1. Organization: Lollipop Technology (Hangzhou) Co., Ltd.

2. Processing purposes

2.1 Our company operates and sells in the female health market by offering hardware (e.g., smart health products) and software (e.g., apps) and combines AIoT (Artificial intelligence of Internet of Things) technology for users to quantify and manage health and access digital health services.

2.2 Therefore, the processing purposes for business and operation can be generalized as follows: data investigation and analysis (outputs containing only conclusive numbers and texts, without personal data); user data management and records; spending habits; app optimization; product distribution and delivery; product maintenance and optimization; and user services and correspondence.

2.3 It is worth noting that our company also processes user data for marketing and advertising purposes. If you do not consent, please use the app function or directly contact privacypolicy@lollitech.com. We will handle it as soon as possible, to ensure your personal data is no longer processed for marketing or advertising purposes.

3. Legal basis for processing

The purposes stated in the second point above are to operate the hardware or software for users and the legal basis for personal data processing is contractual relations such as the service agreement with app users; legal relations with regard to hardware purposes; and acquisition of consent from data subjects (e.g., privacy policy or privacy statement).

4. Types of personal data: The personal data processed by our company for processing purposes and on legal basis comes in the following types:

4.1 General data: names, passwords, contact information (such as emails) and regions of app users

4.2 Personal features: photos, gender, height and weight

4.3 Device data: IMEI, IP address, hardware product number, smart device brands and software information, cookies

4.4 Health data: menstruation cycles, pregnancy, diseases, eating habits or other physical conditions

4.5 Sexual activity data

5. Sources of personal data

5.1 The personal data retained by our company primarily comes from the personal data provided by users.

5.2 Our company also commissions third parties to assist the collection of consumers’ browsing or experiencing data on social media (e.g., Facebook or other similar platforms) and transmit such data to our company, so that we can profile and compare such data and the data internally retained to identify our app users. This enables investigation, statistics and analysis of marketing channels and assessment of resource investment precision.

5.3 Our software (such as apps) uses service analytics tools to track advertisements and service flows and applies the SDK technology to collect usage data. However, we do not accept or request for any personal data, or use such data independently or jointly with other data for identification of any individuals.

6. Disclosure of personal data or sharing data with other companies or individuals

6.1 Our company does not disclose or share the collected personal data of any users with other companies or individuals.

6.2 As explained in 5.3, our software (such as apps) uses service analytics tools to track advertisements and service flows and applies the SDK technology to collect usage data. However, we do not disclose or share any user’s personal data in the process with other companies or individuals.

7. Cross border transfer

7.1 The personal data provided by users in Europe to access our software (e.g., apps) is stored on Amazon Web Services’ servers in Frankfurt. Unless with prior consent from data subjects, we do not transfer personal data to outside the European Economic Area (EEA).

7.2 The personal data provided by users in the U.S. to access our software (e.g., apps) is stored on Amazon Web Services’ servers in the U.S. Unless with prior consent from data subjects, we do not transfer personal data to outside the U.S.

8. Retention period of personal data

Unless otherwise requirements by local laws, the setup of our retention period for personal data is based on the following three principles:

8.1 Disappearance of the purposes of business operation described in 2.1

8.2 No login by data subjects for five years to access software (e.g., apps) and use relevant functions

8.3 Data subjects’ exercise of the right to erasure

9. Rights exercised by users and exercise routes

Our company offers data subjects the exercise of the following rights. If you wish to exercise any of these rights, please email privacypolicy@lollitech.com to provide information, so that we can proceed internally.

9.1 Identity confirmation

Our company will ask to confirm the identity of data subjects in response to any request issued. This is to verify whether you are the data subject who has the right or is the authorized person, so as to ensure the personal data retained by our company is not erroneously disclosed or provided to third parties, correct

9.2 Right of access

Data subjects may request our company to provide their own personal data free of charge. However, this may be declined in event of special circumstances or statutory situations.

9.3 Right to rectification

If a data subject believes that his/her personal data retained by our company is inaccurate or incomplete, he/she may request our company for supplement or rectification to complete his/her personal data. This right may be exercised in conjunction with the right to restriction of processing, to ensure that inaccurate or incomprehensive personal data is not processed before rectification.

9.4 Right to restriction of processing

In case of the following circumstances, data subjects may request our company to stop processing their personal data. Whilst our company will retain such personal data, it will not be processed further.

9.4.1 Personal data incomplete or inaccurate

9.4.2 Illegal processing of personal data

9.4.3 No more necessity for our company to process the personal data but retention of such data required by certain laws and regulations

9.4.4 Objection raised and request submitted by data subjects to restrict the processing until the confirmation of processing status

9.5 Right to erasure

If the processing purposes have disappeared, a request may be submitted to our company for erasure of personal data. Our company will adopt reasonable measures to ensure the erasure of such data.

9.6 Right to object

Data subjects may refuse our company’s processing of personal data for the following circumstances:

9.6.1 Marketing and advertisement broadcasting

9.6.2 The services provided by our company do not use automated profiling or decision-making functions. In case of any concern with services or data utilization, you are welcome to email and get in touch with our company.

9.7 Right to data portability

You as data subjects may consent and request our company for duplication of your personal data. Our company will provide the data in a structured, commonable used and machine readable format.

9.8 Right to withdraw the consent

Data subjects may request, at any time, our company to withdraw consent for processing of personal data. Once our company has accepted the indication, we will no longer process their personal data. Please note that the indication by data subjects to withdraw consent does not affect the legality of our company’s processing of data based on the original consent.

10. Security measures

Our company adopts all the necessary technologies and organizational security measures to protect personal data and stores such data in a secure operating environment without open access. Where possible, we use encryption technology to protect personal data during transmission.

Please note that no website, transmission, system or technological equipment is absolutely secure, despite all the reasonable measures taken by our company for data protection. In the unfortunate event of personal data leakage or damage, our company will inform data subjects as soon as possible in an appropriate manner.

11. Impact on our services rendering due to users not providing personal data

11.1 If personal data is not provided or personal data provided is incomplete, our company may postpone or may not proceed on time with the following procedures:

11.1.1 Software functions only available to specific registered accounts

11.1.2 Information about newest products and functions of such products

11.1.3 Correspondence for warranty or maintenance services

11.1.4 Exercises rights mentioned in this policy, make a complaint or consult on personal data process or protection

11.2 Please note that our company still collects personal data for trials (try-it-out mode) of our software, in order to maintain the basic functions provided by software services and for user experience under the trial (Get Started) mode.

12. Contact us: In case of any questions, suggestion, complaints or opinions regarding this Privacy Policy or our company’s processing of personal data, please email privacypolicy@lollitech.com to get in touch with our company.

Lollipop Technology (Hangzhou) Co., Ltd.

GDPR Compliance Officer

Xiang Xiaotong

13. Our company maintains confidentiality in the dealing of any questions, suggestion, complaints or opinions raised. You are cordially reminded that you may file a complaint with local regulatory bodies governing data privacy should you be dissatisfied with the way our company processes personal data and handles complaints, or your privacy has been or might be infringed.

14. Revision of Privacy Policy

Our company strives to maintain the accuracy and truthfulness of this policy. Therefore, we reserve the right to update our company’s Privacy Policy anytime if necessary and without further notices. You are advised to check anytime or regularly whether our Privacy Policy has been updated.

15. This policy was formulated on June 25, 2021.