DINGTALK PRIVACY POLICY


Last updated: March 30, 2026

INTRODUCTION

This Privacy Policy sets out how DingTalk (Singapore) Private Limited and DingTalk Limited (hereinafter referred to as “DingTalk”, “we” or “us”) process the Personal Data of visitors and users (including employees, members, or other third parties of our enterprise organization customers who use DingTalk products and services, hereinafter referred to as “User” or “you”).

This Privacy Policy explains how we collect, use, store, share, transfer, or otherwise process your Personal Data when you use DingTalk Services. We may update this Privacy Policy from time to time; see Section 13 for details on how updates are communicated. Depending on your country or region, certain specific terms in the Annexes may also apply to you.

Please read this Privacy Policy carefully. If you have any questions, please send an email to dt_privacy@service.dingtalk.com or contact us through our Customer Service Center.

1. HOW WE COLLECT AND USE YOUR PERSONAL DATA

We collect and process your Personal Data for the following reasons/purposes:

1.1 Registered Account

When you register a DingTalk account using your mobile phone number or email address, DingTalk is the data controller of your Personal Data. We collect and process your Personal Data for the following features:

Registering a DingTalk Account
Create a DingTalk Account: You must provide your mobile phone number or email address and a verification code to create a DingTalk account. Without such information, you will not be able to create an account.
Complete Profile Information: You may add optional information to your account, such as a profile picture, nickname, email address, mobile phone number, work experience, education experience, DingTalk ID, gender, birthday, and region.

Adding Contacts
You must provide certain Personal Data to add contacts. Depending on the method chosen, DingTalk will collect different information or obtain relevant device permissions:
○ Add by entering a mobile phone number, email address, or DingTalk ID;
○ Add by scanning a QR code, requiring camera and/or photo gallery access;
○ Add from your device’s address book, requiring contacts access.

Using Instant Messaging Features
One-to-one or Group Chat: We will collect and process the content of messages you send (including text, voice, files, geolocation, etc.) and sending logs (sending time, sender, receiver, etc.).
Audio/Video Calls, Conferences, Live Streaming: We will process communication logs (user nickname, user ID, meeting start/end time, subject, link) and network status data (Wi-Fi network quality). If you use the meeting recording feature, we will store the corresponding recording files, which are saved by the meeting host who can choose to share them.

Using the Calendar Feature
If you use the Calendar feature to create schedules, subscribe to schedule information, or sync to your device’s local calendar, you need to provide your schedule information. You can also authorize us to access your device’s local calendar to display local schedules within DingTalk Services. Without such authorization, local calendar schedules will not display in DingTalk, but this will not affect other calendar-related features.

Using DingTalk’s Group Features (General Group)
You need to provide documents, multimedia files, conversations, and other messaging information that you upload, enter, post, transmit, and share. The General Group is owned by you, not any Organization. You can add any contact as a member, and leaving an Organization will not affect your use of the General Group.

AI Minutes
We process meeting audio/video recordings, AI-generated meeting transcripts, meeting summaries, and action items, as well as operation logs.

Organization Features: If you create (or create on behalf of a specific organization/institution/enterprise) a DingTalk organization (the “Organization”) or join one created by others, you understand and agree that the Organization is the data controller (the “Controller”) of the Personal Data related to Organization features, and we, as a data processor (the “Processor”), process your Personal Data on the Controller’s behalf in accordance with the Controller’s instructions. For your individual account data, DingTalk remains the data controller. In this context, we process Personal Data for the following features:

Creating a DingTalk Organization
Create a DingTalk Organization: You need to provide the organization’s name, region, industry, employee size, and job position information of members.
Invite Members: Depending on the method chosen, different Personal Data may be required. If you invite members by copying a link, sharing a QR code, or an organization ID, invitees’ Personal Data is not required. If you add members by entering their mobile phone number or email address, you will need to import those details, and invitees will receive an SMS or email and can join after giving consent.
Contact List Management: If you use this feature to set up organizational structure (departments, roles, member assignments), you need to provide the relevant employees’ identity information. The specific fields can be set by the Organization’s administrator (typical fields may include employee ID, name, mobile phone number, department, occupation, employee number, direct supervisor, email address, extension number, office location, notes, onboarding date, and role).

Using DingTalk for Online Collaboration
Docs Feature: If you use online document services (logs, Word, Excel, whiteboards, mind maps, AI sheets, etc.), we will collect and process document content and operation logs (editing, modification, deletion).
Wiki: We will process the content of documents within the knowledge base and operation logs.
DingTalk Projects (“Teambition”): We will process project content, tasks, and operation logs.
Mail: If your Organization uses the mail feature with company-domain email addresses, we will process your email address, sent/received email content, and related log information.
DingDrive: We will process and store the content you save to DingDrive and log information for file operations.
AI Table: We will process the structured data you enter, create, or import into AI Table, including table content, field configurations, and AI-generated analysis results, as well as operation logs.

Using DingTalk for Human Resource Management
Onboarding/Offboarding Feature: You need to provide employees’ Personal Data, including name, occupation, and contact information. Specific fields may be set by the Organization’s administrator.
Attendance Feature: Depending on the attendance method, you need to provide certain Personal Data: facial feature information for face-recognition attendance; location information for geolocation attendance (collected only at the moment you click “Clock In” — we do not continuously track your movement or trajectory); Wi-Fi information for Wi-Fi attendance.
OKR Feature: You need to provide the relevant employees’ OKRs and performance results.
Payroll Management Feature: You need to provide the relevant employees’ salary information.
Recruitment Feature: You need to provide candidates’ resume information.

Using DingTalk for Business Process Management
OA Approval Feature: You need to provide the content uploaded during the approval process.
YiDA Feature (“YiDA”): You need to provide the content uploaded during the approval process.

Using DingTalk’s Group Features (External Group and Internal Group)
You understand and agree that your Organization is the controller of the Personal Data, and we process the following on behalf of the Organization: documents, multimedia files, conversation content, and other messaging information that you upload, enter, post, transmit, and share. Both group types are owned by the Organization. For External Groups, the creator/administrator can add members from both inside and outside the Organization; for Internal Groups, only members from within the Organization can be added. In both cases, if a member leaves the Organization, they will automatically be removed from the group.

DingTalk Open Platform
Organization-Built Application Services: Organizations may use our data interfaces and development documents to develop their own applications. The Personal Data collected by such self-built applications is determined by the developers.
Services Provided by Third-Party SaaS Applications and Mini-Programs: Third-party independent software vendors (“ISVs”) can develop and list third-party applications. When you use such third-party services, the ISV will collect and process your Personal Data. Please read and agree to the privacy policies provided by the third party.

1.2 Enterprise Account

If you log in to DingTalk using an Enterprise Account assigned by your enterprise, you are an Enterprise Account User. Your enterprise is the sole data controller of all Personal Data generated through your use of the Enterprise Account, and DingTalk acts exclusively as a data processor, processing your Personal Data on your enterprise’s behalf and in accordance with your enterprise’s instructions.

Enterprise Account Users may use the following features. For each feature listed below, DingTalk processes the described Personal Data on behalf of your enterprise in its capacity as data processor:

Chat (Instant Messaging)
We process the content of messages you send (including text, voice, files, etc.) and sending logs (sending time, sender, receiver, etc.).

Mail
We process your enterprise email address, the content of sent and received emails, and related log information.

Meetings
We process communication logs (user nickname, user ID, meeting start/end time, subject, link), network status data, and real-time translation data. If the meeting recording feature is used, we store the corresponding recording files.

Calendar
We process schedule information you create, subscribe to, or sync through the Calendar feature.

Drive (Cloud Storage)
We process and store the files you upload to or save in the cloud storage, as well as log information for file operations (uploading, downloading, sharing, deleting).

Docs (Online Editing)
We process document content and operation logs (creation, editing, modification, deletion) for online documents.

AI Table
We process the structured data you enter, create, or import into AI Table, including table content, field configurations, and AI-generated analysis results, as well as operation logs.

AI Minutes
We process meeting audio/video recordings, AI-generated meeting transcripts, meeting summaries, and action items, as well as operation logs.

YiDA
We process the content uploaded during approval processes and custom workflows built through YiDA.

Please note that as an Enterprise Account User, the features available to you are determined by your enterprise. All data generated through the use of the Enterprise Account is managed and controlled by your enterprise.

1.3 General Provisions on Data Collection

Cookies: DingTalk Services use cookies or similar technologies. Please see the “Cookies and Similar Technologies” section (Section 6) for details.

System Permissions: To ensure the functionality and safe, stable operation of DingTalk Services, we may request relevant operating system permissions. Your operating system will ask you to grant them through pop-up prompts, and you can decide whether to grant them. As our products are upgraded, the types and purposes of permissions may change, and we will adjust the list accordingly.

Providing certain Personal Data may be a statutory or contractual requirement. If so, we will inform you separately and explain the possible consequences of not providing it. In other cases, provision is optional, but refusing may affect your ability to use certain services.

2. SHARING, TRANSFERRING AND DISCLOSING PERSONAL DATA

Unless we have obtained your consent, we will not share or sell your Personal Data to any third party. Depending on your location and the product features you use, we may share your Personal Data with our affiliates to provide our services; contact us (see Section 14) for affiliate details. We will not share, transfer, or disclose your Personal Data to any non-affiliated third parties, unless for the following reasons:

Legal Requirements: We will share Personal Data if required by applicable laws, regulations, legal proceedings, or law enforcement requests.
External Third-Party Data Processing: With your consent (or with the consent or instruction of your enterprise, if you are an Enterprise Account User), we may share your Personal Data with third-party service providers (including website hosting, backend service providers, analytics service providers), contractors, and other third parties, and use such data in accordance with this Privacy Policy. To ensure the stable operation of DingTalk services, we may share your Personal Data with the following third parties:

| Names or the Categories of the Third Party | Shared Information | Purpose of Sharing |
| --- | --- | --- |
| Mini-program, SaaS applications (applied and used by users / business Organizations) | Subject to what the page displays for authorization (e.g., icon, nickname, phone number) | To provide and access third-party services |
| Third-party SDKs | Depends on specific SDKs | To ensure the stable operation and function realization of DingTalk Services so that users can use more services and functions |

Business Transfers: If DingTalk is involved in a reorganization, merger, acquisition, sale of assets, or liquidation, we will continue to ensure the confidentiality of your Personal Data and give affected users notice in advance if Personal Data is transferred or becomes subject to a different privacy policy.
Interoperability with DingDing: DingTalk is interoperable with DingDing so that you can communicate with DingDing users. When you interact with a DingDing user or use any feature provided by DingDing, we will share your information with DingDing to the extent necessary to facilitate interoperability. When interoperating with DingDing users, you will be subject to the DingDing Privacy Policy and the DingDing Service Agreement.

For Enterprise Account Users, any sharing, transfer, or disclosure of Personal Data will be carried out in accordance with the instructions of your enterprise (as data controller). DingTalk will not independently decide to share Enterprise Account Users’ Personal Data with third parties beyond what is necessary for the provision of DingTalk Services or required by applicable law.

3. MANAGING, MAINTAINING, OR UPDATING YOUR PERSONAL DATA

When using DingTalk Services, you can manage, review, and update your Personal Data via “Settings and Privacy - About DingTalk - Privacy” or by contacting us (see Section 14). Your responsibilities regarding the accuracy and completeness of your Personal Data are set out in Section 10(c).

If you are an Enterprise Account User, the management, review, and update of your Personal Data is subject to the policies and instructions of your enterprise. Please contact your enterprise administrator for requests related to your Personal Data.

4. EXPORTING OR DELETING YOUR PERSONAL DATA

You can export a copy of the Personal Data you have provided to us. You can send your request to dt_privacy@service.dingtalk.com, and we will assist you in exporting your Personal Data in accordance with applicable law.

You can also delete the Personal Data you have provided using the deletion functions we provide. If there is any content you cannot delete, you can contact us (see Section 14). In some cases, we may retain data in accordance with the data retention provisions in Section 12. Please understand that there may be a delay between when you delete certain content and when copies are deleted from our active and backup systems.

If you are an Enterprise Account User, requests to export or delete your Personal Data should be directed to your enterprise (as data controller). DingTalk will assist your enterprise in responding to such requests in accordance with applicable law and your enterprise’s instructions.

5. TERMINATION OF YOUR ACCOUNT

You can terminate your DingTalk account as follows:

Termination by Organization Administrator: When your administrator decides to terminate the use of our services, we will delete (or anonymize) any Organization-controlled data related to you and retain your DingTalk account as an individual user. If you further wish to terminate your individual account, we will anonymize or delete your Personal Data in accordance with applicable laws. If you are an administrator, you can go to “Me - Settings - My Organization”, select the organization, and click “More - Disband Organization” to disband it.
Termination of Your Registered Account: You can go to “Me - Settings - Security Center - Account settings - Delete DingTalk Account” to terminate your personal DingTalk account. After termination, we will stop providing DingTalk Services to you and will delete (or anonymize) your Personal Data as required by applicable law. Please carefully consider the impact before terminating your account.
Enterprise Account Termination: Enterprise Accounts are created, managed, and terminated by your enterprise. You cannot independently terminate an Enterprise Account. When your enterprise deactivates or revokes your Enterprise Account, or when your enterprise terminates its DingTalk paid subscription, we will handle the associated Personal Data in accordance with applicable law and your enterprise’s instructions. If you wish to terminate or deactivate your Enterprise Account, please contact your enterprise administrator. Please note that the termination of an Enterprise Account does not affect any individual DingTalk account you may hold separately.

6. COOKIES AND SIMILAR TECHNOLOGIES

To provide you with more convenient and personalized services, and to ensure the security and functional integrity of our services, we use cookies and similar technologies (such as local storage and Web Beacons).

For detailed information on the specific cookies we use, their functions, expiration periods, and how you can manage your preferences, please refer to our full Cookie Policy.

7. DATA PROTECTION

Security Measures
We will implement commercially reasonable technical and organizational safeguards in accordance with industry standards to protect your Personal Data from unauthorized or unlawful access, use, loss, or damage.
The measures we adopt include: administrative measures (e.g., data protection policies, a dedicated data protection team, security and privacy training, regular data security audits), technical measures (e.g., SSL encryption, HTTPS protocol, access management, firewalls), and physical measures (e.g., video surveillance).
Please understand that no data transmission over the Internet or wireless network can be guaranteed to be absolutely secure. We recommend that you do not disclose your personal data, such as your account, password, or other confidential data, during your use of DingTalk Services.

Cross-Border Data Transfer
Our servers are located in Singapore, which has a comprehensive legal framework for personal information protection and is a member of the APEC Cross-Border Privacy Rules (CBPR) system.
As DingTalk is a global platform, your personal information may need to be processed and stored outside your country/region to provide global services and fulfill our contractual obligations. Regardless of where your personal information is processed, we ensure an equivalent level of protection through the following mechanisms:
Legal and Framework Compliance: We comply with applicable data protection laws (e.g., adopting Standard Contractual Clauses when necessary) to ensure data recipients provide adequate protection.
Unified Protection Standards: We apply the same protection measures described in this Privacy Policy worldwide.
Regulatory Cooperation and Complaint Handling: If we receive a complaint regarding data transfer that cannot be resolved directly, we will cooperate with appropriate regulatory authorities.
Immediate Termination of Safeguards: If safeguards are violated or can no longer be fulfilled, we will stop the transfer and processing of the relevant personal information.

8. CHILDREN’S PERSONAL DATA PROCESSING POLICY

We do not knowingly collect or solicit Personal Data from minors under the age of 16 (or the minimum age required by the laws of your country/region to use DingTalk Services). If you are a minor below such age, you must obtain prior consent from your parents/legal guardians before using DingTalk Services. If we become aware that a minor has provided us with Personal Data without prior consent, we will delete such data. You can contact us (see Section 14).

9. SCOPE OF APPLICATION

This Privacy Policy applies to all DingTalk Services. DingTalk Services may contain links to other websites or services not operated or controlled by us (including our affiliates). We cannot control the products, services, or Personal Data processing of any third party, and by providing these links we do not imply endorsement. We strongly advise you to review the privacy policies of any third-party services you use.

If certain terms in this Privacy Policy conflict with legal and regulatory requirements, then to the extent permitted by law, those terms will be replaced by terms consistent with their original intent, and the remaining terms will remain in effect.

For Enterprise Account Users, this Privacy Policy describes DingTalk’s data processing practices as a data processor. Your enterprise’s own privacy policy governs how your enterprise, as data controller, collects, uses, and manages your Personal Data. In the event of any conflict between this Privacy Policy and your enterprise’s privacy policy regarding the enterprise’s controller obligations, your enterprise’s privacy policy shall prevail.

10. YOUR RIGHTS RELATED TO YOUR PERSONAL DATA

You are entitled to the following rights:
a) The right to access your Personal Data;
b) The right to data portability;
c) The right to correction if your Personal Data is incomplete or inaccurate (you are responsible for the truthfulness, accuracy, legality, validity, and completeness of the information you provide, and for updating and maintaining your Personal Data in a timely manner);
d) The right to deletion or restriction of processing of your Personal Data as permitted by law (subject to the data retention provisions in Section 12);
e) The right to object, within the scope permitted by law, to our processing of your Personal Data, for example for direct marketing purposes;
f) The right to withdraw your consent. Withdrawing consent will not affect the lawfulness of processing prior to the withdrawal;
g) The right to terminate your DingTalk account (see Section 5 for methods and consequences).

The exercise of the above rights is free of charge. You can contact us through “DingTalk Customer Service” or by email (see Section 14). If a request is unfounded or manifestly excessive (especially due to its repetitive nature), we may charge a reasonable fee or refuse to comply. Before fulfilling your request, we may ask you to provide identity information to confirm your identity.

We will respond to your requests as promptly as possible, in principle within one month. Depending on the complexity and number of requests, this period can be extended by another two months, and we will notify you of such extension within one month. Applicable privacy legislation may allow or require us to refuse your request. If so, we will inform you of the reason, subject to any legal or regulatory restrictions.

Please understand that these rights are not absolute and may be limited in certain situations, for example if we have a legal basis for processing your data, if providing information would disclose others’ personal data, or if applicable law prohibits disclosure.

Special note for Enterprise Account Users: Since your enterprise is the data controller of your Personal Data generated through the Enterprise Account, you should direct requests to exercise the above data subject rights to your enterprise in the first instance. DingTalk, as data processor, will assist your enterprise in responding to such requests in accordance with applicable law. If your enterprise is unable to address your request, or if you have concerns about how your enterprise processes your Personal Data, you may also contact us (see Section 14), and we will provide reasonable assistance to the extent permitted by applicable law and our contractual obligations with your enterprise.

11. MARKETING

We may send you marketing and promotional materials. If required by applicable laws, we will obtain your prior consent before providing marketing materials. You may withdraw your consent at any time (this will not affect processing prior to the withdrawal). To stop receiving marketing materials, contact us (see Section 14).

For Enterprise Account Users, DingTalk will not send marketing or promotional materials to Enterprise Account Users independently. Any marketing communications to Enterprise Account Users will be subject to the instructions and policies of your enterprise.

12. DATA RETENTION

We will retain your Personal Data for the time necessary to fulfill the purposes described herein. The specific retention period will be determined based on the following criteria:
A. The period necessary to fulfill transaction-related services and maintain corresponding records to respond to your inquiries or complaints;
B. The period necessary to ensure the security and quality of our services;
C. The existence of a legal or regulatory requirement to retain data for a specific period;
D. Whether you have agreed to a longer retention period;
E. The need to resolve disputes and enforce agreements.

Where applicable, we will delete your Personal Data upon receiving your deletion request, unless legally obligated to retain it. We reserve the right to delete your Personal Data at any time without prior notice; in such cases, we are not liable for any compensation arising from the deletion. For more information about specific retention periods, please contact us (see Section 14).

For Enterprise Account Users, the retention of Personal Data is determined by your enterprise (as data controller) in accordance with applicable law. DingTalk will retain or delete Enterprise Account Users’ Personal Data in accordance with your enterprise’s instructions, subject to any overriding legal retention obligations applicable to DingTalk.

13. PRIVACY POLICY UPDATES

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we do, we will take appropriate measures to inform you (e.g., through system messages, by posting the amended Privacy Policy in “Settings and Privacy - About DingTalk - Privacy”, or by other means), and depending on the significance of the changes, we will decide whether to seek your consent as required by applicable law. You can access the latest Privacy Policy via “Settings and Privacy - About DingTalk - Privacy”.

For Enterprise Account Users, DingTalk will notify your enterprise of material changes to this Privacy Policy in accordance with the terms of its agreement with your enterprise. Your enterprise, as data controller, is responsible for informing you of any changes that may affect the processing of your Personal Data.

14. CONTACT US

If you have any questions about this Privacy Policy or wish to contact us for any reason related to our processing of Personal Data, please contact us via “DingTalk App - Me - Help - Customer Service - DingTalk Assistant” or by sending an email to: dt_privacy@service.dingtalk.com.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

If you are an Enterprise Account User and have questions about how your enterprise processes your Personal Data, please contact your enterprise administrator directly.


GENERAL NOTE ON ANNEX APPLICABILITY

Each Annex below applies to DingTalk users located in the specified jurisdiction, supplementing the Privacy Policy above. In the event of any conflict between an Annex and the general terms of the Privacy Policy, the Annex shall supersede.

Note for Enterprise Account Users: Where DingTalk acts as a data processor on behalf of your enterprise (as data controller), the controller-specific obligations described in the Annexes below (such as providing legal bases for processing, responding to data subject rights requests, and determining data retention periods) are the responsibility of your enterprise. DingTalk will assist your enterprise in fulfilling these obligations in accordance with applicable law and your enterprise’s instructions. Enterprise Account Users should refer to their enterprise’s own privacy policy for how the enterprise meets its controller obligations under the applicable jurisdiction-specific laws.

ANNEX I. SPECIFIC TERMS FOR THE EUROPEAN ECONOMIC AREA AND UK

This Annex applies to users located in the European Economic Area (“EEA”) and UK.

1. LEGAL BASIS OF GDPR FOR PROCESSING YOUR PERSONAL DATA

We process your Personal Data for the following purposes and based on the following legal grounds:

· On the basis of our legitimate interests, for example when required by us to conduct our business, in particular:

○ use your information to identify you and provide you with a consistent service experience throughout DingTalk Services;

○ use your information to respond to any comments or complaints you may send us;

○ use your information to help us maintain, improve and optimize DingTalk Services;

○ use data to provide personalized display services;

○ use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and

○ notify you about changes to DingTalk Services, where applicable.

· On the basis of your consent:

○ providing you with information relating to DingTalk Services or promotional materials that may be of interest to you, or other communications;

○ place cookies and use similar technologies in accordance with the “COOKIES AND SIMILAR TECHNOLOGIES” section of the Privacy Policy and the information provided to you when those technologies are used; and

○ on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

· As this might be necessary for compliance with a legal obligation that is applicable to us, such as:

○ in response to requests by government or law enforcement authorities conducting an investigation, or to comply with the requirements imposed by applicable law or any court order.

Aggregated Personal Data refers to data that has been carefully de-identified and anonymized to ensure that it cannot be linked back to any specific individual. We may aggregate Personal Data or collect aggregated data from our users to analyze user behavior, improve features, develop new products and services, conduct research, and similar purposes, helping us make data-driven decisions to enhance the user experience. In some cases, we may also choose to share or publish this aggregated data.

From time to time, we may share or publish aggregated data like general user statistics with third parties. We collect this data through DingTalk Services, through cookies, and through other means described in this Privacy Policy. We will maintain and use de-identified data in anonymous or de-identified form, and we will not attempt to re-identify the data, unless required by law.

2. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA AND UK

To support our global operations, we store the personal information described in section “1. HOW WE COLLECT AND USE YOUR PERSONAL DATA” on servers located in Singapore.

Certain entities within the Group may be granted limited remote access to this information for functions such as system maintenance, technical support, troubleshooting, and security monitoring. Such access is limited, secure, and only granted where necessary under strict security controls and authorization protocols.

We disclose or share personal information with our affiliates, as described in “Section 2. SHARING, TRANSFERRING AND DISCLOSING PERSONAL DATA”. These entities may be located outside your country of residence and commit to processing information in compliance with applicable privacy laws and implementing appropriate security measures.

When we transfer your information outside of the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses (“SCCs”) approved by the European Commission to ensure your data receives a level of protection comparable to GDPR standards. To learn more about these safeguards or obtain a copy of the SCCs, you may contact our Data Protection Officer (“DPO”) via the “CONTACT INFORMATION” section of this Annex.

Regardless of processing location, we apply unified high-standard security measures (as detailed in the “Security Measures” section) and ensure all data recipients are bound by strict confidentiality and data protection obligations.

3. CONTACT INFORMATION

If you have any questions about this Privacy Notice or would like to contact us for any reason related to our processing of personal data, please reach out to our Data Protection Officer:

We have appointed Alibaba (Netherlands) B.V. as our representative in the EU. You may contact them by sending an email to: dingtalk.legalcounsel@service.dingtalk.com.

ANNEX II. SPECIFIC TERMS FOR CALIFORNIA PRIVACY DISCLOSURES

This Annex applies to California residents under the California Consumer Privacy Act of 2018 (“CCPA”) and other California laws.

1. INTRODUCTION

The CCPA grants you specific privacy rights regarding your Personal Data, as detailed in Section 5 below.

2. CATEGORIES OF INFORMATION WE MAY COLLECT

We or the Organization collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“Personal Data”). The following categories of Personal Data may have been collected within the last twelve (12) months:

A. Identifiers, specifically including: DingTalk ID, email address.

B. Personal Data categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), specifically including: name, cell phone number.

C. Protected classification characteristics under California or federal law, specifically including: Gender, Birthday.

D. Internet or other electronic network activity information, such as the usage data we receive when you access or use DingTalk Services, specifically including: logs of audio and video communications relevant to Chat.

E. Sensory data, specifically including: content of audio and video communications.

F. Professional or employment-related information, specifically including: Work Experience, identity information of relevant employees (typical fields may include department, occupation, employee number, whether supervisor or not, direct supervisor, onboarding date, Organization), OKR and performance results of employees, resume information of candidates.

G. Inferences that can be drawn from any of the above categories, including your preferences and characteristics.

We obtain the categories of Personal Data listed above from the following categories of sources:

· Information and data directly provided by you on DingTalk Services.

· Information and data indirectly from you through DingTalk Services.

Personal Data does not include:

· Publicly available information from government records.

· Deidentified or aggregated consumer information.

· Information excluded from the CCPA’s scope, like health or medical information covered by the Health Insurance Portability and Accountability Act (“HIPAA”), clinical trial data, or other qualifying research data; and Personal Data covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) and the Driver’s Privacy Protection Act (“DPPA”).

For more detail on how we collect, use, disclose, and share your information, please review the general terms of the Privacy Policy.

3. PERSONAL DATA WE MAY USE OR DISCLOSE

We may use, disclose, or sell (if authorized) the Personal Data we collect for one or more of the following business purposes:

· To provide you with DingTalk Services or otherwise fulfil the reason for which you provided the information.

· To provide support and respond to your inquiries, including investigating user-reported issues.

· To provide, support, personalize, improve, analyze, and develop DingTalk Services, and to deliver content and offerings relevant to your interests.

· To notify you about changes to our services or this policy, where applicable.

· To carry out our obligations and enforce our rights arising from any contracts entered into between you and us.

· To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

· To help maintain the safety, security, and integrity of DingTalk Services, our databases and other technology assets, and business.

· To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our users is among the assets transferred.

· As described to you when collecting your Personal Data or as otherwise set forth in the CCPA.

4. PERSONAL DATA THAT WE MAY SHARE

We may share your Personal Data by disclosing it to third parties for business purposes under written contracts that describe the specific purposes, require the recipient to keep the Personal Data confidential, and prohibit use for any purpose except performing contract obligations.

As stated in the general terms of the Privacy Policy, we do not sell your Personal Data unless we obtain your consent. We do not knowingly collect Personal Data from individuals under age 16; and therefore, our Personal Data sales do not include information about individuals we know are under age 16.

In the preceding twelve (12) months, DingTalk has shared the following categories of Personal Data to the following categories of third parties:

| Personal Data Category | Category of Third-Party Recipients | Sales |
| --- | --- | --- |
| Subject to what the page displays for authorization (e.g., icon, nickname, phone number) | Mini-program, SaaS applications (applied and used by users / business Organizations) | N/A |
| Depends on specific SDKs | Third-party SDKs | N/A |

5. YOUR RIGHTS AND CHOICES

**Right to Know and Data Portability**

The CCPA provides California residents specific rights to know about our collection and use of their Personal Data over the past twelve (12) months (the “right to know”). Once we receive and verify your request, we will disclose to you:

· The categories of Personal Data we collected about you.

· The categories of sources for the Personal Data we collected about you.

· Our business or commercial purpose for collecting or selling (if applicable) that Personal Data.

· The categories of third parties with whom we share that Personal Data.

· If we sold or disclosed (if applicable) your Personal Data for a business purpose, we will provide two separate lists that:

○ identify the Personal Data categories that each category of recipient purchased in connection with sales of your Personal Data; and

○ identify the Personal Data categories that each category of recipient obtained in connection with disclosures of your Personal Data for a business purpose.

· The specific pieces of Personal Data we collected about you (also called a data portability request).

**Right to Delete**

The CCPA provides California residents specific rights to delete their Personal Data that we collected and retained, subject to certain exceptions (the “right to delete”). We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

· Provide the service that you requested from DingTalk Services, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.

· Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

· Debug DingTalk Services to identify and repair errors that impair existing intended functionality.

· Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

· Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).

· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.

· Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

· Comply with a legal obligation.

Once we receive and verify your request, we will delete or de-identify Personal Data and direct our service providers to take similar action unless subject to one of these exceptions.

**How to Exercise the Rights to Know or Delete**

To exercise your rights to know or delete described above, please submit a request via the contact details in the “CONTACT US” section.

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your Personal Data.

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative, which may include: your identification information, a signed permission authorizing the representative, and any other information permitted or recommended by the CCPA and applicable regulations.

· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.

We will only use Personal Data provided in a request to verify the requestor’s identity or authority to make the request, or to review and comply with the request.

**Response Timing and Format regarding Requests to Know or Delete**

We will confirm receipt of your request within fifteen (15) business days. If you do not receive confirmation within this timeframe, please contact us (see Section 14).

We endeavour to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. We may deliver our written response by email.

Any disclosures we provide will only cover the 12-month period preceding receipt of your request. The response will also explain any reasons we cannot comply, if applicable. For data portability requests, we will provide your Personal Data in a readily usable format that allows transmission from one entity to another without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded, or as otherwise permitted by the CCPA. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

**Personal Data Sales Opt-Out Rights**

Under the CCPA, consumers have the right to direct us to not sell their Personal Data at any time (the “right to opt-out”). As stated in the general terms of our Privacy Policy, we do not sell the Personal Data of consumers unless we obtain consent for the sale. Consumers who opt in to Personal Data sales may opt out of future sales at any time.

To exercise your right to opt-out, you (or your authorized representative) may submit a request to us (see Section 14).

**Non-Discrimination**

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

· Deny you goods or services.

· Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

· Provide you a different level or quality of goods or services.

· Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

**Other California Privacy Rights**

· Shine the Light Law Disclosure.

California’s “Shine the Light” law (Civil Code § 1798.83) permits Users of DingTalk Services that are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, see Section 14.

· “Do Not Track” Disclosure.

We do not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals that provide consumers the ability to exercise choice regarding the collection of personally identifiable data about an individual consumer’s online activities over time and across third-party websites or online services.

When you use DingTalk Services, certain third parties may use automatic information collection technologies to collect information about you or your device. They may collect information, including Personal Data, about your online activities over time and across different websites. We do not control these third parties’ tracking technologies or how they may be used. If you have questions about targeted content, you should contact the responsible provider directly.

· Eraser Law Disclosure for Minor Users.

If you are a user under the age of 18, California Business and Professions Code Section 22581 allows you to request and obtain removal of content or information you have publicly posted. You can send a request to remove any content or information you posted on DingTalk Services (see Section 14). Please note that the removal does not ensure the complete or comprehensive removal of your posted content or information in certain circumstances.

ANNEX III. SPECIFIC TERMS FOR HONG KONG SAR

This Annex applies to users located in Hong Kong SAR (“Hong Kong”). For these Terms, the term “Personal Data” is used as it is defined in the Personal Data (Privacy) Ordinance.

DIRECT MARKETING

We may use your Personal Data for marketing and promotional purposes, including:

· Sending or showing updates on the latest news, offers, and promotions in connection with DingTalk Services.

· Sending or showing joint marketing offers about DingTalk Services, rewards, privileges programmes, promotional offers and related services, and invitations to events.

We may also use Personal Data to analyse our customers’ preferences and market trends and derive insights, which we may use to tailor the types of products and offers presented to you. This may involve combining Personal Data about your use of DingTalk Services with other information we have collected about you and other customers to establish market trends. We may provide these insights to third party partners for their marketing and promotional purposes.

We may communicate marketing, promotions, and research invitations to you by email, system message, or online banner advertisement and, as appropriate and where required, will ask for your consent or provide you with the opportunity to opt out at the time we collect your Personal Data.

You have the right to ask us not to process your Personal Data for direct marketing purposes. You can exercise this right by indicating non-consent at the point of collection, using the unsubscribe or opt-out option on any direct marketing communication, or contacting us (see Section 14).

If you choose to opt out of marketing communication, we will still send you communications about services and products we provide to you, including administrative updates and account summaries.

ANNEX IV. SPECIFIC TERMS FOR INDONESIA

This Annex applies to users located in Indonesia. For these Terms, the term “Personal Data” is used as it is defined in the Indonesia Personal Data Protection Law (Law No. 27 of 2022 concerning Personal Data Protection, the “PDP Law”).

1. AGE, PARENTAL, AND GUARDIAN CONSENT

By using DingTalk Services, you represent that you are at least 21 years of age or married or not under guardianship. If you are below 21 years old and you are not married, or under guardianship:

· You must obtain approval from your parents or legal guardians; and

· Your parents or legal guardians are responsible for

○ all your actions in connection with your use of DingTalk Services;

○ your compliance with this Privacy Policy; and

○ ensuring that your use of DingTalk Services will not, in any event, result in any violation of applicable laws and regulations relating to child protection.

If you do not have consent from your parents or legal guardians, you must cease using the DingTalk Services.

2. YOUR PERSONAL DATA RIGHTS

You have the right to access, update, correct, and request the erasure or disposal of Personal Data stored on DingTalk’s servers from time to time in accordance with applicable data privacy laws and regulations in Indonesia.

You may withdraw your consent to DingTalk’s disclosure of Personal Data to third parties. Upon your request, we will cease to display, publish, transmit, disseminate, and/or open access to your Personal Data to third parties.

Please note that by requesting erasure, disposal, or withdrawing consent to disclosure and/or collection of your Personal Data, you may not be able to use some of the features and functionality of DingTalk Services.

To exercise these rights, please contact us (see Section 14).

3. DATA RETENTION

We retain your Personal Data for as long as necessary to provide you with DingTalk Services and thereafter only as long as we have a legitimate business reason or legal obligation to do so. For full details, see Section 12 of the Privacy Policy.

4. DATA BREACH NOTIFICATION

In the event we fail to maintain the confidentiality of your Personal Data, we will notify you through the contact information provided by you or via DingTalk, to the extent required by applicable data privacy laws and regulations in Indonesia.

5. CROSS-BORDER DATA TRANSFER

We may transfer your Personal Data to a controller and/or processor outside the jurisdiction of the Republic of Indonesia under the following conditions:

· When the country where the controller and/or processor receiving the transfer has a level of personal data protection at least equivalent to that stipulated in the PDP Law;

· When there are adequate and binding personal data protection measures; or

· When we obtain your consent for the transfer.

ANNEX V. SPECIFIC TERMS FOR THAILAND

This Annex applies to users located in Thailand. For these Terms, the term “Personal Data” is used as it is defined in the Thailand Personal Data Protection Act 2019.

1. YOUR PERSONAL DATA RIGHTS

In accordance with the applicable data privacy laws and regulations in Thailand, you have the following rights:

· You may withdraw your consent to the processing of your Personal Data (only when the legal basis for DingTalk’s processing is consent). Please be aware that if consent is required for the processing of your Personal Data, we may not be able to provide the expected service without it.

· You may request access to, correction of, cessation of any automated processing or profiling (if applicable), discontinuation, restriction of the use or provision of, and/or erasure of your Personal Data.

· You may request us to provide your Personal Data, stored by us in a machine-readable format, to you or a third party.

To exercise these rights, please contact us (see Section 14).

When you make a reasonable request, and when DingTalk cannot waive such request on the basis of a statutory obligation, DingTalk will process your request within no more than 30 days from the date of receipt.

2. TRANSFER YOUR PERSONAL DATA TO A FOREIGN COUNTRY

We may send or transfer your Personal Data to a foreign country or international organization in the following circumstances:

· Where the destination country or international organization has an adequate data protection standard, and the transfer complies with rules prescribed by the Personal Data Protection Committee of Thailand;

· Where it is for compliance with the law;

· Where we have obtained your consent;

· Where it is necessary for the performance of a contract to which you are a party, or to take pre-contractual steps at your request;

· Where it is for compliance with a contract between DingTalk and other individuals or juristic persons for your interests;

· Where it is to prevent or suppress a danger to the life, body, or health of you or other individuals, when you are incapable of giving consent at such time;

· Where it is necessary for carrying out activities in relation to substantial public interest.

ANNEX VI. SPECIFIC TERMS FOR PHILIPPINES

This Annex applies to users located in the Philippines. For these Terms, the term “Personal Data” is used as it is defined in the Philippine Data Privacy Act of 2012.

1. CRITERIA FOR LAWFUL PROCESSING OF PERSONAL DATA

The processing of Personal Data shall be permitted only if not otherwise prohibited by applicable laws, and when at least one of the following conditions exists:

· You have given your consent;

· The processing is necessary and related to the fulfillment of a contract with you or to take pre-contractual steps at your request;

· The processing is necessary for compliance with a legal obligation to which we are subject;

· The processing is necessary to protect your vitally important interests (including life and health);

· The processing is necessary to respond to national emergency, comply with public order and safety requirements, or fulfill functions of public authority necessarily including processing Personal Data for its mandate; or

· The processing is necessary for legitimate interests of us or a third party to whom Personal Data is disclosed, except where overridden by your fundamental rights and freedoms under the Philippine Constitution.

2. YOUR RIGHT AS A DATA SUBJECT

You have the right to:

· Be informed whether your Personal Data shall be, are being, or have been processed;

· Reasonable access to the contents, sources, recipients, processing methods, reasons for third-party disclosure, automated decision-making information (if any), and last access/modification date of your Personal Data;

· Suspend, withdraw, or order the blocking, removal, or destruction of your Personal Data upon discovery and substantial proof that the data is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected;

· Dispute inaccuracy or error in the Personal Data and have it corrected, unless the request is vexatious or otherwise unreasonable;

· Obtain a copy of data undergoing processing in an electronic or structured format, but only where your Personal Data is processed by electronic means in a structured and commonly used format.

To exercise these rights, please contact us (see Section 14).

ANNEX VII. SPECIFIC TERMS FOR MALAYSIA

This Annex applies to users located in Malaysia. For these Terms, the term “Personal Data” is used as it is defined in the Malaysia Personal Data Protection Act 2010.

1. LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

We may process your Personal Data in the following circumstances:

· If you have given your consent to the processing of your Personal Data; or

· If the processing is necessary

○ for the performance of a contract to which the data subject is a party;

○ for the taking of steps at the request of the data subject with a view to entering into a contract;

○ for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

○ in order to protect the vital interests of the data subject;

○ for the administration of justice; or

○ for the exercise of any functions conferred on any person by or under any law.

2. YOUR DATA SUBJECT RIGHTS

You are entitled to:

· Make a written data access request, upon payment of a prescribed fee, for information of your Personal Data being processed by or on behalf of DingTalk, and to receive a copy in an intelligible form.

· Make a written data correction request if your Personal Data is inaccurate, incomplete, misleading, or not up-to-date.

· Withdraw your consent to the processing of your Personal Data by written notice.

· Require DingTalk by written notice, at the end of a reasonable period, to cease or not begin processing your Personal Data where such processing is causing or likely to cause substantial and unwarranted damage or distress to you or another person.

· Require DingTalk by written notice, at the end of a reasonable period, to cease or not begin processing your Personal Data for direct marketing purposes.

To exercise these rights, please contact us (see Section 14).

3. TRANSFER OF YOUR PERSONAL DATA TO PLACES OUTSIDE MALAYSIA

We may transfer your Personal Data to a place outside Malaysia if

· Such place is specified by Malaysia’s Digital Minister, by notification published in the Gazette;

· You have given your consent to the transfer;

· The transfer is necessary for the performance of a contract between you and DingTalk;

· The transfer is necessary for the conclusion or performance of a contract between DingTalk and a third party entered into at your request or in your interests;

· The transfer is for the purpose of legal proceedings, obtaining legal advice, or establishing, exercising, or defending legal rights;

· We have reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against you, it is not practicable to obtain your written consent, and if it were practicable you would have given consent;

· DingTalk has taken all reasonable precautions and exercised all due diligence to ensure the personal data will not be processed in that place in any manner that, if that place were Malaysia, would contravene the Malaysia Personal Data Protection Act 2010;

· The transfer is necessary in order to protect your vital interests; or

· The transfer is necessary as being in the public interest in circumstances as determined by Malaysia’s Digital Minister.

ANNEX VIII. SPECIFIC TERMS FOR BRAZIL

This Annex applies to all users located in Brazil (referred to below as “you”, “your”, “yours”), according to the Lei Geral de Protecao de Dados (the “LGPD”). For these Terms, the term “Personal Data” is used as it is defined in the LGPD.

1. LEGAL BASIS OF LGPD FOR PROCESSING YOUR PERSONAL DATA

We can process your Personal Data solely if we have a legal basis for such processing. Legal bases are as follows:

· With your consent;

· For compliance with a legal or regulatory obligation by us;

· By the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments;

· For carrying out studies by research entities, ensuring, whenever possible, the anonymization of Personal Data;

· When necessary for the execution of a contract or preliminary procedures related to a contract of which you are a party, at the request of the data subject;

· For the regular exercise of rights in judicial, administrative or arbitration procedures;

· For the protection of life or physical safety of you or a third party;

· To protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities;

· When necessary to fulfill the legitimate interests of us or a third party, except when your fundamental rights and liberties requiring Personal Data protection prevail; or

· For the protection of credit.

2. YOUR DATA SUBJECT RIGHTS

You have the right to:

· Obtain confirmation of the existence of processing activities on your Personal Data;

· Access your Personal Data;

· Have incomplete, inaccurate or outdated Personal Data corrected;

· Obtain the anonymization, blocking or elimination of your unnecessary or excessive Personal Data, or of Personal Data that is not being processed in compliance with the LGPD;

· Obtain, upon your express request, portability of your Personal Data to another service or product provider, provided that our commercial and industrial secrets are protected;

· Delete your Personal Data being processed if the processing was based upon your consent;

· Obtain information about public and private entities with which we have shared your Personal Data;

· Obtain information about the possibility of denying consent and the consequences of such denial;

· Revoke your consent at any time;

· Submit a complaint related to your Personal Data with data protection authorities or with consumer protection bodies.

To exercise these rights, please contact us (see Section 14).

3. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA

We are allowed to transfer your Personal Data outside of the Brazilian territory in the following cases:

· When the transfer is to countries or international organizations that provide a level of protection of Personal Data that is adequate to the LGPD;

· When we offer and prove guarantees of compliance with the principles, your data subject rights and the regime of data protection provided in the LGPD, in the form of:

○ specific contractual clauses for a given transfer;

○ standard contractual clauses;

○ binding corporate rules;

○ regularly issued stamps, certificates and codes of conduct;

· When the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;

· When the transfer is necessary to protect the life or physical safety of you or of a third party;

· When the national authority authorizes the transfer;

· When the transfer results in a commitment undertaken through international cooperation;

· When the transfer is necessary for the execution of a public policy or legal attribution of public service;

· When you have given your specific, unambiguous and informed consent for the transfer; or

· When the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative, or arbitration procedures.