Global Data Solutions Co., Ltd. Beijing Wanguo Chang'an Science & Technology Co., Ltd. and its affiliates (hereinafter collectively referred to as "GDS" or "We") strictly comply with the laws and regulations governing personal information protection in China, and are committed to protecting the personal information you provide to us.

The purpose of the GDS Privacy Policy (hereinafter referred to as "the Policy") is to inform you how we collect, use, store, share and protect your personal information when you use our services, visit our official website or social media accounts or use our mobile applications, access our offices or data centers, and use the facilities or network of our offices or data centers. Please take the time to read the Policy carefully and pay particular attention to the terms and conditions in bold, and make sure you fully understand and agree to the Policy before starting to use the services we provide.

The Policy will help you understand the following:

I. How We Collect and Use Your Personal Information

II. How We Protect Your Personal Information

III. How We Store Your Personal Information

IV. How We Share, Transfer, and Publicly Disclose Your Personal Information

V. Your Rights

VI. Use of Cookies

VII. Protection of Minors

VIII. Changes to the Policy

IX. Contact Us

I. How We Collect and Use Your Personal Information

"Personal Information" refers to all kinds of information relating to an identified or identifiable natural person that is electronically or otherwise recorded, excluding information that has been anonymized.

"Sensitive Personal Information" refers to Personal Information that, if leaked or used illegally, can easily lead to the violation of a natural person’s human dignity or endanger the safety of the person or property, including information on biometric identification, religious beliefs, specific identity, medical and health information, financial accounts, tracking personal whereabouts, etc., as well as the Personal Information of minors under the age of 14 (we will highlight the Sensitive Personal Information we collect in the Policy by bolding and underlining it).

We collect your Personal Information for the purposes described in the Policy in strict accordance with the principles of lawfulness, fairness, necessity and transparency. In case we use your Personal Information for other purposes not contained in the Policy or collect your Personal Information for other specific purposes, we will inform you in a reasonable manner and obtain your consent again.

We may collect and process your Personal Information in the following scenarios:

1. Visit our official website or social media accounts

When you visit our website or interact with us through social media, we may obtain from that social media platform your [name, online identify information (account name, account nickname, password and password protection questions and answers related to your personal account), email address, friend list, photo, age, gender, location. As part of our efforts to optimize our website and to provide you with personalized service in a timely manner, we may automatically collect your log files information, including [browsing, click-through, search queries, and IP address, date and time of access].

2. Visit our offices or data centers (including data centers under construction)

In order to safeguard you and other users, services and property, when you enter or leave our offices or data centers (including data centers under construction), we may collect your [name, phone number, ID number, passport number or other identification number, contact address, email address, fax number, personal photo, name of your company, job title] and your biometric information and personal image, for example, facial recognition, fingerprint scan, personal image or other biometric assessment technologies that may be used by GDS when you enter or leave our data centers, as well as information relating to personal medical and health information and tracking personal whereabouts collected for pandemic prevention purposes.

3. Establish and manage business relationships

We may collect the following Personal Information from you for basic business needs or where necessary for compliance and risk management for business relationships:

• Your basic Personal Information: [name, residential address, phone number, email address, ID number and other relevant Personal Information];

• Information about your identity registration with any of our subsidiaries, affiliates and/or other business partners, including [name, phone number, ID number, passport number and other identification number, contact address, email address, and personal photo];

• Your personal work information: company name, job title and relevant contact information;

• Other Personal Information necessary for maintaining business relationships.

4. Use of our network, business system or mobile applications (APPs) 

When you use our network in our offices or data centers, to safeguard you and other users, services, and property, we may collect information on your name, phone number, and email address.

When you use our business system, including relevant APPs, we may collect your Personal Information through our system or APPs with your express consent and authorization, including your [name, gender, phone number, types and number of identity certificates, email address, company name, facial recognition, Microphone/Camera/Contacts/Photos authorizations, location information, operation records, device information and other information necessary for performing business contracts].

We will not collect or process the Personal Information you submit when downloading our APPs (such as [the Personal Information you submit when downloading our APPs from the Android App Store, Apple’s App Store or Samsung’s Galaxy Apps Store]), and we are not involved in the further processing of such Personal Information.

5. Market research and related activities

To analyze user data and research, and upgrade our products and services, we may invite you to participate in our market research and related activities. We may collect and process information on [your name, name of your company, job title, ID number and other identification number, online friend list, residential address, phone number, email address, photos or videos] that you voluntarily provide to us when participating in such activities, as well as information relating to personal medical and health information and tracking personal whereabouts collected for pandemic prevention purposes.

6. Information provided to us by third parties

We may obtain your Personal Information from your authorized third parties. For example, if you use our products or services through a third party (such as our service providers, business partners or social media platforms), such third party may provide us with your Personal Information.

In accordance with our agreement with the third party, we will use and process your Personal Information in compliance with applicable laws and regulations after verifying the legitimacy of the source of the Personal Information.

In addition, if the Personal Information you share with us is not your own Personal Information, you need to ensure that such information shared by you is collected based on and through legitimate purposes and methods. If you share with us Personal Information that is not your own, you need to notify the individuals or employees whom you act on behalf of or any other persons that requires authorization (such as contractors, business partners or authorized third parties) and obtain consent to the following:

• The Personal Information collected and submitted by you will be processed by GDS;

• GDS will process such Personal Information in accordance with this Policy and applicable laws and regulations.

7. Your Personal Information is collected and processed for reasonable and other necessary purposes

We may collect and process your Personal Information without obtaining your authorization or consent under the following circumstances:

• It is necessary for the purpose of concluding and performing a contract with you;

• It is necessary for the performance of legal duties or legal obligations;

• It is necessary to respond to public health emergencies or to protect your life, health and property or that of others in case of emergency;

• Your Personal Information is processed within a reasonable scope in order to carry out news reporting, supervision by public opinion and other activities in the public interest;

• Your Personal Information that has been disclosed at your own discretion or has been lawfully made public is processed within a reasonable scope; and

• Other circumstances specified in laws and administrative regulations.

Please understand that, certain information in the aforementioned service functions that cannot be used alone to identify you does not constitute your Personal Information. If we combine such non-personal information with other information such that it can be used to identify you, we will deem and protect such information as Personal Information for the duration of the combined use, unless we obtain your authorization or otherwise stipulated by law or regulation.

Please also understand that the services we provide to you are in constant updating and development. If certain service is not covered in the preceding description and requires the collection of your information, we will communicate to you the content, scope, processing purpose and method of the collection of Personal Information through page prompts, push notifications or additional signed agreements or other methods in order to obtain your authorization or consent.

II. How We Protect Your Personal Information

1. Security measures

To ensure the safekeeping of your Personal Information, GDS undertakes to employ appropriate hardware, technical and organizational measures for the protection of the collected Personal Information in accordance with applicable laws and regulations. We attach great importance to the Personal Information security compliance and maintain a well-established information security management system. We have obtained ISO27001 information security management system certification issued by an international authoritative certification body and regularly carry out Level III Certification for the Classified Protection of Cybersecurity administered by the Ministry of Public Security for data centers. We reasonably determine the scope of operational authority of Personal Information processing in accordance with the law, and routinely provide safety education and training to personnel to enhance their awareness of the significance of protecting Personal Information.

2. Security incident handling

For the purpose of coping with possible risks such as leakage, falsification and loss of Personal Information, GDS carries out categorized management of Personal Information, and puts forth internal management measures and operation procedures for the handling of Personal Information security incidents. In response to security incidents, we take appropriate security technical measures such as encryption and de-identification. In addition, in order to properly handle Personal Information security incidents, we assign dedicated personnel to respond to and handle security incidents, adopt effective security plans for different security incidents, formulate and take measures to mitigate losses and remedy damages in a timely manner, and actively cooperate with relevant government authorities.

In the event of a security incident such as Personal Information leakage, we will activate the emergency response plan in accordance with the laws and inform you in a timely manner by email, letter, telephone, push notification, etc. of the basic information of the security incident, the possible impact, the measures we have taken or will take in response, the preventive and remedial measures available for your consideration, and our contact information. In an emergency where it is impossible to inform the individual in time in order to protect the life, health and property of a natural person, we will inform the individual in a timely manner after the emergency is resolved. Meanwhile, we will also take the initiative to report the handling of Personal Information security incidents in accordance with the requirements of relevant government authorities.

The Internet is not an absolutely secure environment, and it is impossible to determine whether email, instant messaging, social networking software and other means of communication with other users are fully encrypted. We recommend that you use complex passwords when using such tools and take care to protect the security of your Personal Information.

III. How We Store Your Personal Information

1. Storage location

All Personal Information collected and generated by GDS within the People's Republic of China is stored within the territory of China. We will not transmit your Personal Information abroad.

In the event that we need to transfer your Personal Information outside China, we will obtain your specific consent in advance. In such cases, we will require the recipient to process your Personal Information in accordance with our agreement, the Policy, and any other relevant confidentiality and security measures, and to ensure that your Personal Information will at least enjoy the same protection as it does in the People's Republic of China.

2. Retention period

We only retain your Personal Information for the minimum period necessary to fulfill the purposes of the Policy, except where applicable laws and regulations require or permit a longer retention period. After the expiration of the retention period of your Personal Information, or upon your request to delete your Personal Information, we will delete or anonymize your Personal Information according to applicable laws and regulations.

IV. How We Share, Transfer, and Publicly Disclose Your Personal Information

1. Sharing

GDS will not share your Personal Information with any company, organization or individual without your specific consent.

If we need to share your Personal Information with our affiliates, service providers and other third parties for providing services to you, we will strictly follow the principles of lawfulness, fairness and necessity, and obtain your specific consent.

2. Transfer

We will not transfer your Personal Information to any company, organization or individual, except under the following circumstances:

• We will transfer your Personal Information to other third parties after obtaining your express consent or authorization;

• In the event that Personal Information is transferred in connection with a merger, division, dissolution, bankruptcy, etc., we will require the new recipient of your Personal Information to continue to be bound by this Policy, otherwise we will require the recipient to obtain your authorization or consent again.

3. Public disclosure

We will disclose your Personal Information to the public only under the following circumstances:

• With your specific consent, we may disclose your Personal Information to the public;

• If we are required to provide your Personal Information under the provisions of laws and regulations, mandatory administrative law enforcement or judicial request, we may disclose your Personal Information to the public according to the type of Personal Information and the means of disclosure requested.

4. Exceptions to your consent

In compliance with laws and regulations and national standards or for the purpose of fulfilling the requirements of administrative or judicial authorities, no authorization or consent is required for the sharing, transfer or public disclosure of your Personal Information under the following circumstances:

• It is necessary for the purpose of concluding and performing a contract with you;

• It is necessary for the performance of legal duties or legal obligations;

• It is necessary to respond to public health emergencies or to protect your life, health and property or that of others in case of emergency;

• Your Personal Information is processed within a reasonable scope in order to carry out news reporting, supervision by public opinion and other activities in the public interest;

• Your Personal Information that has been disclosed at your own discretion or has been lawfully made public is processed within a reasonable scope; and

• Other circumstances specified in laws and administrative regulations.

Please be advised that, in accordance with applicable laws and regulations, if we take technical measures and other necessary measures to anonymize your Personal Information, the sharing, transfer, or public disclosure of such processed information will not require separate notification to you or your consent.

V. Your Rights

You are entitled to the following rights under applicable laws and regulations at any time:

1. Access, copy and transfer your Personal Information

You have the right to access the Personal Information you have provided to us and to obtain a copy of your Personal Information from us, subject to any exceptions prescribed by law or regulation.

If you request to transfer your Personal Information to other Personal Information processors designated by you, we will provide the means of transfer accordingly in compliance with the conditions stipulated by the Cyberspace Administration of China.

2. Correct and supplement your Personal Information

When you notice any error or omission in your Personal Information collected and processed by us, you have the right to request us to correct or supplement such information.

3. Delete your Personal Information

We will voluntarily delete your Personal Information under the following circumstances; you may also make a request to us to delete your Personal Information:

• If the purposes for which we process your Personal Information have been fulfilled, cannot be fulfilled, or such purposes are no longer necessary;

• If the retention period of your Personal Information has expired;

• If our processing of Personal Information violate laws and regulations;

• If we collect and use your Personal Information without your consent;

• If our processing of Personal Information breaches our agreement with you;

• If you no longer use our services; or

• If we no longer provide services to you.

When the retention period specified by laws and administrative regulations has not expired, or when it is technically difficult to delete your Personal Information, we will stop processing activities other than storage and carrying out necessary protective measures.

4. Change the scope of your authorization and consent

Where permitted by applicable laws and regulations, you may reject or change the scope of your consent and authorization for our collection and processing of your Personal Information at any time, or withdraw your authorization.

Please understand that once you reject or withdraw your consent or authorization, we will not be able to continue to provide you with the underlying services for which you have rejected or withdrawn your consent or authorization, nor will we process your corresponding Personal Information. Nevertheless, your decision to withdraw your consent or authorization will not affect the processing of Personal Information on the basis of your prior authorization.

5. Respond to your above-mentioned requests

For the protection of Personal Information, when you exercise your rights, we demand that you provide us with proof of identity for our verification before processing your request.

You fully acknowledge that we are unable to respond to your request in the following circumstances:

• In connection with our performance of the obligations under the laws and regulations;

• Directly related to national security and defense security;

• Directly related to public security, public health, and major public interests;

• Directly related to criminal investigations, prosecutions, trials and enforcement of court decisions, etc.;

• Where there is sufficient evidence of subjective malice or abuse of right by the subject of Personal Information；

• For the purpose of safeguarding the life, property and other major legal rights and interests of the subject of Personal Information or those of other individuals but it is difficult to obtain consent from the individual concerned;

• Where response to your request will result in serious damage to the legitimate rights and interests of the subject of Personal Information or other individuals or organizations;

• In relation to trade secrets; and

• Other circumstances specified in laws and regulations.

VI. Use of Cookie

In order for you to have a better user experience, some pages of our website use "Cookies" and other tracking technologies. Cookie is a type of small data folder that is written to your hard drive when you visit our website. Cookie files may contain the user ID and other information, which are used by the website to track the webpages you visit, but the only Personal Information that can be contained in Cookies is the information provided by you. Cookie cannot read data located outside your hard drive or Cookie files created by other websites. Cookies stored on your computer will remain valid indefinitely after your first visit to the website. In this way, we can confirm how useful our information is for users and see how effective our navigation structure is in helping users obtain information. We will not link this information with your Personal Information, nor will we share or sell this information to any third party.

You can change the settings of your browser to reject our Cookies according to your needs, and you can remove all Cookies saved in the software. Please note that if you choose to delete or disable Cookies, you will need to re-enter your original user ID and password when you visit some parts of the website. Tracking technologies can record information such as domain and host names, Internet portal (IP) addresses, browser software, the type of the operating system, click through rate, the date and number of visits to our websites, etc. By using Cookies and other tracking technologies we can improve our website and your online experience. We may also analyze your Personal Information that does not contain trends or statistics.

VII. Protection of Minors

GDS attaches great importance to the protection of minors' Personal Information. We do not collect Personal Information from minors (under the age of eighteen) except as required by applicable laws and regulations. Minors should not provide Personal Information to us without the consent of their guardians. If minors have provided Personal Information to us without the consent of their parents or guardians, we will delete such information as soon as possible.

VIII. Changes to the Policy

We may update the Policy in due course to reflect changes in our business and operations or changes in applicable laws.

We will not reduce your rights under the Policy in the absence of your express consent. We will announce any changes to the Policy on this page, and please keep visiting our platform to stay informed of the latest Personal Information Protection Policy.

For major changes, we will provide a more conspicuous notice (we will communicate specific changes to the Policy via email, text message, push notification, or a special notice on the browser page).

Major changes to the Policy include, but are not limited to:

• Major changes in our service mode, e.g. the purpose of processing Personal Information, the type of Personal Information processed, and the method of processing Personal Information;

• Changes of the main object which Personal Information is publicly disclosed to, shared with, or transferred to;

• Major changes in your rights to participate in the processing of personal information and how they are exercised; and

• Changes of our responsible department, contact information and complaint channels for Personal Information protection.

If you do not endorse these changes, you may stop using our related services. If you continue using our services, you will be deemed to have agreed to the update protection policy.

IX. Contact Us

If you have any questions or suggestions regarding the Policy, or if you wish to exercise any of your above rights, please contact us at: GDSPrivacyOffice@gds-services.com (email address) or Legal and Compliance Department, Fifth Floor, Tower C, Senlan International Mansion, 999 Zhouhai Lu, Pudong District, Shanghai (mailing address). We will generally respond within 15 days. If you are dissatisfied with our response, specifically if you believe that our processing of your Personal Information has infringed upon your lawful rights and interests, you can also file a complaint or report to regulatory agencies such as the relevant telecommunications regulatory authority, Cyberspace Administration of China, and the relevant administration for market regulation.

The latest version of this Policy is issued on August 19, 2022 and shall come into effect immediately.