DingTalk Privacy Policy-EN

DINGTALK PRIVACY POLICY

Last updated: September 2, 2025

INTRODUCTION

This Privacy Policy contains important information as it sets out how DingTalk (Singapore) Private Limited (hereinafter referred to as “DingTalk ”, “we” or “us”) process the Personal Data of visitors and users, including employees/members of customers and other third parties (hereinafter referred to as “you”), of DingTalk products and services, including DingTalk App, DingTalk official website (www.dingtalk.com), DingTalk Open Platform (open.DingTalk.com), and DingTalk smart device or DingTalk features / services integrated within such smart device (hereinafter collectively referred to as “DingTalk Services”).

This Privacy Policy apply only when you are a “DingTalk User”, which means you register and use the service with a mobile phone number that has an international dialing code OTHER THAN +86 (“non-Mainland China mobile number”) or with an email account. If you register using a mobile phone number with the international dialing code +86 (“Mainland China mobile number”), then you are considered a “DingDing User” and the corresponding services you used will be deemed to be provided by DingDing. If you are considered a DingDing User, these Terms do not apply to you, you may refer to the DingDing Privacy Policy and DingDing Service Agreement for further information.

We attach great importance to the protection of your privacy and Personal Data. This privacy policy explains to you how we collect, use, save, share, transfer, or otherwise process your Personal Data when you, or in the case of business users, any individuals acting on your behalf,use DingTalk Servces.

We may from time-to-time revise or add specific instructions, policies, and terms to this Privacy Policy. Whenever we make any changes to this Privacy Policy that are important for you to know about, we will notify you by posting the amended Policy on our official website or on “Settings and Privacy-About DingTalk-Privacy” page of DingTalk, or other means.

Please note that depending on the country or region where you are from, certain specific terms of the country / region may apply to you and form an integral part of this Privacy Policy.

Please read this Privacy Policy carefully. If you have any questions about this Privacy Policy, please send an email to dt_privacy@service.dingtalk.com or contact us through our Customer Service.

1、 COLLECTION AND USE OF YOUR PERSONAL DATA

The types of information we collect depend on how you use DingTalk Services. DingTalk Services have optional features which, if used by you, require us to collect optional information to provide such features. You will be notified of such a collection, as appropriate. If you choose not to provide the information needed to use a feature, you will be unable to use the feature.

We collect and use your Personal Data for the following reasons / purposes / features:

· Register DingTalk.

○ Create User Account. You must provide your cell phone number or email address, and verification code, to create a user account of DingTalk Services. If you do not provide us with such information, you will not be able to create an account to use DingTalk Services.

○ Add Profile Information. You may add other optional information to your user account, such as Profile Picture, Nickname, Email Adress, Cell Phone Number, Work Experience, Education Experience, Verification, DingTalk ID, Gender, Birthday, Area.

· Add Contact.

You must provide certain Personal Data to Add Contacts. Depending on the way you choose to Add Contact, you may:

○ Add by providing cell phone number, email address or DingTalk ID of contacts;

○ Add by scanning QR Code, accessing your camera and / or photo gallery;

○ Add by provide contacts information in your on-device contact list.

· Chat.

○ Send Messages in Chats or Groups. You must provide the content of messages sent by you (including text, voice, files, geolocation, etc.) and the user's sending log (including the sending time, the sender, the receiver, etc.)

○ Audio / Video Calls, Conferences, Live Streaming. The information generated or processed by us as part of the Service are as follows: communication log (user nickname in meeting, user ID, meeting start and end time, meeting subject, meeting link), network status data (WiFi network quality). If you choose to use the Cloud Recording feature, we will store the corresponding recording files and the transcripts of the contents by Flash Minutes. The meeting host will be the owner of corresponding files, and she or he can choose to share the recording files with participants or other relevant personnel.

· Calendar.

If you use the Calendar feature, create a schedule, subscribe to schedule information, or sync the calendar on DingTalk Services to your device's local calendar, you need to provide your schedule information to us.

You may also authorize us to access your device's local calendar to display schedules from the local calendar in DingTalk Services. If you do not provide such authorization to us, we would not be able to display schedules from the local calendar in DingTalk Services, but that will not affect your ability to use other features relevant to Calendar.

If you create (or create on behalf of a specific organization/institution/enterprise) a DingTalk organization (the “Organization”) or join an Organization created by others in DingTalk Services, you will become an organization user (the “Organization User”). You understand that, the creator of the Organization, are the data controller (the “Controller”) of Personal Data processed for the Organization, and we, as data processor (the “Processor”), being entrusted by the Controller to process your Personal Data on Controller’s behalf. As for reasons / purposes / features for the Organization, we may only collect and use such Personal Data according to Controller’s designations and instructions:

· Create Organization.

○ Create Organization. To Create Organization, you must provide us with the Organization’s name, region, industry, size of the staff, and occupation of the founding member within the Organization.

○ Invite Member. You must provide certain Personal Data to invite members to the Organization. Depending on the way you choose to invite members, you may need to provide different Personal Data. If you invite members to join by copying links, sharing QR codes or team numbers, you do not need the Personal Data of the invitees. If you add members by entering cell phone number or email address, you need to enter or import the invitee's cell phone number or email address, and the invitee will receive a text message or email sent by us, and the invitee can join the Organization after agreeing.

○ Contact List Management. If you use the Contact List Management feature to set up the structure of the Organization, (e.g., dividing the Organization into departments at different levels, setting up different roles for each department, assigning departments and setting up roles for members joining the Organization), you need to provide us with identity information of relevant employees, specific fields of which may be set up by the administrator of the Organization (typical fields may include employee ID, name, cell phone number, department, occupation, employee number, whether supervisor or not, direct supervisor, User ID, email address, extension number, office location, notes, onboarding date, activation status, Organization, login name, initial password, activation date, role).

○ Organization Verification. If you want to obtain Organization Verification, you need to submit necessary materials to certify the Organization, that includes the Organization's office address, the company's certificate of incorporation, and the applicant's email address.

· Collaboration.

○ Docs. If you use the Docs feature including logs, Word, Excel, whiteboards, brain maps, and other online documentation services, you need to provide us with document contents, as well as logs of editing, modification, deleting and other operations.

○ Wikis. If you use the Wikis feature to summarize similar documents into the same Wikis for easier access and management, you need to provide us with Wikis entries’ contents, as well as logs of editing, modification, deleting and other operations.

○ Teambition. If you use the Teambition feature to create tasks and designate tasks to certain users, you need to provide us with projects, tasks under projects, and logs of editing, modification, deleting and other operations.

○ Mail. If you use the Mail feature to allow Organization to purchase and use email address with company domain name as the suffix and assign email address to the Organization’s employees, you need to provide us with email addresses and contents of incoming and outgoing emails.

○ CorpPedia. If you use the CorpPedia feature to allow Organizations to set up internal terms and explanations, enabling members to see the meaning of the terms by hitting the phrase in Chat and Group, you need to provide us with contents of CorpPedia entries.

○ Drive. If you use the Drive feature to create documents and save files received in Chat and Group, you need to provide us with contents saved to the Drive.

· Human Resource Management.

○ HRM Service. If you use the HRM Service feature to manage employees’ onboarding, transfer, resignment, etc., you need to provide us with Personal Data including employee's name, occupation, contact information, specific fields of which may be set up by the administrator of the Organization.

○ Attendance. If you use the Attendance feature including geographic location attendance, face attendance, etc., you need to provide us with certain Personal Data based on attendance method. If you take attendance by face recognition, you need to provide us with face recognition information. If you take attendance by geolocation, you need to provide us with location data. When you click "Clock In", we collect your location information at that specific moment. If you stop using the "Clock In" feature, we will no longer collect your geolocation data. Please note that we do not continuously track or collect your movement or trajectory information If you take attendance by WiFi information, you need to provide us with WiFi (approximate city location).

○ Performance. If you use the Performance feature to set performance goals and assess the status of completion, you need to at least provide us with OKR and performance results of relevant employees.

○ Salary. If you use the Salary feature to manage determination, adjustment and payment of salaries, you need to provide us with compensation information of relevant employees.

○ Recruitment. If you use the Recruitment feature to manage the recruit process, you need to provide us with resume information of candidates.

○ Training. If you use the Training feature, you need to at least provide us with course contents, study records and test records.

· Business Process.

○ OA Approval. If you use the OA Approval feature to manage the internal approving process, you need to provide us with contents uploaded during the approving process.

○ YIDA. If you use the YIDA feature to set up personalized approving process for the Organization, you need to provide us with contents uploaded during the approving process.

· Group.

○ General Group. If you use the Group feature to create a General Group, you must provide us with documents, multimedia, conversations, and other relevant messaging information that you upload, enter, post, transmit, and share in the collaboration function of the Group.

A General Group created by you is owned by yourself, you may add any Contact as members of the Group, the status of a Group member in any Organization will not affect her / his status as a Group member.

○ External Group. If you use the Group feature to create an External Group for external collaboration of employees of the Organization with external partners, you understand that the Organization is the controller of the following Personal Data, and we are acting on behalf of the Organization to process the following Personal Data: documents, multimedia, conversations, and other relevant messaging information that you upload, enter, post, transmit and share in collaboration function of the Group.

An External Group created for an Organization is owned by the Organization, owner of the group may add members from both inside and outside the Organization. If a Group member resign from her / his current Organization, she / he will automatically leave the Group.

○ Internal Group. If you use the Group feature to create an Internal Group used for internal communication and collaboration purposes within the Organization, you understand that the Organization is the controller of the following Personal Dataand we are acting on behalf of the Organization to process the following Personal Data: documents, multimedia, conversations, and other relevant messaging information that you upload, enter, post, transmit and share in collaboration function of the Group.

An Internal Group created for an Organization is owned by the Organization, owner of the group may only add members from inside the Organization. If a Group member resign from her / his current Organization, she / he will automatically leave the Group.

· Open Platform.

○ Organization Self-Built Application Service. Organizations may use the data interfaces and development documents provided by us to develop your own applications and use them within the Organization of DingTalk Services. Personal Data collected and used by such self-built applications is determined by the developers according to functions and features of the applications.

○ Third-Party Services from SaaS Application and Mini-program Market. Third-party vendors may also utilize our interfaces, specifications, etc., to develop third-party applications, Organizations may search, integrate and use those third-party services from the SaaS application and Mini-program market. If you use such third-party services, please pay attention to the privacy policy and other statements provided by the specific third parties.

· Other circumstances which benefit the users and us, and do not violate any applicable laws and regulations or other purposes with your consent.

Cookies. The DingTalk Services uses cookies or similar technologies, which will collect information about your use of the service, such as the application used, the site visited, and how to interact with the content provided through the service. Please check the “COOKIES AND SIMILAR TECHNOLOGIES” section for further details.

Permissions of Operation Systems. To ensure the realization of the functions and safe and stable operation of DingTalk Services, we may apply for or use the relevant permissions of the operating system. Your operation system will grant permission before DingTalk applies and uses any of the permissions, and you can manage the relevant permissions according to your actual needs. Per the upgrading of the products, the types and purposes of the application and use of permissions may change, and we will adjust the list according to these changes to ensure that you are promptly informed of the application and use of permissions. Please note that we may also use third-party SDKs, third-party services, etc., for the functionality and security needs of our business and products, and these third parties may also apply for or use related operating system permissions.

It may be that providing certain Personal Data to us is a statutory or contractual requirement, a requirement necessary to enter a contract, or that you are otherwise obliged to provide the data to us. If that is the case, we will inform you of this separately and explain the possible consequences if you fail to provide such Personal Data to us. In all other cases, the provision of the requested Personal Data is optional, but it may affect your ability to use certain services or to participate in certain programs or systems where the information is needed for those purposes.

2、 SHARING, TRANSFERRING AND DISCLOSING INFORMATION

Other than consented by you, we commit that we will not share or sell your Personal Data to any third party. Depending on where you are and which product you asked for, we may share your Personal Data with our affiliates so that we can respond to your request, provide DingTalk Services, or for general purposes. You can obtain the identity and contact details of our affiliates with whom we share your Personal Data by contacting us using the details set out below in the “CONTACT US” section.

We will not share, transfer, or disclose your Personal Data to any non-affiliated third parties, unless:

Legal Reasons

We will share Personal Data if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process/procedure, lawsuit, or enforceable governmental request.

External Processing

To provide you with a better experience through improving the DingTalk Services or otherwise where you have consented, we may share the Personal Data with third-party service providers (in particular, site hosting, backend service provider, analytics service providers), contractors and agents, and use it consistent with this Privacy Policy.

Please note that to ensure the stable operation and functional realization of DingTalk services, we may share your Personal Data with the following third parties:

Names or the Categories of the Third Party

Shared Information

Purpose of Sharing

Mini-program, SaaS applications

(applied and used by users / business Organizations)

Subject to what the page displays for authorization (e.g., icon, nickname, phone number)

To provide and access to third-party services

Third-party SDKs

Depends on specific SDKs

To ensure the stable operation and function realization of DingTalk Services so that users can use more services and functions

Business Transfers

If DingTalk is involved in a reorganization, merger, acquisition, sales of assets or liquidation, we will continue to ensure the confidentiality of your Personal Data and give affected users notice Personal Data is transferred or become subject to a different Privacy Policy in advance.

Interoperability With DingDing

DingTalk is interoperable with DingDing, such that you are able to communicate with DingDing users. You may also be able to use certain features operated by DingDing, in accordance with the applicable terms. When you interact with a DingDing user (or vice versa), or use or receive notifications or invitations from any feature operated by DingDing (together “Interoperable Interaction”), we will share your information with DingDing to the extent necessary to facilitate the Interoperable Interaction. Your Interoperable Interactions will also be subject to the DingDing Privacy Policy and DingDing Service Agreement.

3、 MANAGING, REVIEWING, OR UPDATING YOUR PERSONAL DATA

When using the DingTalk Services, you can always manage, review, and update your Personal Data via “Settings and Privacy-About DingTalk-Privacy” or connect with us via: dt_privacy@service.dingtalk.com . In the meantime, you are responsible for the truthfulness, accuracy, legality, validity, and completeness of the information you provide, and update and maintain your Personal Data in a timely manner to ensure the truthfulness, accuracy, and validity of the Personal Data you provide.

4、 EXPORTING, REMOVING, OR DELETING YOUR PERSONAL DATA

You can export a copy of the Personal Data you provided to us if you want to back it up or use it with a service outside of DingTalk Services via “Settings and Privacy-Personal Information Inquiry & Download” or by sending your request to dt_privacy@service.dingtalk.com. We will help you export your Personal Data based on applicable law and your specific request. You can also remove or delete the Personal Data you provided. If there is any content you cannot remove or delete, please reach us via dt_privacy@service.dingtalk.com. In some cases, we retain data for limited periods when it needs to be kept for legitimate business or legal purposes or to be protected from accidental or malicious deletion. Please understand there may be delays between when you delete something and when copies are deleted from our active and backup systems.

5、 TERMINATION OF YOUR ACCOUNT

You can terminate your DingTalk account, and the termination approaches are as follows:

Organization User

When your Administrator determines to terminate the service of your Organization with us, we will anonymize or delete any Organization-controlled data related to you and keep your DingTalk account as an Individual User. Otherwise, should you decide to terminate your DingTalk account as an Individual User, we will anonymize or delete your Personal Data pursuant to applicable laws and regulations, or if this is not possible, then we will securely store your Personal Data and isolate it from any further processing until deletion is possible. If you are an Administrator, you can log in to the latest version of the DingTalk App via “Me-Settings-My Organization” then choose the Organization you wish to terminate and select “more-Disband Organization” to terminate the DingTalk account for your Organization.

Individual User

If you are an Individual User, you can log in to the latest version of the DingTalk App via “Me-Settings-Security Center-Account settings–Delete DingTalk Account” to terminate your personal DingTalk account. You can also log in to the DingTalk App via “Customer Service-DingTalk AID” to help you apply for account termination.

Please note that after you have terminated your DingTalk account, we will stop providing you with DingTalk Services, delete your Personal Data according to the requirements of applicable laws, or make it anonymous.

Please carefully consider the impact before you terminate your account.

6、 COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and other technologies to collect information and store your online preferences.

Cookies

A cookie is a very small text document, which often includes an anonymous unique identifier. Cookies are created when your browser loads a particular website. The website sends information to the browser, which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website's server.

Please note that refusing cookies does not mean you will no longer receive online advertising. It does mean that the company or companies from which you opted out will no longer deliver adverts tailored to your web preferences and usage patterns, so you may see a greater number of adverts that are irrelevant to you and your preferences.

Local Storage Technology

We and some third parties may use other local storage technology types associated with DingTalk Services, such as local shared objects (also known as “Flash cookies”) and HTML5 local storage. These techniques are similar to the cookies described above because they are stored in your device and can be used to store certain information about your activities and preferences. However, the devices used by these technologies may differ from standard cookies, so you may not be able to use standard browser tools and settings to control them.

By accessing and using DingTalk Services, you agree to store cookies, other local storage technologies, beacons, and other information on your device. In addition, you also agree that we and these third parties access such cookies, local storage technology, beacons, and information. You may refer to our “Cookie Policy” for further details.

7、 PROTECTING INFORMATION

Security Measures

The security and confidentiality of your Personal Data are very important to us. We have implemented commercially reasonable technical and organizational safeguards in line with industry standards to appropriately protect your Personal Data against accidental, unauthorized, or unlawful access, use, loss, destruction, or damage.

The measures that we utilize are administrative (such as formulate and publish data protection policies, appoint a dedicated data protection team, conduct security and privacy training for employees, and regularly perform data security audits.) and technical (such as SSL encryption, Https protocol, access management, and firewalls), and physical (such as locks and video surveillance).

Please understand no data transmission over the Internet or any wireless network can be guaranteed to be perfectly secure. As a result, while we use appropriate technical and Organizational measures to protect the information we hold for you, we cannot guarantee the security of any information we collect or transmit over the Internet.

For privacy protection reasons, we kindly request you do not disclose certain Personal Data, such as passwords, credit card numbers, or other confidential data during your use of DingTalk Services. Our commitment to safeguarding your privacy is unwavering, but the security of Personal Data also relies on safe user practices.

Data Transfers

Our servers are located in Singapore. As DingTalk is a global platform, your Personal Data may be processed on our servers located outside of the country where you live to bring you DingTalk Services globally and continuously. International data transfer is necessary for us to provide DingTalk Services and fulfill our contractual obligations to you related to DingTalk Services. Regardless of where your Personal Data is processed, we apply the same protections described in this Privacy Policy. We will also keep this Privacy Policy in compliance with significant legal frameworks relating to the transfer of data. If we receive your complaints about data transfers, we will cooperate with appropriate regulatory authorities when we cannot directly resolve them. Some of our recipients of your Personal Data are located in countries that may not – by law – provide the same level of data protection as you are used to in certain countries. If that is the case, we will ensure that adequate safeguards are in place to duly protect your Personal Data, and we guarantee that we are able to and have mechanisms (including standard contractual clause) in place to respect the level of data protection required by applicable data protection laws and that we shall refrain from processing Personal Data in the event of a breach of the concluded safeguarding measures or if we (or our recipients) are no longer able to honor them.

8、 CHILDREN’S POLICY

We do not knowingly collect or solicit Personal Data from minors under 16 or the minimum age required in your country to consent to use DingTalk Services. If you are a minor under the minimum age required in your country, you must obtain prior consent from your parents / legal guardians before using DingTalk Services. If we are aware that a minor has provided us with Personal Data without prior consent, we will delete such information from our servers. If you have reason to believe that a minor has provided Personal Data to us, please contact us via dt_privacy@service.dingtalk.com .

9、 APPLICATION

This Privacy Policy applies to all DingTalk Services.To better enrich your experience, DingTalk Services may also contain links to other websites or services not operated or controlled by us (including our affiliates), which may include payment services. You can choose whether to access such content or links or whether to use the third party’s products or services.

However, we do not have control over the products or services provided by third parties. We cannot control any of your Personal Data held by third parties. By providing these links, we do not imply that we endorse or have reviewed these third-party services. The Personal Data protection issues in connection with your use of any third-party services are not governed by this Privacy Policy. We strongly advise you to review the privacy policy of every site of the products or services provided by third parties.

If provisions from this Privacy Policy are in conflict with the law, they will be replaced by provisions of the same purport that reflect the original intention of the provision, all this to the extent legally permissible. In that case, the remaining provisions remain unchanged and applicable.

10、 YOUR RIGHTS RELATING TO YOUR PERSONAL DATA

You are entitled to the following rights:

a) right of access to your Personal Data;

b) right to data portability;

c) right to correction if your Personal Data is not complete or accurate (you are responsible for the truthfulness, accuracy, legality, validity, and completeness of the information you provide, and update and maintain your Personal Data in a timely manner to ensure the truthfulness, accuracy, and validity of the information). If we agree to correct your personal information, we will take reasonable steps to inform any third parties to whom we have disclosed the relevant personal information, so that they can also correct such information.

d) right to deletion or restriction of your Personal Data, as permitted by law (in some cases, we retain data for limited periods when it needs to be kept for legitimate business or legal purposes or to be protected from accidental or malicious deletion, and there may be delays between when you delete something and when copies are deleted from our active and backup systems);

e) right to object (i.e., objecting to our processing of your Personal Data) (e.g., in case we process your data for direct marketing purposes), as permitted by law;

f) right to withdraw your consent where we had asked for your consent at any time with future effect and without affecting the lawfulness of processing of your Personal Data based on the consent you provided before you withdrew it；

g) right to terminate your DingTalk account, where the termination approach depends on the type of your DingTalk account. After termination, we will stop providing you with DingTalk Services, delete your Personal Data according to the requirements of applicable laws, or make it anonymous.

Where we have asked for your consent, you may at any time withdraw your consent with future effect and without affecting the lawfulness of processing of your Personal Data based on the consent you provided before you withdraw it. You may withdraw your consent via “Settings and Privacy”.

The exercise of the abovementioned rights is free of charge and can be carried out by contacting us through “DingTalk Customer Service” or by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular, because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request.We may request specific information from you to help us confirm your identity before we comply with a request from you concerning one of your rights.

We will provide you with information about the follow-up to the request without undue delay and, in principle, within one month of receipt of the request. Depending on the complexity of the request and the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. The applicable privacy legislation may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Please understand these rights are not absolute, and they may be limited in some situations. For example, if we can demonstrate that we have a legal requirement to process your data, if making the information available to you would reveal Personal Data about another person, or if we are legally prevented from disclosing such information. In some instances, this may mean that we are able to retain data even if you withdraw your consent.

We hope that we can satisfy any queries you may have about the way we process your data. In the event you still have unresolved concerns, you also have the right to lodge a complaint with a supervisory authority, in particular to the data protection authority in the country of your habitual residence or place of work.

11、 MARKETING

We may send you marketing and promotional materials. If we are legally required to do so, we will seek your prior consent before providing you with promotional materials or information. You may withdraw your consent at any time (this will not affect the processing of your Personal Data undertaken until the withdrawal). If you want to stop receiving promotional materials, etc., you can do so at any time by communicating with us.

12、 DATA RETENTION

We will retain your Personal Data for as long as is necessary to carry out the purposes set out herein. We will also retain your Personal Data deemed necessary to comply with legal obligations, settle disputes, and enforce agreements. The specific retention period will be determined based on the following criteria:

The period necessary to fulfill the purpose of the transaction-related services and to maintain the corresponding transaction and business records, which are required to respond to your inquiries or complaints.
The period necessary to ensure the safety and quality of the services we provide to you.
The existence of a legal or regulatory requirement to retain the data for a specific period of time.
Whether you have agreed to a longer retention period.
The need to resolve disputes and enforce agreements.

Where applicable, we will delete your Personal Data upon your request, unless we are legally obligated to retain it. We reserve the right to delete your Personal Data without notice. In such cases, we are not liable for any compensation as a result of the deletion of your Personal Data.

If you want further information about the retention periods applied to your Personal Data, you may contact us at dt_privacy@service.dingtalk.com.

13、 PRIVACY POLICY UPDATES

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update the Privacy Policy, we will take appropriate measures to inform you (such as by system message, publicize the amended Privacy Policy at “Settings and Privacy-About DingTalk-Privacy”, or other means) and may obtain your consent, consistent with the significance of the changes we make and as required by applicable law. You may visit the latest Privacy Policy via “Settings and Privacy-About DingTalk-Privacy”.

14、 CONTACT US

The data controller for your Personal Data will be DingTalk (Singapore) Private Limited.

If you have questions about this privacy notice or wish to contact us for any reason in relation to our Personal Data processing, please contact us via “DingTalk App-Me-Help-Customer Services-DingTalk AID” or at dt_privacy@service.dingtalk.com .

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

ANNEX I. SPECIFIC TERMS FOR THE EUROPEAN ECONOMIC AREA

If you are a DingTalk user located in the European Economic Area (“EEA”), the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede.

1. LEGAL BASIS OF GDPR FOR PROCESSING YOUR PERSONAL DATA

We process your Personal Data for the following purposes and based on the following legal grounds:

· On the basis of our legitimate interests for example when required by us to conduct our business, in particular:

○ use your information to identify you and provide you with a consistent service experience throughout DingTalk Services;

○ use your information to respond to any comments or complaints you may send us;

○ use your information to help us maintain, improve and optimize DingTalk Services;

○ use data to provide personalized display services;

○ use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and

○ notify you about changes to DingTalk Services, where applicable.

· On the basis of your consent:

○ providing you with information relating to DingTalk Services or promotional materials that may be of interest to you, or other communications;

○ place cookies and use similar technologies in accordance with the “COOKIES AND SIMILAR TECHNOLOGIES” section of the Privacy Policy and the information provided to you when those technologies are used; and

○ on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

· As this might be necessary for compliance with a legal obligation that is applicable to us, such as:

○ in response to requests by government or law enforcement authorities conducting an investigation, or to comply with the requirements imposed by applicable law or any court order.

Aggregated Personal Data refers to data that has been carefully de-identified and anonymized to ensure that it cannot be linked back to any specific individual. We may aggregate Personal Data or collect aggregated data from our users, which is essential for enhancing the functionality and performance of DingTalk Services. This enables us to analyze user behavior, improve features, develop new products and services, conduct research, and other similar purposes. We use this data to gain insights into overall usage patterns and trends, helping us make data-driven decisions to enhance the user experience. In some cases, we may also choose to share or publish this aggregated data.

In addition, from time to time, we may share or publish aggregated data like general user statistics with third parties. We collect this data through DingTalk Services, through cookies, and through other means described in this Privacy Policy. We will maintain and use de-identified data in anonymous or de-identified form, and we will not attempt to re-identify the data, unless required by law.

We are committed to adhering to relevant privacy and data protection regulations and our Privacy Policy in all our data aggregation activities. If you have any questions or concerns regarding data aggregation, please read our full Privacy Policy for more details on how we handle and safeguard your Personal Data. Your privacy and security are our top priorities.

2. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA

In situations where we transfer your Personal Data outside the EEA to a third country which may not be subject to an adequacy decision by the EU Commission (GDPR Art. 45) or considered adequate as determined by applicable data protection laws, we will take steps to ensure that your Personal Data continues to receive a standard of protection that is at least comparable to that provided under the applicable laws by using the European Commission-approved Standard Contractual Clauses (GDPR Art. 46), a vendor’s Processor Binding Corporate Rules (GDPR Art. 47) or by relying on other data transfer mechanisms available under applicable data protection laws, and further (organisational / contractual / technical) supplementary measures necessary to ensure the effectiveness of the transfer mechanisms.

A copy of the relevant mechanism can be obtained for your review on request via the contact details displayed in the “CONTACT INFORMATION” section of this Annex.

3. CONTACT INFORMATION

If you have any questions about this Privacy Notice or would like to contact us for any reason related to our processing of personal data, please reach out to our Data Protection Officer:

By email: dt_privacy@service.dingtalk.com;
By phone: 400-111-6555;
By mail: 51 Bras Basah Road #03-06, Lazada One; Singapore 18955 Singapore [Attention: Data Protection Officer DingTalk].

We have appointed Alibaba (Netherlands) B.V. as our representative in the EU. You may contact them by sending email to: dingtalk.legalcounsel@service.dingtalk.com.

ANNEX II. SPECIFIC TERMS FOR CALIFORNIA PRIVACY DISCLOSURES

If you are a California resident, the following additional privacy disclosures under the California Consumer Privacy Act of 2018 (“CCPA”) and other California laws may be applicable to you and allow you to exercise your rights regarding your Personal Data. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede.

1. INTRODUCTION

If the CCPA is applicable, you have the right to know and understand how we collect, use, disclose, and share your Personal Data, to access your information, to request that we delete specific information, to exercise your rights to opt-out, and also not be discriminated against when exercising your privacy rights granted under the CCPA.

2. CATEGORIES OF INFORMATION WE MAY COLLECT

We or the Organization collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly, or indirectly, with a particular consumer, household, or device (“Personal Data”). We or the Organization may have collected the following categories of Personal Data from users within the last twelve (12) months:

A. Identifiers, specifically include: DingTalk ID, email address.

B. Personal Data categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), specifically include: name, cell phone number.

C. Protected classification characteristics under California or federal law, specifically include: Gender, Birthday.

D. Internet or other electronic network activity information, such as the usage data we receive when you access or use DingTalk Services, specifically include: logs of audio and video communications relevant to Chat.

E. Sensory data, specifically includes: content of audio and video communications.

F. Professional or employment-related information, specifically includes: Work Experience, identity information of relevant employees (typical fields may include department, occupation, employee number, whether supervisor or not, direct supervisor, onboarding date, Organization), OKR and performance results of employees, resume information of candidates.

G. Inferences that can be drawn from any of the above categories, including your preferences and characteristics.

We obtain the categories of Personal Data listed above from the following categories of sources:

· Information and data directly provided by you on DingTalk Services.

· Information and data indirectly from you through DingTalk Services.

Personal Data does not include:

· Publicly available information from government records.

· Deidentified or aggregated consumer information.

· Information excluded from the CCPA’s scope, like health or medical information covered by the Health Insurance Portability and Accountability Act (“HIPAA”), clinical trial data, or other qualifying research data; and Personal Data covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) and the Driver’s Privacy Protection Act (“DPPA”).

To better understand how we collect your information, please review the general terms of the Privacy Policy.

3. PERSONAL DATA WE MAY USE OR DISCLOSE

We may use, disclose, or sell (if authorized) the Personal Data we collect for one or more of the following business purposes:

· To provide you with DingTalk Services or otherwise fulfil or meet the reason for which you provided the information.

· To provide you with support and to respond to your inquiries, including investigating user-reported issues and addressing your concerns.

· To provide, support, personalize, improve, analyze, and develop DingTalk Services for user experience and operational stability.

· To personalize user experience and to deliver content and products and service offerings relevant to your interests.

· To notify you about changes to our services or this policy, where applicable.

· To carry out our obligations and enforce our rights arising from any contracts entered into between you and us.

· To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

· To help maintain the safety, security, and integrity of DingTalk Services, our databases and other technology assets, and business.

· To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our users is among the assets transferred.

· As described to you when collecting your Personal Data or as otherwise set forth in the CCPA.

To better understand how we use and disclose your information, please review the general terms of the Privacy Policy presented above.

4. PERSONAL DATA THAT WE MAY SHARE

We may share your Personal Data by disclosing it to third parties for business purposes. We only make these business purpose disclosures under written contracts that describe the specific business purposes, require the recipient to keep the Personal Data confidential, and prohibit using the disclosed information for any purpose except performing the obligations under the contract.

As stated in the general terms of the Privacy Policy, we do not sell your Personal Data unless we obtain your consent. We do not knowingly collect Personal Data from individuals under age 16; and therefore, our Personal Data sales do not include information about individuals we know are under age 16.

In the preceding twelve (12) months, DingTalk has shared the following categories of Personal Data to the following categories of third parties:

Personal Data Category	Category of Third-Party Recipients	Sales
Personal Data Category	Business Purpose Disclosures	Sales
Subject to what the page displays for authorization (e.g., icon, nickname, phone number)	Mini-program, SaaS applications (applied and used by users / business Organizations)	N/A
Depends on specific SDKs	Third-party SDKs	N/A

To better understand how we share your information, please review the general terms of the Privacy Policy presented above.

5. YOUR RIGHTS AND CHOICES

Right to Know and Data Portability

The CCPA provides California residents specific rights to know about our collection and use of their Personal Data over the past twelve (12) months (the “right to know”). Once we receive your request and confirm your identity, we will disclose to you:

· The categories of Personal Data we collected about you.

· The categories of sources for the Personal Data we collected about you.

· Our business or commercial purpose for collecting or selling (if applicable) that Personal Data.

· The categories of third parties with whom we share that Personal Data.

· If we sold or disclosed (if applicable) your Personal Data for a business purpose, we will provide two separate lists that:

○ identify the Personal Data categories that each category of recipient purchased in connection with sales of your Personal Data; and

○ identify the Personal Data categories that each category of recipient obtained in connection with disclosures of your Personal Data for a business purpose.

· The specific pieces of Personal Data we collected about you (also called a data portability request).

Right to Delete

The CCPA provides California residents specific rights to delete their Personal Data that we collected from them and retained, subject to certain exceptions (the “right to delete”). We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

· Provide the service that you requested from DingTalk Services, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.

· Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

· Debug DingTalk Services to identify and repair errors that impair existing intended functionality.

· Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

· Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).

· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.

· Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

· Comply with a legal obligation.

Once we receive your request and confirm your identity, we will delete or de-identify Personal Data and direct our service providers to take similar action unless subject to one of these exceptions above.

How to Exercise the Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request via the contact details displayed in the “CONTACT US” section.

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your Personal Data.

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative, which may include: your identification information, a signed permission authorizing the representative to submit the request on your behalf, and any other information permitted or recommended by the CCPA and applicable regulations.

· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.

We will only use Personal Data provided in the request to verify the requestor's identity or authority to make the request.

Response Timing and Format regarding Requests to Know or Delete

We will confirm receipt of your request within fifteen (15) business days. If you do not receive confirmation within the fifteen (15) business days timeframe, please contact us via the contact details displayed in the “CONTACT US” section.

We endeavour to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. We may deliver our written response by email.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded, or as otherwise permitted by the CCPA. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Data Sales Opt-Out Rights

Under the CCPA, consumers have the right to direct us to not sell their Personal Data at any time (the “right to opt-out”). As stated in the general terms of our Privacy Policy, we do not sell your Personal Data of consumers unless we obtain consent for the sale. Consumers who opt-in to Personal Data sales may opt-out of future sales at any time.

To exercise your right to opt-out provided under CCPA, you (or your authorized representative) may submit a request to us via the contact information provided in the “CONTACT US” section.

We will only use Personal Data provided in an opt-out request to review and comply with the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

· Deny you goods or services.

· Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

· Provide you a different level or quality of goods or services.

· Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Other California Privacy Rights

· Shine the Light Law Disclosure.

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits Users of DingTalk Services that are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please refer to the “CONTACT US” section.

· “Do Not Track” Disclosure.

We do not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal identifiable data about an individual consumer's online activities over time and across third-party websites or online services.

When you use the DingTalk Services, certain third parties may use automatic information collection technologies to collect information about you or your device. The information they collect may be associated with your Personal Data or they may collect information, including Personal Data, about your online activities over time and across different websites and other online services websites. We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

· Eraser Law Disclosure for Minor Users.

If you are a user under the age of 18, California Business and Professions Code Section 22581 allows you to request and obtain removal of content or information you have publicly posted. You can send a request to remove any content or information you posted on DingTalk Services via the contact information provided in the “CONTACT US” section. Please notice that the removal does not ensure the complete or comprehensive removal of your posted content or information in certain circumstances.

ANNEX III. SPECIFIC TERMS FOR HONG KONG SAR

If you are a DingTalk user located in Hong Kong SAR (“Hong Kong”), the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Personal Data (Privacy) Ordinance.

DIRECT MARKETING

DingTalk may use your Personal Data for marketing and promotional purposes, including:

· For sending or showing updates on the latest news, offers, and promotions in connection with DingTalk Services.

· For sending or showing joint marketing offers about DingTalk Services, rewards, privileges programmes, promotional offers and related services, and invitations to events.

DingTalk may also use Personal Data to analyse its customers’ preferences and market trends and derive insights, which DingTalk may use to tailor the types of products and offers that DingTalk presents to you. This may involve DingTalk combining Personal Data that DingTalk holds about your use of DingTalk Services with information that DingTalk has collected about your usage. DingTalk may also combine information that DingTalk has collected about you with information that DingTalk has collected about other customers in order to derive these insights and establish market trends. DingTalk may provide these insights to third party partners for their marketing and promotional purposes.

DingTalk may communicate marketing, promotions, and research invitations to you by email or system message or via online banner advertisement and, as appropriate and where required, DingTalk will ask you for your consent, or otherwise provide you with the opportunity to choose not to receive marketing, at the time DingTalk collects your Personal Data.

You have the right to ask DingTalk not to process your Personal Data for direct marketing purposes. You can exercise this right to prevent such processing by indicating that you do not consent to direct marketing at the point at which DingTalk collects your Personal Data. DingTalk will also provide an option to unsubscribe or opt out of further communication on any direct marketing communication sent to you. You may also opt out by contacting DingTalk with the contact information provided in the “CONTACT US” section.

If you choose to unsubscribe or opt out of marketing communication, DingTalk will still send you communications about any of the services and products that DingTalk provides to you, including administrative updates and account summaries.

ANNEX IV. SPECIFIC TERMS FOR INDONESIA

If you are a DingTalk user located in Indonesia, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Indonesia Personal Data Protection Law (Law No.27 of 2022 concerning Personal Data Protection, the “PDP Law”).

1. AGE, PARENTAL, AND GUARDIAN CONSENT

By using DingTalk Services, you represent that you are at least 21 years of age or married or not under guardianship. If you are below 21 years old and you are not married, or under guardianship:

· You must obtain approval from your parents or legal guardians; and

· Your parents or legal guardians are responsible for

○ all your actions in connection with your use of DingTalk Services;

○ your compliance with this Privacy Policy; and

○ ensuring that your use of DingTalk Services will not, in any event, result in any violation of applicable laws and regulations relating to child protection.

If you do not have consent from your parents or legal guardians, you must cease using the DingTalk Services.

2. YOUR PERSONAL DATA RIGHTS

You have the right to access, update, correct, and request the erasure or disposal of Personal Data stored on DingTalk’s servers from time to time in accordance with applicable data privacy laws and regulations in Indonesia. Please note that by requesting us to erase and dispose of your Personal Data, you may not be able to use some of the features and functionality of DingTalk Services.

You may withdraw your consent to DingTalk’s disclosure of Personal Data to third parties. Upon your request, we will cease to display, publish, transmit, disseminate, and/or open access to your Personal Data to third parties. Please note that by withdrawing your consent to the disclosure and/or collection of your Personal Data, we may not be able to fulfill your requests, and you may not be able to use some of the features and functionality of DingTalk Services.

If you wish to make such requests, please contact us by contact information provided in the “CONTACT US” section.

3. DATA RETENTION

We retain your Personal Data for as long as necessary to provide you with DingTalk Services. When your Personal Data is no longer needed to provide DingTalk Services to you, we retain it only for as long as we have a legitimate business reason to do so. However, there are instances where we may retain this data for an extended duration to comply with legal obligations or where it is essential for the establishment, exercise, or defence of legal claims.

4. DATA BREACH NOTIFICATION

In the event we fail to maintain the confidentiality of your Personal Data, we will notify you through the contact information provided by you or via DingTalk, to the extent required by applicable data privacy laws and regulations in Indonesia.

5. CROSS-BORDER DATA TRANSFER

We may transfer your Personal Data to a controller and/or processor outside the jurisdiction of the Republic of Indonesia per following conditions:

· When the country where the controller of personal data and/or processor of personal data receiving the transfer of personal data has a level of personal data protection that is at least equivalent to that stipulated in the PDP Law;

· When there are adequate and binding personal data protection measures; or

· When we obtain your consent for the transfer.

ANNEX V. SPECIFIC TERMS FOR THAILAND

If you are a DingTalk user located in Thailand, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Thailand Personal Data Protection Act 2019.

1. YOUR PERSONAL DATA RIGHTS

In accordance with the applicable data privacy laws and regulations in Thailand, you have the following rights:

· You may withdraw your consent to the processing of your Personal Data (only when the legal basis for DingTalk’s processing is consent). Please be aware that if consent is required for the processing of your Personal Data, we may not be able to provide the expected service without it.

· You may request access to, correction of, cessation of any automated processing or profiling (if applicable), discontinuation, restriction of the use or provision of, and/or erasure of your Personal Data.

· You may request us to provide your Personal Data, stored by us in a machine-readable format, to you or a third party.

If you wish to make such requests, please contact us by contact information provided in the “CONTACT US” section.

When you make a reasonable request, and when DingTalk cannot waive such request on the basis of a statutory obligation, DingTalk will process your request within no more than 30 days from the date of receipt of such request.

2. TRANSFER YOUR PERSONAL DATA TO A FOREIGN COUNTRY

We may send or transfer your Personal Data to a foreign country or international organization in the following circumstances:

· Where the destination country or international organization that receives such Personal Data have adequate data protection standard, and the transfer is carried out in accordance with the rules for the protection of Personal Data as prescribed by the Personal Data Protection Committee of Thailand;

· Where it is for compliance with the law;

· Where we have obtained your consent;

· Where it is necessary for the performance of a contract to which the you are a party, or in order to take steps at your request prior to entering into a contract;

· Where it is for compliance with a contract between DingTalk and other individuals or juristic persons for your interests;

· Where it is to prevent or suppress a danger to the life, body, or health of you or other individuals, when you are incapable of giving the consent at such time;

· Where it is necessary for carrying out the activities in relation to substantial public interest.

ANNEX VI. SPECIFIC TERMS FOR PHILIPPINES

If you are a DingTalk user located in Philippines, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Philippine Data Privacy Act of 2012.

1. CRITERIA FOR LAWFUL PROCESSING OF PERSONAL DATA

The processing of Personal Data shall be permitted only if not otherwise prohibited by applicable laws, and when at least one of the following conditions exists:

· You have given your consent.

· The processing of Personal Data is necessary and is related to the fulfillment of a contract with you or in order to take steps at the request of you prior to entering into a contract;

· The processing is necessary for compliance with a legal obligation to which we are subject to;

· The processing is necessary to protect your vitally important interests (including life and health);

· The processing is necessary to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of Personal Data for the fulfillment of its mandate; or

· The processing is necessary for the purposes of the legitimate interests of us or a third party or parties to whom the Personal Data is disclosed, except where such interests are overridden by fundamental rights and freedoms of you which require protection under the Philippine Constitution.

2. YOUR RIGHT AS A DATA SUBJECT

You have the right to:

· Be informed, before processing of your Personal Data, whether your Personal Data shall be, are being or have been processed;

· Reasonable access to, upon request, the following

○ contents of your Personal Data that we process;

○ sources from which we collected your Personal Data;

○ names and addresses of recipients of the Personal Data (if any);

○ methods we utilize to process your Personal Data;

○ reasons for the disclosure of the Personal Data to any third parties (if any);

○ information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect you (if any); and

○ date when your Personal Data were last accessed and modified.

· Suspend, withdraw or order the blocking, removal or destruction of your Personal Data, upon discovery and substantial proof that the Personal Data are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected;

· Dispute the inaccuracy or error in the Personal Data and have it corrected, unless the request is vexatious or otherwise unreasonable;

· Obtain a copy of data undergoing processing in an electronic or structured format that is commonly used, but only where your Personal Data is processed by electronic means and in a structured and commonly used format.

If you wish to make requests to exercise your data subject right, please contact us by contact information provided in the “CONTACT US” section.

ANNEX VII. SPECIFIC TERMS FOR MALAYSIA

If you are a DingTalk user located in Malaysia, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Malaysia Personal Data Protection Act 2010.

1. LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

We may process your Personal Data in the following circumstances:

· If you have given your consent to the processing of your Personal Data; or

· If the processing is necessary

○ for the performance of a contract to which the data subject is a party;

○ for the taking of steps at the request of the data subject with a view to entering into a contract;

○ for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

○ in order to protect the vital interests of the data subject;

○ for the administration of justice; or

○ for the exercise of any functions conferred on any person by or under any law.

2. YOUR DATA SUBJECT RIGHTS

You are entitled to:

· Make a data access request in writing to DingTalk, upon payment of a prescribed fee,

○ for information of your Personal Data that is being processed by or on behalf of DingTalk; and

○ to have communicated to you a copy of your Personal Data in an intelligible form.

· Make a data correction request in writing to DingTalk that DingTalk makes the necessary correction to your Personal Data, if your personal data being held by DingTalks is inaccurate, incomplete, misleading or not up-to-date;

· Withdraw your consent to the processing of Personal Data by notice in writing, in respect of which you are the data subject;

· Require DingTalk at any time by notice in writing to DingTalk at the end of such period as is reasonable in the circumstances to

○ cease processing your Personal Data; or

○ not begin the Personal Data processing,

Where

○ the processing is causing or is likely to cause substantial damage or distress to you or another person,

○ and the damage or distress is or would be unwarranted.

· Require DingTalk by notice in writing to a data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing your Personal Data for purposes of direct marketing.

If you wish to make requests to exercise your data subject right, please contact us by contact information provided in the “CONTACT US” section.

3. TRANSFER OF YOUR PERSONAL DATA TO PLACES OUTSIDE MALAYSIA

We may transfer your Personal Data to a place outside Malaysia if

· Such place is specified by Malaysia’s Digital Minister, by notification published in the Gazette;

· You have given your consent to the transfer;

· The transfer is necessary for the performance of a contract between you and DingTalk;

· The transfer is necessary for the conclusion or performance of a contract between DingTalk and a third party which—

○ is entered into at your request; or

○ is in your interests;

· The transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;

· We have reasonable grounds for believing that in all circumstances of the case—

○ the transfer is for the avoidance or mitigation of adverse action against you;

○ it is not practicable to obtain you consent in writing to that transfer; and

○ if it was practicable to obtain such consent, you would have given your consent;

· DingTalk has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of the Malaysia Personal Data Protection Act 2010;

· The transfer is necessary in order to protect your vital interests; or

· The transfer is necessary as being in the public interest in circumstances as determined by Malaysia’s Digital Minister.

ANNEX VIII. SPECIFIC TERMS FOR BRAZIL

If you are a DingTalk User located in Brazil, the following Terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these Terms and the general terms of the Privacy Policy, these terms shall supersede.

These Terms applies to all Users located in Brazil (Users are referred to below, simply as “you”, “your”, “yours”), according to the Lei Geral de Proteção de Dados (the “LGPD”), and for these Terms, the term “Personal Data” is used as it is defined in the LGPD.

1. LEGAL BASIS OF LGPD FOR PROCESSING YOUR PERSONAL DATA

We can process your Personal Data solely if we have a legal basis for such processing. Legal bases are as follows:

· With your consent;

· For compliance with a legal or regulatory obligation by us;

· By the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments;

· For carrying out studies by research entities, ensuring, whenever possible, the anonymization of Personal Data;

· When necessary for the execution of a contract or preliminary procedures related to a contract of which you are a party, at the request of the data subject;

· For the regular exercise of rights in judicial, administrative or arbitration procedures;

· For the protection of life or physical safety of you or a third party;

· To protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities;

· When necessary to fulfill the legitimate interests of us or a third party, except when the your fundamental rights and liberties which require Personal Data protection prevail; or

· For the protection of credit.

2. YOUR DATA SUBJECT RIGHTS

You have the right to:

· Obtain confirmation of the existence of processing activities on your Personal Data;

· Access to your Personal Data;

· Have incomplete, inaccurate or outdated Personal Data corrected;

· Obtain the anonymization, blocking or elimination of your unnecessary or excessive Personal Data, or of Personal Data that is not being processed in compliance with the LGPD;

· Obtain, upon your express request, the portability of your Personal Data to another service or product provider, provided that our commercial and industrial secrets are protected;

· Delete your Personal Data being processed if the processing was based upon your consent;

· Obtain information about public and private entities with which we have shared your Personal Data with;

· Obtain information about the possibility of denying consent and the consequences of such denial;

· Revoke your consent at any time;

· Submit a complaint related to your Personal Data with data protection authorities or with consumer protection bodies.

If you wish to make requests to exercise your data subject right, please contact us by contact information provided in the “CONTACT US” section.

3. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA

We are allowed to transfer your Personal Data outside of the Brazilian territory in the following cases:

· When the transfer is to countries or international organizations that provide a level of protection of Personal Data that is adequate to the LGPD;

· When we offer and prove guarantees of compliance with the principles, your data subject rights and the regime of data protection provided in the LGPD, in the form of:

○ specific contractual clauses for a given transfer;

○ standard contractual clauses;

○ binding corporate rules;

○ regularly issued stamps, certificates and codes of conduct;

· When the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;

· When the transfer is necessary to protect the life or physical safety of you or of a third party;

· When the national authority authorizes the transfer;

· When the transfer results in a commitment undertaken through international cooperation;

· When the transfer is necessary for the execution of a public policy or legal attribution of public service;

· When you have given your specific, unambiguous and informed consent for the transfer; or

· When the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative, or arbitration procedures.