Privacy Policy

Inner Mountain Privacy Policy

Last updated on: [October] [31], 2023

Effective on: [October] [31], 2023

Previous Versions

Introduction:

This Privacy Policy (hereinafter referred to as this “Policy”) applies to the website (innermountai\n.org), products, applications, technologies, software or services provided to you by Beijing Neifeng Technology Co., Ltd., owner of the website (hereinafter referred to as “Inner Mountain”, “Inner Mountain Platform”, “we”, “us” or “our”). When you use the services provided by Inner Mountain, we will collect and use your personal data pursuant to this Policy. It is our intention to clearly tell you how we process your personal data by means of this Privacy Policy, so we advise you to read this Policy in its entirety to help you understand how to protect your privacy.

We try to present this Policy in a concise, clear and understandable manner. Being fully aware of the importance of personal data to you, we will do our best to ensure the security and reliability of your personal data. To maintain your trust in us, we are committed to protecting your personal data by adhering to the following principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. We also undertake to put in place such security measures as consistent with industrially proven security standards to protect your personal data.

Please read and understand this Policy carefully before using our products so that you can better understand our products and the services we provide and make appropriate choices. In order for you to fully understand and be informed of the ways in which we process your personal data, the scope and consequences of such processing and other relevant rules, we have the Key Definitions and Personal Data Processing Instructions section prepared specially for fulfilling our notification obligation to you under the law. It being so, we strongly recommend that you first read those instructions carefully and give your consent or explicit consent on the basis of full understanding of the content of this Policy and the schedule hereto.

This Policy will help you understand:

  1. Key definitions and personal data processing instructions
  2. How we collect and use your personal data
  3. How we protect your personal data
  4. Your rights
  5. How we process the personal data of children
  6. How your personal data moves across borders
  7. How this Policy is updated
  8. How to contact us

 

  1. Key Definitions and Personal Data Processing Instructions

Key terms used in this Policy are defined based on the meaning specified in the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), and appropriate changes are made thereto in consideration of our actual situation. In case of any inconsistency, the provisions of GDPR, CCPA and CPRA shall prevail. You are kindly requested to pay extra attention to the fact that the key purpose of these instructions is to guide you to gain a fully understanding and knowledge of the ways in which we process your personal data, the scope and consequences of such processing and other relevant rules, so as to fulfill our notification obligation to you under the law. It being so, we strongly recommend that you read these instructions carefully and give your consent or explicit consent on the basis of full understanding of the content of these instructions.

In this Policy, information that is personal data will be highlighted in bold to draw your attention; and any personal data that are special categories of personal data under GDPR or sensitive personal information under CCPA and CPRA will be highlighted in bold and indicated by an asterisk (*) to draw your attention and seek your explicit consent. You shall pay extra attention to the enumeration of such information. In addition, in order to help you understand the necessity of collecting personal data, we will distinguish and explain, in the form of lists, whether the personal data you provide to us under a particular business function is necessary personal data.

  1. How We Collect and Use Your Personal Data

We will collect from you and process your personal data (as listed below) in a lawful and proper manner where necessary for the purpose of fulfilling relevant functions. We will try our best to disclose information about the collection and use of your personal data to you in a full, complete and timely manner. If you find any errors or omissions in our disclosure, please contact us promptly.

Basic business functions refer to the business functions we provide that meet your fundamental expectations and most important needs in choosing and using the services we provide. Basic business functions and the personal data they collect and use will change as the products or services develop, grow and upgrade. Under basic business functions, you may prevent us from collecting relevant personal data by refusing to give consent or turning off relevant functions, but this will result in us being unable to provide you with the relevant services or achieve the service results.

Business Functions and Use Scenarios Collection and Processing Retention Period Use
Personal Data Field Type of Personal Data Involved under CCPA Purpose of Collection Method of Collection Legal Basis for Collection
Account registration

login

Necessary personal data:

Email address

Identifier (1)    First account registration

(2)    Subsequent login verification

(3)    Profiling

Provided by you voluntarily (1) (2): Necessary for performance of the contract

(3): Upon consent

To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations Personalized advertising and marketing
Necessary personal data:

User account number, password, keys

Identifier (1)    First account registration

(2)    Subsequent login verification

Provided by you voluntarily Necessary for performance of the contract To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations N/A
Optional personal data:

Gender, date of birth, country

Identifier (1) First account registration

(2) Subsequent login verification

(3) Profiling

Provided by you voluntarily Upon consent To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations Personalized advertising and marketing
Communication and after-sales service Necessary personal data:

Inbox messages

Personal phone number

*Communication records

Identifier

Network activity information

(1)    To ensure communication with the seller during the transaction, as well as query and evidence collection concerning such communication history

(2)    After-sales rights protection and service

(3)    Profiling

Automatic collection (1) (2): Necessary for performance of the contract

(3): Upon consent

To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations Personalized advertising and marketing
Bill payment Necessary personal data:

*Bank account

Payment history

Transaction and purchase records

Records of payments and receipts

Personal financial information (1)    To complete payment

(2)    To ensure transaction security

Provided by you voluntarily (1) (2): Necessary for performance of the contract and for performance of statutory obligations To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations N/A
Delivery of goods and services Necessary personal data:

Name, contact number, delivery address, transaction records and order information

Identifier

Personal financial information

(1) Verification and receipt of goods/services

(2) Check on and verification of transaction status

(3) Profiling (contact number, delivery address)

Provided by you voluntarily (1) (2): Necessary for performance of the contract

(3): Upon consent

To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations Personalized advertising and marketing

 

Extended business function refers to any function we provide other than basic business functions. For the following extended business functions, you may prevent us from collecting relevant personal data by refusing to give consent or turning off relevant functions. This will result in us being unable to provide you with the relevant services or achieve the service results, but it will not affect your use of the basic business functions of the Services.

Business Functions and Use Scenarios Collection and Processing Retention Period Use
Personal Data Field Type of Personal Data Involved under CCPA Purpose of Collection Method of Collection Legal Basis for Collection
Comments on products/services Optional personal data:

Comments on products

Network activity information (1) To recommend products for other users’ reference

(2) Optimize service experience

(3) Profiling

Provided by you voluntarily (1) (2) (3): Upon consent To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations Personalized advertising and marketing
Product search Necessary personal data:

Common data of the device (hardware serial number, MAC address, unique device ID, etc.), language settings, IP address, and browsing history on the Inner Mountain Platform

Identifier

Network activity information

(1) Quickly search for products of interest

(2) Risk control

(3) Profiling

Automatic collection (1) (3): Upon consent

(2): Necessary for performance of the contract

To be retained from the date of collection to the time when user exercises its right to delete, unless a longer retention period is specified by laws and regulations Personalized advertising and marketing

 

In order to meet your personalized demand for online experience and provide you with an easier access experience, we will send one or more small data files named cookies or similar technical files on your computer or mobile device. The cookies assigned to you are unique, and can only be read by the Web server in the domain that has issued the cookies to you. We send cookies to you to simplify your repeated login steps, and help determine your login status and account or data security.

We will not use cookies for any purpose other than those stated in this Privacy Policy. You may manage or delete cookies based on your preferences. See AboutCookies.org for details. You may remove all cookies saved on your computer. Most Web browsers will accept cookies automatically, but usually you may modify the browser settings as you need to reject cookies. In addition, you may remove all cookies saved in software, but if you do so, you may have to change the user setting in person each time you visit our website, the relevant information you previously recorded will be deleted in its entirety, and the security of the services you use may be affected to some extent. To learn more about how to change your browser settings, please visit the relevant setting page of the browser you use.

In addition to cookies, we will apply website beacons, pixel tags and other similar technologies to the website. For example, the email we send to you may include a URL that links to the contents of our website. If you click on such link, we can track your click, so as to help us understand your product or service preferences and improve customer services. Generally, website beacon is a kind of transparent image embedded in a website or email. By virtue of pixel tags in an email, we can know whether the email has been opened. If you do not want to be tracked like this, you can unsubscribe from the mailing list at any time.

Many Web browsers have the function Do Not Track which can issue Do Not Track requests to websites. At present, major organizations for Internet standardization have not set policies relevant to how websites shall cope with such requests. But if Do Not Track is enabled in your browser, we will respect your choice.

We may disclose your personal data to third parties for business/commercial purposes in a form that is consistent with GDPR and CCPA (a list of partners is available at: innermountain.org). Detailed information about sharing to third parties is summarized and disclosed in the table below. We will enter into strict data security responsibility agreements with companies, organizations and individuals with whom we share personal data, requiring them to process personal data in accordance with our instructions, this Policy and any other relevant confidentiality and security measures, and not to use the data for any purpose other than performance of the contract. If you are a California resident, in the preceding 12 months, we have disclosed your personal data to the following categories of third parties for commercial purposes, and the categories of personal data disclosed are as listed in the table below:

Name of Third Party (Recipient) Type of Partner Purpose of Cooperation Cooperation Method Perceived by User or Not Shared Personal Data Field Description of Data Security Capabilities of the Partner
             

 

We will not transfer your personal data to any company, organization or individual, except where:

We will publicly disclose your personal data only in the following circumstances:

  1. How We Protect Your Personal Data
    • We have taken security measures meeting industry standards to protect the personal data you provide against unauthorized access, public disclosure, use, alteration, damage or loss. We will take all measures reasonably practicable to protect your personal data. For example, your browser is under SSL encryption protection when exchanging data (such as credit card information) with the “server”; we also provide https safe browsing for Inner Mountain website; we will use encryption techniques to ensure the confidentiality of data; we will use reliable protection mechanisms to prevent data from hostile attacks; we will deploy access controls to ensure that access to personal data is limited to authorized persons only; and we will provide security and privacy protection training courses to increase employees’ awareness of the importance of personal data protection.
    • Our data security capabilities: Inner Mountain is equipped with a strong information security department to build complete and advanced data security protection systems for Inner Mountain products, including implementing classification and grading of user information, encrypted storage and division of data access rights; internal data management systems and operating procedures have been formulated, and stringent process requirements are put in place from data collection and use to destruction to protect user privacy data against illegal use; security management responsibilities are made clear for the departments and their persons in charge that have access to users’ personal data; work processes and safety management systems are established for the collection, use or other activities related to users’ personal data; the authority of employees and agents are controlled, and export, reproduction or destruction of personal data in batches is subject to review, and measures are taken to prevent against leaks; any paper, optical, electromagnetic or other types of carriers that record users’ personal data are properly kept and safe storage measures have been taken as appropriate; access to information systems that store users’ personal data is checked, for which anti-intrusion and anti-virus measures are taken; information about the person that operates on users’ personal data, and the time, location and particulars of such operation is recorded; and security and privacy protection training is provided on a regular basis to raise employees’ awareness of personal data protection.
    • We will take all measures reasonably practicable to ensure that no irrelevant personal data is collected. We will retain your personal data only for so long as necessary for achieving the purposes described in specific privacy guidelines, unless the retention period is extended as strictly necessary or as permitted by law.
    • The Internet environment is not 100% secure, and we will use our best efforts to ensure or guarantee the security of any information you send to us. We will be legally liable for any damage to your legitimate rights and interests arising from unauthorized access to or public disclosure, alteration or destruction of information caused by any damage to our physical, technical or organizational protection facilities.
    • Upon the occurrence of a personal data security incident against our will, we will, as required by laws and regulations, promptly inform you of: the basic particulars and potential impacts of such security incident, the responsive actions we have taken or will take, suggestions on how to prevent and reduce risks on your part, and the remedies available to you, etc. We will promptly inform you of the information about the incident by email, letter, phone call, push notification or otherwise, and will, where it is difficult to notify the personal data subjects one by one, issue announcements in a reasonable and effective manner.

In addition, we will actively report the resolution of personal data security incidents as required by supervisory authorities.

Please contact us using the contact details contained herein immediately after you find any leak of your personal data, to enable us to take appropriate measures promptly.

  1. Your Rights

In accordance with the general requirements of GDPR, we will try to guarantee that you can exercise the following rights with respect to your personal data. If you are unable to control your personal data through the means notified by us, you may contact us at any time using the contact details provided in Section 8 “How to Contact Us”.

As disclosed in “2.1 Collection and use of personal data for basic business functions” and “2.2 Collection and use of personal data for extended business functions”, the justification for our processing of some of your personal data is your “consent”. You may withdraw your consent at any time. We will cease to process the relevant personal data upon withdrawal of your consent, provided that your decision to withdraw your consent shall not affect any processing of personal data based on your consent prior to such withdrawal.

You may restrict our processing of your personal data in accordance with the provisions of GDPR, in which case, we will store your personal data in accordance with GDPR only and will so notify you in accordance with the law.

As disclosed in “2.1 Collection and use of personal data for basic business functions” and “2.2 Collection and use of personal data for extended business functions”, we need to process your personal data for our own business interests, including for the purpose of profiling or direct marketing. You may exercise your right to object to such processing and profiling activities by sending us an email. If you object to such processing, we will cease to process your personal data for these purposes unless we can demonstrate that our interests outweigh yours, or we process your personal data in connection with legal proceedings.

If you are dissatisfied with our response, in particular if you believe that our processing of the personal data has damaged your legitimate rights and interests, and negotiation fails, you have the right to lodge a complaint with the [competent supervisory authority for personal data protection].

If you are a California resident, you will have the following rights. We welcome such requests to the extent required by applicable laws and within the time specified by laws.

You have the right to request that we disclose to you the categories or specific pieces of personal data that we collected, disclosed or sold about you. Specifically, you have the right to request disclosure of the categories and specific pieces of personal data we have collected, disclosed or sold about you in the preceding 12 months, including the following:

  1. The categories of personal data we have collected about you;
  2. The categories of sources from which the personal data about you is collected;
  3. The business or commercial purpose for which we collect such personal data;
  4. The business or commercial purpose for which we sell or disclose such personal data;
  5. The categories of third parties with whom we share such personal data;
  6. The specific pieces of personal data we have collected about you;
  7. The categories of personal data (if any) that we have disclosed or sold about you for monetary or other consideration, and the categories of third parties to whom we disclose or sell such data, by category or categories of personal data for each category of third parties to whom the personal data was disclosed or sold;
  8. The categories of personal data that we disclosed or sold about you for a commercial purpose.

You have the right to rectify any inaccurate personal data we have collected. According to the requirements of CPRA, we need to verify your identity before allowing you to rectify your personal data.

You have the right to request that we delete any of your personal data which we have collected from you and retained, but this is a limited right, and based on an exception clause under CCPA or other statutory obligations, we may still retain certain data for a reasonable period of time to the extent permitted by laws. Once we receive, verify and confirm your request, we will delete (and direct our service providers to delete) your personal data from our records, unless otherwise required by laws and regulations, or such third party has obtained separate authorization from you.

We have not sold any personal data in the preceding 12 months. We may use your personal data collected for sale in the future, and you have the right to opt out of the sale of your personal data for monetary or other valuable consideration. You may opt out of the sale by clicking Do Not Sell My Personal Data. We will not sell any personal data we collect from a minor under the age of 16 unless we obtain explicit authorization from the minor’s parent or guardian in accordance with the law.

We will not discriminate against you because you exercised any rights stated above or any other rights under CCPA, including by:

  1. Denying goods or services to you;
  2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  3. Providing a different level or quality of goods or services to you; or
  4. Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Notwithstanding the foregoing, we may charge you a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to Inner Mountain by your personal data.

Completing and submitting an online request form to us

Email: [social@innermountain.org]

  1. How We Process the Personal Data of Children
    • Our products, websites and services are intended for adults only. Children are not allowed to create their own user accounts.
    • Notwithstanding any definition to the contrary given by local laws and custom, we treat anyone under the age of 18 as a child.
    • You should report your age actively. If you are under the age of 16, you shall provide the contact information (e.g., email address, phone number) of your guardian, and we will contact your guardian using such contact information and take reasonable measures to obtain the explicit consent of your guardian. You shall clearly understand that if we find or suspect that you are under the age of 16 in the course of service, we may suspend or terminate the service to you at any time until you provide us with evidence that you have reached the age of 16, or assist us in obtaining the explicit consent of your guardian (for example, making your guardian sign the relevant request of you or provide us with a signed statement that they agree to your use of the service).
    • We will manage to delete any personal data collected from a minor within the shortest time possible if we find that such data is collected by us without obtaining the prior verifiable parental consent.
    • To the extent that you are the parent or guardian of a minor, you may contact us using the contact details in Section 8 below if you have any doubts about the processing of the personal data of the minor under your custody.
  2. How Your Personal Data Is Transferred Globally
    • You understand and expressly agree that generally we collect your personal data for storage and processing in [the People’s Republic of China]. We hereby draw your attention to the fact that the People’s Republic of China is not a third country that has an adequate level of protection as determined by the European Commission. We will do our utmost to provide appropriate safeguards for the transfer of your personal data and to enable you to exercise your rights and obtain effective legal remedies. Such data transfer is risky. You should have a full understanding of such risks and hereby authorize us to transfer your personal data to the foreign judicial authorities in the country or region where you use the services, including China.
  3. How This Policy Is Updated and Applicable Laws
    • Our privacy policy is subject to change. We will not reduce your rights available under this Policy without your explicit consent. We will issue updated versions of this Policy.
    • For significant changes, we will also provide a more prominent notice (including, for certain services, sending a notification by email explaining the specific changes to this Policy).
    • Significant changes referred to in this Policy include but not limited to:
      1. Significant changes in our service modes, for example, the purpose of processing personal data, the type of personal data processed or the use of personal data, etc.;
      2. Significant changes in our ownership structure or organizational structure, including, among others, change of owners caused by business adjustment, bankruptcy or mergers and acquisitions;
      3. Changes in main objects to whom personal data is shared, transferred or publicly disclosed;
      4. Significant changes in your rights to participate in the processing of personal data or the ways in which they are exercised;
      5. Changes in our responsible departments, contact details and complaint channels in relation to personal data security;
      6. Existence of high risks as indicated in a report of personal data security impact assessment.
  1. How to Contact Us
    • Basic information about us:

Company Name: Beijing Neifeng Technology Co., Ltd.

Contact information: [social@innermountain.org]

Contact information: [social@innermountain.org]