This policy applies to the SecureLink product of Wangsu Science & Technology Co., Ltd (hereinafter referred to as “we/us” or “the Company”).
Last updated: October 2021
The SecureLink product is designed to create a secure, efficient and easy-to-use remote access/office environment for enterprise users. Upon your enterprise/organization (hereinafter referred to as “enterprise user”) purchasing the SecureLink product from us, one or more users can be designated as enterprise system administrators with access to the backend of SecureLink management, and anyone who needs to use SecureLink services for remote access/office business can be invited to register as an end user.
This policy will help you understand the following:
i. What personal information do we collect and how do we use it
ii. How do we entrust, share, transfer and publicly disclose your personal information
iii. How do we protect your personal information
iv. Your rights
v. How do we process the personal information of children
vi. How do we store information
vii. How do we update this policy
viii. How to contact us
Wangsu is well aware of the importance of personal information to you, and we strive to safeguard the security and reliability of your personal information to the best of our ability. We value the trust you place in us and abide by the following principles in protecting your personal information: the principle of consistency of rights and responsibilities, the principle of clear purpose, the principle of consent, the principle of minimum necessity, the principle of ensuring security, the principle of subject participation, the principle of openness and transparency, etc. Wangsu also promises that we will take adequate security protection measures to protect your personal information in accordance with prevalent security standards of the industry.
Please make sure that you read and fully understand the content of this policy before using our products or services.
1. What personal information do we collect and how do we use it?
When using the SecureLink service, SecureLink will collect the information willingly provided by enterprise users, provided by you or generated by the use of the service in the following ways, for the purpose of providing you with services, ensuring the security of your account and optimizing our products:
1.1 When an enterprise administrator registers your SecureLink account for you, the enterprise user will provide us with the mobile phone number, email address and user name collected from you with your consent (this user name may be your name or other identifying name stipulated by the management strategy of your enterprise user, the same concept applies to the other parts of this policy) for account registration, two-factor authentication when logging in, and processing of the verification code when the password is reset, for the purpose of the enterprise administrator’s management of the employee account.
a) Mobile phone number: if you refuse to provide this information, the end users who enable SMS two-factor authentication will not be able to log in to SecureLink, reset their account password using their mobile phone number, or modify and bind their mobile phone number. This does not affect the ability of users who do not enable SMS two-factor authentication to use SecureLink.
b) Email address: if the enterprise user refuses to provide this information, you will not be able to reset your SecureLink account password through email, and you will not be able to receive notification emails sent by the server, including, but not limited to, email messages such as account creation, account expiration, password reset, TOTP key reset, and mobile phone number modification. This does not affect other features of SecureLink that you use.
c) User name: if you refuse to provide this information, it will only affect the enterprise administrator’s ability to identify the true identity of the account user. This does not affect your ability to use SecureLink for all its normal functions.
1.2 When you install and run SecureLink software for the first time, we will request storage and location permissions, where the storage permission is necessary for software installation, and you may choose of your own accord whether to authorize us with the location permission.
1.3 In the process of logging in to SecureLink, we will request VPN permission to ensure the normal function of the product. It collects your mobile phone number, device name, device model, operating system, SecureLink software version number, location information of the device (such as login IP address, GPS location, etc., accurate to one kilometer), unique device identifier (this refers to the string information used by the device manufacturer to identify a specific device, such as MAC address), operation log, etc., in which the mobile phone number is used for two-factor authentication when logging in. All other information provides the basic data for the normal operation of the product. If the enterprise administrator does not enable SMS two-factor authentication for you, then we will not collect your mobile phone number information.
1.4 In the process of resetting your password, we will collect your mobile phone number or email address information for sending the two-factor authentication verification code. If you refuse to provide this information, you may ask the enterprise administrator to reset the account password through his/her console. This does not affect other features of SecureLink that you use.
1.5 In the process of resetting your TOTP key, we will collect your mobile phone number or email address information for sending the two-factor authentication verification code. If you refuse to provide this information, you may ask the enterprise administrator to reset the account TOTP key through his/her console. This does not affect other features of SecureLink that you use.
1.6 When using SecureLink services, if your enterprise users have access behavior audit requirements, then we will collect access log information, including access time, quintet, domain name details and other information.
1.7 When using the change mobile phone number function, we will collect your mobile phone number information for sending the two-factor authentication verification code.
1.8 When you use the issue report/user feedback function and need to upload images, we will request permissions to access photo albums and your device camera, and your uploaded descriptions, user logs and images will be stored on our server. Storage of this information is necessary for us to perform this function.
1.9 When you encounter usage issues that require our assistance in troubleshooting, we will collect your operation log information, including but not limited to user name, permission resources, operation behavior, domain name access record, DNS resolution result, software failure information, IP routing information, the method, type and status of access to the network, network quality data, etc., which are the basic information that we must collect for troubleshooting. For instance, we will use permission resources and domain name access records to determine the occurrence of any unauthorized access; we will use DNS resolution results to determine abnormal DNS resolution incidents.
1.10 When an enterprise administrator resets your password through the console and chooses to notify you through your mobile phone number or email address, we will collect the information of your mobile phone number or email address.
When you use the above functions, our App will request a total of 5 system permissions: storage, location, photo album, camera and VPN. Sensitive permissions such as location and camera access are not enabled by default. You can choose whether to grant these system permissions to our App.
2. How do we entrust, share, transfer and publicly disclose your personal information
No delegated processing is involved in any of the functions and modules in SecureLink.
2.2 Sharing information
We will ask you for your authorization to share personal information in the following situations: provide information to your enterprise users for security audit; for enterprise users who have the need for employee security behavior audit, we will provide operation logs, behavior logs and other data that do not contain personal information to enterprise administrators in accordance with the relevant agreements with enterprise users.
With the exception of the above circumstances, we will not share your personal information with any company, organization or individual outside our company without your explicit consent.
However, we may share your personal information with outside parties in accordance with the provisions of laws and regulations, or in accordance with the mandatory requirements of government agencies/regulators.
We will not transfer your personal information to any company, organization or individual outside our company, except in the following cases:
a) Transfer with explicit consent: with your explicit consent, we will transfer your personal information to other parties.
2.4 Public Disclosure
We will only publicly disclose your personal information under the following circumstances:
a) With your explicit consent.
b) Disclosure required by law: we may publicly disclose your personal information if required by law, legal proceedings, litigation, or government authorities.
3. How do we protect this information
3.1 We have deployed security measures in compliance with industry standards to protect your personal information from unauthorized access, public disclosure, use, modification, damage or loss of data. We will take all reasonable and feasible measures to protect your personal information. For example:
a) For information storage and display, we will use encryption technologies (hash algorithm, NCA algorithm, etc.), console desensitization display and other means to protect your personal information.
b) For data transmission, we leverage encryption technologies such as RSA and AES to prevent sensitive data from being disclosed.
c) For device-level software security capabilities, we have adopted technical measures such as preventing decompilation, preventing two-factor packaging, preventing tampering, etc., to ensure that sensitive data is not disclosed; we also prohibit the use of our services in simulators and on devices that are being debugged, rooted or jailbroken, to prevent the disclosure of personal information.
d) For access control, in order to prevent account theft, unique device identifiers, login IP addresses, operation logs, access logs, location information and other data may be analyzed to facilitate the adoption of security measures or security reminders.
3.2 We have obtained the following certifications: the certification and filing of national network security level protection (level 3), which has met the requirements of national certification standards in terms of information security.
3.3 We will take all reasonable and feasible measures to ensure that no irrelevant personal information is collected. We will only retain your personal information for the period necessary to achieve the purposes described in this policy, unless an extension of the retention period is required or permitted by law.
3.4 The Internet is not a 100% secure environment. We will endeavor to the best of our ability to ensure the security of any information you send to us.
3.5 In the unfortunate event of a personal information security incident, we will, in accordance with the requirements of laws and regulations, inform you of the general situation and possible impact of the security incident at the earliest opportunity, inform you of the measures we have taken or will take, and suggest actions that you can take to prevent and reduce risks on your own. We will promptly inform you of the incident-related information in one or more ways such as e-mail, telephone, etc., and when it becomes unfeasible to individually inform the subjects of personal information, we will issue an announcement in a reasonable and effective manner.
At the same time, we will also proactively report the handling of personal information security incidents in accordance with the requirements of the regulatory authorities.
4. Your Rights
In accordance with the relevant laws, regulations, and standards of the People’s Republic of China, as well as the common practices of other countries and regions, we will ensure that you may exercise the following rights with regard to your personal information:
You have the right to access, correct, delete your personal information, or withdraw the authorization of your consent, unless otherwise stipulated by relevant laws and regulations. If you wish to exercise the above rights, you may do the following: 1) log in to our App and click “Settings”; 2) click “Account Management” to access, correct or delete your personal information. However, subject to the agreements between us and your enterprise users, if an enterprise administrator sets the restriction that the end user cannot modify, delete or withdraw the consent by oneself, then your above rights shall be exercised by contacting the enterprise administrator.
Subject to the agreements between us and your enterprise users, you may cancel your account only when enterprise users confirm that you no longer use our products or services or when you cease to be employed by your enterprise; we will then stop providing services to you and delete or anonymize your personal information under the relevant accounts within a reasonable period of time.
5. How do we process the personal information of children
Our products and services are mainly aimed at enterprise users and their adult staff who are invited or requested to register as end users, and children should not create their own personal information subject accounts.
In cases where a child’s personal information is collected with parental consent, we will only use or publicly disclose this information as permitted by law, with the explicit consent of the parent or guardian, or as otherwise necessary to protect the child.
Given that local laws and customs have different definitions of children, we regard anyone under the age of 14 as a child.
If we find that we have collected a child’s personal information without prior verifiable parental consent, we will attempt to delete the relevant data as soon as possible.
6. How do we store information
We will store relevant information in an encrypted manner, and we will not provide, share, or use personal information for purposes other than functions required by SecureLink. Unless required by enterprise users, we will facilitate operations and access behaviors that do not involve personal information in accordance with the relevant agreements, or in order to comply with relevant laws and regulations.
6.1 Location of information storage
We will store the collected information in our server in mainland China.
6.2 Duration of information storage
In general, we retain your personal information only for the time necessary to implement our agreements with enterprise users or to complete corporate user instructions, such as:
a) Mobile phone number: regardless of whether the mobile phone number is entered by the enterprise administrator or bound or updated by you, if you need to use SecureLink services, we will retain a record of your mobile phone number at all times. When enterprise users no longer use SecureLink services, or when you are no longer authorized by enterprise users, we will delete the corresponding information.
b) Email address: email addresses are entered uniformly by the enterprise administrator. If you need to use SecureLink services, we will retain a record of your mobile phone number at all times. When enterprise users no longer use SecureLink services, or when you are no longer authorized by enterprise users, we will delete the corresponding information.
c) User name: user names are entered uniformly by the enterprise administrator. If you need to use SecureLink services, we will retain a record of your mobile phone number at all times. When enterprise users no longer use SecureLink services, or when you are no longer authorized by enterprise users, we will delete the corresponding information.
When our products or services cease their operations, we will notify enterprise users who are still cooperating; notifications will be made in one or more of the following manners: telephone, email or public announcement. Once we have made the notification, we will delete your personal information within a reasonable period of time.
7. How do we update this policy
Our personal information protection policy is subject to change.
Major changes in this policy include, but are not limited to:
a) Significant changes have taken place in the way we conduct our services, such as the purpose of dealing with personal information, the type of personal information processed, and the way in which personal information is used; or
b) We have experienced significant changes in ownership structure, organizational structure and so on, such as the change of ownership due to business adjustment, bankruptcy, mergers and acquisitions, etc.; or
c) Changes in the main subject of personal information sharing, transfer or public disclosure; or
d) Significant changes have taken place in your right to participate in the processing of personal information and the way it is exercised; or
e) When there is a change in the departments responsible for handling personal information security, contact information and complaint channels; or
f) When the personal information security impact assessment report indicates that there is a high risk factor.
We will also archive all existing versions of this policy for your reference.
8. How to contact us