the buyer in accordance with current laws, regulations and norms, and shall not provide any personal data of the buyer to others without the consent of the buyer and us. You shall be liable for any and all losses of the buyer and us arising from any infringement of the buyer’s personal data caused due to reasons attributable to you.

We may disclose your personal data to third parties for business/commercial purposes in a form that is consistent with GDPR and CCPA (a list of partners is available at: innermountain.org). Detailed information about sharing to third parties is summarized and disclosed in the table below. We will enter into strict data security responsibility agreements with companies, organizations and individuals with whom we share personal data, requiring them to process personal data in accordance with our instructions, this Policy and any other relevant confidentiality and security measures, and not to use the data for any purpose other than performance of the contract. If you are a California resident, in the preceding 12 months, we have disclosed your personal data to the following categories of third parties for commercial purposes, and the categories of personal data disclosed are as listed in the table below:

Name of Third Party (Recipient)	Type of Partner	Purpose of Cooperation	Cooperation Method	Perceived by User or Not	Shared Personal Data Field	Description of Data Security Capabilities of the Partner

 

• For the avoidance of doubt, you shall acknowledge and understand that relevant products may contain links to websites, applications, products or services operated by independent third parties. No warranties, express or implied, are provided by us with regard to such third-party websites, applications, products and services, and such links are provided only to facilitate users’ browsing of relevant pages. When you visit such third-party website, application, product or service links, you shall further agree to the privacy policy or personal data protection terms they provide to you. We and such third-party website, application, product and service providers assume independent personal data protection responsibilities to you respectively to the extent required by laws and mutually agreed.
• Data sharing for direct marketing purposes: The Section 1798.83 of the California Civil Code permits a California resident to request and obtain from us once per year information regarding personal data about you that we shared to a third party for the third party’s direct marketing purposes. If you are a California resident, you may request that we refrain from sharing your personal data with certain affiliates or other third parties for marketing purposes. Please inform us of your preferences using the contact details in Section 8 How to Contact Us in order to make such a request.

• Transfer

We will not transfer your personal data to any company, organization or individual, except where:

• Explicit consent is obtained: We will transfer your personal data to other parties after obtaining your explicit consent;
• The personal data is transferred in connection with a merger, acquisition or bankruptcy and liquidation, provided that we will require the succeeding company or organization that holds your personal data to be bound by this Policy, or alternatively we will require such company or organization to seek consent from you again.

• Public disclosure

We will publicly disclose your personal data only in the following circumstances:

• We have obtained your explicit consent;
• Such disclosure is based on laws: We may publicly disclose your personal data if mandatorily required by laws, legal proceedings, lawsuits or competent authorities of the government.

3. How We Protect Your Personal Data
   • We have taken security measures meeting industry standards to protect the personal data you provide against unauthorized access, public disclosure, use, alteration, damage or loss. We will take all measures reasonably practicable to protect your personal data. For example, your browser is under SSL encryption protection when exchanging data (such as credit card information) with the “server”; we also provide https safe browsing for Inner Mountain website; we will use encryption techniques to ensure the confidentiality of data; we will use reliable protection mechanisms to prevent data from hostile attacks; we will deploy access controls to ensure that access to personal data is limited to authorized persons only; and we will provide security and privacy protection training courses to increase employees’ awareness of the importance of personal data protection.
   • Our data security capabilities: Inner Mountain is equipped with a strong information security department to build complete and advanced data security protection systems for Inner Mountain products, including implementing classification and grading of user information, encrypted storage and division of data access rights; internal data management systems and operating procedures have been formulated, and stringent process requirements are put in place from data collection and use to destruction to protect user privacy data against illegal use; security management responsibilities are made clear for the departments and their persons in charge that have access to users’ personal data; work processes and safety management systems are established for the collection, use or other activities related to users’ personal data; the authority of employees and agents are controlled, and export, reproduction or destruction of personal data in batches is subject to review, and measures are taken to prevent against leaks; any paper, optical, electromagnetic or other types of carriers that record users’ personal data are properly kept and safe storage measures have been taken as appropriate; access to information systems that store users’ personal data is checked, for which anti-intrusion and anti-virus measures are taken; information about the person that operates on users’ personal data, and the time, location and particulars of such operation is recorded; and security and privacy protection training is provided on a regular basis to raise employees’ awareness of personal data protection.
   • We will take all measures reasonably practicable to ensure that no irrelevant personal data is collected. We will retain your personal data only for so long as necessary for achieving the purposes described in specific privacy guidelines, unless the retention period is extended as strictly necessary or as permitted by law.
   • The Internet environment is not 100% secure, and we will use our best efforts to ensure or guarantee the security of any information you send to us. We will be legally liable for any damage to your legitimate rights and interests arising from unauthorized access to or public disclosure, alteration or destruction of information caused by any damage to our physical, technical or organizational protection facilities.
   • Upon the occurrence of a personal data security incident against our will, we will, as required by laws and regulations, promptly inform you of: the basic particulars and potential impacts of such security incident, the responsive actions we have taken or will take, suggestions on how to prevent and reduce risks on your part, and the remedies available to you, etc. We will promptly inform you of the information about the incident by email, letter, phone call, push notification or otherwise, and will, where it is difficult to notify the personal data subjects one by one, issue announcements in a reasonable and effective manner.

In addition, we will actively report the resolution of personal data security incidents as required by supervisory authorities.

Please contact us using the contact details contained herein immediately after you find any leak of your personal data, to enable us to take appropriate measures promptly.

4. Your Rights

In accordance with the general requirements of GDPR, we will try to guarantee that you can exercise the following rights with respect to your personal data. If you are unable to control your personal data through the means notified by us, you may contact us at any time using the contact details provided in Section 8 “How to Contact Us”.

• Right of access, right to rectify
  • You may check and rectify your personal data by visiting My Profile interface (innermountain.org) and opening the user account center page. Please note that although we try our best to allow you to rectify your personal data, some of your personal data cannot be rectified, primarily for reasons of protecting the security of online transactions and determining the objects to whom the online products and services are provided. Such information mainly includes account information (including xx information).
  • You may check and rectify your name, gender, date of birth, country, email address, contact information, social media or device, etc. by visiting My Profile interface (innermountain.org).
  • You may check and rectify your address by visiting the Address Book interface (innermountain.org).
  • You may check your inbox messages by visiting My Message interface (innermountain.org).
  • If you are unable to access your personal data using the said methods, please feel free to send us an email at []. You may also contact us using the contact details provided in Section 8 of this Policy or on the Inner Mountain Platform.
• Right to delete
  • You may request that we delete your personal data under the following circumstances:
    1. The relevant data is no longer necessary for the purposes for which it was collected or processed, and there is a lack of legal basis for us to continue processing your personal data;
    2. You no longer consent to or you object to our processing of your personal data, and there is a lack of legal basis for us to continue processing your personal data;
    3. Our processing of the personal data is in violation of laws and regulations;
    4. Your data relates to the data of any child;
    5. You cease to use our products or services, or you have closed your account;
    6. We cease to provide products or services to you.
  • After you delete any information from our services, we may not immediately delete such information from our backup system, but will delete the same when the backup is updated.
• Right to withdraw consent

As disclosed in “2.1 Collection and use of personal data for basic business functions” and “2.2 Collection and use of personal data for extended business functions”, the justification for our processing of some of your personal data is your “consent”. You may withdraw your consent at any time. We will cease to process the relevant personal data upon withdrawal of your consent, provided that your decision to withdraw your consent shall not affect any processing of personal data based on your consent prior to such withdrawal.

• Right to restrict and object to the processing of your personal data
  • Right to restriction

You may restrict our processing of your personal data in accordance with the provisions of GDPR, in which case, we will store your personal data in accordance with GDPR only and will so notify you in accordance with the law.

• Right to object

As disclosed in “2.1 Collection and use of personal data for basic business functions” and “2.2 Collection and use of personal data for extended business functions”, we need to process your personal data for our own business interests, including for the purpose of profiling or direct marketing. You may exercise your right to object to such processing and profiling activities by sending us an email. If you object to such processing, we will cease to process your personal data for these purposes unless we can demonstrate that our interests outweigh yours, or we process your personal data in connection with legal proceedings.

• Right to data portability
  • You have the right to request us to provide, in electronic form, any personal data of you that have been collected upon your consent or as necessary for the execution and performance of a contract to any third party designated by you in writing.
  • We will use reasonable efforts to protect such right of you subject to technical availability. If data interfaces match, we may also transfer a copy of your personal data directly to a third party designated by you at your request and using communications technology currently available. If such third party refuses to receive the copy of your personal data, resulting in a transmission failure, you shall communicate with such third party in person, and Inner Mountain is not responsible for such transmission failure.
• Right to lodge a complaint with the supervisory authority

If you are dissatisfied with our response, in particular if you believe that our processing of the personal data has damaged your legitimate rights and interests, and negotiation fails, you have the right to lodge a complaint with the [competent supervisory authority for personal data protection].

• Response to your aforesaid requests:
  • For the sake of security, you may be required to submit a written request or otherwise prove your identity. We may ask you to verify your identity before processing your request.
  • We will give a reply within 30 days. You may file a complaint using the methods provided in [Section 8] hereof in case of dissatisfaction.
  • Generally, we do not charge any fee on your reasonable requests, but we will charge a certain fee as appropriate for repeated requests beyond the reasonable limit. We may refuse any requests that are repeated for no reason, call for excessive technical means (e.g., where it is required to develop a new system or fundamentally change the existing practices), pose a risk to the legitimate rights and interests of others, or that are extremely impractical (e.g., requests involving information stored on backup tapes).
• We will be unable to respond to your request in accordance with laws and regulations if such request
  1. is directly related to national security or national defense security;
  2. is directly related to public safety, public health or vital public interests;
  3. is directly related to any criminal investigation, prosecution, trial or execution of judgments;
  4. is made by you out of malice or is an abuse of your rights as shown by sufficient evidence;
  5. if responded to, will cause material damage to the legitimate rights and interests of you or any other individuals or organizations;
  6. involves trade secrets;
  7. cannot be fulfilled due to other situations stipulated by applicable laws.

If you are a California resident, you will have the following rights. We welcome such requests to the extent required by applicable laws and within the time specified by laws.

• Right to know the personal data collected, disclosed or sold

You have the right to request that we disclose to you the categories or specific pieces of personal data that we collected, disclosed or sold about you. Specifically, you have the right to request disclosure of the categories and specific pieces of personal data we have collected, disclosed or sold about you in the preceding 12 months, including the following:

1. The categories of personal data we have collected about you;
2. The categories of sources from which the personal data about you is collected;
3. The business or commercial purpose for which we collect such personal data;
4. The business or commercial purpose for which we sell or disclose such personal data;
5. The categories of third parties with whom we share such personal data;
6. The specific pieces of personal data we have collected about you;
7. The categories of personal data (if any) that we have disclosed or sold about you for monetary or other consideration, and the categories of third parties to whom we disclose or sell such data, by category or categories of personal data for each category of third parties to whom the personal data was disclosed or sold;
8. The categories of personal data that we disclosed or sold about you for a commercial purpose.

• Right to rectification

You have the right to rectify any inaccurate personal data we have collected. According to the requirements of CPRA, we need to verify your identity before allowing you to rectify your personal data.

• Right to delete

You have the right to request that we delete any of your personal data which we have collected from you and retained, but this is a limited right, and based on an exception clause under CCPA or other statutory obligations, we may still retain certain data for a reasonable period of time to the extent permitted by laws. Once we receive, verify and confirm your request, we will delete (and direct our service providers to delete) your personal data from our records, unless otherwise required by laws and regulations, or such third party has obtained separate authorization from you.

• Right to opt-out

We have not sold any personal data in the preceding 12 months. We may use your personal data collected for sale in the future, and you have the right to opt out of the sale of your personal data for monetary or other valuable consideration. You may opt out of the sale by clicking Do Not Sell My Personal Data. We will not sell any personal data we collect from a minor under the age of 16 unless we obtain explicit authorization from the minor’s parent or guardian in accordance with the law.

• Right not to be discriminated against for exercising California privacy rights

We will not discriminate against you because you exercised any rights stated above or any other rights under CCPA, including by:

1. Denying goods or services to you;
2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
3. Providing a different level or quality of goods or services to you; or
4. Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Notwithstanding the foregoing, we may charge you a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to Inner Mountain by your personal data.

• How to exercise your California privacy rights
  • You can exercise your rights by:

Completing and submitting an online request form to us

Email: [social@innermountain.org]

• Please note that where permitted by law, we may take steps to verify your identity before granting you access to information or acting on your request for exercise of rights.
• In certain circumstances, you may appoint an authorized agent to make requests on your behalf. You must provide a written letter of authorization to your authorized agent, and we may request you to verify your identity directly with us.
• In addition, you may only initiate two verifiable requests within a 12-month period.
• We may not be able to fulfill your request under certain circumstances. For example, we will not fulfill a request if we cannot verify your identity or check whether an authorized agent has the authority to make such request on your behalf. In addition, we will not comply with your request in exceptional circumstances, for example, where disclosure of the personal data may have an adverse impact on the rights and freedoms of other consumers, or where we are not subject to the right of access or right to deletion under CCPA with respect to the personal data we store about you.
• We will try to complete your request within 45 days after receipt of the same. If extension is required, we will notify you in writing of the reasons and period of extension.

• Right to cancel account
  • Regardless of whether you are a California resident or not, you may cancel your account registered with Inner Mountain at any time. You may either cancel your account yourself by visiting the relevant page of [innermountain.org], or request us to cancel your innermountain account by sending an email to [social@innermountain.org]. We may ask you to verify your identity to ensure the security of your account.
  • After canceling your account, we will cease to provide services to you, and will, upon your request, delete your personal data within the time specified by applicable laws, unless otherwise specified by laws and regulations or agreed between you and us.

5. How We Process the Personal Data of Children
   • Our products, websites and services are intended for adults only. Children are not allowed to create their own user accounts.
   • Notwithstanding any definition to the contrary given by local laws and custom, we treat anyone under the age of 18 as a child.
   • You should report your age actively. If you are under the age of 16, you shall provide the contact information (e.g., email address, phone number) of your guardian, and we will contact your guardian using such contact information and take reasonable measures to obtain the explicit consent of your guardian. You shall clearly understand that if we find or suspect that you are under the age of 16 in the course of service, we may suspend or terminate the service to you at any time until you provide us with evidence that you have reached the age of 16, or assist us in obtaining the explicit consent of your guardian (for example, making your guardian sign the relevant request of you or provide us with a signed statement that they agree to your use of the service).
   • We will manage to delete any personal data collected from a minor within the shortest time possible if we find that such data is collected by us without obtaining the prior verifiable parental consent.
   • To the extent that you are the parent or guardian of a minor, you may contact us using the contact details in Section 8 below if you have any doubts about the processing of the personal data of the minor under your custody.
6. How Your Personal Data Is Transferred Globally
   • You understand and expressly agree that generally we collect your personal data for storage and processing in [the People’s Republic of China]. We hereby draw your attention to the fact that the People’s Republic of China is not a third country that has an adequate level of protection as determined by the European Commission. We will do our utmost to provide appropriate safeguards for the transfer of your personal data and to enable you to exercise your rights and obtain effective legal remedies. Such data transfer is risky. You should have a full understanding of such risks and hereby authorize us to transfer your personal data to the foreign judicial authorities in the country or region where you use the services, including China.
7. How This Policy Is Updated and Applicable Laws
   • Our privacy policy is subject to change. We will not reduce your rights available under this Policy without your explicit consent. We will issue updated versions of this Policy.
   • For significant changes, we will also provide a more prominent notice (including, for certain services, sending a notification by email explaining the specific changes to this Policy).
   • Significant changes referred to in this Policy include but not limited to:
     1. Significant changes in our service modes, for example, the purpose of processing personal data, the type of personal data processed or the use of personal data, etc.;
     2. Significant changes in our ownership structure or organizational structure, including, among others, change of owners caused by business adjustment, bankruptcy or mergers and acquisitions;
     3. Changes in main objects to whom personal data is shared, transferred or publicly disclosed;
     4. Significant changes in your rights to participate in the processing of personal data or the ways in which they are exercised;
     5. Changes in our responsible departments, contact details and complaint channels in relation to personal data security;
     6. Existence of high risks as indicated in a report of personal data security impact assessment.

8. How to Contact Us
   • Basic information about us:

Company Name: Beijing Neifeng Technology Co., Ltd.

Contact information: [social@innermountain.org]

• We have established a personal data protection department. If you have any questions or advice about this Policy, or if you want us to update information about you or your preferences, you may contact us using the following contact information. Generally, we will give a reply within a reasonable period of time.

Contact information: [social@innermountain.org]

• If you are a disabled person and unable to access and obtain information related to this Privacy Policy, you may contact us using the contact details provided in this section, and we will try our best to provide this Privacy Policy to you in such other formats that are easily accessible by you.