Privacy Policy
Last Updated: October 2023
1. Introduction
Beijing Wanda Star Technology Co., Ltd. ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, and safeguard information in our mobile applications and games across global markets.
Our practices comply with the Google Play Developer Program Policies, the Apple App Store Review Guidelines, and global privacy regulations including GDPR (EU) and CCPA (California).
2. Information Collection
2.1 Personal Information
We may collect information that identifies you, such as your name or email address, only when provided voluntarily (e.g., during support requests or account registration).
2.2 Non-Personal Information
We automatically collect device information, including:
- Device ID (IDFA for iOS, GAID for Android)
- Operating system and version
- IP address and approximate location
- In-app usage data and performance logs
3. Third-Party Services & Monetization
We partner with various platforms for monetization and analytics. These third parties may collect data according to their own policies:
- Ad Platforms: Google AdMob, Unity Ads, AppLovin, IronSource.
- Analytics: Google Analytics for Firebase, AppsFlyer.
- Payments: Google Play Billing, Apple In-App Purchase.
4. Data Retention & Security
4.1 Data Retention Periods
We retain your data only as long as necessary for the purposes outlined in this policy:
- Personal Information: Retained for the duration of our business relationship plus 2 years
- Usage Data: Aggregated and anonymized after 12 months
- Support Records: Retained for 3 years for quality assurance and training
- Legal Compliance: Data may be retained longer if required by law
4.2 Security Measures
We implement industry-standard security measures to protect your information:
- End-to-end encryption for data transmission (TLS 1.3+)
- Encrypted data storage with AES-256 encryption
- Regular security audits and penetration testing
- Access controls and employee background checks
- Incident response procedures and breach notification protocols
4.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities within 72 hours as required by applicable law.
5. International Data Transfers
As a global company headquartered in Beijing, China, we may transfer your personal data across international borders for processing and storage.
5.1 Transfer Mechanisms
We ensure adequate protection for international data transfers through:
- Standard Contractual Clauses (SCCs) approved by relevant data protection authorities
- Binding Corporate Rules (BCRs) for intra-group transfers
- Compliance with EU-US Privacy Shield Framework (where applicable)
- Local data residency requirements in specific jurisdictions
5.2 Third-Country Processing
When processing occurs in countries without adequate data protection laws, we implement additional safeguards including:
- Enhanced encryption and pseudonymization techniques
- Strict contractual obligations on processors
- Regular compliance monitoring and audits
- Data minimization and purpose limitation principles
6. Cookie and Tracking Technologies
We use various tracking technologies to enhance your experience and analyze usage patterns.
6.1 Types of Cookies Used
- Essential Cookies: Necessary for basic site functionality (cannot be disabled)
- Performance Cookies: Collect anonymous usage data to improve site performance
- Functionality Cookies: Remember preferences and personalize experience
- Targeting Cookies: Used by advertising partners for relevant ad delivery
6.2 Cookie Management
You can manage cookie preferences through:
- Your browser settings (blocking or deleting cookies)
- Our Cookie Consent Manager (available on first site visit)
- Opt-out mechanisms provided by advertising networks
6.3 Other Tracking Technologies
We also use web beacons, pixel tags, and local storage for analytics and functionality purposes.
7. Global Privacy Compliance
7.1 GDPR (European Economic Area)
Users in the EEA have the right to access, rectify, or erase their personal data. We process data based on legitimate interest or your explicit consent.
7.2 CCPA/CPRA (California)
California residents have the right to opt out of the "sale" of personal information. We do not sell personal data for monetary value, but sharing with ad partners may be considered a "sale" under CCPA.
7.3 Other Jurisdictions
We comply with applicable privacy laws in all jurisdictions where we operate, including PIPEDA (Canada), LGPD (Brazil), PDPA (Singapore), and PIPL (China).
7.4 Cross-Border Compliance
We maintain separate compliance programs for different regulatory regimes and regularly update our practices to reflect evolving legal requirements.
8. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal obligations)
- Restriction: Request restriction of processing in certain circumstances
- Data Portability: Request transfer of your data to another service provider
- Objection: Object to processing based on legitimate interests
- Withdrawal of Consent: Withdraw previously given consent at any time
- Automated Decision-Making: Right not to be subject to decisions based solely on automated processing
8.1 How to Exercise Your Rights
To exercise these rights, please contact us at support@bjwdx.com with "Privacy Rights Request" in the subject line.
We will respond to verified requests within 30 days (or as required by applicable law). We may require additional information to verify your identity before processing your request.
8.2 No Discrimination
We will not discriminate against you for exercising your privacy rights under applicable law.
9. Children's Privacy
Our applications are designed for a general audience unless otherwise specified. We do not knowingly collect personal information from children under 13 (or under 16 in certain jurisdictions) without parental consent.
9.1 Age Verification
We utilize Age Gates and strictly follow the Children's Online Privacy Protection Act (COPPA).
9.2 Parental Consent
For services directed to children, we obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
9.3 Data Deletion
If we discover that we have collected personal information from a child without proper consent, we will promptly delete that information from our systems.
9.4 Parental Rights
Parents can review, edit, or request deletion of their child's personal information by contacting us at parents@bjwdx.com.
10. Third-Party Links and Services
Our services may contain links to third-party websites or integrate third-party services.
10.1 External Links
We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any external sites you visit.
10.2 Integrated Services
When we integrate third-party services (such as social media plugins, payment processors, or analytics tools), your data may be shared with these providers according to their own privacy policies.
10.3 Joint Controllership
In some cases, we may act as joint controllers with third parties. In such cases, we have agreements in place defining our respective responsibilities.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements.
11.1 Notification of Changes
The "Last Updated" date at the top of this page will be revised accordingly. For significant changes, we will provide notice through our applications or via email to affected users.
11.2 Material Changes
Material changes include those that affect your rights, introduce new data processing activities, or change the legal basis for processing.
11.3 Continued Use
Continued use of our services after such changes constitutes acceptance of the updated policy.
12. Data Protection Impact Assessments
We conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
12.1 Assessment Criteria
DPIAs are conducted when processing involves:
- Systematic and extensive evaluation of personal aspects based on automated processing
- Processing of special categories of data on a large scale
- Systematic monitoring of publicly accessible areas on a large scale
12.2 Mitigation Measures
Based on DPIA findings, we implement appropriate technical and organizational measures to mitigate identified risks.
13. Records of Processing Activities
We maintain comprehensive records of our data processing activities as required by applicable data protection laws.
13.1 Record Contents
Our records include:
- Purposes of processing
- Categories of data subjects and personal data
- Recipients or categories of recipients
- International transfers and safeguards
- Retention periods and erasure criteria
- Security measures implemented
15. Data Processing Agreements
When we engage third-party processors to handle your personal data on our behalf, we enter into comprehensive Data Processing Agreements (DPAs) that include:
- Clear specification of processing activities and purposes
- Confidentiality obligations for processor personnel
- Security measures and technical safeguards
- Audit and inspection rights for compliance verification
- Sub-processing restrictions and approval requirements
- Data breach notification procedures
- Data return or deletion upon contract termination
15.1 Processor Compliance Monitoring
We conduct regular audits and assessments of our processors to ensure ongoing compliance with our DPAs and applicable data protection laws.
16. Data Protection Officer Responsibilities
Our appointed Data Protection Officer (DPO) has the following key responsibilities:
- Monitoring internal compliance with data protection policies and laws
- Informing and advising the organization about data protection obligations
- Providing guidance on Data Protection Impact Assessments (DPIAs)
- Serving as the primary contact point for data subjects and supervisory authorities
- Conducting privacy training and awareness programs for staff
- Maintaining records of processing activities
16.1 DPO Independence
Our DPO operates independently and reports directly to senior management, ensuring unbiased oversight of our data protection practices.
17. Data Subject Request Verification Process
To protect your privacy and prevent unauthorized access, we implement a rigorous verification process for data subject requests.
17.1 Identity Verification Requirements
Depending on the nature of the request, we may require:
- Government-issued photo identification
- Proof of account ownership (email verification, security questions)
- Notarized authorization documents for third-party representatives
- Additional information to confirm the requester's identity
17.2 Request Processing Timeline
Once identity is verified, we process requests within the following timeframes:
- Access Requests: 30 days (extendable by 60 days for complex requests)
- Rectification Requests: 30 days
- Erasure Requests: 30 days (subject to legal retention requirements)
- Restriction Requests: Immediate implementation pending verification
18. Data Minimization and Purpose Limitation
We strictly adhere to the principles of data minimization and purpose limitation in all our data processing activities.
18.1 Data Collection Scope
We collect only the minimum amount of personal data necessary to achieve the specified purposes, including:
- Account registration: Only email and basic profile information
- Service delivery: Only data required for functionality
- Analytics: Primarily anonymized and aggregated data
- Marketing: Only with explicit opt-in consent
18.2 Purpose Specification
Each data processing activity has a clearly defined, legitimate purpose documented in our processing records. We do not use data for purposes incompatible with the original collection purpose without additional consent or legal basis.
19. Privacy by Design and Default
We implement Privacy by Design and Privacy by Default principles throughout our product development lifecycle.
19.1 Technical Implementation
Our Privacy by Design approach includes:
- Data encryption at rest and in transit
- Pseudonymization and anonymization techniques
- Granular privacy controls and user preferences
- Automated data retention and deletion mechanisms
- Privacy-preserving analytics and measurement
19.2 Organizational Measures
Privacy by Default is ensured through:
- Default privacy-friendly settings
- Minimal data collection during onboarding
- Opt-in rather than opt-out for non-essential processing
- Regular privacy reviews of new features
20. Employee Data Protection Training
All employees receive comprehensive data protection training appropriate to their role and access level.
20.1 Training Program Components
- General Awareness: All staff complete annual privacy training
- Role-Specific Training: Enhanced training for roles handling sensitive data
- Incident Response: Specialized training for incident response team members
- Technical Staff: Secure coding and data handling best practices
20.2 Training Effectiveness
We measure training effectiveness through knowledge assessments, incident rates, and compliance audits to continuously improve our program.
21. Data Protection Audits and Assessments
We conduct regular internal and external audits to ensure compliance with our privacy commitments.
21.1 Audit Schedule
- Internal Audits: Quarterly reviews of high-risk processing activities
- External Audits: Annual independent assessments by qualified auditors
- Compliance Reviews: Bi-annual reviews of regulatory compliance status
21.2 Audit Scope
Audits cover technical, organizational, and procedural aspects including:
- Data security controls and access management
- Incident response preparedness
- Third-party processor compliance
- Data subject rights fulfillment processes
- Policy implementation and staff awareness
22. International Certification and Standards
We maintain compliance with internationally recognized privacy and security standards.
22.1 Current Certifications
- ISO/IEC 27001: Information Security Management System
- ISO/IEC 27701: Privacy Information Management System
- PCI DSS: Payment Card Industry Data Security Standard (where applicable)
22.2 Certification Maintenance
We undergo regular surveillance audits and recertification processes to maintain our certifications and demonstrate ongoing commitment to privacy and security excellence.
23. Privacy Shield and Cross-Border Frameworks
We participate in international data transfer frameworks to ensure lawful cross-border data flows.
23.1 EU-U.S. Data Privacy Framework
We comply with the EU-U.S. Data Privacy Framework principles for transfers of personal data from the European Economic Area to the United States.
23.2 Other International Frameworks
We monitor and adapt to evolving international data transfer mechanisms including:
- UK Extension to the EU-U.S. DPF
- Swiss-U.S. Data Privacy Framework
- ASEAN Cross-Border Privacy Rules
- APEC Cross-Border Privacy Rules System
24. Data Localization and Sovereignty
We respect data localization requirements and sovereignty considerations in different jurisdictions.
24.1 Regional Data Centers
Where feasible and required by law, we store and process data in regional data centers to comply with local data residency requirements.
24.2 Sovereignty Compliance
We implement technical and organizational measures to ensure compliance with data sovereignty laws, including:
- Geographic data segregation
- Local processing where mandated
- Jurisdiction-specific security controls
- Compliance with national security requirements
25. Contact Us
If you have questions about this policy, please contact us at: support@bjwdx.com
Data Protection Officer: For GDPR-related inquiries, you may also contact our designated Data Protection Officer at dpo@bjwdx.com
Mailing Address: Beijing Wanda Star Technology Co., Ltd., Room 212-2952, Town Government Office Building, No. 11, Guyuluwai Street, Gubeikou Town, Miyun District, Beijing, China
Response Time: We aim to respond to all privacy-related inquiries within 5 business days.
Supervisory Authority: If you believe we have not addressed your concerns satisfactorily, you have the right to lodge a complaint with your local data protection supervisory authority.