Data Protection Addendum For Mainland China

Last updated: 6th Feb, 2023

This Privacy and Data Protection Addendum For Mainland China (“Chinese DPA”) supplements the Terms of Service available at https://gameanalytics.com/terms/, and any other agreements (“Agreement”) as updated from time to time between you, either an individual or a legal entity that you represent as an authorized employee or agent (“Partner”), and GameAnalytics Ltd (“GA”) for GA’s products and services (“Service(s)”). This Chinese DPA is an agreement incorporated into and form part of the Agreement. This Chinese DPA shall be effective since the effective date of the Agreement, and survive termination or expiry of the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Chinese DPA, this Chinese DPA supersedes and replaces such prior agreements. In case of any conflict between a provision of this Chinese DPA and the Agreement, as it relates to Personal Information, the provision of this Chinese DPA shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.

This Chinese DPA applies when GA collects or processes Personal Information which is transferred or made available by Partner and which is protected or otherwise regulated by Data Protection Laws. The parties hereby agree to comply with the following provisions.

1. Definitions

1.1. “Affiliates” means with respect to a Party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such Party.

1.2 “Child” or “Children” means child or children younger than 14 years old.

1.3 “Data Protection Rules” means any applicable laws, regulatory policy, national standard, industry standard of the mainland areas of the People’s Republic of China (for the sole purpose of this Chinese DPA, the Hong Kong S.A.R of People’s Republic of China, Macao S.A.R. of People’s Republic of China, and Taiwan areas of People’s Republic of China are not included) and/or any applicable policy of any platform that is engaged in providing service for GA and Partner with respect to the processing of Personal Data which GA or Partner is subject to, including but not limited to any law or regulation, regulatory policy, national standard, industry standard, policy pursuant to the Agreement that is similar, equivalent to, successors to, or that are intended to or implement the laws or regulations.

1.4 “Data Subject” means the individual to whom Personal Information is related to.

1.5 “Entrusted Handler” means an organization or individual who is entrusted by a Personal Information Handler to process Personal Information strictly in accordance with the Persona Information Handler’s instructions regarding the purpose and method of the processing.

1.6 Privacy Requirements means any applicable Data Protection Rules, any industry standard, rule or guideline of GA.

1.7″GA Privacy Policy” means the privacy policy available at GA’s official website at https://gameanalytics.com/privacy/隐私政策/ which may be updated from time to time.

1.8 “Personal Data” or “Personal Information” means information relating to an identified or identifiable Individual, anonymous data (as defined in Data Protection Rules) is excluded from the scope of Personal Data.

1.9 “Personal Information Handler” means an organization or individual who autonomously decides the purpose and method of processing in the Personal Information processing activities; it has the same meaning as “个人信息处理者” defined in Data Protection Rules.

1.10 “process” or “processing” “process” or “processing” includes collection, storage, use, process, transmit, making available, disclose to the public, erasure, etc.

1.11 “Service(s)” means Services provided by GA and/or its Affiliates to Partner according to the Agreement.

1.12 “User” means end users who visits or uses Partner’s Product (including mobile application).

2. Compliance with Privacy Requirements

Each party confirms that it has complied, and will continue to comply with the applicable obligations related to personal data protection as set out by Privacy Requirements.

3. Processing by Partner

3.1 With respect to the processing activities of Personal Information for the purpose of providing Services, Partner acknowledges that it acts as a Personal Information Handler. Partner shall read carefully and ensure that its privacy policy and any process of Personal Data comply with the Privacy Requirements, provisions of this Chinese DPA, rules issued by GA’s official website, agreements signed between both parties, GA Privacy Policy, etc. before integrating GA’s SDK.

3.2 Partner acknowledges and agrees that GA’s SDK has the function to process Personal Data, and agrees that the processing of Personal Data by GA’s SDK is for the necessity of providing Services.

3.3 Partner guarantees that it shall prominently announce and display its privacy policy in its Products in accordance with the Privacy Requirements and this Chinese DPA. The display and content of such privacy policy shall meet the following (without limitation) requirements:

3.3.1 Partner’s privacy policy shall be independently written, easily understandable and clearly reminding. After the User enters the main function interface, he or she can access to the privacy policy within no more than 4 time’s click or swipe.

3.3.2 Partner warrants that when the Product runs for the first time, the User will be notified to read its privacy policy by pop-up window and other obvious ways. After the User confirms and agrees to the privacy policy, GA’s SDK is authorized by Partner to process the Personal Data.

3.3.3 The User should be given the choice to choose actively whether to accept Partner’s privacy policy, which means the User’s acceptance should not be obtained by default or deceived.

3.3.4 The content Partner should clearly inform its User through its privacy policy and other documents includes but not limited to: (a) the type of Personal Data processed by Partner, the purpose, the processing method, the retention period, etc.; (b) Partner has chosen GA and/or its Affiliates as its partner, Partner has used GA’s and/or its Affiliates’ Services, and related information including but without limitation to, GA’s and/or its Affiliates’ company name and contact information, the types, processing purposes, and processing methods of Personal Data processed by GA and/or GA’s Affiliates, and any other information that shall be notified to Users according to Privacy Requirements; (c) that GA and/or its Affiliates will process Personal Data only as an Entrusted Handler of Partner in accordance with GA Privacy Policy, and User shall be notified of the link to GA Privacy Policy and be able to access the GA Privacy Policy by clicking on the link, or otherwise be notified of the processing activities stated therein; (d) whether Partner conducts (including being deemed to conduct) a cross border transfer of Personal Information under Data Protection Rules; and (e) any other information that needs to be included to meet the Privacy Requirements.

3.4 Partner warrants that it has provided appropriate notices to and obtained valid consents from Users with regard to the processing of Personal Data by GA’s SDK, to the extent necessary for GA to process as an Entrusted Handler the Personal Data and any data related to the Agreement according to GA Privacy Policy for the purpose of providing Services. Partner shall also warrants that the ways, methods, procedures, etc.of obtaining Users’ consent does not violate the Privacy Requirements.

3.5 Upon request of GA, Partner shall provide GA with all the records of consents of Users. Partner understands and agrees that GA’s requirement for Partner to provide Users’ consents records does not relieve Partner’s legal liability arising out of making available the Personal Data to GA by Partner, nor does it constitute or lead to GA’s legal liability arising out of making available Personal Data to GA by Partner.

3.6 If Partner’s Product target to the Users or some Users who are defined as Children, GA will not provide Services to such Product and such Child User, and in this circumstance, Partner is not allowed to transfer or make available any Child User’s Personal Data to GA, unless Partner has complied with the following requirements:

3.6.1 Partner has obtained prior consent of GA;

3.6.2 Partner warrants that it shall comply with any Privacy Requirement related to Personal Data protection of Children and minors. If Partner may transfer or make available Personal Data of Child User who are under the age of 14 to GA, Partner warrants that is has taken related measures and has obtained valid and explicit consents from its parents or any other authorized guardian (including the ways, manners and procedures shall be legal), and make reasonable effort to confirm that such consents are provided from parents or any other authorized guardian, to the extent for Partner and GA to process the Personal Data of Child User pursuant to this Chinese DPA and the Agreement.

3.6.3 Partner shall comply with any other provision directed by GA.

3.7 Due to the restriction of the current status of technology and the business mode, it is difficult for GA to actively identify Child User’s Personal Data. If Partner realizes any processing of Child User’s Personal Data by GA without GA’s acknowledgement or without any verifiable consent of parent or guardian, Partner shall notify GA in a timely manner. GA will try its best effort to delete such Personal Data. If GA realizes the above-mentioned situation by itself, GA will also delete the Personal Data in a timely manner, except for any retention as required by laws and regulations.

3.8 Partner warrants that it has provided adequate notices to, and obtained valid consents from, its employees, in each case, to the extent necessary for GA and/or its, Affiliates to (a) make necessary communication with Partner’s employees for the purpose of providing Services, And (b) to send them direct marketing email in relation to the products and services of GA and/or its Affiliates, both in accordance with the GA Privacy Policy. (For the avoidance of doubt, with respect to GA’s use of Partner’s employees’ Personal Data to send direct marketing email (i.e. (b) above), GA acts as a Personal Information Handler.) Partner will provide on request records of all consents obtained from its employees to GA and shall notify GA in writing within 24 hours of Client receiving employee’s objection to or withdrawal of consent.

3.9 Partner shall not cause GA to violate any Privacy Requirement when processing Personal Data in accordance with this Chinese DPA and GA Privacy Policy due to its acts or omissions, or cause GA to process Personal Data beyond the scope of User’s authorization and consent in accordance with this Chinese DPA and GA Privacy Policy.

3.10 Partner shall provide Users with easy-to-operate mechanisms to access, correct, delete their Personal Data, revoke or change their authorization and consent, and cancel their personal accounts, etc., to ensure that Users can realize their personal data rights in accordance with Privacy Requirements.

3.11 Partner guarantees that the retention of the relevant Personal Data (including the retention of the relevant Personal Data by GA as an Entrusted Handler of Partner) provided to GA (or allowed to be collected by GA) does not exceed the legally necessary storage period which is necessary for Partner to process such Personal Data, nor does it exceed the legally necessary storage period which is necessary for providing Services based on such Personal Data.

3.12 Partner guarantees that it will not steal or obtain Personal Data in other illegal ways, or illegally sell or illegally provide Personal Data to any third party (including GA). Partner will not disclose, tamper with, or destroy Personal Data it collected.

3.13 GA will from time to time update the SDK due to the upgrade and optimization of the SDK and the Products, improvement of safety performance, legal and regulatory requirement, etc. Different version of SDK may collect different types of data. In order to ensure the cooperation between both parties legal and compliant, and to practically fulfill the obligation to protect Users’ Personal Data, Partner shall ensure that it has upgraded the GA SDK to the officially most updated version so as to avoid any illegal issue arising out of using the SDK old version and any risk of being fined by the regulatory authority by Partner or GA. GA will inform Partner in effective ways such as notifications, station letters, announcements, etc., after the GA SDK is upgraded. Partner shall pay close attention to it and update the SDK version as soon as possible.

3.14 If any Personal Information processing activities for the purpose of providing Services is or is deemed a cross border transfer of Personal Information under Data Protection Rules, Partner as a Personal Information Handler shall comply with any and all cross border transfer obligations thereunder, including without limitation submitting for an “outbound data transfer security assessment”, executing standard contract clauses, and etc.

4. GA’s Processing

4.1 GA and/or its Affiliates will process Personal Information only as an Entrusted Handler of Partner for the purpose of providing Services, and shall process such Personal Information strictly in accordance with Data Protection Rules and GA Privacy Policy, including without limitation the purpose, period, method, type of Personal Information of GA’s and/or its Affiliates’ processing activities stated therein.

4.2 Upon the revocation, rescind, invalidation, termination or expiry of the Agreement or this Chinese DPA, GA and/or its Affiliates shall return to Partner or delete all the Personal Information the processing of which is for the purpose of providing Services.

4.3 Without the consent of Partner, GA and/or its Affiliates shall not engage any sub-Entrusted-Handler. For the purpose of providing Services, Partner hereby consents that GA will use the technical services provided by AWS, GCP, and Imply, including data storage and retrieve.

5. Limitation of Access

Each party will limit access to Personal Information to those personnel who require such access only as necessary to fulfill such party’s obligation under the Agreement. Each party is responsible to make sure that all relevant personnel of such party adhere to this Chinese DPA.

6. Information Security

Each party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security, confidentiality and integrity of the Personal Information, in accordance with applicable Data Protection Laws, and official guidelines as provided by the competent authorities and good industry practice. Each party undertakes to regularly monitor compliance with these safeguards and will not materially decrease the overall security controls during the term of the Agreement.

7. Assistance

The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Data Protection Laws, including in order to enable the other party to respond to (if required by Data Protection Rules): (a) any request from a Data Subject or a Child Data Subject’s legal guardian (if any) to exercise any of its rights under Data Protection Law; (b) any other correspondence, enquiry or complaint received from a Data Subject, a Child Data Subject’s legal guardian (if any), regulator or other third party in connection with the processing of the Personal Information (“Correspondence”). GA shall make commercially reasonable effort to promptly inform Partner if it receives any Correspondence or becomes aware of a data breach.

8. Audit

Partner will make available all information necessary, including records of consents referred to in Section 4 as above under this Chinese DPA, to demonstrate Partner’s compliance with this Chinese DPA and will permit and contribute to any data audits reasonably required by GA upon GA’s prior written request and advanced notice.

9. Indemnification

The parties will indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss (including but without limitation reasonable attorney fee, arbitration cost or litigation cost, investigation cost) which they cause each other as a result of their breach of any of the provisions of this Chinese DPA. Any limitation of liability specified in the Agreement will not be applicable to this Chinese DPA.

10. Governing Law and Dispute Resolution

The governing law and dispute resolution specified in Article 16.1 of the Terms of Service will also apply to this Chinese DPA.

11. Miscellaneous.

11.1. Any alteration or modification of this Chinese DPA is not valid unless made in writing and executed by duly authorized personnel of both parties.

11.2. Invalidation of one or more of the provisions under this Chinese DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

11.3. Partner acknowledges that GA and/or its Affiliates may disclose this Chinese DPA and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law. Such disclosure will not constitute a breach of GA’s confidentiality obligation under the Agreement.