Release date of this version: June 22, 2018

Effective date: July 21, 2018

Overview

This policy will help you understand:

I. How We Collect Personal Data

II. How We Use Cookie, Beacon, Proxy and Other Technologies

III. How We Store and Protect Personal Data

IV. How We Use Personal Data

V. How We Disclose Personal Data

VI. How You Access and Manage Your Personal Data

VII. Statement on Third Party Liability

VIII. Special Provisions on Privacy Rights of Minors

IX. Application and Revision of the Policy

X. Notes to Key Terms Used in the Policy

Ant Financial (hereinafter also referred to as “we”, “our” or “us”) respects and protects your piracy. When you use our services (e.g., Huabei, Ant Jiebei, Ant Fortune platform services, Ant Insurance platform services, Ant Forest, Ant Farm, and Easy Rent), relevant service providers will collect, store, use and disclose your personal data in accordance with this privacy policy (the “Policy”).We will also explain to you, through the Policy, how we provide services for you to access, update, manage and protect your information. The Policy is closely associated with your use of the services of Ant Financial. We suggest you carefully read and understand all of the Policy and make choices you deem appropriate. We try to use plain and concise language, and for provisions herein that are vital to your rights or interests, use words in bold for your attention.

Relevant service providers will collect, store, use and disclose your information as required in order to comply with the requirements of PRC laws and regulations and regulatory requirements, to provide services to you and to improve the quality of such services. You agree that the relevant service providers will process your information in accordance with the Policy to enable you to access quality, convenient, efficient and personalized services and to better protect your account and funds.

How we collect personal data

When you use the services of Ant Financial, relevant service providers may need to collect your certain information in the following circumstances in order to provide you with services, improve the quality of our services provided to you, safeguard the security of your account and funds, and comply with PRC laws and regulations and regulatory requirements:

1. To perform obligations under laws and regulations and regulatory requirements

With respect to the services, relevant service providers need to perform the obligations under applicable laws and regulations or regulatory requirements (e.g., real-name management, anti-money laundering, measures to prevent risks, and investor suitability management). Relevant service providers will specify in the relevant users’ service agreements your personal data needed to be collected in order to perform relevant legal obligations. For example, when you need to use Ant Fortune platform services, the operator of Ant Fortune platform may collect your identity information, contact details, account and verification information from its affiliates and cooperative financial institutions in order to meet the requirements of applicable laws and regulations on real-name management to verify your identity. In addition, in order to verify the accuracy and completeness of the information provided by you, relevant service providers will check the same with other government authorities, financial institutions, public institutions and enterprises that lawfully store your information (“verification institutions”).If in the process of such verification relevant service providers need to collect your information from such verification institutions, relevant service providers will request the relevant verification institutions to explain the source of such personal data pursuant to applicable laws and regulations, and will verify the legality of the source of such personal data.

2. To provide you with services

In order to provide you with services and to facilitate your access to your transaction status or records of previous transactions, relevant service providers will store necessary information generated or submitted when you apply for or use the relevant services.

3. To assess business risks

In order to provide you with better services, to safeguard against risks arising from your use of services or to assess liability for breach of contract, you authorize relevant service providers to access your credit information (e.g., credit rating or credit report) from Sesame Credit Management Co., Ltd. and other credit agencies in the context of certain businesses. Relevant service providers will explain to you in the relevant users’ service agreements should they need to collect your credit information.

4. To prevent risks and ensure security

In order to reinforce the security when you use the services and prevent unauthorized access by lawbreakers to your funds or personal data, relevant service providers need to record the type and method of services you use, the operating information when using the services such as your device model, your IP address, the version of the software of your device, your device identity number, the device identifier, your location, your habit of using the Internet and other log information regarding the services. You may not be able to complete the relevant risk control verification if you do not agree to provide such information.

5. To provide personalized services and improve the quality of services

In order to improve your experience of our services and to improve the quality of our services or to recommend you even better or more suitable services:

(1) you may choose voice input using your microphone (e.g., voice message and voice search). When you use such features, relevant service providers may need to collect and process the contents of such voice;

(2) you may authorize the provision of your location information so as to accept recommendation of personalized services based your location; and

(3) relevant service providers will collect relevant information regarding your search history when you use the services, the information you provided when you contact the customer service, and information about your responses to our questionnaires.

6. In order to comply with relevant laws, regulations and national standards, it may be necessary for us to collect and use your personal data without seeking your consent under the following circumstances:

(1) directly related to national security and defense;

(2) directly related to public safety, public health and major public interests;

(3) directly related to criminal investigation, prosecution, trial and enforcement of judgment;

(4) the life, property or other material legitimate rights and interests of you or others need to be protected but it is difficult to obtain consent from you;

(5) the personal data thus collected is disclosed to the public by yourself;

(6) the personal data is collected from the information legitimately disclosed to the public, such as legitimate news reports, or government information disclosure;

(7) it is necessary in order to execute and perform relevant contracts upon your request;

(8) it is necessary in order to protect the secure and stable operation of the services provided, such as identification and dealing with any failure of the products or services; and

(9) any other circumstances provided in applicable laws and regulations.

How we use cookie, beacon, proxy and other technologies

For easier user experience, we may identify you through small data files when you visit the website of Ant Financial or use any service provided by Ant Financial, which could save you the trouble of repeatedly entering login information or help to determine whether your account is safe. Such data files may include cookies, flash cookies or other local storages provided by your browser or linked applications (collectively referred to as “cookies”). Please understand that some of our services are only available through cookies. You can change the cookie acceptance level or refuse our cookies if it is allowed by your browsers or browser add-ons. The “Help” section of the toolbar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, and how to disable cookies altogether. Additionally, you can disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on settings or by visiting the website of the developer. However, such actions may under certain circumstances affect your secure access to the website of Ant Financial or use of services provided by Ant Financial.

In addition, our website may include some electronic images (referred to as “single-pixel GIF files” or “web beacons”). Through web beacons, a website can help to calculate the number of users visiting the webpage or access some cookies. Relevant service providers will use web beacons to collect data regarding your webpage browsing activities, such as webpage address visited by you, the reference page previously visited by you, your browser environment and your display settings.

If you use any service provided by any third party other than Ant Financial through our website or APP, we are unable to guarantee that such third parties will take protective measures as required by us. To keep your account secure and for safer user experience, we may use a private network protocol and proxy technology (referred to as “private network channel” or “network proxy”). With the private network channel, we can help you identify high risk sites that are already known to us and thus reduce risks associated with phishing and account breaches arising from those sites. The private network channel can also better protect the common rights and interests of you and third parties by preventing lawbreakers from tampering with the services expected by you and the third party, including advertisements injection and illegal contents tampering caused by unsecure routers and illegal base stations. Meanwhile, relevant service providers may obtain and preserve information about your computer, such as IP address and hardware ID.

How we store and protect personal data

1. Personal data collected and generated by us within the People’s Republic of China will be stored in the People’s Republic of China (the “PRC”). If relevant service providers are required to transmit to any overseas institutions relevant personal data collected within the PRC in case of any cross-border businesses involved in certain products, relevant service providers will follow the provisions of applicable laws and regulations and regulatory requirements, and will require such overseas institutions to keep confidential your personal data thus received by executing relevant agreements, on-site inspections and other effective measures. We will only preserve your personal data for the period necessary for the purposes set forth in the Policy and within the timeframe required by laws and regulations and regulatory requirements.

2. We undertake to maintain our data protection at a leading security level. To safeguard your personal data, we are dedicated to exploiting various security technologies and supporting management systems to reduce the risks of your data being divulged, corrupted or lost, misused, revised, accessed or disclosed without authorization, including encrypted data transmission and storage by using network Secure Sockets Layer (SSL), strictly restricting access to the data center and using private network channels and network proxies. We have established a department responsible for personal data protection, developed a relevant internal control system, and adopted the authorization principle of minimal and sufficient use by employees who may have access to your personal data. We systematically monitor the data processing activities of our employees, provide them with regular training on and raise their awareness to applicable laws and regulations and privacy and security guidelines, and organize on an annual basis employee exams on security. In addition, we engage external independent third parties to evaluate our data security management system annually.

3. We have formulated emergency plans for personal data security incidents, and regularly arrange relevant internal personnel to receive emergency response training and to conduct emergency exercise, so that they are able to master the responsibilities of their position and the strategies and procedures for emergency response. If, unfortunately, any personal data security incident occurs, relevant service providers will act in accordance with the laws and regulations and inform you in a timely manner of the basic information and possible impact of the security incident, measures taken or to be taken by relevant service providers, suggestions for you to take precautions on your own and to reduce risks, remedial measures taken for you, etc. Relevant service providers will promptly update you on the status of the incident by APP push notification, email/SMS, etc. Where it is difficult to inform all personal data subjects individually, relevant service providers will take a reasonable and effective approach to make a public announcement. At the same time, relevant service providers will take the initiative to report, as required by the regulators, how the personal data security incident is being handled. If your legal rights and interests are compromised, relevant service providers shall bear the corresponding legal liabilities.

4. Please ensure that you keep your account login name and other identity elements in a safe manner. When you use the services, relevant service providers will identify you by your account login name and other identity elements. Once you divulge such information, you may suffer from losses and adverse legal consequences against you. If you find that your account login name and/or other identity elements may be or have been divulged, please contact the relevant service providers immediately so that the latter may take appropriate measures to avoid or mitigate the relevant losses therefrom.

5. Upon your termination of using a service, relevant service providers will stop collecting and using your information, except as otherwise provided by laws and regulations or required by regulatory authorities. If relevant service providers cease operations, relevant service providers will promptly stop collecting your personal data, and will inform you of the cease either on an individual basis or by making a public announcement, and delete or anonymize the personal data held by them.

How we use personal data

1. To comply with PRC laws and regulations and regulatory requirements, to provide you with services and to improve service quality, or to safeguard the security of your account and funds, relevant service providers will use your personal data under the following circumstances:

(1) Achieving the purpose set forth in “How we collect personal data” under the Policy;

(2) Sending you a service notification by relevant service providers to update you on the status of the services used by you;

(3) Using your information by relevant service providers for authentication, security, fraud monitoring, prevention or prohibition of illegal activities, risk mitigation, archiving and backup purposes to ensure the stability and security of the services;

(4) Reporting to the relevant authorities in accordance with laws, regulations or regulatory requirements;

(5) Inviting you to participate in customer survey and research in respect of various products or services;

(6) Conducting comprehensive statistical analysis and processing of your information to provide you with more accurate, personalized, smooth and convenient services, or to help assess, improve or design products, services and operational activities, etc. We may provide you with marketing notifications, commercial electronic messages or advertisements you may be interested in based on the above information. If you do not wish to receive such information, you may unsubscribe the same by following our guidelines.

2. When we use relevant information for any purpose other than those set forth herein, we will obtain your consent again in the form of confirmation agreements or document confirmation action in special circumstances pursuant to applicable laws, regulations and national standards.

How we disclose personal data

1. Share

I. Share for business

We undertake to keep your personal data confidential. Unless otherwise provided in applicable laws, regulations or by relevant regulators, your personal data will be shared with third parties only under the following circumstances. Such third parties include affiliates, cooperative financial institutions and other partners. Prior to providing such data to relevant third parties, relevant service providers will use commercially reasonable efforts to evaluate the legitimacy, justification and necessity of the collection of such data by the third parties. Relevant service providers will enter into relevant legal documents with the third parties and require the third parties, when using your personal data, to comply with the laws and regulations and procure the third parties to take security measures on your information.

(1) Some products or services may be provided by a third party or jointly by relevant service providers and a third party. Therefore, it is only possible to provide the products or services you need by sharing your information. For example, when you purchase any insurance through Ant Insurance platform, the operator of Ant Insurance platform needs to provide your information to relevant insurance institutions for the purpose of executing and performing relevant insurance contracts. Another example: when you purchase any finance products through Ant Fortune platform, the operator of Ant Fortune platform needs to provide its cooperative financial institutions with your valid ID information and contact details so as to enable you to comply with the compliance requirements involved in the purchase and to ensure accurate registration of your assets;

(2) If you elect to participate in any lottery, competition or similar promotional campaigns launched by relevant service providers together with a third party, relevant service providers may share the personal data which are generated during the campaign and which are necessary for completing the campaign with the third-party so that the third party can promptly award the prize or provide you with the services. Relevant service providers will in accordance with the requirements of applicable laws, regulations or national standards inform you, on the page explaining the rules of such campaign or in other ways, of the personal data to be provided to the third party if required;

(3) With your prior and express consent, to the extent permitted by applicable laws and regulations and without violation of public order and good custom, relevant service providers will share your information with third parties in accordance with your authorization.

II. Complaints handling

To protect the legitimate rights and interests of you and others, the relevant service provider may, when you lodge a complaint about others or are complained by others, provide your name and valid ID number, contact information, and the relevant contents of the complaints to the consumer rights protection authority and the regulatory authorities to resolve such complaints or disputes in a timely manner, except where expressly prohibited by laws and regulations.

2. Transfer

Relevant service providers will not transfer your personal data to any company, organization or individual, except:

(1) as explicitly consented by you in advance;

(2) as required by laws and regulations or mandatory administrative or judicial requirements;

(3) that in the case of asset transfer, acquisition, merger, reorganization or bankruptcy liquidation, if personal data transfer is involved, we will inform you of the transfer and require such company and/or organization that will possess your personal data to continue to be bound by the Policy. In case of change of purpose of using your personal data, we will require such company and/or organization to re-obtain your explicit consent.

3. Public disclosure

Except in the case of an announcement of the winners list for any marketing event where desensitized mobile phone numbers or account login names of the winners may be displayed, relevant service providers in principle will not disclose your information publicly. If public disclosure is required, relevant service providers will inform you of the purpose of such disclosure, the type of the information to be disclosed and the sensitive information that may be involved, and obtain your explicit consent therefor.

4. Delegation of processing

In order to improve efficiency, reduce costs or improve accuracy of information processing, relevant service providers may delegate to competent affiliates or other professional agencies to process user information on behalf of the relevant service providers, provided that relevant service providers will, by means of written agreements, on-site audit or otherwise, require the delegated company to comply with strict confidentiality obligations and take effective measures to prohibit such information from being used for purposes not authorized by you. Upon termination or rescission of the delegation, the delegated company will no longer preserve any personal data. Relevant service providers undertake to be liable therefor.

5. In order to comply with relevant laws, regulations and national standards, it may be necessary for us to share, transfer, or disclose your personal data without seeking your consent under the following circumstances:

(1) directly related to national security and defense;

(2) directly related to public safety, public health and major public interests;

(3) directly related to criminal investigation, prosecution, trial and enforcement of judgment;

(4) the life, property or other material legitimate rights and interests of you or others need to be protected but it is difficult to obtain consent from you;

(5) the personal data is disclosed to the public by yourself; and

(6) personal data is collected from the information legitimately disclosed to the public, such as legitimate news reports, or government information disclosure.

How you access and manage your personal data

1. We will take appropriate technical measures to ensure that you can access, update and correct your personal data. You may carry out the relevant operations by yourself based on the prompt provided on relevant pages or contact us through relevant customer service hotlines or online customer services.

2. In the event that you satisfy the conditions for account deregistration and you deregister an account in respect of a service, all your information in the account will be removed, and the relevant service providers will no longer collect, use or disclose any personal data in respect of the account, provided however that relevant service providers shall still keep the information provided by you or generated during your use of the service for the period required by regulatory authorities, and that competent authorities shall have right to inquire about the information during such period.

3. If you become aware that any collection or use of your personal data by relevant service providers is in violation of applicable laws and regulations or has breached any agreement with you, you can call the corresponding customer service hotlines or use the online customer services to request the deletion of the corresponding information.

4. Notwithstanding the foregoing, we may not be able to respond to your request under any of the following circumstances in accordance with applicable laws and regulations or national standards:

(1) directly related to national security and defense;

(2) directly related to public safety, public health and major public interests;

(3) directly related to criminal investigation, prosecution, trial and enforcement of judgment;

(4) there is sufficient evidence that you have malicious intents or have abused rights;

(5) the legitimate rights and interests of other individuals or entities will be severely damaged if any response is made to your request; or

(6) any trade secret is involved.

5. Ant Financial Group has established a privacy protection office (“Privacy Protection Office”). If you have any questions about the Policy or have any complaints or comments on the processing of your personal data, please contact us through relevant customer service hotlines or online customer services, and the customer service department, together with the Privacy Protection Office, will respond to you in a timely manner. We may need to verify your identity and credentials to protect your information security. We have established a customer complaint management mechanism, including a tracking process. In general, we will complete the processing within three business days once the verification is completed. In special cases, we will respond to you within no more than 30 days or such other period as prescribed by laws and regulations. If you are not satisfied with our response, you can file a complaint with the consumer rights protection authority or initiate legal proceedings in a court of competent jurisdiction.

Statement on third party liability

Please note that your counterparty under a transaction, any third party operator of a website that you visit, any third party which offers services through us (such as services provided by third parties in our APP), and third parties that receive your personal data through Ant Financial may have their own privacy policies; when you browse webpages created by third parties or use applications developed by third parties, these third parties may place their own cookies or pixel tags that are beyond our control and without being subject to the Policy. We will use commercially reasonable efforts to require these entities to take measures to protect your personal data, but we cannot guarantee that these entities must take protective measures as requested by us. You are kindly asked to contact these entities directly to understand details of their privacy policies. If you find that there exists any risk in webpages created by or applications developed by these third parties, you are recommended to cease the use to protect your legal rights and interests.

Special provisions on privacy rights of minors

1. We expect parents or guardians to provide guidance to minors in using the services. We will protect the confidentiality and security of minors’ personal data in accordance with applicable laws and regulations of the country.

2. If you are a minor, it is advisable to ask your parent or guardian to read the Policy and use our services or provide your information with consent from your parent or guardian. In the event that your information is collected with the consent of your parent or guardian, relevant service providers will only use or publicly disclose such information to the extent permitted by law, expressly agreed by your parent or guardian or as necessary to protect your rights and interests. If your guardians disagree to your use of our services or provision of information to us in accordance with the Policy, please cease immediately the use of our services and notify relevant service providers promptly so that relevant service providers can take appropriate actions.

3. If you, acting as a parent or guardian of a minor, have any questions in respect of the personal data processing for the minor under your guardianship, please contact us as set forth above.

Application and revision of the policy

Unless there is a separate privacy policy for relevant services (e.g., the Alipay Privacy Policy) or there are any special provisions in the relevant users ‘service agreement, the Policy is applicable to all the services of Ant Financial.

We may update the Policy in due course upon any significant changes as follows:

(1) Changes in our basic situation, such as: changes in ownership arising out of any mergers, acquisitions and restructuring;

(2) Changes in the scope, purpose and rules of collecting, storing and using personal data;

(3) Changes in the object, scope and purpose of disclosing personal data;

(4) Changes in the way you access to and manage your personal data;

(5) Changes in data security capabilities and information security risks;

(6) Changes in the channels and mechanisms for user inquiries and complaints, and in external dispute resolution agencies and the contacts thereof;

(7) Other changes that may have a material effect on your rights and interests in respect of your personal data.

If the Policy is updated, due to the large number of our users, we will notify you by means of APP push notifications, emails/SMS or announcements on our official website. In order for you to receive such notifications in a timely manner, it is advisable that you notify us promptly upon any update of your contact information. If you continue to use relevant services after the Policy updates become effective, you are deemed to have fully read, understood and accepted the updated Policy and be willing to be bound thereby.  

You may view the Policy on the homepage of our official website.

Definitions of key terms used in the policy

1. For the purpose of the Policy, “Ant Financial” means: Ant Small and Micro Financial Services Group Co., Ltd. and affiliates of Ant Small and Micro Financial Services Group Co., Ltd., including Jifenbao Nanjing Enterprise Management Co., Ltd., Ant Zhixin (Hangzhou) Information Technology Co., Ltd., Chongqing Ant Shangcheng Micro Loan Co., Ltd., Chongqing Ant Xiaowei Micro Loan Co., Ltd., Shangrong (Shanghai) Commercial Factoring Co., Ltd., Hangzhou Zisheng Information Technology Co., Ltd., Ant Dake (Shanghai) Equity Crowdfunding Services Co., Ltd., Hangzhou Ant Shangshu Information Technology Co., Ltd., Ant (Hangzhou) Fund Sales Co., Ltd., Ant Wealth (Shanghai) Financial Information Services Co., Ltd., and Ant Shengxin (Shanghai) Information Technology Co., Ltd. “Affiliate” means any company or legal entity controlled by, controlling or under common control with, a party currently or in the future, and legal successors of such company or legal entity.

2. For the purpose of the Policy, “identity elements” mean the information used by relevant service providers to verify your identity, such as your account login name, password, SMS verification code, telephone number, mobile number, ID number and biometric identification information (such as fingerprint and face information).

Advertisement

In order to facilitate your access to quality, convenient, efficient and personalized services, we may display programmatic advertisements to you on some pages based on your data. You may learn more on the setting page of the programmatic advertising display.

The Chinese version of this Policy shall prevail if there is any inconsistency between the English version and the Chinese version of this Policy.