Privacy Policy
Effective date: June 30, 2026. This policy applies to botongsh.com and to every Botong Sihai application published on Google Play.
Privacy Policy
鈿?Effective 30 June 2026 路 Review: 30 June 2027 路 Authority: Data Protection Officer, Beijing Botong Sihai Property Management Co., Ltd.
We build for "data never leaves your device". We do not require accounts. We do not sell personal data. We do not use behavioural advertising profiling for our own analytics. Our apps monetize through legitimate in-app advertising (IAA) and in-app purchases (IAP) 鈥?both implemented under the strictest regional standards.
1. Introduction & Scope
Beijing Botong Sihai Property Management Co., Ltd. (the "Company", "we", "us", "our") operates the website botongsh.com (the "Website") and publishes a portfolio of mobile applications on Google Play (the "Apps"). This Privacy Policy describes how we collect, use, disclose and protect personal information in connection with the Website and the Apps.
This Policy is designed to satisfy, in a single document, the disclosure obligations imposed by, among others: the Google Play Developer Distribution Agreement & User Data Policy; the IAB Europe Transparency & Consent Framework v2; the EU General Data Protection Regulation (GDPR); the UK GDPR & Data Protection Act 2018; the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA); the Brazilian Lei Geral de Prote莽茫o de Dados (LGPD); Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); the Children's Online Privacy Protection Act (COPPA); the UK Age-Appropriate Design Code (AADC); Japan's Act on the Protection of Personal Information (APPI); South Korea's Personal Information Protection Act (PIPA); China's Personal Information Protection Law (PIPL); Australia's Privacy Act 1988; Singapore's Personal Data Protection Act (PDPA); India's Digital Personal Data Protection Act (DPDPA) 2023; and other applicable privacy laws.
2. Definitions
- Personal Data / Personal Information 鈥?any information that identifies, or can reasonably be linked to, an individual.
- Process / Processing 鈥?any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
- SDK 鈥?Software Development Kit, including our advertising and analytics dependencies.
- IAA 鈥?In-App Advertising, the monetization model in which ad networks display ads inside our Apps.
- IAP 鈥?In-App Purchase, the monetization model in which users purchase digital content or subscriptions.
- User 鈥?any person who installs, accesses, or interacts with the Website or the Apps.
- Child / Minor 鈥?persons below the age required for consent under the law of their residence (commonly 13 under COPPA, 16 under GDPR, 13鈥?6 under various state laws).
3. Data We Collect
3.1 Data You Provide to Us Directly
We collect only the data you voluntarily submit through our Website's contact form and email channels. This may include: full name, email address, organization, country/region, the topic of your inquiry and the free-form message content. We use this data only to respond to your inquiry and maintain a record of communication.
3.2 Data Collected Automatically (Website)
When you visit botongsh.com, basic technical information may be collected by our web server and (only if you accept) by cookies and third-party scripts:
- IP address (truncated where feasible), user-agent, referrer URL, requested URL, response status, bytes transferred.
- Aggregate, non-identifying statistics on pages viewed, time on page and country (Google Analytics 4 only with consent).
- No behavioural profiling, no fingerprinting, no cross-site tracking.
3.3 Data Collected by Our Apps
Our Apps are designed around the principle of local-first storage. By default they:
- Do not collect your name, email, phone number, address or any account identifier.
- Do not require sign-up, login, or device-binding.
- Do not transmit user-generated content (routes, collections, drafts, training logs, receipts, habit entries) off the device.
- May request only the minimum Android runtime permissions necessary for the feature (e.g., camera for OCR, location for offline GPS 鈥?both opt-in).
3.4 Data Collected by Third-Party Advertising SDKs
When ads are shown inside our Apps, the ad networks listed in Section 8 receive certain technical signals necessary to deliver, measure and prevent fraud in advertising. The categories of data may include: Advertising ID (GAID / IDFA), IP address, coarse device information (OS version, device model, language), coarse location (country/city derived from IP), app bundle ID, ad unit ID, timestamp, and a randomized session identifier. No content you create in the Apps is shared with ad networks.
4. Legal Basis for Processing (GDPR & Equivalents)
We rely on the following legal bases under Article 6 GDPR:
- Consent (Art. 6(1)(a)) 鈥?for the placement of non-essential cookies and for the loading of personalized advertising. Consent is obtained through the IAB Europe TCF v2 compliant Consent Management Platform integrated in our Apps and Website.
- Contract (Art. 6(1)(b)) 鈥?for processing necessary to respond to your inquiry, deliver a service you request, or complete an in-app purchase.
- Legitimate Interests (Art. 6(1)(f)) 鈥?for fraud prevention, security, system integrity, and aggregated reporting. We conduct and document a Legitimate Interests Assessment (LIA) before relying on this basis.
- Legal Obligation (Art. 6(1)(c)) 鈥?for tax, accounting, and regulatory record-keeping obligations imposed on us by Chinese and other applicable law.
5. How We Use Your Data
We use the limited personal data we receive for the following purposes:
- To respond to your inquiries and provide customer support.
- To deliver the Website and Apps, maintain service quality, and prevent abuse.
- To serve advertising through the SDKs listed in Section 8 (only after user consent where required).
- To honor in-app purchases, refunds, and subscription management via Google Play.
- To comply with legal obligations and respond to lawful requests from authorities.
- To send service-related operational communications (e.g., a single confirmation email when you contact us 鈥?never marketing).
6. Sharing & Disclosure of Personal Data
We do not sell, rent, or trade personal data. We disclose personal data only to:
- Advertising SDKs for the purpose of serving and measuring advertising (per Section 8).
- Payment Processors: Google Play's official billing system handles all transactions; we never see your full payment card number. We receive only the purchase token, product ID, purchase state and country.
- Service Providers: hosting providers (alibaba Cloud, AWS, Google Cloud) hosting this Website; email delivery providers (for transactional contact-form emails).
- Authorities: where compelled by valid legal process or to protect our legal rights, in accordance with applicable law.
- Corporate transactions: in the event of a merger, acquisition, or asset sale, personal data may be transferred under confidentiality obligations equivalent to those in this Policy.
7. Google Play Apps 鈥?Data Safety & Disclosure
Each of our Apps publishes an up-to-date Data Safety form on its Google Play listing, summarising the data collected, the legal basis (consent vs. legitimate interest), and whether data is encrypted in transit, deleted upon request, or transferred to specific regions. The information below is the canonical disclosure:
| Category | Disclosure |
|---|---|
| Account info (name/email) | Not collected 鈥?apps have no account system. |
| User content (routes / drafts / fitness logs / receipts / habits) | Not shared 鈥?stored locally on the device, never transmitted to us or to third parties. |
| Photos / camera (receipt OCR only) | Processed in real-time on-device, never uploaded. Optional permission only. |
| Location (route parser only) | Optional; processed on-device for distance/elevation; never uploaded by us. |
| Advertising ID (GAID) | Accessed by SDKs in Section 8 only after user consent (TCF v2). Optional; revocable in OS settings. |
| Device & app identifiers | Accessed by advertising SDKs for frequency capping / fraud prevention. |
| Diagnostics & crash data | Not collected in our own code. Google Play's built-in crash reporting, if enabled by the user, is governed by Google's policies. |
| Data is encrypted in transit | Yes (TLS 1.2+ for any optional outbound SDK call). |
| User can request deletion | Yes 鈥?uninstalling the App removes all local data; for in-app account-bound data write to privacy@botongsh.com. |
| Children-directed | No 鈥?see Section 11. |
8. Advertising SDK Disclosure (AdMob & IAA Partners)
Our Apps may serve ads through the following advertising networks. Each network is integrated under signed Master Service Agreements, GDPR Data Processing Addenda, and Standard Contractual Clauses where applicable, and is configured to serve contextual (non-personalised) advertising by default. Personalised advertising is only enabled after explicit TCF v2 consent. Each SDK's own privacy disclosures are linked below.
Our App integrates the Google Mobile Ads SDK (AdMob), which is governed by Google's Privacy Policy. AdMob is configured with the following settings: child-directed treatment = NO; consent for personalised ads = OPT-IN (TCF v2); ad content filtering restricted = YES (when required by region). For users in the EEA, UK and other TCF jurisdictions, AdMob only serves non-personalised advertising until consent is provided.
8.1 Network Inventory
| Network | Compliance Documents |
|---|---|
| Google AdMob & Ad Manager (Google Mobile Ads SDK) | Google Privacy Policy 路 Google Ads Policy 路 TCF v2 Compliant 路 IAB TCF v2 registered |
| Meta Audience Network (Facebook) | Meta Privacy Policy 路 Meta Audience Network SDK with Limited Data Use (LDU) mode for California users |
| Unity Ads | Unity Privacy Policy 路 GDPR/CCPA-compliant APIs 路 Privacy Manifest V2 |
| AppLovin MAX / AppLovin Exchange | AppLovin Privacy Policy 路 IAB TCF v2.2 CMP integration |
| ironSource (now part of Unity) | ironSource Privacy Policy 路 SDK integrations follow Unity privacy stack |
| Vungle (Liftoff) | Vungle Privacy Policy 路 GDPR & CPRA-compliant SDK |
| Chartboost (now part of Zynga / Digital Turbine) | Chartboost Privacy Policy |
| AdColony (now part of Digital Turbine) | AdColony Privacy Policy 路 IAB TCF v2 registered |
| Tapjoy | Tapjoy Privacy Policy |
| InMobi | InMobi Privacy Policy 路 IAB TCF v2 路 GDPR DPIA available |
| Pangle (ByteDance) | Pangle Privacy Policy 路 China PIPL compliant 路 IAB TCF v2 in EU |
| Mintegral | Mintegral Privacy Policy 路 IAB TCF v2 路 GDPR/CCPA compliant |
| Digital Turbine (AdColony, Digital Turbine Exchange) | Digital Turbine Privacy Policy |
| Smaato | Smaato Privacy Policy (optional inclusion in EU) |
| Liftoff (Vungle & MoPub legacy) | Liftoff Privacy Policy |
| Ogury | Ogury Privacy Policy (optional inclusion) |
| BidMachine | BidMachine Privacy Policy |
| Yahoo (Verizon Media) | Verizon Media Privacy Policy |
8.2 Mediation & Bidding
Ads are typically served through AppLovin MAX, Google Ad Manager or Unity LevelPlay as mediation layers. Each network participating in real-time bidding receives only the signals described in Section 7, and only after TCF v2 consent when in scope. We configure mediation waterfalls to exclude bidders that fail regional compliance checks.
8.3 Frequency Capping & Audience Segmentation
By default, frequency capping and audience segmentation are off. When a user consents to personalised advertising, the SDKs may cap ad frequency at the session level (typically 1 ad per format per minute) and may include the user in coarse, short-lived segments (e.g., "interests in outdoor sports"). No cross-app behavioural profile is built across publishers by our code.
8.4 Do Not Sell / Do Not Share (CCPA/CPRA)
We honor Global Privacy Control (GPC) signals. For California users, we treat personalised ad selection as "sharing" under CPRA 搂1798.140 and provide a single in-app toggle in the Privacy Choices menu to opt out at any time 鈥?which is propagated to every integrated SDK via the IAB TCF v2 purpose 1 signal.
9. Ad Formats Inventory
The following ad formats may be displayed by our Apps, served exclusively through the SDKs listed in Section 8. Each format is described below together with its frequency cap and any data signals used.
| Format | Description | Default Frequency | Data Signals Used |
|---|---|---|---|
| App-Open (Splash) | Full-screen ad shown briefly when the app is launched or resumed after backgrounding. Skippable after 3 seconds. | 1 per cold launch | App ID, device locale, orientation |
| Rewarded Video | User opts-in (via button) to watch a full video in exchange for a digital reward (e.g., an extra feature unlock for one day). The reward is yours whether or not you finish. | User-initiated | App ID, format type, reward ID, completed flag |
| Interstitial | Full-screen ad shown at natural app transition points (e.g., between sections or after completing a recordable action). | 1 per minute per session | App ID, format type, app state |
| Banner | Rectangular ad embedded in a content area (e.g., footer of a list). Always labelled "Advertisement". | 1 visible at a time | App ID, format type, screen size bucket |
| Native | Ad rendered using a custom template matched to surrounding UI (e.g., a sponsored card inside a list). Always clearly marked as sponsored. | 1 visible at a time | App ID, format type, slot ID |
| MREC (Medium Rectangle) | 300脳250 (or similar) banner style used inside content cards. | 1 per screen | App ID, slot ID |
For users identified as under the age of consent in their jurisdiction (see Section 12), only contextual advertising is served. We treat the Advertising ID as zeroed-out via Android's isLimitAdTrackingEnabled() / iOS ATTrackingManager; we set the SDK's tagForChildDirectedTreatment flag to -1 (treat as mixed audience unless we know the user is in the child age band) and comply with Google's Families Policy & the Apple Kids Category requirements.
10. In-App Purchases (IAP)
Our Apps offer optional In-App Purchases to unlock premium features, remove ads, or subscribe to recurring services. All financial transactions are processed exclusively by Google Play's billing system under the Google Play Developer Distribution Agreement. The Company does not directly receive your full payment card number. We receive only:
- The purchase token (randomly generated by Google).
- The product ID (e.g.,
com.botongsh.route.pro.yearly). - Purchase state (purchased, cancelled, refunded, expired).
- Country (for tax compliance).
Refunds, cancellations, family library sharing, and subscription management are all handled by Google Play under their policies. Family library settings in your Google account determine whether purchases are shared.
11. Children's Privacy (COPPA / AADC)
11.1 COPPA (Children's Online Privacy Protection Act 鈥?United States)
Our Apps are not directed to children under 13. We do not knowingly collect personal information from children under 13. We do not permit behavioural or interest-based advertising to users we know to be under 13. We configure every advertising SDK with the tagForChildDirectedTreatment = -1 flag (meaning "treat as mixed audience unless the publisher identifies the user as a child") and honour isLimitAdTrackingEnabled = true as a contextual-only signal. The Google Play Store settings we use include the Designed for Families selection only where appropriate, and we maintain a separate "No Interest-Based Ads For Users Under 13" overlay on all integration code. We submit to COPPA Safe Harbor principles and respond to verified parental requests to delete any data within 15 calendar days.
11.2 UK Age-Appropriate Design Code (AADC)
Where our Apps are accessible in the United Kingdom and may be used by children, we have completed an AADC Data Protection Impact Assessment (DPIA) covering: data minimisation, default privacy settings (highest by default), transparency, no nudge techniques, no profiling of children, no use of "dark patterns", and best-interest design. The DPIA summary is available on request to privacy@botongsh.com.
11.3 EU GDPR Article 8
In the European Economic Area, processing of personal data of a child under 16 (or the lower age set by a Member State, which may not be below 13) is lawful only where consent is given or authorised by the holder of parental responsibility. Our Apps do not target children and do not request data from children.
11.4 China PIPL 鈥?Minors
Under PIPL Article 31, we apply special protection to personal information of minors and process their data only with the consent of a parent or guardian. We do not require parental consent on first launch because we do not collect any personal information of users under 14 by default.
11.5 India DPDPA 2023 鈥?Children
Section 9 of the Digital Personal Data Protection Act, 2023, prohibits processing personal data of children under 18 without verifiable parental consent. We do not knowingly process such data.
12. Age-Gating Policy by Region
The following minimum age thresholds are enforced through the Google Play Store-age gate at install time, by the in-app Privacy Choices menu, and by the IAB TCF v2 special feature 1 signal (precise geolocation) and purpose 1 signal:
| Region | Min. Age for Consent | Verification Mechanism | Behaviour Below Threshold |
|---|---|---|---|
| United States (COPPA) | 13 | Declared at install; Google Play age gate; OS-level Advertising ID reset | Contextual ads only; no ad profiling; no IAP without IAP gate |
| European Economic Area & UK (GDPR / AADC) | 16 (default; lower via MSLA) | TCF v2 purposes & special features defaulted off; AADC DPIA controls | Contextual ads only; no profiling; no device-level advertising identifiers exposed |
| Brazil (LGPD) | 13 (under 13 require parental consent) | Google Play age gate; in-app regional setting | Contextual ads only; data minimisation applied |
| Canada (PIPEDA / Quebec Law 25) | 13 (Quebec: 14) | Google Play age gate; in-app Quebec setting for Law 25 controls | Contextual ads only |
| Japan (APPI) | 18 (for opt-in marketing) 鈥?apps: no age-gate, but no personal info from minors without consent) | Google Play age gate; APPI "Do-Not-Send" signal | No opt-in marketing; OPTOUT APIs respected |
| South Korea (PIPA) | 14 | Google Play age gate; in-app "below 14" toggle; Korea Communications Commission registration | Contextual ads only; parental consent required if any data is collected |
| Mainland China (PIPL) | 14 | Real-name verification via Google Play China-region settings; in-app toggle | No processing; parental consent required for any personal data |
| India (DPDPA 2023) | 18 | Google Play age gate; in-app parental consent flow if any PI collected | No processing |
| United Kingdom (Children's Code / AADC) | 13 | AADC DPIA controls; TCF v2 special feature defaults | Highest privacy defaults; no profiling; no nudge |
| Singapore (PDPA) | 13 | Google Play age gate; PDPC Do-Not-Call registry honoured | No marketing; contextual ads only |
| Australia (Privacy Act) | 15 (per APP 16B review) | Google Play age gate | No direct marketing; OPT-OUT honoured |
13. Data Security
We implement industry-standard technical and organisational measures to protect personal data:
- Encryption in transit: all communications with our servers use TLS 1.2+.
- Encryption at rest: any cached personal data on the Website is stored encrypted in our database (AES-256).
- Local-only data: App user content is stored on the device using platform-provided secure storage (Android EncryptedSharedPreferences / iOS Keychain) or in a user-chosen folder under app-private storage.
- Access control: principle of least privilege within our team; multi-factor authentication on production systems; role-based access.
- Penetration testing: annual third-party penetration test of the Website and supporting infrastructure.
- Vulnerability scanning: continuous automated dependency and SAST scanning on our codebases.
- Incident response: documented IRP with 72-hour breach notification aligned to GDPR Art. 33 and equivalent regional timelines (CCPA, LGPD, PIPL, APPI).
- Sub-processor due diligence: each sub-processor is required to maintain equivalent security and a signed Data Processing Addendum.
- Employee training: mandatory annual privacy & security training for all employees handling personal data.
14. Data Retention
We retain personal data only for as long as necessary for the purposes collected, or as required by law:
- Inquiry emails: 24 months from last contact.
- Server logs: 90 days.
- IAP records: 7 years (tax compliance in China and other jurisdictions).
- Local App data: until you uninstall. Deleting the App deletes all local data.
After expiry, data is securely erased from active systems within 30 days and from backups within 90 days.
15. GDPR (EEA / UK)
15.1 Controller
For the purpose of GDPR, the Data Controller is Beijing Botong Sihai Property Management Co., Ltd. of 101, 1st floor, office building, located 600 meters north of Shilibao Village, Shilibao Town, Miyun District, Beijing, 100000, CN.
15.2 EU Representative (Article 27)
Pursuant to Article 27 GDPR, our designated EU representative is reachable via the contact details published in the Website footer. You may also contact us directly through privacy@botongsh.com.
15.3 UK ICO Registration
The UK Information Commissioner's Office (ICO) registration fee and notification comply with the Data Protection Act 2018. Our ICO registration number is published on request.
15.4 Supervisory Authority
You have the right to lodge a complaint with the supervisory authority in your habitual residence, place of work or place of the alleged infringement. A list of EU supervisory authorities is available at edpb.europa.eu.
15.5 Standard Contractual Clauses
Where personal data is transferred outside the EEA/UK, we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Agreement (IDTA), or adequacy decisions. Transfers to China are governed by the EU-China SCC framework (where in force at the relevant time).
16. CCPA / CPRA (California)
16.1 Categories of Personal Information Collected (last 12 months)
- Identifiers: email address (only when you contact us); IP address (server logs).
- Commercial information: in-app purchase history (purchase token only).
- Internet/Network activity: aggregate browsing on our Website.
- Inferences: none. We do not build consumer profiles.
16.2 Business / Commercial Purposes
As described throughout this Policy.
16.3 "Do Not Sell or Share My Personal Information"
We do not sell personal information. We honor Global Privacy Control (GPC) signals as a valid opt-out of "sharing" (cross-context behavioural advertising) and provide an in-app toggle under Privacy Choices 鈫?California.
16.4 California Rights
- Right to Know what personal information we collect, use, disclose or sell.
- Right to Delete personal information we have collected from you.
- Right to Correct inaccurate personal information.
- Right to Opt-Out of the sale or sharing of personal information.
- Right to Limit the use of sensitive personal information (we collect none).
- Right of Non-Discrimination for exercising these rights.
To exercise these rights, email privacy@botongsh.com or use our in-app Privacy Choices menu. Authorised agents may submit requests under 11 CCR 搂 7063.
17. LGPD (Brazil)
The Lei Geral de Prote莽茫o de Dados (Law 13.709/2018) applies to our processing of the personal data of persons located in Brazil. You have the rights set out in Article 18 LGPD (confirmation, access, correction, anonymization, portability, deletion, sharing information, consent revocation, opt-out from automated decisions). Requests may be sent to privacy@botongsh.com. Complaints may be lodged with the Autoridade Nacional de Prote莽茫o de Dados (ANPD).
18. PIPEDA (Canada)
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), including the principles of accountability, consent, limiting collection/use/disclosure/retention, accuracy, safeguards, openness, access, and challenging compliance. In Qu茅bec, where Law 25 applies, we implement enhanced consent, privacy officer designation and breach notification within statutory timelines. Canadian users may exercise access, correction and withdrawal rights by writing to privacy@botongsh.com.
19. APPI (Japan) / PIPA (Korea)
19.1 Japan APPI
We comply with the Act on the Protection of Personal Information (APPI) and respect the
19.2 South Korea PIPA
We comply with the Personal Information Protection Act (PIPA) and the Act on Promotion of Information and Communications Network Utilization and Information Protection (the Network Act). We have registered with the Korea Communications Commission where required and respond to user requests for access, correction, deletion and suspension under Article 35鈥?7 PIPA within 10 days.
20. PIPL (Mainland China)
For users in Mainland China, we comply with the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Measures for the Security Assessment of Outbound Data Transfers. As the operator of a small-volume global SaaS, we have elected to enter the Standard Contract for Cross-Border Transfer of Personal Information with our overseas recipients, and have completed (or are exempt from) the security assessment for outbound data due to the volume threshold under current CAC regulations. Personal information of PRC users is stored in PRC-located servers; cross-border transfer occurs only where required for global service (e.g., AWS Singapore for the contact form email delivery), under the SCC framework. PIPL rights of PRC users (Articles 44鈥?0) 鈥?including the right to know, decide, access, correct, delete, and portability 鈥?are all supported.
21. Other Regions
- Australia (Privacy Act 1988 + 13 APPs): We honour the Australian Privacy Principles and opt-out from direct marketing.
- Singapore (PDPA): We honour the Do Not Call registry; access, correction and withdrawal rights are available.
- India (DPDPA 2023): We comply with consent and reasonable security obligations; notice given in 12 Indian languages on the Google Play listing.
- New Zealand (Privacy Act 2020): We comply with the 13 IPPs.
- South Africa (POPIA): We honour the rights of data subjects under Section 5.
- Thailand (PDPA): We comply with consent and sensitive-data rules.
- Indonesia (PDP Law): We comply with consent and cross-border transfer registration.
- Switzerland (revFADP): The GDPR-equivalent disclosures apply, with SCCs for transfers.
- Turkey (KVKK): Equivalent GDPR-aligned obligations are met.
22. International Data Transfers
We process personal data primarily in the jurisdictions where you interact with us. Where data is transferred internationally (e.g., between our Beijing office and our email delivery provider in Singapore), we use the lawful transfer mechanisms recognised by the source jurisdiction, including the EU Standard Contractual Clauses (2021/914), the UK IDTA, equivalent PIPL Standard Contract, and equivalent agreements for other regions. A list of sub-processors is maintained at the bottom of this Policy and updated quarterly.
23. Your Rights & Choices
Regardless of jurisdiction, you may:
- Ask what personal data we hold about you.
- Request a portable copy of the data you have provided (where processing is by automated means).
- Request correction of inaccurate data.
- Request deletion of your data, subject to legal retention obligations.
- Withdraw consent for processing that was based on consent.
- Object to processing based on legitimate interests.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, send your request with proof of identity to privacy@botongsh.com. We respond within 30 calendar days (45 days in California under specific circumstances, 10 days in Korea for access under PIPA).
24. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated in-app and on this page, with a new "Effective date" at the top and a summary of changes in our News section. Where a change expands the categories of personal data processed or the purposes, we will re-obtain consent as required by applicable law.
25. Contact Us
For any privacy question, complaint or rights request, contact our Data Protection Officer:
Attn: Data Protection Officer
101, 1st floor, office building,
located 600 meters north of Shilibao Village,
Shilibao Town, Miyun District,
Beijing, 100000, China
Email: privacy@botongsh.com
General support: support@botongsh.com
Key clients: renruili@botongsh.com
Sub-processor & Vendor List (current)
| Sub-processor | Purpose | Location |
|---|---|---|
| Alibaba Cloud / Aliyun | Website hosting (primary) | Singapore, Frankfurt, US (with SCCs) |
| Amazon Web Services | Email delivery, backup storage | Multiple regions |
| Google Cloud | Analytics (Google Analytics 4, with consent) | Global |
| Cloudflare, Inc. | CDN, DDoS protection, security | Global edge network |
| Mailgun / Postmark | Contact-form email delivery | United States (SCCs) |
| Google LLC (Firebase) | Crashlytics (opt-in, for applicable legacy versions) | United States |
漏 2018鈥?026 Beijing Botong Sihai Property Management Co., Ltd. This Privacy Policy is published under the lawful ownership of the company; reproduction in whole or in part requires written authorisation.