Privacy Policy
RingConn Privacy Policy
Last updated and effective: October 22nd, 2024
You can view this Privacy Policy in the RingConn App and/or at the bottom of our website (https://www.ringconn.com).
This Privacy Policy covers:
1. Introduction
2. What data we collect
3. How we use your data
4. Legal basis for processing data
5. Policy for children
6. How data is shared and disclosed
7. How we store and transfer data
8. How we safeguard your data
9. Data retention
10. What are your rights
11. Policy for European users
12. Policy for California users
13. Update to this privacy policy
14. Severability
15. Dual language
16. SDK partners
17. Who we are and how to contact us
18. Vulnerability Handling Strategy
1. INTRODUCTION
Shenzhen Ninenovo Technology Limited, a company established under the laws of the People’s Republic of China, or a Ninenovo-affiliated company (collectively “RingConn”, “we” or “us”), knows how important privacy and personal data are to our customers.
This Privacy Policy is meant to help you understand what data we collect, why we collect it, how we process, store and protect it and how you can update, manage, export, and delete your data. Please take a moment to carefully review this policy.
This Privacy Policy applies to personal data collected and processed by us through our “Services”, which include: our RingConn devices (“Devices”), Application (“App”), websites, software, APIs, emails, newsletters and our services.
By clicking “Agree” in the "Personal Information Protection Guidelines" when installing our App, you give consent to our processing of your data in accordance with this Privacy Policy and the applicable laws, and you give consent to and agree to be bound by the terms and conditions of this Privacy Policy.
If you do not agree with the terms contained herein, please do not use our Services.
2. WHAT DATA WE COLLECT
When you use our Services, we collect the following types of data.
2.1 RINGCONN DEVICE DATA
Your RingConn device collects measurement data to estimate a variety of metrics: PPG sensors data, accelerometer data and your skin temperature data. We use the measurement data to calculate and generate data like heart rate, heart rate variability, respiratory rate, calories burned, sleep phases, step count, stress levels and activity intensities throughout the day.
When your RingConn device synchronizes with our App or software, data recorded on your device is transferred from your device to our servers.
2.2 APP DATA
When you access or use our Services, we collect data about App activity, including information about your interactions with our Services:
2.2.1 Device Information: synchronised RingConn device information, information about the mobile terminal device on which the Application is installed (including device and Application identifiers), IP address information, browser type information, system language information.
2.2.2 App activity: application interaction information, in-app search history, other user-generated content, other user activity information.
2.2.3 Application information and performance: crash logs, application performance diagnostic information, other application performance data.
Some of our integrated third-party SDKs may collect mobile device parameters and system information, App logs, Location information (depending on the permissions you grant us), etc., in the course of their normal operation. For information collected by third-party SDKs, please refer to the description in section "16. SDK partners".
Some of our integrated SDKs may collect device MAC address and software installation list information during their normal operation. However, please note that we do not authorise or require these SDKs to collect such information.
2.3 LOCATION DATA
If you enable, access, or use any of our location-based services, such as by enabling GPS-based activity tracking through your App, we may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, GPS, and/or Wi-Fi data.
We request location permissions only to ensure the normal connection and data transmission of Bluetooth devices and the normal use of some third-party SDKs.
We do not process such location data without first obtaining your consent. You may disable such location processing at any time by using your mobile device’s location permission settings. We may also derive your approximate location from your IP address.
2.4 DATA YOU PROVIDE
To create an account on our Services, you may provide us with data that includes: your user name, year and month of birth, gender (female, male or you choose not to disclose), height, weight, email address, mobile telephone number, password and country information. This is the data you have to provide to create an account with us. You may also choose to provide other types of information, such as a profile photo. If you contact us or participate in a survey, contest, or promotion, we collect the data you submit such as your name, contact information, and message.
If you enable the "Menstrual Cycle Tracking" feature in the Application and have agreed to our Privacy Notice, you agree to provide us with the following data: menstrual cycle timeline, typical period length etc. when you first participate in the questionnaire; menstrual cycle timeline, symptoms, flow level, whether you drink alcohol or take medication, and data on the measurements and metrics that you authorise us to collect from your RingConn device. You consent to the collection of this data in order for us to provide you with a complete service; if you do not consent to the collection of this data, please do not activate the "Menstrual Cycle Tracking" feature and opt out of our Privacy Notice.
If you enable the "Sleep Apnea Monitoring" feature in the Application and have agreed to our Privacy Notice, you agree to provide us with the following data: height, weight, age, BMI, sex, neck circumference, medical history, OSA symptoms, sleep quality etc. For the purpose of generating an OSAHS assessment report, we use the data you provide about sleep quality, OSA symptoms, etc., and you authorise us to collect measurement data and generate metrics data from your RingConn device. You consent to the collection of this data in order for us to provide you with a complete service; if you do not consent to the collection of this data, please do not activate the "OSAHS" feature and opt out of our Privacy Notice.
2.5 DATA FROM THIRD PARTIES
When you choose to access our Services via a Google or Apple account, we collect the account name and profile photo.
3. HOW WE USE YOUR DATA
We use the data we collect for the following purposes.
3.1 To provide and maintain our Services
We process personal data to provide our Services. For example, to provide you with daily insights about your heart rate variability, sleep, and activity.
There may be automatic or associated startup actions (depending on the notification permissions you grant us), primarily used for sending notifications, including reminders and other information related to the app's functionality, to enhance the user experience and ensure that you receive important information promptly.
3.2 To improve and develop our products and services
We use third-party SDKs to optimise our products and services, including to enable application crash detection, push notifications, third-party account login, location, maps and navigation. Please refer to section "16. SDK Partners" in this Privacy Policy to learn about the privacy policies of third-party SDKs.
We process data about your use of RingConn devices and App with the help of the Sensors Data SDK, which may collect data including Device information, App logs, Location information (IP address resolved location information, GPS location information), App identifier information, ANDROID ID. This data is collected to improve our services and develop new features. When possible, we will do this using only pseudonymized, aggregated, or non-personally identifiable data.
In the event that you agree for us to access your location data, and in the event that you agree to enable the positioning, mapping and navigation features in the App, we will provide you with the relevant services with the help of third-party mapping SDK(s), which may collect data such as your location information, device information, device parameters and system information.
3.3 To provide customer service
We process personal data for the purpose of providing customer service and managing our customer communication. If you contact our customer support with questions regarding your app data, we may use the provided data to answer your questions and for solving any issues you may have.
3.4 To comply with statutory obligations
In certain cases, we must process certain data when it is required by applicable laws and regulations. Such statutory obligations are related, for example, to accounting and tax requirements, legal claims, or other legal purposes.
4. LEGAL BASIS FOR PROCESSING DATA
Our lawful basis for processing your data depends on the particular processing purposes, including:
4.1 Contract
When processing personal data for the purpose of providing Services, we process it on the basis of a user contract, which is formed when you create your account and accept our terms and conditions.
4.2 Consent
We process your health-related data only with your consent. Please note that some of the personal data we process, including any data concerning your health, is considered special or sensitive personal data. Under applicable law, such data is processed only if you have given your consent for processing.
4.3 Legitimate Interest
We process your personal data based on our legitimate interests when we process it for the purposes of marketing our products and services, providing our customer service and improving our products and services. When choosing to use your data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy, in compliance with applicable law.
4.4 Legal obligation
We must process certain information to comply with statutory obligations which may vary in each country.
5. OUR POLICY FOR CHILDREN
Persons under the age of 18, or any higher minimum age in the jurisdiction where that person resides, are not permitted to create RingConn accounts. If we learn that we have collected the personal data of a child under the relevant minimum age, we will take steps to delete the data as soon as possible. Parents who believe that their child has submitted personal data to us and would like to have it deleted may contact us (see “How To Contact Us” below).
6. HOW DATA IS SHARED AND DISCLOSED
We do not sell personal data of our users. We do not share your personal data except in the limited circumstances described below.
6.1 FOR EXTERNAL PROCESSING
We share your personal data with certain trusted partners, including our affiliates, service providers, and other partners, so that we can provide you with our services and operate our business. (For affiliates, service providers and other partners currently involved in this situation, please refer to section "16. SDK Partners" of this Privacy Policy.) We require our partners to process your personal data based on our instructions, and in compliance with this policy and any other appropriate confidentiality and security measures. We also require these partners to protect your personal data to at least the same standards that we do.
We use external processing services such as:
(1) storing our users’ data;
(2) providing customer services;
(3) managing and organizing our marketing activities. We only share website usage data with our advertising network partners for the purposes of analyzing and optimizing our marketing. We do not share the health-related data or other sensitive personal data with third party advertisers.
(4) analyzing information regarding the use of our online service to improve our service quality.
6.2 WHEN YOU AGREE OR DIRECT US TO SHARE
You may direct us to disclose your information to others, for example, when you give a third-party application such as Apple Health or Google Fit permission to access your data, and we may share your data with this third party based on your requirements. Remember that their use of your data will be governed by their privacy policies and terms. Please carefully read their latest policies and terms. You can revoke your consent to share with third-party applications by using your account settings. We also reserve the right to disclose personal data when we have your express consent to do so.
RingConn's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
RingConn will use:
https://www.googleapis.com/auth/fitness.sleep.write
https://www.googleapis.com/auth/fitness.sleep.read
https://www.googleapis.com/auth/fitness.heart_rate.write
https://www.googleapis.com/auth/fitness.body_temperature.write
https://www.googleapis.com/auth/fitness.oxygen_saturation.write
https://www.googleapis.com/auth/fitness.body.write
https://www.googleapis.com/auth/fitness.activity.write
to write health data to Google Fit, including sleep, activity, body, blood oxygen, heart rate and other information, so that users can view the data generated by the ring through Google Fit, and synchronize the health data with Google Fit.
6.3 FOR LEGAL REASONS
We reserve the right to disclose personal data to protect our legal rights and property; and to comply with valid legal requirements.
We may preserve or disclose data about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person.
We may share non-personal data that is aggregated so that it cannot reasonably be used to identify an individual with or without combining additional information. We may disclose such data publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking data we provide to users of our subscription services.
We will not transfer your personal information to any companies, organisations or individuals, except in the following circumstances:
a) Transfer with explicit consent: We will transfer your personal information to other parties after obtaining your explicit consent;
b) In cases involving merger, acquisition, or sale of assets, we will continue to take measures to protect the personal data privacy and give affected users notice before transferring any personal data to a new entity. Where a transfer of personal data is involved, we will require the new entity to continue to be bound by this privacy policy before we requested to seek independent consent from you to collect and process your data.
7. HOW WE STORE AND TRANSFER DATA
We process and back up personal data through a global operating and control infrastructure. Currently, we use cloud services deployed in the United Kingdom for processing personal data of users from the United States, United Kingdom and EEA.
We rely on multiple legal bases to lawfully transfer personal data around the world. These include your consent and EU Commission approved model contractual clauses, which require certain privacy and security protections. You may obtain copies of the model contractual clauses by contacting us. We are subject to the oversight of the US Federal Trade Commission and remain responsible for personal data that we transfer to others who process it on our behalf as described in “HOW DATA IS SHARED AND DISCLOSED” section.
In cases where personal data is processed outside of the jurisdiction in which it was collected, we always ensure your personal data is protected with appropriate safeguards in accordance with applicable privacy and data protection laws. Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a RingConn account and click “I agree” to data transfers.
If you have a complaint about our international data transfer, please contact us by means described in “HOW TO CONTACT US” section. You may make a complaint to the competent regulatory authority in your jurisdiction.
8. HOW WE STORE, TRANSMIT AND RETAIN YOUR DATA
As we provide our Products or Services through resources and servers around the world, by submitting your consent to this Privacy Policy, you agree that:
(1) If you use our Services, the personal information we collect from and generate in the People's Republic of China will be stored on servers in the People's Republic of China;
(2) If you use our Services, the personal information that we collect and generate outside the People's Republic of China will be stored on servers outside of the People's Republic of China, including in jurisdictions other than the one in which the data was collected, or subject to access from such jurisdictions;
(3) Currently, we use cloud servers deployed in the UK to process personal data of users in the United States, the United Kingdom and the European Economic Area (EEA).
Where personal data is processed in a jurisdiction other than the one in which it was collected, we will always ensure that your personal data is appropriately protected in accordance with applicable privacy and data protection laws. You are aware and fully understand that different jurisdictions have their own regulatory requirements for the collection, storage, use, and sharing of data and processing of personal information and may have lesser protections than the laws in your jurisdiction. When you create a RingConn account and click "I agree" to data transfers, you agree to assume this risk.
We may provide your personal information to third party entities (located in or outside of the country where the data was collected) after fulfilling our obligations under the law: (1) as expressly required by applicable law; and (2) with your sole consent. In the foregoing cases, we will keep your personal data secure as required by law in accordance with this Privacy Policy.
By submitting your consent to this Privacy Policy, you agree to enable third-party SDK services (see section "16. SDK Partners" in this Privacy Policy), and that we will store, transfer and retain personal and non-personal data collected in accordance with the requirements of the third-party's privacy policy.
The retention period for your personal data generally depends on the duration of your RingConn account lifecycle. Your personal data will be deleted when it is no longer needed for the purpose it was originally collected, unless we have a legal obligation to retain data for a longer period of time. For example, your measurement data regarding your sleep, stress and activity is stored only so long as your RingConn account is active.
We also have legal obligations to retain certain personal data for a specific period of time, such as for tax purposes. These required retention periods may include, for example, accounting and tax requirements, legal claims, or for any other legal purposes. Please note that obligatory retention periods for personal data vary based on the relevant laws.
If you wish, you may request deletion of your RingConn account by contacting data_protect@ringconn.com.
9. HOW WE SAFEGUARD YOUR DATA
We use technical and organizational safeguards to keep your data safe and secure. Where appropriate, these safeguards include measures such as anonymization or pseudonymization of personal data, strict access control, and the use of encryption to protect the data we process. We also use industry standard data protection measures to safeguard all international transfers of personal data through data protection agreements with our service providers. However, no method of transmitting or storing data is completely secure. If you have a security-related concern, please contact us by means described in “HOW TO CONTACT US” section.
We also ensure that our staff receives adequate training to ensure personal data is processed only in accordance with our internal policies, consistent with our obligations under applicable law. We also limit access to your sensitive personal data to personnel that have specifically been granted such access.
We regularly test our service, systems, and other assets for possible security vulnerabilities. We also update the RingConn App and the RingConn device firmware regularly. We recommend that you make sure that you always have the latest App and firmware versions installed in order to maximize protection of your data.
If you enable the "Shared with friends and family" feature in the Application and have agreed to our Privacy Notice, you consent to us sharing your weekly health report data, sleep data, activity data, stress data, vital sign data, high heart rate abnormalities, including measurements and metrics collected by your RingConn device and data you provide to us in the course of your use of the Application, with other registered users of the Application whom you have designated to be invited. Shared with friends and family is accomplished through the creation of a share link that is a one-time effective link for each single invitation you share with another Application user, and you may choose to stop sharing your weekly health report data, sleep data, activity data, stress data, vital sign data, high heart rate abnormalities with other users by removing any user from your sharing list, which is under your sole management. You consent to the sharing of these data in order for us to provide you with a complete service; if you do not consent to the sharing of these data, please do not activate the "Shared with friends and family" feature and opt out of our Privacy Notice. When you choose to remove any user from your sharing list, the historical report data that you have shared with other users will no longer be accessible by the removed user. YOU AGREE THAT WHEN YOU ARE INVITED BY ANOTHER REGISTERED USER TO ACCESS ANOTHER PERSON'S WEEKLY HEALTH REPORT DATA, SLEEP DATA, ACTIVITY DATA, STRESS DATA, VITAL SIGN DATA, HIGH HEART RATE ABNORMALITIES, YOU SHOULD NOT DISCLOSE, TRANSMIT, COPY, DOWNLOAD OR OTHERWISE SHARE THE USER'S DATA WITH OTHER INDIVIDUALS OR ORGANISATIONS THAT HAVE NOT BEEN AUTHORISED BY THE USER, AND THAT ANY ACTIONS THAT RESULT IN A VIOLATION OF PRIVACY LAWS ARE NOT ENCOURAGED OR PERMITTED, AND THAT WE WILL NOT BE RESPONSIBLE FOR ANY LEGAL LIABILITIES THAT MAY ARISE FROM ANY OF YOUR INAPPROPRIATE ACTIVITIES.
10. WHAT ARE YOUR RIGHTS
10.1 YOUR RIGHTS UNDER APPLICABLE LAWS
You have rights and choices regarding your data under applicable laws. Some of these rights apply generally, while others will only apply in certain circumstances. Depending on the scenario, these rights may be subject to some limitations. Please note that if you exercise some of the following rights, for example, by withdrawing your consent to our Privacy Policy, we may not be able to maintain our Services to you.
You may choose to exercise the following rights about your data:
(1) Right of confirmation and access. You can ask us to confirm whether your data has been processed, or request access to your data and receive a copy of personal data we have collected and stored about you.
(2) Right of rectification. You can update, rectify or change your data in the account settings of App. You can ask us to update, rectify or change your data where that data is not accurate.
(3) Right of erasure. You have the right as provided by applicable laws to request us to erase, destroy, or anonymize your personal data. You may request us to cease the supply of personal data to a third party under certain circumstances according to applicable laws.
(4) Right of portability. You have the right to data portability in circumstances where we rely on contractual necessity and consent as our legal basis. This means that you have the right to receive your data in a structured, commonly used, and machine-readable format and to share it with a third party.
(5) Right to withdraw consent. You can withdraw consent to the processing of personal data based on your consent, unless such withdrawal is restricted by the law or by contract. However, withdrawal does not affect the legitimacy and effectiveness of how we process your personal data based on your consent before the withdrawal is made.
a. You can withdraw your consent in the account settings of your App;
b. If you want to unsubscribe from the electronic communications, please see your notification settings under account settings of your App to control our marketing communications to you.
(6) Right to object or restrict processing. You have the right to object to or restrict our processing of your data in certain circumstances, relying on legitimate interest or public interests on the basis of applicable laws. For example, according to applicable laws, you may require us to cease or not to begin processing your personal data for purposes of direct marketing. You may object to decision-making based solely on automated processing related to your profile, under certain circumstances according to applicable laws.
In submitting an objection or restriction request, you should explain what specific processing activity you are objecting to or should be restricted, and why the processing should be stopped. We will stop the particular processing if we don’t have compelling legitimate grounds to continue that processing or don’t need it for legal claims.
10.2 HOW TO EXERCISE YOUR RIGHTS
You may exercise these rights by logging into your account and using your account settings, or contacting us as specified in the “How To Contact Us” section in writing or by other means permitted by applicable laws.
We will ensure you can exercise your rights in accordance with the applicable laws. Depending on the applicable laws, there may be situations where we may refuse your requests, for example, when refusing is pursuant to a court order, or exercising your rights would adversely affect the rights and freedom of others.
When you need to exercise your rights, we may ask you to authenticate your identification, such as through your RingConn account.
Normally, you don’t have to pay us when you’re exercising your rights under the applicable laws; however, we reserve the right to charge you a reasonable fee for the processing of any data access, correction request or other scenarios where charge of fee is permitted by applicable laws.
We will respond to your requests within the time limits provided under applicable laws in the country/region of your residence.
If you have any questions regarding this Privacy Policy or about exercising your rights, you may send your request in writing to the email address we provide below in “How to Contact Us”.
If you are of the opinion that the processing of your personal data by us is not in compliance with this Privacy Policy or applicable laws, you have the right to make a complaint to the competent regulatory authority in your jurisdiction.
11. POLICY FOR EUROPEAN USERS
If you live in the European Economic Area (EEA), United Kingdom (UK) or Switzerland, please review these additional privacy policy terms under the European Union’s General Data Protection Regulation (“GDPR”).
11.1 YOUR DATA CONTROLLER
Shenzhen Jiu Zhi Technology Co.Ltd, a company established under the laws of the People’s Republic of China, is your data controller and provides the Services if you live in the EEA, UK or Switzerland. For our contact information, please see the How To Contact Us section.
11.2 HEALTH AND OTHER SPECIAL CATEGORIES OF PERSONAL DATA
To the extent that data we collect is health data or another special category of personal data subject to the GDPR, we ask for your explicit consent to process the data. We obtain this consent separately when you take actions leading to our obtaining the data, for example, when you pair your device to your account. You can use your account settings in App and settings in your mobile device to withdraw your consent at any time, including by unpairing your device, or deleting your data or your account.
11.3 HOW TO EXERCISE YOUR LEGAL RIGHTS
Please review the “WHAT ARE YOUR RIGHTS” section for how you may exercise your rights under GDPR.
Under the GDPR, you have a general right to object to the use of your data for direct marketing purposes. Please see your “Reminder Settings” under “Me” in App to control our marketing communications to you about our Services.
12. POLICY FOR CALIFORNIA USERS
If you are a California resident, please review these additional privacy policy terms under the California Consumer Privacy Act ("CCPA").
12.1 HOW WE COLLECT, USE AND SHARE YOUR INFORMATION
Where a customer interacts with our Services, we collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device, defined as “Personal Information” under CCPA.
Information about the categories of personal information we collect, the purposes for which your personal Information is processed, and any sharing of your personal information can be found from relevant sections of this privacy statement above.
We never sell (in the manner defined by CCPA) the personal information of our users.
12.2 CALIFORNIA CONSUMER RIGHTS
If you are a California resident, you have certain rights under the CCPA:
(1) Right to know about the personal information we collect and share
The CCPA gives you the right to request that we disclose the personal information we have collected about you over the past 12 months, which we do after we receive and validate your request. Once we receive and confirm your verifiable consumer request, we will disclose to you:
a. The categories of personal information we have collected about you;
b. The categories of personal information we have disclosed about you (if any);
c. The categories of sources for the personal information we have collected about you;
d. Our business or commercial purposes for collecting or selling that personal information;
e. The categories of third parties with whom we share that personal information; and
f. The specific pieces of personal information we have collected about you.
(2) Right of deletion
You have the right to request erasure of your personal information, subject to certain exceptions, such as where we have a legal obligation to retain the data in question. After we receive and validate your request, we will delete your personal information, as well as direct our service providers to delete your personal information unless an exception applies.
(3) How to exercise your privacy rights under CCPA
If you are a California resident, you can request disclosure, access to, and/or deletion of your personal information as described above by submitting a verifiable consumer request to us by either:
Sending an e-mail to data_protect@ringconn.com, including the following information along with your request: your full name, company name (if applicable), address, e-mail address and a phone number. We may request that you provide additional information if necessary to confirm your identity. This is for security purposes and is required by law in some cases.
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.
You have the right to make a free request up to two times in any 12-month period. We will respond to all validated requests within 45 days of receiving your request, unless we request an extension. In the event that we reasonably require an extension in order to respond to your request, we will notify you of any such extension within the initial 45-day period.
12.3 NON-DISCRIMINATION
We do not discriminate against users who request to exercise their privacy rights under the CCPA. Unless an exception applies, this includes our promise not to:
a. Deny you goods or services;
b. Charge you different prices or rates for goods or services, including granting discounts or other benefits, or imposing penalties;
c. Provide you a different level or quality of goods or services; or
d. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
13. UPDATE TO THIS PRIVACY POLICY
We will notify you before we make material changes to this policy and give you an opportunity to review the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy at our website (https://www.ringconn.com).
We will not reduce your rights under this Privacy Policy without your express consent. We will post any changes to this policy on this page.
For material changes, we will also provide more prominent notice (including, for certain Services, email notification of specific changes to the Privacy Policy).
Material changes within the meaning of this Policy include, but are not limited to:
a. Significant changes to our service model. For example, the purpose of processing personal information, the type of personal information processed, and how personal information is used;
b. Significant changes in our ownership structure, organisational structure, etc. Such as changes in ownership caused by business restructuring, bankruptcy and mergers and acquisitions;
c. Changes in the primary recipients of personal information shared, transferred, or publicly disclosed;
d. Significant changes in your right to participate in the handling of personal information and the manner in which it is exercised;
e. Changes in the department responsible for handling personal information security, contact information and complaint channels;
f. When the security impact assessment report of personal information indicates that there is a high risk.
14. SEVERABILITY
If any part of this Privacy Policy is found by any court or other competent authority to be invalid, unlawful or unenforceable then such part shall be severed from the rest of the provisions of this Privacy Policy which shall continue to be valid and enforceable to the fullest extent permitted by law.
15. LANGUAGE
For users outside the People’s Republic of China, this Privacy Policy is made in the English language and in the language of your country of residence (if applicable). For users outside the People’s Republic of China, the English version and other language versions are equally authentic. In case of any discrepancy among different versions, the English version shall prevail.
16. SDK PARTNERS
We may use or work with Mobile SDKs to collect information, such as Mobile IDs, and information related to how mobile devices and their users interact with our App. The SDK is computer code that app developers can include in their apps to enable data to be collected, and related services to be implemented.
SDK | Purpose of use | Data collected | SDK Provider | SDK Privacy Policy
Alibaba Cloud OSS (Object Storage Service) | App functionality: Upload user profile picture | User profile picture | Alibaba Cloud LLC |
Sentry | Analytics: APP crashes monitor | APP crash log | Functional Software, Inc. |
Sensors Data | User identification, User behaviors analysis | Device information, App log, IP address, App identifier, ANDROID ID | Sensors Data Network Technology (Beijing) Co., Ltd. and related parties | https://manual.sensorsdata.cn/sa/latest/zh_cn/sdk-22255999.html
Tencent Push Notification Service | Developer communications: allow APP notification push | User Device Information, Application Information, Network Information, Application Data | Shenzhen Tencent Computer Systems Co Ltd | https://privacy.qq.com/document/preview/8565a4a2d26e480187ed86b0cc81d727
Google Map SDK | App functionality: allow map display and search, walking/cycling navigation, sports tracking display | Location Information, Device Information, Device Identifier Information, Information about the interaction of your apps, browsers, and devices with Google services, Device Parameters and System Information | Google LLC and its affiliates | https://policies.google.com/privacy https://business.safety.google/controllerterms/
Application Performance Monitoring Full-Link - WebPro Monitoring | View web crash information, monitor memory performance, and monitor network exceptions | Device information, IP address, carrier information. | Beijing Volcengine Technology Co., Ltd | https://www.volcengine.com/docs/6431/69429
17. WHO WE ARE AND HOW TO CONTACT US
If you have questions about this policy, or need help exercising your privacy rights, please contact our Data Protection Officer at data_protect@ringconn.com
You may contact us at:
Shenzhen Ninenovo Technology Limited
Room 1403, Building 2, Chongwen Park, Nanshan Zhiyuan, No.3370, Liuxian Avenue, Fuguang Community, Taoyuan Street, Nanshan District, Shenzhen, Guangdong, China.
Customer Support Email Address: cs@ringconn.com
Telephone: +86 755 26401874
18. Vulnerability Handling Strategy
18.1 The company's principles for vulnerability management
Our company has always regarded the construction and comprehensive implementation of an "end-to-end global network security protection system" as one of its important development strategies, and has established a sustainable and trustworthy vulnerability management system in terms of policies, organization, processes, management, technology, and regulations. We work together with external stakeholders in an open manner to address the challenges of vulnerabilities.
To clarify our company's basic stance and proposition on vulnerabilities, we propose five fundamental principles for vulnerability management:
18.1.1 Reduce harm and minimize risk
Reducing or eliminating the harm caused by product and service vulnerabilities to customers, and reducing the potential security risks posed by vulnerabilities to customers/users, is not only our vision for vulnerability management, but also the value guidance we follow in vulnerability disposal and disclosure.
18.1.2 Reduce and mitigate vulnerabilities
Although the industry consensus is that vulnerabilities are inevitable, we will still strive to:
1) Take measures to reduce vulnerabilities in products and services;
2) Once vulnerabilities are discovered in products and services, promptly provide risk mitigation solutions to customers/users.
18.1.3 Proactive management
The vulnerability issue requires joint efforts from upstream and downstream of the supply chain to solve. We will proactively identify our own responsibilities in vulnerability management and clarify jurisdictional boundary requirements, including regulatory requirements, contract requirements, and applicable public standard requirements for business operations. We will build a management system and take the lead in management.
18.1.4 Continuous optimization
Network security is a constantly evolving dynamic process, and as threats evolve, defenders also need to continuously innovate. We will continue to optimize the workflow and standards related to vulnerability management, constantly draw on industry standards and excellent practices, and enhance our maturity in vulnerability management.
18.1.5 Open collaboration
We will uphold an open and cooperative attitude, strengthen the connection between the supply chain and the external security ecosystem, including upstream and downstream of the supply chain, security researchers, security companies, security regulatory agencies, etc., and strengthen collaboration with stakeholders in vulnerability-related work, building trustworthy cooperative relationships.
18.2 Vulnerability Handling Process
The company is committed to enhancing product security and fully supporting the secure operation of customer networks and businesses. The company attaches great importance to vulnerability management in product development and maintenance, and establishes a complete vulnerability handling process in accordance with standards such as ISO/IEC 30111 and ISO/IEC 29147 to enhance product security and ensure timely response when vulnerabilities are discovered.
18.2.1 Vulnerability Awareness: Accept and collect suspected vulnerabilities in the product;
18.2.2 Verification & Evaluation: Confirm the effectiveness and scope of impact of suspected vulnerabilities;
18.2.3 Vulnerability patching: Develop and implement vulnerability patching plans;
18.2.4 Vulnerability Patch Information Release: Release vulnerability patch information to customers;
18.2.5 Closed loop improvement: Continuously improve based on customer feedback and practice.
Becoming aware of vulnerabilities at the earliest opportunity is an important prerequisite for timely response. On the one hand, the company encourages security researchers, industry organizations, customers, and suppliers to proactively report suspected vulnerabilities to PSIRT, and requires upstream suppliers to promptly report vulnerabilities in deliverables to the company. On the other hand, the company actively monitors well-known public vulnerability databases, open source communities, security websites, and other information sources so that it learns of product-related vulnerability information in a timely manner. The company will manage suspected vulnerabilities and verify the impact on all non-EOS (End of Service & Support) product versions. Based on industry best practices, it is strongly recommended that customers regularly review whether their products are still supported in order to enjoy the latest software updates.
For any suspected vulnerabilities reported to PSIRT, PSIRT will work with the product team to analyze/validate the vulnerabilities, assess the severity level of the vulnerabilities based on their actual impact on the product, determine patch priorities, and develop vulnerability repair plans (including mitigation measures, patches/versions, and other customer executable risk mitigation plans). The company releases vulnerability information to stakeholders based on the principles of reducing harm and risk, supporting customers in assessing the actual risks of vulnerabilities to their networks.
If the company discovers vulnerabilities in the supplier's products or services during product development, delivery, or deployment, it will proactively communicate repair requirements to the supplier. For open source software vulnerabilities, the company will follow the vulnerability management strategy of the open source community, submit suspected vulnerabilities to the open source community, promote timely release of patch solutions, and actively contribute vulnerability patch solutions in the open source community.
PSIRT will coordinate with the vulnerability reporter to handle the vulnerability, acting as a coordinator or through a third-party coordination center, reporting the vulnerability to other vendors, standard organizations, etc., and promoting vulnerability resolution. If the vulnerability involves standard protocols, it is recommended that the reporter submit it to PSIRT and also inform industry organizations at the same time. For example, vulnerabilities related to 3GPP communication protocols can be simultaneously submitted to the GSMA Coordinated Vulnerability Disclosure Plan (CVD).
Based on the principle of continuous optimization, the company will continuously improve product security, vulnerability handling processes, and other aspects.
Throughout the entire vulnerability handling process, PSIRT will strictly control the scope of vulnerability information and only transmit it between personnel involved in handling the vulnerability. We also request the reporter to keep this vulnerability information confidential until our customers obtain a complete solution.
The company will take necessary and reasonable protective measures for the data obtained based on legal compliance requirements. Unless explicitly requested by the affected customers or required by law, the above data will not be voluntarily shared or disclosed to other parties.
18.3 Vulnerability Severity Level Assessment
The company adopts industry standards to assess the severity level of suspected vulnerabilities in its products. Taking CVSS (Common Vulnerability Scoring System) as an example, the model includes three metric groups: the base metric group, the temporal metric group, and the environmental metric group. The company will provide base vulnerability scores and, in some cases, temporal vulnerability scores and environmental vulnerability scores for typical scenarios. The company encourages end users to evaluate the environmental vulnerability score based on their actual network situation; this serves as the final score for the vulnerability in the user's specific environment and supports the user's decisions on deploying vulnerability mitigation plans.
For cloud services, the company will determine the priority level of handling based on the risk assessment results of vulnerabilities being exploited in the cloud. For the intelligent automotive business, product vulnerabilities will refer to the ISO/SAE 21434 standard, and the severity level of vulnerabilities will be evaluated based on their actual impact on the product to determine the priority of vulnerability patching.
Because different industries follow different standards, the company uses the Security Severity Rating (SSR) as a simpler grading method. SSR classifies vulnerabilities into five levels based on the comprehensive score of vulnerability severity assessment: Critical, High, Medium, Low, and Informational.
18.4 Third party software vulnerabilities
Due to the diversity of ways and scenarios in which third-party software/components are integrated into the product, the company will adjust the vulnerability rating of third-party software/components based on the specific scenarios of the product to reflect the true impact of the vulnerability. For example, if the affected module of a third-party software/component is not called, it is considered that the vulnerability "cannot be exploited and is not affected". If the existing evaluation system cannot cover the dimensions of evaluation, the company is responsible for interpreting the evaluation results.
If all three of the following criteria are met simultaneously, the company will label the vulnerability as "High Profile":
- CVSS score of 4.0 or above.
- This vulnerability has attracted widespread public attention.
- The vulnerability is likely to have or already has available exploits, and may be actively exploited.
For third-party vulnerabilities labeled "High Profile", the company will verify all non-EOS product versions and, upon confirmation of the "High Profile" vulnerability, issue an SN (Security Notice) within 24 hours to notify relevant customers of the company's handling of the vulnerability. When there is a vulnerability repair plan, the company will provide risk decision-making and mitigation support to affected customers through an SA (Security Advisory). For third-party vulnerabilities that are not classified as "High Profile", the company explains them in the version/patch manual.
18.5 Release vulnerability information announcement
18.5.1 Announcement Form
The company adopts the following three forms to release vulnerability information and patch solutions to the public:
- Security Advisory (SA), which includes information such as vulnerability severity level, business impact, and patch solutions, is used to communicate vulnerability patch solutions. The Security Advisory (SA) is used to release critical and high level vulnerability information and patch solutions directly related to the product. The Security Advisory (SA) provides an option to download the Common Vulnerability Reporting Framework (CVRF) content, designed to describe vulnerability information in machine-readable format (XML file) to support tool usage by affected customers.
- Security Notice (SN), which includes responses to public security topics related to the product (including vulnerability and non-vulnerability related topics). The Security Notice (SN) is used to publish information that SSR assesses as Informational, such as information discussed in public forums (such as blogs or discussion lists). At the same time, in special scenarios where there may be widespread public attention to vulnerabilities in product versions or where the company has observed active exploitation of vulnerabilities, Security Notices (SN) are also used as a response method to enable relevant customers to understand the company's response progress on the vulnerability.
- Version/Patch Manual: RN (Release Note), which includes information on patched vulnerabilities. As part of the accompanying deliverables for product version/patch releases, it is used to describe vulnerabilities assessed as medium and low levels by SSR. So that customers can comprehensively evaluate the vulnerability risks of versions/patches from a version/patch perspective, the version/patch manual (RN) also includes vulnerability information and patch solutions released through Security Advisories (SA). For private cloud scenarios, the company's version documentation for cloud service products includes it. For terminal scenarios, the company includes it in routine patch announcements.
18.5.2 Announcement channel
The company issues Security Advisories (SA) and Security Notices (SN) to support relevant customers in obtaining vulnerability patch information. The Version/Patch Manual (RN) is a part of the accompanying deliverables for product version/patch release, and customers can obtain it through the product version/patch acquisition channel.
18.5.3 Announcement Plan
When one or more of the following conditions are met, the company will issue an SN or SA to provide customers with on-site risk decision support.
- The Security Severity Rating (SSR) of the vulnerability is "Critical" or "High", and the company has completed the vulnerability response process and can provide vulnerability patching solutions to support customers in reducing network risks.
- When the vulnerability in the product version may attract widespread public attention or the company has observed active exploitation of the vulnerability, which may increase the risk faced by customers, the company will accelerate the response process and notify customers within 24 hours of determining that the above conditions are met, and continuously update the progress of the vulnerability response.
- To maximize the reduction of global cyber risks, the company follows a coordinated vulnerability disclosure (CVD) strategy to determine announcement plans when coordinating disclosure with third parties.
18.5.4 Announcement Rhythm
In order to better support customers in developing patch deployment plans and conducting risk assessments, the company will routinely release SAs on Wednesdays. At the same time, the company may release SAs outside of the release schedule, and the following situations (not an exhaustive list) may lead to unplanned SA releases:
- The company has observed active exploitation of vulnerabilities.
- The company has discovered widespread public attention to vulnerabilities in its products.
- The company collaborates with third parties to disclose vulnerabilities.
Note: For cloud scenarios, the company will refer to the information and patch solutions in the "Cloud Security White Paper". For terminal scenarios, the company usually releases information and patch solutions in routine announcements.
18.5.5 Instructions for obtaining software updates
Vulnerability management is based on the lifecycle milestones of the product/software version, and PSIRT will manage vulnerabilities in all product versions prior to the end of service and support (EOS). Vulnerability patching will be provided before EOFS (End of Full Support), and vulnerabilities rated Critical or High under SSR will be patched as appropriate after EOFS. The product team may have milestone points outside of this strategy, and for such vulnerability fixes, specific product documentation should be consulted to understand the repair support provided.
Customers can upgrade to new product/software versions or install the latest patches to mitigate vulnerability risks based on the contract. Customers can only obtain and use software versions for which they have purchased valid licenses (currently activated licenses). Products/versions that fix vulnerabilities do not grant customers the right to obtain new software licenses, other software features/characteristics, or major version upgrades. Customers can contact service engineers or obtain versions/patches:
If you are an end customer, you can use online upgrade or access https://apps.apple.com/us/app/ringconn/id6444470583
End customers, please refer to the Enterprise Product Lifecycle Termination Policy (Maintenance Years) at https://ringconn.com/policies/terms-of-service to understand the detailed content of vulnerability patching within the product lifecycle.
Please refer to the product lifecycle announcement for the specific vulnerability patching capabilities of the product/software version: https://ringconn.com/policies/terms-of-service.
18.5.6 Disclaimer & Reserved Permissions
18.5.6 Disclaimer&Reserved Permissions
If there are multiple language versions of this article, and there are differences between different languages, the "Chinese" version shall prevail. The strategy description in this article does not constitute a guarantee or commitment, nor does it form part of any contract, and the above strategy may be adjusted at discretion.
The company reserves the right to change or update this document at any time. We will update this policy statement as necessary to increase transparency or respond more actively, such as:
- Feedback from customers, regulatory agencies, industries, or other stakeholders.
- Changes in overall strategy.
- Introduction of best practices, etc.
When making changes to this policy statement, we will revise the 'Update Date' at the bottom of this policy.
18.6 Definition
The following definitions are used in this strategy:
Name | Definition
PGP | Pretty Good Privacy
ISO/IEC 29147 | Guidelines for Disclosure of Potential Vulnerabilities Developed by the International Organization for Standardization
ISO/IEC 30111 | The vulnerability management process developed by the International Organization for Standardization
ISO/SAE 21434 | Road vehicle network security engineering standards developed by the International Organization for Standardization
CVSS | Common Vulnerability Scoring System
GSMA CVD | GSMA Coordinated Vulnerability Disclosure
SSR | Security Severity Rating
EOFS | End of Full Support: stop providing comprehensive support. Stop fixing newly discovered defects in the version and no longer provide new patch versions. Existing defects will continue to undergo technical analysis and repair
EOS | End of Service & Support: stop service and support. We will no longer provide any technical service support, including locating new issues and fixing defects.