Cross-Border Personal Information Transfer Notice and Consent
Version: V1.1
Effective Date: 26th March 2025
Personal Information Processor (Domestic Entity): Ncurd (Shanghai) Textile Technology Co., Ltd.
Contact: info@tachain.com
Registered Address: Room 512, Building 1, No. 2071 Hongmei Road, Minhang District, Shanghai
Data Protection Officer (DPO) / Contact Person: Yuanyuan He / helen.he@tachain.com
In order to provide you with consistent cross-regional services, technical support, and backup disaster recovery, we need to provide personal information related to you to overseas recipients or access and process it in overseas regions under the premise of meeting legal requirements. We hereby provide you with separate and explicit notice regarding this cross-border provision of personal information. Please check the consent box after reading and understanding it thoroughly.
1. Purpose and Scenarios of Cross-Border Transfer
To achieve purposes such as [account login/authentication, cross-border customer service, ticketing and technical support, data backup and disaster recovery, statistical analysis and anti-fraud].
Typical scenarios:
- When you create or log in to an account in the China region, our [UK/EU] nodes need to access/copy necessary data to achieve account universality and failover.
- When providing you and your team with [cross-border order collaboration / logistics collaboration] functions, cross-border network transmission and processing is required.
2. Types and Scope of Cross-Border Personal Information (Minimum Necessity Principle)
- Account Identification: Username, UID, password verification credentials (irreversible hash), account status;
- Login and Security: Login time, IP, device information (browser/system/resolution/device identifier), behavior logs (for abnormal detection purposes);
- Contact Information (if provided by you): Name, position, mobile phone, email, company name and department;
- Sensitive Personal Information (if applicable): This service does not involve cross-border provision of sensitive personal information.
Note: Business data such as orders, BOMs, logistics documents, etc. are in principle enterprise/transaction information and do not constitute personal information; if they contain contact information that can identify natural persons, they shall be managed according to the above terms.
3. Overseas Recipients, Their Countries/Regions, Contact Information, and Processing Purposes
We may provide the above information to the following categories of overseas recipients (the actual list is subject to the "Recipient Directory" permanent page in the Privacy Policy):
1) Affiliated Companies/Service Nodes within the Same Group:
- Recipient: Takumi Tech Ltd.
- Region: United Kingdom (UK)
- Purpose: Account universality, technical support, and emergency disaster recovery
- Contact: info@takumi.pub
2) Cloud/Communication and Security Service Providers (Entrusted Processors):
- Recipient Type: Cloud computing and storage, email/SMS gateway, logging and risk control services
- Region: [UK/EU] (subject to service deployment)
- Purpose: Infrastructure and security capability hosting
3) Customer-Designated Cross-Border Integration Objects (if applicable):
- Recipient: Systems designated by you or your employer (such as brand headquarters system)
- Region: As designated by you or your employer
- Purpose: Business docking/system integration
We will sign data processing agreements with the above recipients and stipulate security obligations and purpose-limited use only, prohibiting processing beyond the scope and illegal re-provision.
4. Processing Methods, Frequency, and Retention Period
- Methods: Encrypted transmission, access and replication (including cross-border real-time access, caching, or backup);
- Frequency: Based on the continuous need for you to use the service (triggered by login, API calls, ticket generation, etc.);
- Retention Period: The shortest period necessary to achieve the purpose or the period required to meet legal/regulatory/contractual retention requirements (for example, login logs are usually retained for 365 days, account information is deleted or anonymized within 180 days after account cancellation or contract termination, and backup media is automatically overwritten after the retention period expires).
5. Cross-Border Compliance Pathways and Security Measures
Compliance Pathways (one of the following applicable situations):
- Standard Contractual Clauses for Cross-Border Personal Information Transfer have been signed with the recipient and filing obligations have been completed/fulfilled; or
- Through Personal Information Protection Certification; or
- Evaluated as applicable to policy exemption scenarios (such as cross-border production and manufacturing/international trade/cross-border transportation and business data that does not contain personal information or important data); or
- Security assessment has been completed in accordance with law (if statutory situations such as important data/large-scale personal information are triggered).
Security Measures:
- Full-link encrypted transmission (TLS)
- Encrypted storage (including hierarchical key management and rotation)
- Access control and least privilege
- Zero trust and multi-factor authentication
- Log audit and anomaly alerts
- Data classification and desensitization minimization
- Third-party compliance assessment
6. Your Rights and How to Exercise Them
You can exercise the following rights through [ticket / email]: query/copy, correction, deletion, withdrawal of consent, account cancellation, obtaining key points of cross-border standard contract copies (commercial sensitive information may be processed to avoid leakage), etc. Withdrawal of consent does not affect the validity of processing that has been carried out based on your consent before the withdrawal, but may affect the availability of related functions.
7. Possible Impacts and Risks to Your Rights and Interests
Cross-border network transmission and overseas processing pose objective risks such as network attacks and illegal access; data protection rules in some countries/regions may differ from those in China. We will take the aforementioned measures to reduce risks to a reasonable level and continuously evaluate the compliance capabilities of recipients.
8. Changes and Notifications
When the category of recipients, location, processing purpose, or information type undergoes significant changes, we will notify you again through on-site notifications/pop-ups and seek your separate consent again.
By using our Service and consenting to this notice, you acknowledge that you have read, understood, and agree to the cross-border transfer of your personal information as described above.