Introduction
Shanghai Huizhitu Education Technology Co., Ltd. ("we", "us", or "the Company") recognizes the importance of personal information and is committed to protecting personal data in accordance with applicable laws and regulations. This Privacy Agreement explains how we collect, use, store, share, transfer, and disclose personal information, and outlines your rights as a data subject.
We align our operations with legal and regulatory standards across major jurisdictions, including but not limited to: PIPL, Cybersecurity Law, Data Security Law, and related Chinese data regulations; GDPR and related EU transparency guidance; CCPA/CPRA and associated requirements; COPPA and relevant FTC policy developments; LGPD; PDPA; PIPEDA; and APPI.
1. Information We Collect and Use
Personal information means information related to identified or identifiable natural persons, excluding anonymized data. Sensitive personal information means data that, if leaked or misused, may infringe personal dignity or endanger personal or property safety.
1.1 Information You Provide
- Account registration and login details: mobile number, email, or third-party account information (for example WeChat, Apple ID, Google account).
- Identity verification details: legal name, ID/passport number, date of birth, and education background for specific service scenarios.
- Consultation and communication details: inquiry content and contact details provided via support channels.
- Payment information: transaction records such as order details and amount paid. Sensitive payment credentials are collected directly by payment institutions and are not stored by us.
- Creative content details: project assets, copy, and design requirements supplied for creative production services.
1.2 Automatically Collected Information
- Device information: model, OS version, unique identifier, IMEI, MAC address, advertising identifiers (IDFA/AAID), and IP address.
- Log information: visit time, session duration, page access, operational records, and crash logs.
- Approximate location inferred from IP address for regional service adaptation.
- Cookies and similar technologies used for preference memory, service quality, and security.
1.3 Purpose and Legal Basis
| Purpose | Data Type | Legal Basis |
|---|
| Account management and security verification | Account and device data | Contract necessity; PIPL lawful basis |
| Study abroad consulting and application services | Identity, education, and contact data | Contract necessity; consent where required |
| Personalized recommendations | Usage records and preferences | Consent; opt-out rights where applicable |
| In-app advertising (IAA) | Identifiers, IP, ad interaction data | Consent in EEA; lawful interest/opt-out in other regions where permitted |
| Service improvement and analytics | Logs, crash data, anonymized analytics | Legitimate interests and lawful processing grounds |
| Legal compliance obligations | Transaction and verification records | Legal obligations |
1.4 Third-Party SDK Disclosure
| SDK | Provider | Data Types | Purpose | Policy |
|---|
| Google AdMob | Google LLC | Identifiers, IP, ad interaction, rough location | Advertising and monetization | https://policies.google.com/privacy |
| Meta Audience Network | Meta Platforms, Inc. | Identifiers, IP, app usage data | Advertising and monetization | https://www.facebook.com/privacy/policy |
| Unity Ads | Unity Technologies | Device data, IP, ad interaction | Advertising and monetization | https://unity3d.com/legal/privacy-policy |
| AppLovin MAX | AppLovin Corporation | Identifiers, IP, ad preference data | Ad mediation and monetization | https://www.applovin.com/privacy/ |
| Google Analytics for Firebase | Google LLC | Device and app usage data, crash data | Analytics and performance | https://policies.google.com/privacy |
| WeChat Open Platform | Tencent Technology (Shenzhen) Co., Ltd. | Device and network status information | Third-party sign-in and sharing | https://privacy.qq.com/ |
| Sign in with Apple | Apple Inc. | Name and email (including private relay option) | Third-party sign-in | https://www.apple.com/legal/privacy/ |
1.5 Permission Access Explanation
| Permission | Usage Scenario | Can User Refuse? |
|---|
| Storage (Android) | File save and image cache | Yes, with potential feature limitations |
| Camera | QR scan and document photo upload | Yes, requested only when needed |
| Photo Album | Image upload | Yes, requested only when needed |
| Network | Core service connectivity | No |
| Notification | Service and status alerts | Yes |
2. Cookies and Similar Technologies
We use cookies and similar technologies to support service functionality, preserve user preferences, enhance security, and analyze usage quality.
For advertising technologies, we and our partners may use identifiers (for example IDFA and AAID) and cookies for delivery, frequency capping, attribution, and measurement. In the EEA we rely on explicit consent via UMP SDK and support IAB TCF standards. In California, users may exercise rights to opt out of sale or sharing where required. In jurisdictions requiring opt-in for identifiable analytics and advertising cookies, we obtain explicit consent.
3. Sharing, Transfer, and Public Disclosure
We do not share personal data with non-affiliated entities except in lawful and necessary circumstances such as user consent, affiliated service delivery, ad monetization partnerships, school application operations, statutory obligations, or protection of lawful rights and safety.
When we engage processors, we sign data processing agreements and require strict compliance with our instructions and security requirements.
We do not transfer personal data ownership except with user consent or corporate transactions such as merger, acquisition, or restructuring, subject to equivalent data protection obligations by the recipient.
Public disclosure occurs only with explicit consent or when legally required.
4. Cross-Border Data Transfers
Personal data is primarily stored within mainland China. For overseas education application processing and certain global service infrastructures, cross-border transfers may occur with separate consent where required.
We implement legal safeguards including security assessments, certifications, standard contractual clauses, adequacy mechanisms, and other lawful transfer tools depending on applicable jurisdictional requirements.
5. Security Protection Measures
- Technical safeguards: SSL/TLS encryption, firewall mechanisms, intrusion detection, access controls, and periodic security testing.
- Organizational safeguards: internal data security rules, personnel training, least-privilege access management, and auditable processing logs.
- Incident response: emergency plans and legally compliant user/regulator notifications when incidents occur.
- Compliance audits: regular personal information protection audits and risk assessment mechanisms where required.
- Management framework: privacy governance aligned with ISO/IEC 27701 standards and continuous improvement.
6. Your Rights
Depending on jurisdiction, you may have rights of access, correction, deletion, restriction, portability, objection, withdrawal of consent, and rights related to automated decision-making. You may submit requests through our contact channels, and we respond within statutory timelines (typically 15 to 30 days depending on legal framework).
7. Protection of Minors
Our services are intended for adult users. Minors should use our services with parent or guardian authorization and supervision. We do not knowingly collect personal data from children below legal age thresholds in applicable jurisdictions and provide removal mechanisms upon verified guardian request. We implement age-screening mechanisms at registration and comply with local minor protection obligations.
8. IAA Compliance Provisions
Advertising identifiers are used for ad delivery, capping, and attribution. On iOS, access to IDFA follows ATT authorization. We support lawful consent and opt-out frameworks for EEA, California, mainland China, Brazil, and other relevant jurisdictions. Partner platforms may include Google AdMob, Meta Audience Network, Unity Ads, and AppLovin MAX.
9. Data Retention and Deletion
We retain personal data only for the minimum period necessary for stated purposes or legal obligations. Typical durations include account data until account closure, financial records per statutory requirements, and log records for approximately six months unless required otherwise.
After retention periods or valid deletion requests, data is deleted or anonymized within applicable legal timelines.
10. Automated Decision-Making
Automated decision technologies may be used for personalization and ad matching. We conduct required assessments and provide transparency as required by law. Users may object to decisions that significantly affect rights and interests where legally available.
11. Updates to This Agreement
We may update this Privacy Agreement from time to time. In case of material changes, we notify users via in-app notice, push message, or email and request renewed consent where required.
12. Contact Us
Company: Shanghai Huizhitu Education Technology Co., Ltd.
Address: Room 201, Area A, No. 2388 Hutai Road, Baoshan District, Shanghai
Email: support@huizhitu.com
VIP and Key Accounts: liyanhong@huizhitu.com
Data Protection Officer (GDPR matters): dpo@huizhitu.com
Personal Information Protection Lead (PIPL matters): privacy@huizhitu.com
We respond within 15 business days or applicable statutory deadlines.
