Your privacy is critically important to us. At Glodon, our fundamental philosophy is “users first”. That value powers all of the decisions we make, including how we collect, use, share, store and respect your personal information. Since this Privacy Policy is closely related to Services (defined as below) we provide, please read this Privacy Policy and the Data Processing Addendum attached to it carefully and make appropriate choices if necessary.

We've crafted this Privacy Policy below to be as clear and straightforward as possible. Our aim is for you—our users—to always feel informed and empowered with respect to your privacy on Glodon.

1. Important Information and Who We Are

(1) When this Privacy Policy Applies

Our Privacy Policy applies to our websites located at [https://account.global.glodon.com] and other websites operated by us through which our Services are provided (“Sites”), our mobile device applications (“Apps”), and our software products available for use via the Apps or via installation on personal computers (collectively, the “Products”). This Privacy Policy applies to only those websites, products, services and applications included within the “Services”, including but not limited to our official website, User Center, Transaction Platform, CAD Reader, Gsite, Innova, Cubicost’s products, XieZhu, Glodon Dongle Programs, and Authorization Platform, Encryption Authorization Platform.

It is important that you read this Privacy Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are processing your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.

Unless otherwise prescribed in the Privacy Policy, the terms in the Privacy Policy shall have the same implications with the terms in the Glodon Account Agreement (if any)

Please note that the Privacy Policy doesn’t apply to the following cases:

In such circumstances, you should refer directly to the privacy policies of the relevant third parties.

(2) Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how Glodon collects, stores and processes your personal data through your use of Services, including any data you may provide through our Services.

(3) Data Controller

Glodon Company Limited is the controller and responsible for your personal data (collectively referred to as "Glodon", "we", "us" or "our" in this Privacy Policy).

(4) Contact Details

If you have any questions about this Privacy Policy or our privacy practices, please contact us in the following ways:

(5) Changes to the Privacy Policy

Our Privacy Policy may change from time to time, and these changes may constitute only a part of the Privacy Policy. If the changes are significant that may affect your rights, we will provide more prominent notice on our home page or inform you by sending emails, or through other means before the amendment takes effect. Under such circumstances, if you continue to use our Services, you will be considered having agreed with our revised Privacy Policy.

(6) Third Party Links

Our Services may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. You shall use these links at your own discretion. When you leave our website, we encourage you to read the privacy policy of every website you visit

2. The Data We Collect about You

Personal data, or personal information, means any information about an individual, from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We collect the following information about you:

(1) Basic Registration Information

If you create an account in connection with your use of any of Services (“Account”), either through our Sites or when you download and install our Products, you need to provide your email address. To use our Services, you may also provide name or account name, gender, birthday, company, address, city, country, Government ID number, phone number, photo, signature, etc. If you enter into a project via our Services, your project administrator may provide us with your department and role, or change the name you provided.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

(2) Information Related to Transactions

When you purchase our Products or subscribe to our Services online (including on behalf of your company), your payment will be directed to third party online payment service providers to proceed your payment, and we will not collect your information relating to the transaction such as your credit and debit card information, your passcode of online payment. In such circumstances, you should refer directly to the privacy policies of the relevant third party service provider for detailed information about how your data relating to the transaction will be processed by them.

To verify your purchase of our Products or your subscription to our Services, we will only collect information, including the payment amount, the Products purchased or Services subscribed, your mailing address, and your company information.

(3) Information Related to Use of the Services

Our servers automatically record certain data about how you uses our Services (“Log Data”) when you install, activate, update, uninstall relevant Products or Services. Log Data may include certain data such as your registration time and date, your use of our services, the access date and time, your internet protocol (IP) address. We use Log Data to administer the Services and we analyze (and may engage third parties to analyze) Log Data to improve, customize and enhance our Services. We may use Aggregated Data such as statistical data to improve our Service. Aggregated Data could be derived from your and others’ personal data but is not personal data as such data will not directly or indirectly reveal your or others’ identities. For example, we may aggregate your Log Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be processed in accordance with this Privacy Policy.

For enjoying some specific services, you may provide your information. For example, if you want to get a demo, become our partner or know more information in our official website, you shall provide your name, email address, address, telephone number, country, department and role, company name and other requirements to make sure that we can contact you and send you information regarding our products and services.

If you are an administrator for enterprise users, you will need to provide your mobile phone number for binding and authentication when first turn on the two-factor authentication. You cannot conduct two-factor authentication if you do not provide your mobile phone number. If you are an end user and your enterprise administrator has applied for and activated the two-factor authentication, you will need to provide your mobile phone number for binding and authentication when logging in for the first time. You cannot use the two-factor authentication function normally if you do not provide your mobile phone number. Your mobile phone number and verification code are required for subsequent login. To turn off the two-factor authentication, please contact the enterprise administrator for application and operation.

We need to access your camera and photo album to collect real-time images or audio-visual information from your album to support features such as QR code login, updating personal avatars, and other basic functions. Additionally, some of the business scenarios, such as issues, site diary and album, require these permissions to complete necessary business operations.

(4) Information Related to the Device

We may collect certain data sent by your device when you use our Services, such as IP address, MAC address, operation system, browser type and the language used as well as the CPU, screen resolution, graphics processing unit, memory, hardware drive, serial number of hard drive, browser, Uniform Resource Locator, International Mobile Device Identity (IMEI) of the mobile phone, unique user ID of our Services.

(5) Information Received from Our Partners and Other Third Parties

We also may link your subscription information with the data we receive from our partners or other third parties (such as Google Analytics, etc.), including but not limited to user ID, domain, the access date and time, new visitor or returning visitor, data sources, to help smoothly facilitate our Services for you, to better understand your needs and to provide you with better Services experience.

(6) Information Collected Using Cookies and Other Web Technologies

The main function of Cookies is to facilitate your use of the Site and/or Services and to help the website to count the number of unique visitors.

Cookies will be sent to your device when you use our Services. We also allow Cookies or the anonymous identifiers to be transmitted to Glodon’s server when you interact with the Services we provide for our partners (such as advertisement and promotional services as well as service functions provided by Glodon that may appear on other sites).

You can choose to turn off Cookies by modifying browser settings. If you choose to turn off Cookies, you may be unable to log in or use the Glodon services or functions that rely on Cookies. If you don’t want Glodon to provide you with personalized promotion information based on Cookies when you visit the Glodon website, you can customize Cookies settings in your browser.

We use Google Analytics tools to better understand how you interact with our online Services. You can opt out from Google Analytics here at (https://tools.google.com/dlpage/gaoptout).

(7) If you Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you or your employer, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Products or Services). In this case, we may have to cancel a Product or Service you have with us but we will notify you if this is the case at the time.

3. How We Use Your Information

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

4. Data Profiling

We will use your personal data collected through our Services, including account information, log data, device data, etc. to conduct data profiling. We conduct the data profiling to improve our Services, and you have the right not to be subject to such data profiling. To exercise your right, please contact us as the way we stated in “7. Your Rights in Relation to Our Use of Your Information”.

5. Information We Share

Without asking for your consent in advance, we will not share your personal information with any third party except in the following cases:

(1) Information Shared with Our Services Providers

We may share your personal data with our affiliated companies, partners, third party service providers, contractors and agencies (such as communication service providers that send emails or push SMS notifications on behalf of Glodon, and map service providers like Google Map that provide location data for us; some of them may not be located in your country) for the following purposes: (i) to provide our services for you; (ii) to achieve the targets stated in “The Data We Collect about You”; (iii) to fulfill our obligations or to practice our rights mentioned in Glodon Account Agreement or Privacy Policy; (iv) to provide, maintain and improve our services.

We will take the required steps to make sure the third party would comply with the standards required by this Privacy Policy, so that they would process your personal information in an appropriate and secure way.

(2) Information Disclosed in Connection with Business Transactions

Since we are still rapidly expanding our business, Glodon may conduct mergers, acquisitions, asset transfers or similar transactions. Your personal data may be transferred as a part of a transaction, and we would inform you of these possible transactions in advance where we are able to do so.

(3) Information Required by Law

Glodon cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to respond to claims, legal processes (including subpoenas); (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general; and (iii) to stop any activity that we consider illegal, unethical or legally actionable.

(4) Other Data Shared with Third Parties

We may share aggregated data and non-personal data with third parties for industry research and analysis and other similar purposes.

In addition, we may share your information with companies in the same group as us, as well as other third parties with your consent and/or of which we have informed you. We do not transfer, share, disclose, assign, sell or rent your personal information to third parties, which are not in connection with our business operations.

6. Information Security, Storage and Data Transfer

We only keep your personal information for the purposes stated in the Privacy Policy within the necessary period and time limit permitted by laws and regulations.

Your personal data will be stored on servers provided by our service providers, which are located in the UK, Singapore, and China. If you are a European customer or use a European product, your data will be stored on a server located in the UK. If you are a Chinese customer or use a product from China, your data will be stored on a server located in China. If you are not a customer in Europe and China or are not using products from Europe and China, your data will be stored on a server located in Singapore. No matter where we are, we will strictly abide by the relevant laws and regulations of the corresponding countries and regions to protect your personal information and related data.

We use various technologies to protect your information from being lost, being misused, unauthorized access or leaking. For instance, we use encryption techniques (such as SSL) in some services to protect the personal information you provide. However, please understand that due to limit of technology and various possible malicious means in the internet industry, we cannot guarantee 100% information security all the time even though we try our best to enforce security measures. Besides, you need to understand that when you access to the system and the communication network applied for using our services, problems may occur due to factors out of our control, that Glodon employs two-factor authentication as an additional layer of protection to ensure the security of online services.

Personal information included in the register may only be processed by such people that are in service of Glodon and its affiliated companies and have a justified need for the processing based on their work assignments. All people processing the register are bound by secrecy obligations.

• International Data Transfer

To provide you with our Services, your personal information may be transferred to, and processed in, countries other than the country in which you are resident. Specifically, our Services are hosted in the UK, Singapore, and China. We may process your personal information in any of these countries.

Where we transfer your personal information to countries outside your country, we have taken appropriate safeguards to ensure that your personal information will remain protected in accordance with this policy. The safeguards we use are the European Commission-approved standard contractual clauses, the UK International Data Transfer Agreement, and other legal mechanisms that are applicable in your country. Particularly, we offer a Data Processing Addendum, as part of this Privacy Policy and attached below, which forms an agreement between us and you or your employer for processing your personal information in the context of international data transfer.

7. Your Rights in Relation to Our Use of Your Information

You have rights under data protection law in relation to our use of your information, including to:

If you have any question about these rights or you would like exercise any of them, please contact us by sending an email to G-data-security@glodon.com. You can exercise your right to access, update and delete your information either on our Apps and Products, or you could contact us and we will assist you to exercise your right. Additional details of how to get in touch are set out below.

Please note that if you decide not to provide us with the information that we request, you may not be able to access all of the features of the Services, including but not limited to the following:

8. Our Policy towards Children

To protect children’s privacy and safety, we provide specific protection with regard to children’s personal data. Our Services are not directed to children under the age of 16 years and we do not intentionally or knowingly collect personal data from children. If you are a child under 16, you are not permitted to use and install our products or create your own Account, unless your parent provides verifiable consent.

Once a child downloads, installs or uses any of our Services, in whole or part, such action shall be deemed representing that his/her parents agree with our policies, terms and conditions including but not limited to this Privacy Policy.

Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into by and between Glodon Company Limited (“Glodon”, “we”, or “us”) and you or your employer (“Customer”, or “you”).

1. Data Protection Laws

In this DPA, Data Protection laws means all applicable privacy and data protection laws, regulations, orders and other government requirements.

2. Scope of Processing

This DPA applies to the processing of personal information by Glodon on behalf of Customer for the purposes of providing Customer with Glodon’s Products or Services. The subject matter of the processing is the personal information provided by Customer in respect of the Products or Services provided by Glodon, which is specified in Glodon’s Privacy Policy and other legal agreements with Customer.

3. Security of Processing

We will implement and maintain appropriate technical and organizational measures to protect your personal information, as described in Schedule 1.

4. Sub-processing

You authorize us to engage third parties as sub-processors. Whenever we engage a sub-processor, we will enter into a contract with that sub-processor which imposes data protection terms that require the sub-processor to protect your personal information. A list of our sub-processors is maintain in Schedule 2.

5. Assisting the Customer

Glodon will assist Customer in ensuring compliance with data security and other obligations as required under the Data Protection Laws, taking into account the nature of processing and the information available to Glodon.

6. Cross-border Transfer

Glodon will ensure that, to the extent that any personal information originating from Customer’s country is transferred by Glodon to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.

To the extent that Glodon is processing any personal information originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed in Schedule 3, the terms specified therein with respect to the applicable jurisdictions apply in addition to the foregoing terms.

7. Lawful Basis for Processing

Customer warrants that, where required by the Data Protection Laws, it has provided notice to any and all data subjects and has received requisite consent from the data subject or its legally authorised representative or guardian.

8. Audits

The rights for conducting audits are set forth in this DPA. In the absence of such requirements in the DPA, where the Data Protection Laws so require, audits will be: (i) subject to the execution of appropriate confidentiality or non-disclosure agreements; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the DPA has been made, upon 30 days written notice and having provided a plan for such review; and (iii) be conducted at a mutually agreed upon time, place, and manner.

9. Change in Data Protection Laws

Notwithstanding anything to the contrary in this DPA, in the event of a change in Data Protection Laws or a determination or order by a government authority or competent court affecting this DPA or the lawfulness of any processing activities under this DPA, we reserve the right to make any amendments to this DPA as are reasonably necessary to ensure continued compliance with Data Protection Laws.

Schedule 1 Technical and Organizational Measures

1. Measures of pseudonymisation and encryption of personal data

Glodon attaches great importance to the protection of personal data, has formulated relevant company policies, and has passed ISO27001 and ISO27701 certification. Regarding the pseudonymisation and encryption of personal data, the measures taken by Glodon include but are not limited to:

(1) Glodon’s business information system has established data encryption and key management strategies. Account and password are required to log in to the business information system and access the data therein.

(2) Personal data is encrypted when it is transmitted between business information systems or externally as well as when it is at rest.

(3) Personal data is processed using pseudonymisation techniques in business information systems, such as hash functions and asterisks replacing the original identifiers, so that unauthorized personnel cannot see the original personal data.

2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

The security of business information systems is the cornerstone of Glodon. The measures taken by Glodon include but are not limited to:

(1) Physical security strategy: Place important equipment such as servers, routers, and firewalls that support business information systems in a physically secure environment, and prevent unauthorized access, damage, and interference through physical isolation and access control systems.

(2) Network security strategy: Implement network security management and network access management, implement access control on devices connected to the company network, install control tools, and monitor and manage networked devices and their network activities.

(3) Remote access security policy: Only authorized VPNs are allowed to access business systems remotely over the public network.

(4) Terminal and system security strategy: Control access to business information systems. All office terminals connected to the company network should be equipped with protection software. For systems running critical business, access is only allowed from secure network nodes to ensure that the system is not damaged by computer viruses or due to system vulnerabilities.

(5) Personnel security strategy: Develop relevant information security operating procedures for relevant employees.

(6) Security incident management strategy: Establish and improve the monitoring, notification, early warning, disposal and rectification mechanism of information security incidents.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Glodon has formulated a backup and recovery system for business information systems. Once a system failure or data damage occurs, the system can be quickly restored to ensure normal operation. The main backup strategies include:

(1) Backup method: Full backup (important systems will also have incremental backup)

(2) Backup frequency: Full backup at least once a week (incremental backup once a day)

(3) Backup storage location: different machine (important systems will also be backed up in a different location)

(4) Retention period: at least the last 7 days of backup data should be retained

4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Glodon regularly implements the following measures to ensure the effectiveness of technical and organizational measures:

(1) Regularly test, maintain, exercise, and re-evaluate the security strategy of business information systems.

(2) Track the latest developments in legislation, law enforcement and judicial procedures regarding personal data, and adopt technical and organizational measures as required by law.

(3) Accept ISO certification audits conducted by third parties every year, including ISO27001 and ISO27701.

5. Measures for user identification and authorization

Glodon uses access control and identity verification as basic security measures to prevent unauthorized access to business information systems. Measures taken by Glodon include but are not limited to:

(1) Glodon’s business information system has established data encryption and key management strategies. Account and password are required to log in to the business information system and access the data therein.

(2) All access logs will be recorded and collected to meet the needs of troubleshooting and forensics.

6. Measures for the protection of data during transmission

Glodon has taken protective measures for data transmission both within the company and outside the company, including but not limited to:

(1) When company employees transmit data through the company’s internal network, they should ensure that the data is transmitted within a controlled network and interface. When transmitting important data between systems on the internal network, reliable secure transmission protocols such as https, sftp and SSL should be used.

(2) When important data is transmitted across the Internet between company computer rooms, dedicated network lines must be used for data transmission.

(3) When data is transmitted between the business information system and the external network environment, it should be ensured that the network transmission channel is protected by secure communication protocols and strong encryption algorithms, such as full-site http encryption, digital signatures and authentication.

7. Measures for the protection of data during storage

The data in Glodon’s business information system is mainly stored on the company’s servers and third-party clouds. The protection measures taken by Glodon include but are not limited to:

(1) Glodon’s business information system has established data encryption and key management strategies. Account and password are required to log in to the business information system and access the data therein.

(2) Personal data is encrypted when it is transmitted between business information systems or externally as well as when it is at rest.

(3) Glodon has established a backup and recovery system for business information systems. Once a system failure or data corruption occurs, the system can be quickly restored to ensure normal operation.

8. Measures for ensuring physical security of locations at which personal data are processed

Glodon places important equipment such as servers, routers and firewalls that support business information systems in a physically secure environment. The protection measures taken by Glodon include but are not limited to:

(1) Set up access control so that only authorized employees can enter.

(2) Deploy a video surveillance system.

(3) Without permission, no one may replace the equipment hardware of the business information system, or use software, USB flash drives or CDs of unknown origin.

9. Measures for ensuring events logging

Glodon’s business information system has a log function that can identify and track the use of the system, thereby supporting the identification of illegal processing of personal data and taking appropriate remedial measures when necessary.

10. Measures for ensuring system configuration, including default configuration

The configuration of the Glodon business information system can only be performed by personnel with specific permissions, and all configuration changes must be approved and recorded and monitored.

11. Measures for internal IT and IT security governance and management

Glodon’s IT department has developed a comprehensive information security strategy, including management organization and responsibilities, management principles and strategies, inspection/supervision/assessment, etc.

12. Measures for certification/assurance of processes and products

Glodon has obtained multiple ISO certifications, including ISO/IEC 27001:2022 and ISO/IEC 27701:2019, and also undergoes annual assessment and audit of ISO certification by third parties.

13. Measures for ensuring data minimization

Glodon processes all personal data in accordance with applicable laws, including compliance with legal requirements for data minimization. In addition, Glodon conducts personal data protection impact assessments for its products and services to ensure data minimization.

14. Measures for ensuring data quality

Glodon processes all personal data in accordance with applicable laws, including compliance with legal requirements for data quality. In addition, Glodon provides users with high-quality products and services, ensures data quality, and enables users to have a good user experience.

15. Measures for ensuring limited data retention

Glodon processes all personal data in accordance with applicable laws, including compliance with legal requirements for data retention periods. The data retention period is determined by the period of time customers use Glodon’s products and services and the requirements of applicable laws (such as tax and accounting requirements).

16. Measures for ensuring accountability

Glodon will handle data violations in accordance with the “Employee Behavior Manual” and “Employee Behavior Red Line Management Policy”, and has the right to pursue the legal and economic responsibilities of the relevant responsible persons.

17. Measures for allowing data portability and ensuring erasure

Glodon processes all personal data in accordance with applicable law, including compliance with legal requirements for data portability and erasure. When a user requests to move or delete their personal data, Glodon will handle it in accordance with the law.

18. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

When Glodon transfers data to a (sub)processor, it will sign an agreement with the (sub)processor to specify the data protection obligations of the (sub)processor and the specific technical and organizational measures it will take.

Schedule 2 List of Sub-processors

Company Information	Location	Processing Purpose
Microsoft Azure	United Kingdom	Cloud infrastructure services
Alibaba Cloud	Singapore	Cloud infrastructure services
Alibaba Cloud	China	Cloud infrastructure services
Huawei Cloud	China	Cloud infrastructure services

Schedule 3 International Data Transfer outside the European Economic Area and United Kingdom

1. To the extent that Customer transfers personal data from the European Economic Area (“EEA”) and the United Kingdom (“UK”) to Glodon located outside the EEA or UK, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:

(1) Customer is the “data exporter” and Glodon is the “data importer”;

(2) the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 1 are omitted, the time period in Clause 9(a) Option 2 is 14 days, and the applicable annexes are completed respectively with the information set out in the DPA;

(3) to the extent that Customer acts as a controller and Glodon acts as a processor, Module Two applies and Modules One, Three and Four are omitted, and to the extent that each party acts as a processor, Module Three applies and Modules One, Two and Four are omitted;

(4) the “competent supervisory authority” is the supervisory authority in the UK;

(5) the Clauses are governed by the law of the UK;

(6) any dispute arising from the Clauses will be resolved by the courts of the UK; and

(7) if there is any conflict between the terms of the DPA and the Clauses, the Clauses will prevail.

2. In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications:

(1) the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018 available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/ (“UK Addendum”);

(2) tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA; and

(3) table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.