You need to handle user personal information with caution, ensure compliance with applicable laws and regulations, fulfill personal information protection obligations, and follow the principles of legality, legitimacy, necessity, and integrity. Applicable laws and regulations include but are not limited to: the Personal Information Protection Law of the People's Republic of China; the Cybersecurity Law of the People's Republic of China; the Data Security Law of the People's Republic of China; Methods for Determining the Illegal Collection and Use of Personal Information by Apps; Notice on Carrying out Special Rectification Actions for APP Infringement of User Rights in Depth; Personal Information Security Standards for Information Security Technology; Evaluation Standards for APP User Rights Protection; Notice of the Ministry of Industry and Information Technology on Carrying out Information and Communication Service Perception Enhancement Action; Notice of the Ministry of Industry and Information Technology on Further Enhancing the Service Capability of Mobile Internet Applications; Regulations on the Recommendation and Management of Internet Information Service Algorithms; Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications; Regulations on the Network Protection of Children's Personal Information; and any other applicable laws and regulations.
Privacy Policy
- Developers must provide their own easily accessible privacy policy links within the application. The content of privacy policies should be open and transparent, and consistent with the handling of user personal information by the application during operation. Developers must ensure that the link always opens properly.
- The privacy policy linked from the application should state the purpose, method, and scope of personal information collection and use by the application (including by delegated third parties or embedded third-party code and plugins).
- The privacy policy within the application should include information on how users exercise their personal information subject rights, such as how users revoke their consent and/or request data deletion, their right to access and copy personal information, and effective channels for feedback on user privacy issues. If the application involves an account system, it should provide users with convenient account cancellation services, without setting unreasonable obstacles, and ensure that account cancellation is true and effective. The processing time for account cancellation services should not exceed 15 working days.
- Access, collection, use, or disclosure of any personal information by the application requires the user's consent or compliance with other applicable laws and regulations.
User consent
- The application must present privacy policies in a clear and explicit manner, and obtain user consent before collecting and processing personal information. This consent should be voluntarily and explicitly given by the user with full knowledge.
- The application must provide users with a simple, understandable, and easy to operate way to revoke consent.
- If an application uses personal information for personalized advertising and precision marketing, it must inform users of this in the privacy policy and provide independent options within the application for turning it off or rejecting it.
- To process sensitive personal information, the application should obtain the individual consent of the user and inform the user of the necessity of processing sensitive personal information and its impact on user rights.
- Where it is not necessary for the service or where there is no reasonable scenario, the application shall not start itself automatically or start other applications in association, or engage in wake-up, calling, updating, and other such behaviors. Before an associated start, the user should be prominently informed of the other applications that the user is about to be redirected to or that are about to be started.
Collection and use
- The collection and use of personal information by the application must adhere to the principle of data minimization, adopt a method that minimizes the impact on user rights, and be limited to the minimum scope for achieving processing purposes.
- The application shall not secretly collect and use personal information, and shall not collect and use personal information beyond what is necessary for the service or without reasonable application scenarios.
- The application must use encryption technology (such as HTTPS) to securely process all personal information of users.
- Any personal information disclosed by the application must be explained in the privacy policy, including the disclosure content, purpose, and disclosure recipient.
- It is prohibited for the application to sell the user's personal information.
- Any third party who discloses personal information through the application should provide personal information protection measures that are the same or equivalent to those required by your application's privacy policy and these guidelines.
- The application shall not use sensitive personal information such as "call records", "SMS", "biometrics", "health data", "travel trajectory", etc. for non core business functions such as service improvement, advertising or marketing.
- During third-party payment transactions, unless it is required by applicable laws or necessary to provide third-party payment services, the application is not allowed to record user transaction authentication information or disclose user personal information unrelated to the specific transaction to third parties.
- Where the application's function is to process financial information, payment information, or identity information, no personal information of users shall be disclosed unless it is necessary for providing the corresponding services.
- Applications accessing personal device information from public devices (such as large screens) require confirmation from the user of the personal device.
- The permissions that an application requests and uses must adhere to the principle of minimizing permissions. The required permissions should be requested dynamically when the corresponding business function is activated, and users should not be required to agree to multiple permissions that are not related to this business function. Do not refuse to provide products or services on the grounds that users refuse permission or withdraw their consent.
- The permissions requested by the application must have clear and reasonable usage scenarios and functional descriptions, and it is prohibited to induce or mislead users to authorize. The permissions used by the application must be consistent with those described in the application. When requesting a sensitive permission, the application must inform the user of the purpose of requesting that permission at the same time. Without the user's consent, the user's permission authorization status cannot be changed.
- Applications should not request permissions frequently. After a user refuses a permission request, the application should not request the permission again unless it is necessary for the functional scenario, because repeated requests affect the user's normal use.
- The application's processing of personal information should have a clear and reasonable purpose, and the application should not force users to agree to personal information processing that exceeds the scope of, or is unrelated to, the service scenario solely on the grounds of service experience, product development, algorithm recommendation, risk control, etc. When a user refuses to provide personal information that is not necessary for the current service, this shall not affect the user's use of the basic functions of the service.