Personal Data Protection Addendum for Mainland China ("Chinese PIPL Addendum") European Data Protection Addendum ("European Addendum") and the California Consumer Privacy Act Addendum ("CCPA Addendum") supplements any agreement entered into between Mobvista International Technology Limited or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s product or service (or those of a third party) ("Agreement"). Please refer to the below content for all these addendum. For your convenience, you can just click on the above link to refer to the respective addendum.
Personal Data Protection Addendum for Mainland China
This Personal Data Protection Addendum for Mainland China ("Chinese PIPL Addendum") supplements any agreement entered into between Mobvista International Technology Limited or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s product or service (or those of a third party) ("Agreement"). This Chinese PIPL Addendum shall be incorporated into and form part of the Agreement and be deemed to have become effective as of the date both Client and Nativex have executed the Agreement. In case of any conflict between a provision of this Chinese PIPL Addendum and the Agreement, as it relates to Personal Data, the provision of this Chinese PIPL Addendum shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.
1. Definition
1.1 "Affiliates" means with respect to a party, all entities which, directly or indirectly, control, are being
controlled by, or are under common control with such party.
1.2 "Client" means any business partner that
have signed Agreement with Nativex for engaging Nativex to promote its product or service (or those of third party).
1.3 "Data Protection Rules" means any applicable laws, regulatory policy, national standard, industry standard of the mainland areas of the People’s Republic
of China (for the sole purpose of this Chinese PIPL Addendum, the Hong Kong S.A.R of People’s Republic of China, Macao S.A.R. of
People’s Republic of China, and Taiwan areas of People’s Republic of China is not included) with respect to the processing of
Personal Data which Nativex or Client is subject to, including but not limited to any law or regulation, regulatory policy, national standard,
industry standard, any applicable policy of any platform that is engaged in providing digital marketing service for Nativex and Client pursuant
to the Agreement that is similar, equivalent to, successors to, or that are intended to or implement the laws or regulations.
1.4 "Individual" means
a natural person to whom Personal Data relates.
1.5 "Nativex Privacy Policy" means the privacy policy
available at Nativex’s official website at https://www.nativex.com/en/privacy which may be updated from time to time.
1.6 "Personal Data" means information relating to an
identified or identifiable Individual, and as defined in the Chinese Personal Data Protection Law.
1.7 "process" or "processing" means any operation or set of operations which is or are performed upon Personal Data, whether or not by automatic means, such as
collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.8 "Services" means
the services provided by Nativex to Client in accordance with the Agreement, including activities that are required, usual, or appropriate in
performing such services, including to (a) carry out such services or the business of which the services are a part, (b) maintain records
relating to the services, or (c) comply with any legal or self-regulatory obligations relating to the services.
1.9 "User" means
a Data Subject who is an end-user accessing a mobile application/website and accessing ads served by Nativex or its business partners (e.g.
publishers).
2. Application
2.1 This Chinese PIPL Addendum shall apply only to the extent that the Data Protection Rules apply to the processing of any Personal Data under
or in connection with the Agreement.
2.2 Each party confirms that it has complied, and will continue to comply, with its obligations
relating to the processing of Personal Data that apply to it under the Data Protection Rules.
3. Obligation of the Parties
3.1 Client acknowledges and confirms that Nativex may receive User’s Personal Data from Client or any third party designated by Client (or
may collect User’s Personal Data under the authorization of Client) (hereinafter referred to as "Client Personal Data"). Client confirms
and agrees that Nativex is authorized to process the Personal Data for the following purposes:(i) ads attribution and making settlement,
detecting fraud and resolving dispute related to the Agreement (the "Major Activities") and (ii) profiling Users, tracking Users and serving
Users with interest-based ads or personalized ads for any ad campaigns through Nativex Platform (the "Additional Activities").
3.2
Client guarantees that, regarding Nativex's processing of Client Personal Data, it has provided Users with appropriate notices and obtained
their valid consents in accordance with Data Protection Rules, and that the ways, methods and procedures for obtaining consent will not violate
Data Protection Rules, to the extent necessary for Nativex to process Client Personal Data or other information related to the Agreement in
accordance with Nativex Privacy Policy and this Chinese PIPL Addendum, including but not limited to Nativex’s or Nativex Affiliates’
processing of Personal Data for Major Activities as well as Additional Activities.
3.3 At the request of Nativex, Client shall
provide Nativex with records of all Users’ consents. Client shall notify Nativex in writing within 24 hours after receiving User’s
notice of rejection or withdrawal of consent for any data processing.
3.4 Client guarantees that its privacy policy shall comply with
Data Protection Rules as well as this Chinese PIPL Addendum, including but not limited to:
(1)Client warrants that it shall prominently
announce and display its privacy policy in its Products in accordance with this Chinese PIPL Addendum. The privacy policy shall be independently
written and clearly reminding. After the User enters the main function interface, he or she can access to the privacy policy within no more than
4 time’s click or swipe.
(2)Client ensures that when the Product runs for the first time, the User will be notified to read its
privacy policy by pop-up window and other obvious ways. After the User confirms and agrees to the privacy policy, Nativex is authorized by
Client to process Personal Data.
(3)The User should be given the choice to choose actively whether to agree Client’s privacy
policy, and the User’s authorization should not be obtained by default or deceived.
(4)The content that Client should clearly
inform the user through its privacy policy and other documents includes but is not limited to: (a) the type of Personal Data processed by
Client, the purpose, the processing method, the retention period, etc.; (b) Client has chosen Nativex as its partner, the Client has used
Nativex's Services, and Nativex related information, including without limitation, Nativex's company name and contact information, the types,
processing purposes, and processing methods of Personal Data processed by Nativex/Nativex’s Affiliates and its traffic providers, and any
other information that shall be notified to Client according to Data Protection Rules; (c) Specifically, Nativex or Nativex’s Affiliates
may process the Personal Data for purpose of providing personalized information or commercial marketing information though automated
decision-making, and the right that Users legally enjoyed to opt out such personalized marketing; (d) that Nativex will process Personal Data in
accordance with Nativex Privacy Policy for personal information, and User shall be notified of the link to Nativex Privacy Policy, and User can
access the Nativex Privacy Policy by clicking on the link; (e) any other information that needs to be included to meet the Data Protection
Rules.
3.5 Client is obliged to provide Users with convenient ways to ensure that Users can refuse personalized information push and
commercial marketing provided to them through automated decision-making methods, or should provide Users with options that are not specific to
their personal characteristics. If Client refuses the personalized recommendation, Client must inform Nativex in an appropriate way, and Nativex
will cooperate with the relevant requirements of the User.
3.6 If Client’s Product is targeted at a child user as defined by
applicable laws related to protection of Personal Data of Children in mainland China, Nativex will not provide Services to the Product, and
Client shall not transfer the Personal Data of such children to Nativex unless Client has complied with and fulfilled all of the following
requirements:
(1)Client has obtain prior written consent of Nativex;
(2)Client guarantees to comply with all relevant laws and
regulations on the protection of minors and children's Personal Data. If Client's Products may provide Services to children under the age of 14
and may be transferred to Nativex, Client warrants to take relevant measures and ensure that it has obtained the valid and clear consent of the
child’s parent or other authorized guardians (including the way, method and procedure of consent shall be legal), and make reasonable
efforts to confirm that such consent is authorized by parents or other authorized guardians, so as to ensure that Client and
Nativex/Nativex’s Affiliates can process the Personal Data of child Users in accordance with this Chinese PIPL Addendum and Nativex
Privacy Policy;
(3)Client has complied with any other requirements as directed by Nativex.
3.7 Client shall provide Users with
easy-to-operate mechanisms to access, correct, delete their Personal Data, revoke or change their authorization and consent, and cancel their
personal accounts, etc., to ensure that Users can realize their personal data rights in accordance with Data Protection Rules.
3.8
Client guarantees that the relevant Personal Data and data provided to Nativex (or allowed to be collected by Nativex) does not exceed the
legally necessary storage period which is necessary for Client to process such Personal Data and data, nor does it exceed the legally necessary
storage period which is necessary for providing related services based on such Personal Data and data. The processing of such Personal Data and
data due to the cooperation between Client and Nativex has not exceeded the above-mentioned period.
3.9 Client guarantees that it
will not steal or obtain Personal Data in other illegal ways, or illegally sell or illegally provide Personal Data to any third party (including
Nativex). Client will not disclose, tamper with, or destroy Personal Data it collected.
3.10 When Nativex discloses or makes
available Personal Data "Nativex Personal Data") to Client (or third party designated by Client) to the extent necessary for the purpose of
providing digital marketing service, Client warrants that Client shall process the Personal Data solely for purpose of ads attribution and
settlement pursuant to the Agreement.Without written consent of Nativex, Client is not entitled to disclose or make available Nativex Personal
Data to any third party. For any international transfer of personal data, Client warrants that it shall comply with any applicable law and take
any measure to ensure that the international transfer is in compliance with any applicable law.
3.11 Client shall not cause Nativex
to violate any Data Protection Rule when processing Personal Data in accordance with this Chinese PIPL Addendum and Nativex Privacy Policy due
to its acts or omissions, or cause Nativex to process Personal Data beyond the scope of User's authorization and consent in accordance with this
Chinese PIPL Addendum and Nativex Privacy Policy.
4. Personal Data of Client’s Employees
Client warrants that it has provided adequate notices to, and obtained valid consents from, its employees, in each case, to the extent necessary for Nativex and/or its, Affiliates to send direct marketing by email to Client’s employees in relation to the products and services of Nativex and/or its Affiliates, in accordance with the Nativex Privacy Policy https://www.nativex.com/en/privacy. Client will provide on request records of all consents obtained from its employees to Nativex and shall notify Nativex in writing within 24 hours of Client receiving employee’s objection to or withdrawal of consent.
5. Duration
This Chinese PIPL Addendum will remain in effect until the expiry or termination of the Agreement.
6. Miscellaneous
6.1 Nativex may amend this Chinese PIPL Addendum from time to time by notifying and posting an amended version at its website. Such amendment
will be deemed accepted and become effective when Client continues to use Nativex’s Services, unless Client first gives Nativex written
notice of rejection of the amendment.
6.2 Invalidation of one or more of the provisions under this Chinese PIPL Addendum will not
affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially
the same objectives.
6.3 Client acknowledges that Nativex and/or its Affiliates may disclose this Chinese PIPL Addendum and any relevant privacy provisions in the
Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the Data Protection Laws or any
other applicable law. Such disclosure will not constitute a breach of Nativex’s confidentiality obligation under the Agreement.
European Data Protection Addendum
This European Data Protection Addendum ("European Addendum") supplements any agreement entered into between Mobvista International Technology Limited or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s product or service (or those of a third party) ("Agreement"). This European Addendum shall be incorporated into and form part of the Agreement and be deemed to have become effective as of the date both Client and Nativex have executed the Agreement. In case of any conflict between a provision of this European Addendum and the Agreement, as it relates to Personal Data, the provision of this European Addendum shall prevail. In case of any conflict between the provisions of the Standard Contractual Clauses and the provisions of the Agreement and/or this European Addendum, the provisions of the Standard Contractual Clauses shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.
1. Definition
1.1 "Affiliates" means with respect to a party, all entities which, directly or indirectly, control, are being
controlled by, or are under common control with such Party.
1.2 "Controller" means the entity which
determines the purposes and means of the processing of Personal Data.
1.3 "Client" means any business
partner that have signed Agreement with Nativex for engaging Nativex to promote its product or service (or those of third party).
1.4 "Data Protection Laws" means any applicable UK, European Union or Member State laws with respect to the processing of Personal Data which Nativex or Client is
subject to, including but not limited to the EU General Data Protection Regulation ("EU GDPR") as implemented by countries within the European
Economic Area ("EEA"), the EU e-Privacy Directive 2002/58/EC as implemented by countries within the EEA, the UK Data Protection Act 2018, the UK
Privacy and Electronic Communications (EC Directive) Regulations 2003, the EU GDPR as retained as UK law by the European Union (Withdrawal) Act
2018 ("UK GDPR"), and and/or other laws or regulations that are similar, equivalent to, successors to, or that are intended to or implement the
laws or regulations.
1.5 "Individual" means a natural person to whom Personal Data relates, also referred
to as "Data Subject" pursuant to Data Protection Laws.
1.6 "Nativex Privacy Policy" means the privacy
policy available at Nativex’s official website at https://www.nativex.com/en/privacy/ which may be updated from time to time.
1.7 "Personal Data" means information relating to an
identified or identifiable Individual, and as defined in Data Protection Laws.
1.8 "process" or "processing" means any operation or set of operations which is or are performed upon Personal Data, whether or not by automatic means, such as
collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.9 "Processor" means
the entity which processes Personal Data on behalf of the Controller.
1.10 "Services" means the services
provided by Nativex to Client in accordance with the Agreement, including activities that are required, usual, or appropriate in performing such
services, including to (a) carry out such services or the business of which the services are a part, (b) maintain records relating to the
services, or (c) comply with any legal or self-regulatory obligations relating to the services.
1.11 "Standard Contractual Clauses" means the standard contractual clauses for international transfers pursuant to Regulation (EU) 2016/679 of the European Parliament and of
the Council (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en ), in each case as may be amended or replaced from time to time;
1.12 "Subprocessor" means any entity
engaged by the Processor to process Personal Data in connection with the Services.
1.13 "User" means a
Data Subject who is an end-user accessing a mobile application/website and accessing ads served by Nativex or its business partners (e.g.
publishers).
2.Application
2.1 This European Addendum shall apply only to the extent that the Data Protection Laws apply to the processing of any Personal Data under or in
connection with the Agreement.
2.2 Each party confirms that it has complied, and will continue to comply, with its obligations
relating to the processing of Personal Data that apply to it under the Data Protection Laws.
3.Role of the Parties
3.1 To the extent Nativex is processing Personal Data for the purpose of providing Services to Client pursuant to the Agreement, the parties
acknowledge that Client is processing such Personal Data as a Controller and Nativex is processing such Personal Data as a Processor. For the
avoidance of doubt such processing by Nativex shall include ads attribution, monitoring traffic, making settlement with Client as well as with
other publisher partners engaged in delivering ads of Client during Nativex’s performance of the Agreement, anti-fraud related activities,
and handling legal claims related to the Agreement and this European Addendum. In these circumstances, section 4 of this European Addendum shall
apply.
3.2 The parties acknowledge that for all other processing of Personal Data, Nativex shall be a Controller. For the avoidance
of doubt such processing by Nativex may include building profiles of Users, tracking Users and serving Users with online behavioral ads for ad
campaigns through Nativex and/or any of its Affiliates.
4.Nativex acting as Processor
4.1The subject matter and duration of Processing, nature and purpose of Processing, the types of Personal Data processed and the categories of
Data Subjects whose Personal Data will be processed are set forth in Appendix A to this European Addendum.
4.2 As a Processor,
Nativex shall:
(a)process the Personal Data only on documented and written instructions of the Client (including to the extent
necessary to provide the Services and to comply with its obligations under the Agreement), unless Nativex is otherwise required to process the
Personal Data under applicable laws to which it is subject. In such a case, Nativex shall promptly notify the Client of those applicable legal
requirements unless such applicable law prohibits such information on important grounds of public interest;
(b)ensure that persons
authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality;
(c)implement appropriate technical and organizational security measures in relation to the Personal Data and
shall, taking into account the nature of Nativex’s processing of Personal Data and the information available to Nativex, without undue
delay notify Client of personal data breaches in relation to the Personal Data that it becomes aware of and at Client’s cost and request,
provide reasonable assistance to Client in relation to such personal data breaches;
(d) taking into account the nature of
Nativex’s processing activities and at Client’s cost and request, reasonably assist Client in connection with communications from,
or requests made by Data Subjects, as they relate to Personal Data processed in connection with the Agreement;
(e) taking into
account the nature of Nativex’s processing of Personal Data and of the information available to Nativex and at Client’s cost and
request, provide reasonable assistance to Client with undertaking an assessment of the impact of processing Personal Data, and with any
consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data
Protection Laws; (f) at the choice and request of the Client and where technically feasible, Nativex shall , as a processor, delete or return
all the Personal Data to Client at the expiry or termination of the Agreement, unless UK, EU or Member State law requires storage of the
Personal Data beyond such term;
(g) make available to Client at Client’s cost, all information necessary to demonstrate
compliance with the obligations laid down in this Section 4.2 and and with prior written notice of thirty (30) business days allow for and
audits, including inspections, conducted by auditor mandated by Client and Nativex or under the Data Protection Laws: (i) once every twelve (12)
months; (ii) where a supervisory authority requires this under Data Protection Laws; or (iii) following a personal data breach in relation to
the Personal Data; provided that Nativex shall notify Client in writing if it believes in good faith that the exercise of rights under this
section 4.2(g) would infringe Data Protection laws. Such audits shall not be duplicative of any additional audit right provided in the
Agreement. If the audit is to be performed by a third party, such third party shall execute a confidentiality and non-disclosure agreement as
presented by and for the benefit of the parties. Upon completion of the audit, Client shall promptly provide Nativex with a summary of the
findings from each report prepared in connection with any such audit;
(h) be generally authorised to engage a Subprocessor to process
Personal Data, subject to Nativex entering into a written agreement with each Subprocessor which includes equivalent data protection obligations
as contained in this section 4.3. Nativex shall make available to Client the current list of Subprocessors on request provided that Client keeps
such information confidential in accordance with the confidentiality provisions in the Agreement, and Nativex shall provide notification of a
new Subprocessor before authorizing any new Subprocessor to process Personal Data of Client. Client may object to Nativex’s use of a new
Subprocessor by notifying Nativex promptly in writing within ten (10) business days after receipt of Nativex’s notice. In the event Client
objects to a new Subprocessor, Nativex will use reasonable efforts to avoid the processing of Personal Data by the objected-to new Subprocessor.
If Nativex is unable to accommodate the objection within a reasonable period of time, Client may terminate the Agreement;
(i) be
permitted to share Personal Data with its publishers for purpose of ads attribution, making settlement, detecting fraud, resolving disputes
related to ad campaigns under the Agreement; and
(j) shall only transfer Personal Data outside of the EEA/UK in accordance with Data
Protection Laws and Section 6 below.
5.Obligations of the Client
5.1Client expressly warrants that:
(a)adequate notices have been provided to Users, and valid consents have been obtained from Users,
in each case, to the extent necessary for Nativex to process the Personal Data whether on the instructions of Client as a Processor or, as a
Controller for purposes as described in the Nativex Privacy Policy which shall include (without limitation) purposes such as building profiles
of Users, tracking Users and serving Users with online behavioral ads for ad campaigns through Nativex and/or any of its Affiliates. For these
purposes Client shall use the IAB Consent Transparency Framework. To further clarify, an acceptance of Client’s terms and conditions by
Users does not constitute valid consent under the Data Protection Laws. Instead, Client must display a valid consent prompt (e.g. a
“Cookie Banner”) to Users, and only start collecting Personal Data after Users have voluntarily agreed, without limiting
Users’ access to all app functionalities if no consent is given.
(b) it will on request provide to Nativex records of all
consents obtained;
(c) it shall notify Nativex in writing within 24 hours upon receiving User’s objection to the processing of
Personal Data or the withdrawal of User’s consent to the processing of Personal Data ;
(d) it will not by act or omission,
cause Nativex to violate any Data Protection Laws, notices provided to (including, as applicable the Nativex Privacy Policy), or consents
obtained from, Users as result of processing the Personal Data;
(e) where Nativex is processing Personal Data as a Processor, any
processing instructions the Client issues to Nativex, shall be compliant with Data Protection Laws;
(f) it has the right to transfer
and/or disclose the Personal Data to Nativex for processing; and
(g) it will not (nor permit or enable any third party) to disclose
any special categories of personal data (as defined under Data Protection Laws) to Nativex.
6.International Transfer
6.1 Where Personal Data are transferred by Client in the EEA/UK (the “Data Exporter”) to Nativex, its Affiliates or Subprocessors
(collectively, the “Data Importer”) outside of the EEA/UK, the Standard Contractual Clauses shall apply and will be incorporated
into this European Addendum by this reference. For the avoidance of doubt, MODULE TWO shall apply while section 3.1 of this European Addendum
applies and MODULE ONE shall apply while section 3.2 of this European Addendum applies. The Standard Contractual Clauses apply as follows:
(a)
When MODULE TWO applies: both parties agree to choose OPTION 2: GENERAL WRITTEN AUTHORISATION of Clause 9. Specifically, Data Exporter generally
agrees that Data Importer is entitled to engage its cloud servers and its traffic providers as its sub-processors;
(b) Both parties
agree to choose OPTION 1 of Clause 17 as the following:
[OPTION 1: These Clauses shall be governed by the law of one of the EU Member
States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Netherlands.]
(c)
As for Clause 18 (b), both parties agree that the Dutch courts shall be choice of forum.
(d) The APPENDIX is attached as Appendix of
this European Addendum.
6.2 If the Standard Contractual Clauses, which are incorporated herein, are at any time no longer deemed to
provide adequate protection for Personal Data transferred, or if the implementation of an updated set of Standard Contractual Clauses are issued
by the European Commission or a new transfer mechanism is required by any Data Protection Laws, each party agrees to enter into such Standard
Contractual Clauses as are amended or replaced and take all further steps as reasonably requested by the other party to comply with any legal
and/or regulatory requirements under any Data Protection Laws regarding international transfers of Personal Data.
7.Duration of the European Addendum
This European Addendum will remain in effect until the expiry or termination of the Agreement.
8.Miscellaneous.
Nativex may amend this European Addendum from time to time by posting an amended version at its website and sending Client written notice
thereof. Such amendment will be deemed accepted and become effective 10 days after such notice unless Client first gives Nativex written notice
of rejection of the amendment.
Invalidation of one or more of the provisions under this European Addendum will not affect the
remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same
objectives.
Client acknowledges that Nativex and/or its Affiliates may disclose this European Addendum and any relevant privacy
provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the Data
Protection Laws or any other applicable law. Such disclosure will not constitute a breach of Nativex’s confidentiality obligation under
the Agreement.
Appendix
ANNEX I
A.LIST OF PARTIES
Data exporter: Client
Address: As specified in the Agreement
Contact person’s name, position and contact details: As specified
in the Agreement
Activities relevant to the data transferred under these Clauses: As specified in section 3 of the European Addendum
Role
(controller/processor): controller
Data importer: Nativex
Address: As specified in the Agreement
Contact person’s
name, position and contact details: As specified in the Agreement
Activities relevant to the data transferred under these Clauses: As
specified in section 3 of the European Addendum
Role (controller/processor): controller/processor
B.DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:Users
Categories of personal data transferred:
(a)Mobile Identifiers: GAID, IDFA;
(b)Other device data: UUID, android id, mobile mac address, country code, device operation
system (“OS”, i.e. Android or iOS), OS platform, OS version, device model, IP address, user agent (UA), device brand, package name
of the publisher;
(c)Users' interaction with the Nativex’s ads: an indication that an User installs the Client’s app
following a click on or a view of an ad served by Nativex; information about actions an User performs within Client’s app following such
an install, such as in-app purchases, and the number of times the User opens the app; and other information that Client decides to share with
Nativex.
Sensitive data transferred: No sensitive data will be transferred
The frequency of the transfer(e.g. whether the data is transferred on a one-off or continuous basis):continuous during the whole term of the Agreement.
Nature of the processing:Personal Data will be subject to automated and manual processing operations by Nativex, including collection, use, analysis, transfer, storage
and erasure.
Purpose(s) of the data transfer and further processing:while Data Importer is acting as a data
processor, to provide the Services as set out in the Agreement; while Data Importer is acting as a data controller, for building profiles of
Users, tracking Users and serving Users with online behavioral ads for ad campaigns through Nativex and/or any of its Affiliates.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:while Data Importer is acting as a data processor, in accordance with section 4 of the European Addendum; while Data Importer is acting as a
data controller, in accordance with Nativex Privacy Policy.
C.COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: the competent supervisory authority/ies are as provided in Clause
13 of the Clauses.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure
an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and
freedoms of natural persons.
Nativex has implemented physical, technical and administrative security measures for the Services that
comply with applicable laws and industry standards. For example, Nativex uses firewalls, encryption technology and other automated software
designed to protect against fraud and identity theft; Nativex’s data is only stored in centers that provide high-level security for
Users’ information. Physical access is strictly controlled both at the perimeter and at building ingress points by our staff utilizing
video surveillance and other electronic means.
Nativex also protects User’s privacy by seeking to minimize the amount of
sensitive data that it stores on its servers. Nativex also seeks appropriate contractual protection from its partners regarding their treatment
of User data.
Nativex also has completed the ISO27001 audit and has received the SOC2 Type1 audit report which provides detailed
information and assurances about its security, availability, processing integrity, confidentiality and privacy controls, based on its compliance
with the Trust Services Criteria (“TSC”) of the American Institute of Certified Public Accountants (AICPA).
CCPA Addendum
This California Consumer Privacy Act Addendum (the "CCPA Addendum") supplements any agreement entered into between Mobvista International
Technology Limited and/or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for
promoting Client’s products and service (or those of a third party) ("Agreement"). This CCPA Addendum shall be incorporated into and form
part of the Agreement and be deemed to have become effective as of the date both Client and Nativex have executed the Agreement. In case of any
conflict between a provision of this CCPA Addendum and the Agreement, as it relates to Personal Information, the provision of this CCPA Addendum
shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or CCPA (as defined
below).
1. Definitions
1.1. "Affiliates" means with respect to a party, all entities which, directly or indirectly, control, are being controlled by, or are under
common control with such Party.
1.2 "CCPA" means the California Consumer Privacy Act of 2018(as amended by the California Privacy
Rights Act effective on January 1, 2023, and any others), and its regulations as amended, and/or other laws that are successors to, or that are
intended to implement them.
1.3 "Client" means any business partner that has signed Agreement with Nativex for engaging Nativex to
promote its products or service (or those of third party).
1.4 "Individual" means a natural person to whom Personal Information
relates, also referred to as "Consumer" pursuant to CCPA.
1.5. "Nativex Privacy Policy" means the privacy policy available at
Nativex’s official website https://www.nativex.com/en/privacy/ or at any other or additional location, as may be updated from time to
time.
1.6 "Service" means the services provided by Nativex to Client in accordance with the Agreement, including activities that are
required, usual, or appropriate in performing the Services, including to (a) carry out the Services or the business of which the Services are a
part, (b) maintain records relating to the Services, or (c) comply with any legal or self-regulatory obligation relating to the
Services.
1.7 "User" means a Data Subject who is an end-user accessing a mobile application/website and accessing ads served by
Nativex or its business partners (e.g. publishers).
1.8 The terms, "Business", "Business Purpose" "Consumer", "Personal Information",
"processing", "process" "Sale", and "Service Provider" shall have the same meanings as in the CCPA, and their cognate terms shall be construed
accordingly.
2. Nativex Activities.
Both Parties acknowledge and agree that the Client (or any third party designated by Client) may transfer any Personal Information of Users to
Nativex ("Client Personal Information") for purpose of
(i) ads attribution and making settlement, detecting fraud and resolving
dispute related to the Agreement (the "Major Activities") and
(ii) profiling Users, tracking Users and serving Users with
interest-based ads or personalized ads for any ad campaign through Nativex and any of its Affiliates (the "Additional Activities").
3. Nativex Obligations.
3.1 As a Service Provider
To the extent that Nativex processes any Client Personal Information for a Business Purpose under the
Agreement,
(i)Nativex is a Service Provider and shall process the Client Personal Information solely to provide its
Services under the Agreement.
(ii)Nativex shall not retain, use, disclose or otherwise process the Client Personal Information
for any purpose other than for performing the Services unless as otherwise permitted by the CCPA. Nativex shall return or delete all Client
Personal Information at the conclusion of performance of the Services, or sooner if directed by Client unless Nativex is processing Client
Personal Information as a Business under Section 3.2 of this CCPA Addendum. Nativex shall follow all Client instructions regarding the return or
destruction of Client Personal Information.
(iii)Nativex shall not Sell any of the Client Personal
Information.
(iv)Nativex shall assist Client in fulfilling its obligations under the CCPA to respond to individual requests
related to Client Personal Information about them, including by promptly fulfilling requests to access or delete relevant Client
Personal Information in Nativex’s possession. If Nativex receives a request to know or a request to delete from an User regarding
Personal Information that the Nativex collects or maintains on behalf of Client, and does not comply with the request, it shall explain the
basis for the denial. Nativex shall also inform the User that it should submit the request directly to Client and, when feasible, provide
the User with contact information for Client.
(v)Nativex shall enter into written agreements with each third party subcontractor that
processes the Client Personal Information that obligate the subcontractor to comply with terms that are at least as restrictive as
those imposed on Nativex under this CCPA Addendum and the Agreement, including the prohibition on the Sale of the Client Personal
Information.
3.2 As a Business
To the extent that Nativex determines the purposes and means of the processing of the
Client Personal Information with respect to the Additional Activities,
(i)Nativex is a Business subject to the satisfaction of other
conditions in the definition of Business under the CCPA.
(ii) Nativex shall comply with personal information security and other
obligations prescribed by CCPA for a Business.
(iii)Nativex shall ensure that Nativex Privacy Policy is consistent with current
business practices and ensure that Nativex Privacy Policy complies with the CCPA.
(iv)Nativex shall only process Personal Information
that have been lawfully and validly collected and ensures that such Personal Information is relevant and proportionate to the respective
uses.
(v)Nativex shall establish a procedure for the exercise of the rights of the Individuals whose Personal Information are
collected.
(vi)Nativex agrees and acknowledges that Individuals who are California residents have certain enhanced rights regarding
the use of their Personal Information, including (a) the right to request to whom a company has sold or disclosed their Personal Information;
(b) the right to request the Personal Information that a company stores regarding such Individuals; (c) the right to request the company delete
such Individual’s Personal Information; and (d) the right to opt out of the Sale of Personal Information, and other rights.
(vii)If
Nativex ever Sells Personal Information to third parties, it shall provide a clear and conspicuous link on the Business’ Internet
homepage, titled "Do Not Sell My Personal Information," to an Internet Web page that enables an Individual, or a person authorized by such
Individual, to opt out of the Sale of the Individual’s Personal Information.
4. Client Obligations.
Regarding any Client Personal Information, Client represents and warrants :
(i) that adequate notices have been provided to
Users, and valid consents have been obtained from Users (the "User’s Consent"), in each case and in compliance with CCPA, to the extent
necessary for Nativex to process the Client Personal Information in connection with the Agreement, this CCPA Addendum and as described in the
Nativex Privacy Policy including, without limitation for the performance of the Major Activities and the Additional Activities, and
international transfers of Client Personal Information to and from Nativex;
(ii) Client shall not by act or omission, cause Nativex
to violate the Nativex Privacy Policy, any applicable data protection law including CCPA, notices provided to, or consents obtained from, Users
as result of Nativex’s Major Activities and Additional Activities;
(iii) Client shall, upon Nativex’s request, provide
records of all the User’s Consent to Nativex; and (iv) Client shall notify Nativex in writing within 24 hours upon receiving any
User’s objection to or withdrawal of any User’s Consent for Nativex to process their Personal Information or other information for
the Major Activities and the Additional Activities pursuant to Section 2 of this CCPA Addendum.
5. Duration of Addendum
Notwithstanding the expiration of the Term of the Agreement, this CCPA Addendum will remain in effect until, and automatically expire upon,
Nativex’s deletion or return to Client all the Client Personal Information.
6. Limitation of Access
Each party will limit access to Personal Information to those personnel who require such access only as necessary to fulfill such party’s
obligation under the Agreement.
7. Information Security.
Each party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level
of security, confidentiality and integrity of the Personal Information, in accordance with any applicable data protection law including CCPA,
and official guidelines as provided by the competent authorities and good industry practice. Each party undertakes to regularly monitor
compliance with these safeguards and will not materially decrease the overall security controls during the term of the Agreement.
8. Miscellaneous.
8.1 Nativex may amend this CCPA Addendum from time to time by posting an amended version at its website and sending Client written notice
thereof. Such amendment will be deemed accepted and become effective 10 days after such notice unless Client first gives Nativex written notice
of rejection of the amendment.
8.2 Invalidation of one or more of the provisions under this CCPA Addendum will not affect the
remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same
objectives.
8.3 Client acknowledges that Nativex and/or its Affiliates may disclose this Addendum and any relevant privacy provisions
in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law. Such
disclosure will not constitute a breach of Nativex’s confidentiality obligation under the Agreement.