Youku Privacy Policy
Effective date: Nov. 16th, 2023
Your privacy is important to us. We respect your privacy when handling your personal information. This Youku Privacy Policy (this “Privacy Policy”) describes our privacy practices, including the types of personal information we collect about you, how we use, store, process, disclose and ensure security of your personal information for the purposes of and in relation to your use of our products and services, and your rights in relation to our use of that information.
This Privacy Policy applies if you are using the application(s), product(s) and/or services under Youku’s businesses, including our mobile-based, web-based or TV-based Youku app, whether or not as a registered user and whether or not as a VIP subscription user (“Youku Services”, or our “Services”). This Privacy Policy does not apply to products and/or services provided by any third party as referred to or linked in our Services, or any other products and/or services which are not provided by us. There may be specific notices given to you or consents obtained in relation to specific products and services – those terms (if any) supplement (but do not replace) this Privacy Policy.
Our Services are provided by Jet Brilliant Limited, a company incorporated under the laws of Hong Kong (referred to as “Youku”, “we” or “us”, including its subsidiaries and affiliates). For the purposes of applicable data protection law, we are a data controller in respect of your personal information.
Please read this Privacy Policy carefully before considering whether to proceed and accept the use of our Services (as defined below). By clicking “Accept”, you acknowledge that you have read and understand this Privacy Policy, and consent to our privacy practices described in this Privacy Policy. If you do not agree to any of the terms under this Privacy Policy, please do not click “Accept” and you should immediately cease your use of our Services.
It is important that you check back often for updates to this Privacy Policy. The most current version of this Privacy Policy will always be available at Me > Settings > Privacy Policy. We may update this Privacy Policy to reflect changes in how we collect and use your personal information or changes in relevant laws. When we do so, we will update the “effective date” above. If any of these updates result in substantial alteration to your rights, collection of more personal information than what you have originally consented to, or changes in the purpose, data transfer recipient or manner in the use or sharing of your personal information, we will notify you of the changes by push notification, announcement or pop-up notice and obtain your consent to the updated terms of the Privacy Policy.
Topics:
· Notice at collection
· How do we collect and use your personal information
· How do we disclose your personal information
· How do we store, retain and protect your personal information
· What are your rights relating to your personal information
· Protection of minors
· Contact us
How do we collect and use your personal information
A. Personal information we collect about you
We will collect and process the following personal information about you (depending on the way you use our Services). “Personal information” means any data relating to a living person who can be identified from that data, either by itself or when that data is combined with other data.
· Information that you provide to us
This includes personal information about you that you provide to us when creating user accounts, by communicating with us, whether by phone, online, by e-mail or otherwise:
o Contact information
When using our Services, we will collect your email address, phone numbers, verification code and password.
o Content of your communications
When you contact us, we may collect the content of your emails, text messages, chats, or phone calls.
o Financial information
When using our Services and making payments via third party payment providers (e.g. Apple Pay and Google Pay), we will collect your third party payment account ID, order number, time and amount of the payment.
o Commercial information
When you create an account, we may collect information about the Services you use.
o Sensitive personal information
When you create an account we may collect and process your account information along with a password or security question that allows access to your account.
o other information about you including your language, your IP address, and your account ID when you create an account or login through a third-party platform account (e.g. Facebook, Google or Apple ID).
· Information we automatically collect and generate about you
When you use our Services, we will collect and generate certain personal information about you relating to your use of our Services, including:
o Information relating to your use of our Services and preferences
When using our Services, we will collect and generate personal information to create inferences about you, such as your search history, browsing and viewing history and purchase information. We collect and generate such personal information in order to provide you with content that you may be interested in.
o Internet, technical or similar network and device activity
When using our Services, we will collect and generate information about you relating to your IP address, device type, device model, name, universally unique identifier, information about your browser (including settings and type), operating system, mobile network information (including operator name and phone number), app version, storage and other related information. We may also collect information as to how your device interacts with our application(s) and/or platform(s), including pages you have visited and links you have clicked. The purpose of collecting such personal information relating to your device is for us to continuously work on our product and services, improve its functionalities, ensure that we protect your account and system, and to be able to provide continuous and stable services for your use of our Services.
o Cookies and log files
When using our Services, we will collect personal information, such as log files relating to your use of our Services (where applicable), which might be obtained via cookies, web beacon, log file, programming script, e-tag or other manners. Please read our Cookies Policyif you want to know more about how we use cookies or other similar technologies and how you may control the personal information collected via cookies and similar technologies.
· Information we obtain from other sources
We may obtain your personal information from other sources, including:
o Information obtained from other parties relating to account set-up
When using our Services, if you use your third-party platform account (e.g. Facebook, Google or Apple ID) to create a Youku account and sign in to our Services, we will obtain your account ID from such third party platform for the purposes of your user account set-up, as well as to protect your account and prevent security risks.
o Information obtained from service providers relating to product purchase
If you purchase our VIP services or any other paid content(s) (as the case may be), we will obtain information relating to your product purchase(s) from our partnering payment service provider (e.g. Google Pay or Apple Pay) for the purposes of verifying your payment status and allowing us to identify your account to assist with enabling your access to the relevant purchased services, products and/or features.
Please note that we will only collect personal information about your purchased product(s), payment reference and your user ID. We do not collect your bank account number, payment password or other types of payment information.
o Information obtained from public sources
We may obtain personal information about you from public sources, such as data published by the Government or publicly-available data from social media platforms.
Other than those specified above, we will not obtain any of your personal information from any third party(ies) without your prior authorisation. If we need to obtain your personal information from any third party(ies) for reasons of business purposes, we will ensure that our collection and use are lawful.
As part of our practice, we will:
o take measures to ensure, to the extent possible, that the other party has either obtained your consent or is sharing your personal information with us within the permitted scope under relevant laws (including but not limited to entering into contracts with such third party, as appropriate);
o require the other party to commit to ensuring that they abide to lawful privacy practice and measures; and
o where the manner or scope of use exceeds the original authorisation, seek (or ask the other party to seek) further consent from you before collecting and using such personal information.
We will ensure that we apply the same level of security safeguards and measures against any personal information collected, whether those collected directly from you or as obtained from other party(ies).
B. Use of your personal information
We will use the personal information collected for the following purposes:
· to perform our obligations to you (under any contractual agreements between us or otherwise) and to manage our Services and your use of our Services;
· to provide software updates, maintenance services and support for our Services;
· to help you manage your account(s) relating to our Services, including to handle any of your registration and log-in request(s), verification and performance of transactions relating to payment;
· to provide you with content that you may be interested in;
· to consider and respond to any of your queries, requests and/or feedback (as relevant);
· to identify, monitor, protect against and prevent any fraud or other legal, security, information or technical risks which may affect the security and/or reliability of our Services;
· to conduct market survey, data and statistical analysis and processing relating to our Services in order to maintain and/or improve our Services;
· to facilitate internal purposes such as auditing; and
· to comply with all legal and regulatory obligations under all relevant laws and to exercise or defend our rights.
If we intend to use your personal information for any other purposes which are not covered under this Privacy Policy, we will first obtain your consent.
How do we disclose your personal information
We will not disclose your personal information other than as specified below:
· Disclosure of your personal information with Youku group companies. In order to provide our Services and improve on the same, we may disclose your personal information to our related companies and/or our affiliates.
· Disclosure to business partners. You understand and acknowledge that some of our Services will be provided with or through collaboration with our business partners, and we may therefore disclose your personal information (as necessary) to them as follows:
o Service providers – this includes any payment agency, and other service providers (e.g. Apple, Facebook, Google, Apple Pay and Google Pay).
o Data processors – this includes data processors providing online advertisement data monitoring, and statistics and data analysis. We disclose your personal information to these data processors to analyse, maintain and improve our Services in order to provide better content and Services. We may disclose relevant information in a summarised form to designated data processor partners (such as your viewing history, advertisement history and terminal model).
o Software development kit (“SDK”) providers – our Services may contain third party SDKs or other similar applications (a latest list of third party SDK providers that we partner with is provided here); if you use such services provided by the SDK provider made available on our platform, please note that you will need to abide by the privacy policy and practices of that SDK provider. Privacy practices of the SDK provider(s) are not governed by this Privacy Policy. However, we commit to having reasonably assessed the privacy standards of such SDK provider and will, to the extent possible, impose requirements for them to comply with certain security and privacy standards. In order to safeguard your personal information’s security, we strongly recommend that you read the SDK provider’s privacy policy carefully prior to the use of such third party SDK. If you notice any risks relating to the use of any of these SDKs, we suggest that you immediately cancel any relevant operations and contact us as soon as possible.
o Any other business partners we have partnered with. Such personal information disclosure will be subject to your consent and we will only disclose your personal information in accordance with relevant laws and data privacy principles.
When disclosing your personal information, we will take adequate measures to protect your personal information, including but not limited to the following:
o we will obtain your prior authorisation and consent as necessary;
o we will bind the recipient of your personal information with responsibilities and obligations to uphold privacy principles;
o we will ensure that our security team conducts a data assessment and security evaluation, and where feasible, try to anonymise such personal information before any disclosure, transfer or processing; and
o where the data disclosure arrangement involves a cross-border transfer, we will abide by all relevant and applicable laws and regulations to ensure that local requirements on data privacy and protection are fulfilled.
· Disclosure to the extent as required by all relevant laws. As required under relevant laws and/or as required by regulators, we may be required to disclose your personal information to such third party (which may include any court, judicial authority, law enforcement agency, government organ, regulators or other similar entities), in order to safeguard your rights, uphold public interest or for other legitimate reasons. We may also disclose your personal information where we are required to do so in order to exercise or defend our legal rights.
· Disclosure consequential to change of control events. If we are engaged in a merger, acquisition, reorganisation, division, bankruptcy, transfer of asset or similar transaction which may involve the potential transfer of your personal information, we will notify you in this regard and request, to the extent possible, that the incoming data controller abide by this Privacy Policy and the privacy practices as stipulated herein.
How do we store, retain and protect your personal information
A. Storage and retention of your personal information
· Cross-border transfers and storage location of personal information. Your personal information is currently stored in a data centre located in the People’s Republic of China. You understand that we may transfer and store your personal information in such data centre that is in compliance with applicable laws.
· Retention period. Generally, we will only store your personal information for no longer than necessary for the provision of our Services, except where we are legally required to retain certain types of information or documents for a longer period of time as required by any relevant laws, court decision, ruling or other legal proceedings, government authorities and/or regulators, or for any other legitimate reasons. Upon the expiration of such period, we will delete and/or anonymise your personal information according to applicable laws. If your personal information is disclosed to any other party(ies), we will require such those party(ies) to do the same.
If our Service(s) cease(s) to operate, we will notify you by way of push notification or announcement and will delete or anonymise your personal information within any timeframe required under applicable laws or in line with our data retention period.
B. Safeguarding your personal information
We adopt certain technical, organizational, and physical measures to safeguard your personal information, including security technology conforming with market standards to support our technological infrastructure and systems, for the purposes of minimising the risks of unauthorised access and disclosure, damage, misuse or alteration of your personal information.
Our safeguards are as follows:
· Technical measures to safeguard data security
We adopt encryption technology such as transport layer security to prevent the data transmission from being tapped or intercepted; adopt security storage measures such as classified and layered disposal of data; adopt strict data access control system and identity verification technology; monitor data processing to avoid illegal access or unauthorised use of data; monitor and audit the full data lifespan to prevent unauthorised access, disclosure, use, alteration, as well as intended or unintended damage or loss of personal information.
· Data security organisation and management measures
We have a designated department specifically designed to handle personal information and data privacy matters. We also have relevant internal control management systems in place to minimise unnecessary employee access to personal information unless otherwise necessary to carry out their job duties and responsibilities, including standards regarding the secure use of business data and standard management system for data cooperatives. We arrange for our employees to participate in relevant data privacy training(s) on a regular basis and take other practicable data security organisation and management measures, such as locking the storage area for personal information and restricting employees’ access to the storage area unless otherwise necessary to carry out their job duties and responsibilities.
· Handling of security incidents
We have set up a Youku emergency response centre and put in place certain security management rules and emergency response plans, which clearly sets out the reporting procedures regarding the handling of security incidents and emergency responses in case of a data breach incident. In case of a data breach incident, we will take appropriate actions under our emergency preparedness plan (EPP) to contain such unauthorised leakage as much as possible, including reporting such incident to the authorities as required under applicable law, and notifying you as soon as reasonably practicable by way of electronic notice, push notification and/or public announcement. Depending upon where you live, you may have the legal right to receive notice of a data breach incident in writing.
Please note and understand that we cannot guarantee that the Internet is 100% secure. Notwithstanding the above measures, we cannot guarantee that your personal information will be 100% secure. If you create an account, or are otherwise provided access to our Services, you are responsible for maintaining the security of your password at all times and for any activity occurring while logged into your account. In order to assist us in protecting your account security, we strongly advise that you create a secure password and ensure that you use your account in a secure manner. If it comes to your notice that your password has been leaked, please contact us immediately for us to take relevant measures to ensure your account security.
What are your rights relating to your personal information
We would like to ensure that you are fully aware of all your personal information protection rights. Privacy and data protection laws in different places may differ from each other, so these rights listed below may apply in some jurisdictions but not others, as indicated. Please also note that by exercising some of these rights below, it may impact the ability for us to provide you (or continue to provide you) with our Services.
Generally, your rights may include:
· Right to be informed
You have the right to be informed of your personal data processing, unless otherwise provided by law.
· Right to access
You can inquire or access your relevant personal information relating to our Services, including usage information (which can be accessed at any time through the related product page, including series history, viewing history and offline downloads).
· Right to rectify
You have the right to request that we rectify your personal information if it is inaccurate or incomplete.
· Right to delete
You can delete your viewing history under “History” at any time. You may also email us at privacy_youku@service.alibaba.com to require us to delete your personal information. However, we may still be legally entitled to retain some of your data under other lawful grounds.
You understand and agree that when you delete your personal information from Youku Services by yourself or with our help, we may not be able to immediately delete your information from the backup system subject to applicable laws and regulations and relevant security technology. We will store your personal information in a secure manner and separate such from any further data processing until such information is deleted or anonymised during the update of our backup system.
· Right to cancel your account
You can cancel your account at any time. You may also email us at privacy_youku@service.alibaba.com to require us to cancel your account, except as otherwise provided under applicable laws or as otherwise agreed under this Privacy Policy.
Once you cancel your account, your rights and interests generated during your use of our Services will no longer apply. All contents, information, data and records relevant to your account will be deleted or anonymised (except as otherwise required by relevant laws or regulators). Your account cancellation is permanent and irreversible.
· Right to obtain a copy of your personal information
If you need to obtain a copy of your personal information, you can contact us via one of the means as stated below under “Contact Us”. Upon verifying your identity, we will provide a copy of such personal information relating to our Services for you within the period prescribed and in accordance with the law, unless otherwise stipulated by the applicable laws or as otherwise agreed upon in this Privacy Policy.
· Right to limit or object to the processing of personal information
You may limit or object to the processing of any part of your personal information if such rights are granted to you according to the laws of your jurisdiction. If so, we will handle your request based on the laws of such relevant jurisdiction.
· Right to withdraw consent
You may withdraw your consent to the continued processing of your personal information, subject to legal or contractual restrictions and reasonable notice.
· Right to complain about the processing of Personal Information
You may lodge a complaint to the relevant data protection authority regarding our processing of your Personal Information if such right is granted to you according to the laws of your jurisdiction.
You may be entitled to other rights in relation to your personal information depending on the applicable law in your jurisdiction. For details of such additional rights, please refer to the Appendix.
Exercising your Rights
You can exercise your rights by emailing us at privacy_youku@service.alibaba.com.
We must verify your identity before responding to your request. We may verify your identity by asking you to provide personal identifiers that we can match against information we may have collected from you previously. We may need to follow up with you to request more information to verify identity. We will not use personal information we collect in connection with verifying or responding to your request for any purpose other than responding to your request.
You may have the right to designate an authorized agent to make a request on your behalf. We may deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.
We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response. You have the right to appeal a denial of their request by contacting us as described in the notice of denial.
Protection of minors
You must be 18 years or above to become a member under our Services.
We value the protection of personal information of minors very much. The age classifying minors and relevant rules for minor privacy protection vary in different jurisdictions. If you are 18 or above but are still considered as a minor under local law, you shall read this Privacy Policy under the guardianship and guidance of guardians and submit relevant personal information after the consent of your guardians to this Privacy Policy and submission.
Please note that, considering the features of the Internet and the online anonymity of users, it is difficult for us to identify minors and verify each and every one of these guardian consents. If you are aged below 18, please first obtain the consent of your guardians before proceeding to use our Services.
Where guardians believe that we have collected personal information of minors without first obtaining their consent, we will immediately investigate and as appropriate, delete all relevant information (if any) in a timely manner upon receipt of such notification from the guardians.
Contact Us
If you have any questions, requests, complaints, feedbacks or otherwise relating to our data privacy practices generally or this Privacy Policy for your use of our Services, you may email us at privacy_youku@service.alibaba.com.
For any questions regarding the use of the Youku app or VIP Member Services, please contact us by email at YoukuGlobalService@alibaba-inc.com.
Upon receiving your query or request and except as described above, we will, upon verification of your identity, reply to you within the period of time as prescribed by local laws of your jurisdiction. Generally, this would be done without any service fee or charges. However, please note that we may not be able to respond to your request if it involves any issues relating to the following (depending on applicable local laws):
· national security or national defence security;
· public health and safety or other significant public interests;
· criminal investigation, litigation or trial;
· where there is reasonable evidence suggesting your malice or abuse of rights;
· where a response to your request would severely interfere your legal rights or the rights of other individuals or organisations; and
· any other circumstances as provided by relevant laws and regulations.
To the extent permitted under law, we will provide to you with a notice with an explanation as to why we are unable to respond and act accordingly based on your request.
[Language
In the event of any conflict between the English version of this Privacy Policy with a version translated in another language, the English version will prevail.]
Appendix: Jurisdictional Specific Notices
For Users in the United States:
In addition to the general rights listed above, residents of California, Colorado, Connecticut, Utah, and Virginia of the United States are entitled to the below privacy rights
· Right to know and right to request access to your personal information
Residents of California, Colorado, Connecticut, Utah, or Virginia may request information about the categories and specific pieces of personal information we have collected about you, as well as the categories of sources from which such information is collected, the purpose for collecting such information and the sale, sharing, or disclosure for business purposes of your personal information to third parties.
· Right to data portability
If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you may have the right to receive the personal data that you have given us in a structured, commonly used, and machine-readable format.
· Right to opt out of a sale or sharing and targeted advertising
If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you may have the right to opt-out of the sale or sharing of your personal information to third parties.
· Right to limit the use and disclosure of your sensitive personal information
Residents of California have the right to limit the use and disclosure of their sensitive personal information if we use such information to infer characteristics about you.
· Right to opt in to the collection and use of sensitive personal information
If you are a resident of Colorado, Connecticut, or Virginia, you may have the right to opt-in to the processing of your sensitive personal information.
· Right to opt-out of profiling using automated decision-making technology
If you are a resident of California, Colorado, Connecticut, or Virginia, you may have the right not to be subject to a decision solely based on profiling, except under certain exceptions under local law.
· Right to not be discriminated against for exercising any of these rights.
California’s “Shine the Light” Law. Additionally, California permits users who are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please contact us using the contact information provided below and put “Shine the Light” in the subject line of your request.
Nevada Residents. Residents of the State of Nevada have the right to opt out of the sale of certain pieces of their information to third parties.
We do not sell your personal information under the definition of the California Consumer Privacy Act.
Do Not Track and Opt-Out Preference Signals
The “Do Not Track” (“DNT”) privacy preference is an option that may be made available in some web browsers allowing you to opt-out of tracking by websites and online services. At this time, global standard DNT technology is not yet finalized and not all browsers support DNT. We therefore do not recognize DNT signals and do not respond to them. We currently do not recognize opt-out preference signals, such as the Global Privacy Control (available here), as a request to opt-out of the sale or sharing of your personal information.
For Users in Thailand:
If you are a user in Thailand, please contact our representative and Data Protection Officer via the contact information provided below:
Representative& Data Protection Officer
Contact person/department: Huilong Cai/ Data Security
Address: Room 1901, 19/F, Lee Garden One, 33 Hysan Avenue, Causeway Bay
Email: privacy_youku@service.alibaba.com
For Users in the Philippines:
In addition to the general rights listed above, citizens or residents of Philippines are entitled to the below privacy rights.
· Right to compensation
You may claim compensation if you believe you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data or for violations of your rights as a data subject.
For Users in Vietnam:
In addition to the general rights listed above, users in Vietnam are entitled to the below privacy rights.
· Right to claim damage
You have the right to claim damage when there are violations against regulations on protection of your personal data, unless otherwise agreed by the parties or unless otherwise provided by law.
· Right to self-protection
You have the right to self-protect or request competent agencies and organizations to implement civil right protection methods according to regulations in the local law.