Gerlsair Privacy Policy

1. Introduction

This Privacy Policy (hereinafter referred to as "this Policy") specifies how 【Changsha Xizhen Electronic Technology Co., Ltd.】 (hereinafter referred to as "we", "us" or "our") collects, uses, discloses, processes, stores, protects and transfers all information provided or generated by you when using the "Gerlsair" products and services (hereinafter referred to as "Products and Services"). This Policy complies with the EU General Data Protection Regulation (GDPR), Google Play Developer Distribution Agreement and relevant data protection laws and regulations of the People's Republic of China, aiming to protect your personal information rights and data security.

In this Policy, "Personal Information" refers to information that can identify a specific natural person individually or in combination with other information, including but not limited to: mobile phone number and email address used when logging in to the "Gerlsair" APP, avatar (non-mandatory), nickname (non-mandatory), gender (non-mandatory) actively provided by you, device information (such as device model, system version), location information (obtained only after your active authorization), permissions and related operation data such as Bluetooth (used only after your active authorization) and camera (used only after your active authorization), as well as log information generated during the use of Products and Services. "Sensitive Personal Information" refers to information that may endanger your personal or property safety if leaked or misused, including your mobile phone number, email address, location information, etc. We will adopt stricter protection measures for such information.

By using our Products and Services, you acknowledge that you have read, understood, recognized and accepted all the terms stated in this Policy, including changes made by us in accordance with legal and regulatory updates and business adjustments. If you are a minor under the age of 16, you must have your parents or legal guardians read and agree to this Policy before using the Products and Services, and the guardians shall assist you in protecting the security of your personal information.

We commit to adopting corresponding security protection measures in accordance with mature industry security standards (ISO27001 Information Security Management System) to protect your personal information. If you have any questions, complaints or suggestions regarding the data processing practices described in this Policy, or need to exercise your data subject rights, please contact us through the methods specified in the "How to Contact Us" chapter of this Policy. We will respond to and handle your request within 1 month as required by GDPR.

2. Types of Information We Collect

To provide you with necessary and high-quality Products and Services, we follow the principles of "purpose limitation" and "data minimization", and only collect information necessary to achieve the purposes of the Services. If you do not provide relevant necessary information, we may not be able to provide you with complete Products and Services, but it will not affect the use of basic functions. The information we collect is divided into the following categories:

2.1 Information You Voluntarily Provide or Authorize

2.1.1 Account Registration and Login Information

When you register and log in to your account, you need to provide a mobile phone number or email address to complete identity verification:

If you choose to register/log in with a mobile phone number, we will send a verification code to you through a third-party compliant SMS service provider. We only collect the verification code for identity verification, do not store the SMS content, and immediately delete the verification code cache after the verification is completed;
If you choose to register/log in with an email address, we will send a verification code to the email address. We only obtain the verification result and do not read or store other email contents in your mailbox;

Avatar, nickname, gender and other information are non-mandatory. You can independently choose whether to supplement them. The collection of all optional information is based on your voluntary consent. We will not force you to provide such information on the grounds of "completing the account".

2.1.2 Permission-Related Information

The following permissions are non-basic permissions that you can independently enable or disable. Enabling a permission means that you authorize us to collect and use relevant information in corresponding scenarios. After disabling a permission, we will stop collecting such information, and it will not affect the use of basic functions of the product:

(1) Location Information and Nearby Devices Permission

After you enable this permission through system authorization, we only collect your location information (based on GPS or network positioning) and nearby device detection data in the following specific scenarios: Add Device page, Bluetooth Debugging Device List page, and Device Network Configuration page. The sole purpose of collecting this information is to help you discover surrounding smart Bluetooth devices and WiFi network information to achieve rapid device network configuration.

You can manage this permission at any time through the following paths: Gerlsair APP "Me - Settings - System Permission Management" or mobile device system settings "Apps - Gerlsair - Permissions - Location Information". After disabling it, you can only not use device network configuration-related functions, and it will not affect basic services such as account login and device control.

(2) Bluetooth Permission

After you authorize and enable the Bluetooth permission, we only communicate with smart devices through Bluetooth in the following scenarios: Add Device page (scanning Bluetooth devices), Bluetooth Debugging Device List page (connecting devices), Device Details page (controlling devices, obtaining device status), and Device Network Configuration page (transmitting network configuration information). This permission is only used to realize the connection, control and network configuration functions of Bluetooth devices, and will not collect irrelevant information through Bluetooth.

Permission management path: Gerlsair APP "Me - Settings - System Permission Management" or mobile device system settings "Apps - Gerlsair - Permissions - Bluetooth".

(3) Camera Permission

We only obtain the camera permission after your active authorization, and strictly follow the principle of "one authorization, one use". It is only used for the following three clear functions and no other purposes:

Add Device page: Scanning device QR codes to complete device binding. The images generated during the scanning process are only temporarily cached locally on the device and are automatically deleted immediately after identification without being uploaded to our servers;
Personal Profile page: Uploading avatars. Avatars are only used for display on the personal homepage within the APP and will not be disclosed or shared with any third parties; minors must have their guardians assist in uploading avatars, and guardians shall confirm that the avatar content does not contain minors' privacy information;
Help & Feedback page: Uploading feedback logs in the form of pictures to assist us in solving the problems you encounter.

When you upload an avatar or feedback picture, you can choose to obtain it from your mobile phone album. We access the picture you selected through Android system standard components, and the system only grants temporary access permission. We will not obtain other files stored in your mobile phone. Permission management path: Gerlsair APP "Me - Settings - System Permission Management" or mobile device system settings "Apps - Gerlsair - Permissions - Camera".

2.1.3 Smart Device-Related Information

After you bind a smart device to your account, we will collect basic information about the device, including device name, unique device ID, online status, firmware version, upgrade records, and device operation status data (such as connection stability). This information is used to realize core services such as remote device control, status monitoring, and firmware upgrades to ensure the normal operation of the device.

2.2 Information Collected by Third-Party SDKs

To realize the basic functions of the Products and Services, we have integrated the following third-party SDKs. The information collection behavior of relevant SDKs is subject to their own privacy policies and this Policy. We have required them to comply with data protection obligations through contractual agreements:

SDK Name: OkHttp

Company: Square

Purpose of Use: Realizing stable network requests

Types of Information Collected: Network status, IP address, device identifier (only used to establish a secure connection with the server)

Third-Party Privacy Policy Link: https://square.github.io/okhttp

SDK Name: hivemq-mqtt-client

Company: HiveMQ

Purpose of Use: Realizing message push and device communication under the MQTT protocol

Types of Information Collected: Device model, system version, network connection status, application usage logs (only used for communication and connection maintenance under the MQTT protocol)

Third-Party Privacy Policy Link: https://www.hivemq.com/legal/privacy-policy/

In addition, the third-party open source libraries we use, such as zxing (QR code scanning and recognition), rxpermissions (permission application), glide (image loading), Gson (data parsing), and eventbus (event notification), only provide local function support and will not collect, use, share or transmit any of your personal information.

2.3 Information We Automatically Collect

During your use of the Products and Services, we will automatically collect necessary information related to the Services to ensure the stable operation of the Services and optimize your user experience, including:

Device Information: When you interact with our products, we will automatically collect device information, such as device operating system type, system version, and application version number. It is used for uploading application logs and abnormal stack information to our servers.
Usage Data: Including your account login time, device binding/unbinding records, function operation paths (such as "Add Device - Select Model - Successful Network Configuration"), etc. It is only used for counting function usage and optimizing service processes.
WiFi Network Information: When the user agrees to enable the location permission and connects to a WiFi network, the BSSID information of the currently connected WiFi is obtained through the system API. We collect the BSSID (Base Station Identifier), SSID (Network Name), and signal strength of the WiFi you are currently connected to. It does not involve WiFi passwords or other network configuration information, and the BSSID information will not be shared with third parties. It is used to realize rapid device network configuration. You can refuse the APP to obtain the location information permission in the mobile device settings, which will result in the inability to obtain BSSID information, but will not affect the basic function use of the APP.
Log Information: Including network request logs, device communication logs, error logs, etc. The content only involves service operation status and does not contain your personal identification information. Logs will be automatically anonymized after being retained for 90 days.
Basic Smart Device Information: When you use a smart device connected to our services, we may collect some basic information about the smart device, including device name, device ID, online status, firmware version, and upgrade information.

3. How We Use Your Personal Information

We only process your personal information within the scope of the purposes agreed in this Policy based on legal bases such as your consent, performance of contractual obligations, compliance with legal and regulatory requirements, or protection of your legitimate rights and interests. The specific usage scenarios are as follows:

Account Identity Verification and Security Assurance: Using your mobile phone number, email address and corresponding verification code to confirm that registration, login and information modification behaviors are performed by you personally, preventing risks such as malicious registration, account theft, and identity theft; when the system detects abnormal login behaviors (such as login from an unusual location, login from an unfamiliar device, multiple login failures within a short period of time), sending security notifications through your retained mobile phone number or email address. You can restore account control through identity verification to minimize account security risks.
Providing Core Products and Services: Using Bluetooth permission-related data to realize the connection, control and status monitoring of smart devices; using location information and WiFi network information to realize rapid device network configuration; using camera permission-related data to complete functions such as scanning QR codes to add devices, uploading avatars, and feedback logs.
Customer Service and Problem Resolution: Using your account information and device information to respond to your inquiries, complaints or feedback (such as "device cannot connect to the network") and provide targeted solutions; locating the cause of problems and optimizing services through the feedback pictures or logs you uploaded.
Service Optimization and Improvement: After anonymizing statistical data such as the number of device activations, function usage frequency, and firmware version distribution, analyzing the operation status of the Products and Services, optimizing function design (such as simplifying the network configuration process) and fixing potential problems to improve service quality.
Compliance with Legal and Regulatory Requirements: Using your personal information to fulfill legal obligations when required by laws and administrative regulations or when legally requested by administrative and judicial authorities.

We will not use your personal information for purposes not explicitly agreed in this Policy. If it is necessary to use it beyond the agreed scope, we will obtain your explicit consent again.

4. Storage and Cross-Border Transfer of Personal Information

4.1 Storage Method and Period

Your personal information will be stored in Alibaba Cloud's compliant data centers to meet GDPR data localization requirements. We follow the principle of "minimum necessary storage period" and only store your personal information for the period necessary to achieve the purposes agreed in this Policy:

Account information (mobile phone number, email address): Stored during the existence of your account, and completely deleted within 15 working days after account cancellation;
Permission-related operation data (such as location information, Bluetooth connection records, camera usage): Only temporarily cached during the use of corresponding functions and immediately deleted after the functions are completed;
Device information, usage data and log information: Retained for 90 days after the relevant purposes are achieved, and anonymized (deleting content that can identify personal identity) after the expiration;
If laws and regulations require or allow a longer storage period (such as retaining evidence for litigation), we will delete or anonymize your personal information after the expiration of that period.

4.2 Cross-Border Transfer

If it is necessary for business purposes to transfer your personal information from within the EU to other countries or regions (including within the People's Republic of China), we will strictly comply with the provisions of GDPR on cross-border data transfer and take one or more of the following compliant measures to ensure data security:

Transfer to data recipients in countries or regions recognized by the European Commission as having an "adequate level of protection";
Signing EU Standard Contractual Clauses (SCCs) with data recipients to clarify the data protection obligations of both parties;
Requiring data recipients to obtain international information security certifications such as ISO27001 to ensure that they have corresponding security protection capabilities.

If you need to know the specific cross-border transfer situation, you can consult us through the methods specified in the "How to Contact Us" chapter of this Policy.

5. With Whom We Share Your Information

We strictly limit the scope of personal information sharing and follow the principle of "no sharing unless necessary". Except for the following circumstances, we will not provide, sell, rent, share or trade your personal information to any third party:

After obtaining your explicit consent: For example, if you authorize us to share device information with smart device manufacturers for troubleshooting, we will only share necessary information related to the problem;
To fulfill contractual obligations: Sharing with third-party service providers that provide technical support for us (such as SMS verification service providers, data center operators), but we will require them through contractual agreements to only use the information within the authorized scope and take security protection measures;
Compliance with legal and regulatory requirements: Disclosing to relevant third parties or authorities in accordance with the provisions of laws and administrative regulations, or in response to legal requests from administrative and judicial authorities;
Protection of legitimate rights and interests: Sharing information when necessary and in accordance with legal and regulatory requirements to protect the legitimate rights and interests of you, us or other third parties (such as preventing fraudulent acts);
Corporate merger, acquisition or bankruptcy liquidation: In the event of corporate merger, acquisition, asset transfer or bankruptcy liquidation, personal information may be transferred as part of the assets. We will notify you through APP pop-up windows or emails 30 days in advance to ensure that the transferee continues to perform the information protection obligations agreed in this Policy.

6. How We Protect Your Personal Information

We have established a sound information security management system and adopted multiple security measures at the technical, management and physical levels to prevent your personal information from being accessed, used, disclosed, tampered with or damaged without authorization:

Technical Security Measures: Using AES-256 encryption algorithm to store sensitive information such as your mobile phone number and email address; adopting HTTPS protocol encryption during data transmission; deploying defensive tools such as firewalls and Intrusion Detection Systems (IDS) to prevent network attacks; conducting regular security vulnerability scans and penetration tests to promptly fix potential risks;
Management Security Measures: Establishing a hierarchical permission control mechanism, only authorizing necessary personnel to access personal information, and keeping a full record of access logs; conducting regular data security and GDPR compliance training for employees and requiring them to sign confidentiality agreements; setting up an information security emergency response team and formulating data breach emergency response plans;
Data Breach Notification: In the event of a personal information breach, we will notify affected users through APP pop-up windows, registered emails and other methods within 72 hours as required by GDPR, and report to the EU data protection supervisory authority, explaining the breach situation, scope of impact and remediation measures.

Despite the adoption of the above measures, please note that the Internet environment is not absolutely secure. We cannot completely avoid information security risks caused by force majeure, third-party attacks or your improper operations. Please properly keep your account password and verification information, avoid disclosing them to others, and jointly ensure information security.

7. Your Rights

According to GDPR and relevant laws and regulations, you enjoy the following personal information rights. We will provide you with convenient channels to exercise these rights without charging any unreasonable fees:

Right to Know: You have the right to inquire about the collection, use, storage, sharing and cross-border transfer of your personal information. You can obtain detailed explanations by contacting customer service.
Right of Access: You have the right to obtain a copy of your personal information. You can apply through the above inquiry channels, and we will provide it via email within 7 working days.
Right to Rectification: If you find that your personal information is incorrect or incomplete, you can independently modify your avatar, nickname, login password (requiring mobile phone or email verification code verification) and other information through "Me - Settings - Personal Profile"; if you cannot modify it independently, you can contact customer service for assistance, and we will complete the verification and rectification within 3 working days.
Right to Erasure: You have the right to request that we delete your personal information or account, including but not limited to: information that has served its purpose and for which no further retention is necessary, and information collected in violation of our agreement. You can delete your account and associated data through this link (https://www.xizhenelec.com/#/Account) or by going to the Gerlsair app (My page -> Settings -> Account and Security -> Cancel User). If there are any devices linked to your account, you must remove the devices before canceling your account. We will complete the deletion and provide feedback within 15 business days.
Right to Withdraw Consent: You have the right to withdraw your authorization for various permissions (such as location, camera, Bluetooth) at any time through mobile device system settings or the permission management function within the APP. Withdrawing consent will not affect the legality of information processing behaviors based on previous authorization;
Right to Account Cancellation: You have the right to cancel your "Gerlsair" account. After cancellation, we will cease providing you with all services and completely delete your personal information within 15 business days (except where required by laws and regulations). Cancellation path: You can cancel your account via this link (https://www.xizhenelec.com/#/Account) or by going to "My - Settings - Account Security - Cancel Account" in the Gerlsair app. Before cancellation, we will clearly inform you of the consequences (such as device unbinding and data deletion) and verify your operation through identity verification.
Right to Object: If we process your personal information based on legitimate interests, you have the right to object. We will review it within 15 working days and adjust the data processing method according to the review result;
Right to Lodge a Complaint: If you believe that our personal information processing behaviors violate GDPR or relevant laws and regulations, you can lodge a complaint with the data protection supervisory authority of the EU member state where you are located (contact information is detailed in Chapter 11 of this Policy).

If you entrust a guardian to exercise the above rights, the guardian shall provide your identity certificate, the guardian's identity certificate and a power of attorney. We will assist in exercising the rights after verifying the identity.

8. Updates to This Policy

We will regularly review and may revise this Policy in accordance with legal and regulatory updates, business model adjustments and technological development. If this Policy is changed, we will notify you in the following ways:

Displaying a pop-up window prompt within the Gerlsair APP and guiding you to read the updated Policy content;
Sending a Policy change notice to your registered email address, specifying the change content, effective time and your rights;
Publishing the updated Policy text on the "About Us - Privacy Policy" page of the APP, official website and Google Play Developer Console.

For material changes involving your core rights and interests (such as expansion of the scope of personal information collection, change of use purpose, adjustment of cross-border transfer rules), the effective time will not be earlier than 30 days after the notice is sent to ensure that you have sufficient time to understand the change content. Your continued use of the Products and Services will be deemed as acceptance of the updated Policy; if you do not accept it, you should immediately stop using the Products and Services and cancel your account, and we will process the relevant personal information according to your request.

9. Third-Party Links and Services

The Products and Services may contain links to third-party websites or services (such as links to the privacy policies of third-party SDKs). The information processing behaviors of such third parties are not subject to this Policy and are the sole responsibility of the third parties. We only provide links within necessary scopes and do not represent that we endorse their information protection. We recommend that you carefully read their privacy policies and user agreements before accessing third-party websites or using third-party services to understand their information processing rules.

10. Protection of Minors' Information

We pay special attention to the protection of minors' personal information. If you are a minor under the age of 16, you must use the Products and Services under the guidance of your parents or legal guardians. The guardians shall assist you in completing account registration, permission authorization and other operations and supervise your information use behaviors.

Guardians have the right to check the minor's personal information, request correction or deletion of inappropriate information, and cancel the account. They can contact us through the methods specified in the "How to Contact Us" chapter of this Policy. We will provide necessary assistance after verifying the guardian's identity. We will not push commercial advertisements to minors, nor will we collect non-essential personal information of minors (such as home address, school name).

11. Contact Information of Data Protection Supervisory Authorities in Major EU Member States (For Complaints)

France: Commission Nationale de l'Informatique et des Libertés (CNIL)

Official Website: https://www.cnil.fr/

Complaint Phone: +33 1 53 73 22 22

Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Official Website: https://www.bfdi.bund.de/

Complaint Channels: Official website online form or inquiry email poststelle@bfdi.bund.de

Italy: Garante per la Protezione dei Dati Personali (Garante)

Official Website: https://www.garanteprivacy.it/

Complaint Portal: Online submission on the official website

12. How to Contact Us

If you have any questions, comments, suggestions about this Policy, or need to exercise the various rights agreed in this Policy, you can contact our Data Protection Officer through the following methods:

Company Name: Changsha Xizhen Electronic Technology Co., Ltd.;

Mailing Address: Room 101, Building 20, Liandong Yougu Industrial Park, No. 32 Yulian Road, Xueshi Sub-district, Yuelu District, Changsha City, Hunan Province, People's Republic of China (Attn: Data Protection Department);

Email Address: xizhendianzi@xizhenelec.com (Please indicate "Privacy Policy Inquiry/Right Exercise Application" in the email subject and provide your account information and specific needs to facilitate our rapid response);

Response Time: We will respond to your request within 1 month after receiving it. If the processing time needs to be extended due to the complexity of the request, we will notify you in advance, and the extension will not exceed 2 months.

13. Miscellaneous

For the establishment, effectiveness, performance, interpretation and dispute resolution of this Policy, if you use the Products and Services within the EU, the EU General Data Protection Regulation (GDPR) and the relevant laws of the member state where you are located shall apply first; if you use them within the territory of the People's Republic of China, the laws of the People's Republic of China shall apply.

Any disputes arising from or in connection with this Policy shall first be resolved through friendly negotiation between both parties; if the negotiation fails, you may choose to apply for mediation with the data protection supervisory authority of the EU member state where you are located, or file a lawsuit with the people's court with jurisdiction over our place of residence.