1. POLICY INFORMATION

1.1. Organization

1.1.1. Across Media Global Limited (Trading as BiddingX), (‘ BiddingX’), a limited liability company incorporated under the laws of the Laws of the Hong Kong Special Adminstrative Region of The People's Republic of China, with its main establishment and registered office at 16/F., CentreHollywood, 151 Hollywood Road, Sheung Wan, Hong Kong, registration number 68898162, is responsible as the data controller of your personal data.

1.1.2. In addition, this Data Protection Policy (‘policy’) applies to 'BiddingX' meaning the group of undertakings comprised of 'BiddingX' as the controlling undertaking and its controlled undertakings comprised of subsidiary and affiliated enterprises and any other enterprise whether to be incorporated as the controlled undertaking or to adhere to this policy. The reference to 'BiddingX', also referred to as ‘we’ or ‘us’, may mean reference to the group of undertakings or an individual enterprise within this group being responsible as the data controller of your personal data as the case may be.

1.1.3. 'BiddingX' cooperates with service providers, such as advertisers, publishers and other partners, accounting and IT services providers, wherein within this business cooperation certain personal data could be collected, transferred and processed by such service providers. 'BiddingX' cooperates only with service providers, which are in compliance with the General Data Protection Regulation.

1.1.4. This policy applies to information we collect when you access or use BiddingX's website(s), Ad Platform, including the Ad Network, or otherwise interact with us as described below. We are compliant with applicable legislation in the countries in which we operate. By using our services or interacting with us as described below, you confirm that you are aware of this policy.

1.1.5. We may amend this policy from time to time due to change of legislation or us updating our internal policies and practices. If we make changes, we will notify you by revising the date of this policy, and in some circumstances, we may provide you with additional notice, including, for example, by adding a statement to the website(s) of 'BiddingX' or by sending you an email notification. We strongly encourage you to review the policy whenever you access or use our services to stay informed about our information practices and your privacy rights and choices.

2. INTRODUCTION

2.1. Definitions

2.1.1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘ data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2.1.2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.1.3. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

2.1.4. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

2.1.5. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

2.1.6. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

2.1.7. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

2.1.8. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

2.1.9. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

2.1.10. ‘General Data Protection Regulation’ means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

2.2. Purpose of policy

2.2.1. The purpose of this policy is to give you information about what personal data we collect and why we do it, how we collect, use and disclose that personal data, the legal grounds for processing, and your rights in respect to your personal information.

2.2.2. 'BiddingX' has adopted this policy in order to ensure the protection of your rights in relation to the processing of your personal data as your fundamental right, to further design the processing of personal data to serve both you, BiddingX's clients, workers and employees and other individuals, as well as to protect 'BiddingX'.

2.2.3. 'BiddingX' notably strives to further design this policy in order to approved it as binding corporate rules in accordance with Article 47 of the General Data Protection Regulation.

2.3. Business activities

2.3.1. 'BiddingX' provides advertising technology services to its clients. Upon opening an account at the Ad Platform connecting advertisers, publishers and other partners through the Ad Network, you provide us with Contact and Business Management Data. Clients use the Ad Platform to provide advertising to end users and we in return provide the services under our Ad Platform to help the clients to provide advertisements to end users. Thus, within its business activities 'BiddingX' processes only a very limited scope of personal data notably End User Data, wherein the majority of the information we receive when providing services to our clients is considered to be data of enterprises, notably Business Management Data.

2.4. Types of data

2.4.1. 'BiddingX' processes the following categories of personal data:

2.4.1.1. Contact Data: personal name, company name, telephone number and e-mail address, in order to respond to you when you contact us;

2.4.1.2. End User Data: data collected through interactions of end users with advertisements generated using BiddingX's services on behalf of our clients, which may be advertisers or publishers, including internet protocol numbers automatically provided to us when the end user posts information through social media sites, plug-ins or other applications depending upon your privacy settings, geolocation information (generally an end user's latitude and longitude data) for determining geotargeting, cookies on geolocation and frequency for providing advertisements, all in order for us to perform business;

2.4.1.3. Business Management Data: personal name of employee or worker of the client (enterprise), company name, address, e-mail address, telephone and fax number, the client's payment details such as bank account number and type of banc account, registration and tax number, information on the profit, submitted using special payment application filled out by the client, all in order to provide services and further our business interests. 'BiddingX' uses this information to process payments. Where 'BiddingX' uses third-party service providers to manage credit card processing, such personal data are being obtained from the payment service providers.

2.4.1.4. Human Resource Data: personal data of our employees and workers including information about employee's work permit, employment contract and its termination, labour costs, data on salaries and compensations charged to the employer and data on other labour costs and information on statutory social security contributions for an individual worker, information on the use of working time, medical examinations, health checks of individual groups of workers, completed training for safe work and tests of the workers qualifications, accidents at work, collective casualties, dangerous occurrences, established occupational diseases and work-related illnesses and their causes, all in order to comply with statutory provisions and to the extent as permitted by law;

2.4.1.5. Candidate Management Data: personal data of candidates for employment, namely personal name, date of birth, place and the country of birth, address of permanent or temporary residence, actual and required education, work experience, diploma certificate and various other certificates that are attached them to the application (certificate of foreign language knowledge, statement on impunity, recommendations) or other details you provide to us contained in letters of application and résumés, all in order to process your application for employment with us and comply with statutory provisions;

2.4.1.6. Information on Management of Premises: personal data of individuals maintained regarding entries and exits from the premises, namely the personal name, number and type of personal document, address of residence, employment, type and registration number of the vehicle and date, time and reason for entry to or exit from the premises, all in order to ensure the safety of people and property in our business premise;

2.4.1.7. Sensitive Information: information of employees and workers in relation to medical examination with an assessment of the worker's compliance with specific health requirements for a particular work in the workplace, health checks of individual groups of workers with a list of examined workers and an assessment of the fulfilment of specific health requirements for a particular work in the work environment, health status of a group of examined workers, established occupational diseases, sickness-related illnesses or suspicion of an occupational disease, information on the fact and level of intoxication, information whether the worker was under the influence of illicit drugs and other psychoactive substances or not in case testing for illicit drugs and other psychoactive substances, accidents at work, collective casualties, dangerous occurrences, established occupational diseases and work-related illnesses and their causes; all only in order for us to comply with regulatory statutory provisions and to the extent as permitted by law;

2.4.1.8. We ask that you avoid submitting us special categories of personal data including sensitive information and data concerning health, unless such information is legally required and/or the 'BiddingX' requests you to submit such information.

2.4.1.9. 'BiddingX' has adopted every reasonable step to ensure that personal data are accurate and kept up to date, as well as that inaccurate personal data are erased or rectified without delay, however, it cannot assume liability should your information provided to us not be true, incomplete and/or misleading. For incorrect information, please send an email to info@biddingx.com

2.5. Legal basis for processing

2.5.1. 'BiddingX' processes personal data only, if permitted to do so by the General Data Protection Regulation.

2.5.2. Most commonly, 'BiddingX' processes personal data about you because the processing is necessary for compliance with a legal obligation to which 'BiddingX' is subject. Special categories of personal data are processed only on this legal basis and 'BiddingX' does not process any such data on any other legal basis. Processing of Human Resource Data including Sensitive Information is almost entirely subject to this legal basis.

2.5.3. Furthermore, 'BiddingX' processes some personal data where processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract. Most of the processing employment and work contracts (Human Resource Data), as well as Candidate Management Data is carried out on this legal basis.

2.5.4. Moreover, we process some personal data where this is necessary for the legitimate interests pursued by 'BiddingX' (or by a third party) and your interests and fundamental rights do not override these interests. For example, 'BiddingX' has a legitimate interest in the processing and transfer of personal data within its group of undertakings for internal business purposes, including centralisation of data processing activities, to design lawfully efficient and workable business processes, to allow cross border teams to work together and to make business processes more efficient and cost effective. Moreover, 'BiddingX' automatically receives your internet protocol number we rely on our legitimate interest by geotargeting advertisements to end users, which is beneficial to the user as an integral part of the social media site, plug-in or other application the user has consented to use.

2.5.5. 'BiddingX' may also process your personal data when you have given consent to the processing of your personal data for one or more specific purposes. 'BiddingX' has strived and continues to endeavour to obtain consents, which are given freely, specific, informed and present an unambiguous indication of your wishes by a statement or by a clear affirmative action, signifying agreement to the processing of your personal data.

2.5.6. Where 'BiddingX' relies on your consent to process personal data, you have the right to withdraw or decline your consent at any time and where we rely on legitimate interests, you have the right to object. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

2.6. Use of data

2.6.1. We process your data for the following purposes:

2.6.1.1. Managing of workforce notably with respect to Human Resource Data, Candidate Management Data and Sensitive Information;

2.6.1.2. Communications: enabling response and facilitating communication with you regarding Contact Data;

2.6.1.3. Complying with legal requirements, such as record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal rules, policies and procedures.

2.6.1.4. Services: 'BiddingX' processes Business Management and End User Data in order to provide services to clients.

2.6.2. There may be more than one purpose that justifies our use of your personal data in any particular circumstance.

2.6.3. We shall only use your personal data for the purposes for which we collected it. Should we reasonably require to use your personal data for an unrelated purpose, we will notify you thereof and explain the legal obligation or that such processing is compatible with the original purpose, which allows us to use it for another reason. If your consent was granted for a specific purpose, which may contain one or more processing activities, we shall not process your personal data for another purpose other than the purpose for which it was originally collected. Where we intend to perform processing for another purpose on the basis of your initial consent, we shall process your personal data only on the basis of a new consent.

2.6.4. Managing of workforce and complying

2.6.4.1. 'BiddingX' manages your Business Management, Human Resource, Candidate Management Data and Sensitive Information within its customer relations management software. The software is designed on a need-to-know basis. Furthermore, our internal privacy and security rules are communicated to all of our employees and workers, instructing them to process personal data in accordance with the respective legislation, internal rules and under highest security processing standards when managing workforce or complying with statutory provisions.

2.6.5. Services:

2.6.5.1. 'BiddingX' uses your data to operate lawfully, effectively and provide the best experience with our services.

2.6.5.2. We use your data to enable access to the AdPlatform, to provide customer, technical, and operational support, to manage your account(s), to send you technical notices, updates, security alerts and support and administrative messages and to resolve disputes and enforcing of our rights, to detect and protect against errors, fraud, or other criminal or illegal activities and to enforce our client agreements. This may also include analysing, customizing, and improving the AdPlatform, to provide information and analytics to clients about the use of the AdPlatform, to help our clients to create or enhance their services with respect to marketing or analytics.

2.6.5.3. You may access to the AdPlatform by submitting the identification form (Join us form), wherein for certain services it is necessary to create a user account, enabling the user to use certain applications. In these cases, you are required to submit data including Business Management Data. This information is needed to provide services to clients, including access to the application, display of customized content and advertising, communications, transfer of profit deriving from digital advertising, ensuring the technical functioning of the network, research and analysis in order to maintain and protect our services.

2.6.5.4. We also use your data to create interferences about end users geographically categorized in order to enable the enterprises within 'BiddingX' to help clients place advertisement in the respective geographical region. For example, if the End User Data indicates that an end user is located in a certain geographical region or country, the Ad Platform enables the client to place advertisements in such region or country. After this process is done, the internet protocol number of the end user is anonymized in order to prevent enterprises within 'BiddingX' from other regions or countries, clients and third parties to access or retrieve the internet protocol number of the end user. This process also includes anonymizing internet protocol numbers for statistical purposes.

2.6.5.5. We may also use your data when the Ad Platform interferes with social media sites, plug-ins or other applications provided by advertisers, publishers or other partners. For example, if a worker or an employee of a client intends to advertise on Facebook through the Ad Platform, it has to link its personal Facebook account with the Ad Platform, considering that Facebook does not enable corporate Facebook accounts. After the connection is established, we save his personal name, Facebook identification number and a list of all Facebook advertisement accounts such individual has access to, which we consider Business Management Data since it the individual has opened the Ad Platform account for the client (enterprise), in order for us to invoice the services provided by the Ad Platform. If the individual then revokes his Ad Platform through its Facebook account, we still store his data necessary until the agreement with our client is fulfilled.

2.6.6. Cookies

2.6.6.1. When an end user visits a website or views an advertisement linked to the Ad Platform we may deploy online cookies to end users in order to better or more accurately target relevant advertisements to end users with respect to its geolocation and frequency of the advertisements. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. They are typically stored on your computer's hard drive.

2.6.6.2. Cookies include such strictly necessary for the normal website functions, which cannot be switched off because the website wouldn't work properly anymore nor do they store any personal data.

2.6.6.3. In order to deliver as relevant advertisements as feasible, 'BiddingX' collects data across its Ad Network. This enables it to identify likely consumer interest segments. All the data, however, is on completely aggregate basis. We use cookies to improve the quality of our services by storing user preferences and tracking users trends, thus providing the most relevant advertisements. Cookies are also used to help advertisers and publishers serve and manage advertisements across the web. We use Google Analytics cookies that enable us to improve user experience on our websites. They help us understand how our users use the website and decide on the functional and material adjustments in order to show as much useful content as possible.

2.6.6.4. You are free to decline most of our cookies if your browser or browser add-on permits it but choosing to remove or disable our cookies may interfere with your use and functionality of BiddingX's services. You may amend our cookies settings by clicking on the following link: Cookies Setting[Pop-up window of the cookies & disable setting]

2.6.6.5. You may delete other cookies as follows:

2.6.6.5.1. Google Chrome – After clicking on the menu icon navigate to settings. On the bottom of the page, expand the settings by clicking on ‘Advanced’. In the ‘Privacy and Security’ panel click on ‘Content settings’ and then ‘Cookies’. You can also type chrome://settings/content/cookies in the browsers address bar;

2.6.6.5.2. Mozilla Firefox – click on the ‘Menu’ hamburger icon and navigate to preferences. In the ‘Privacy & Security’ tab head to the history section and click on the ‘remove individual cookies’ link

2.6.6.5.3. Safari – in the ‘Privacy’ menu navigation item, there is an option to ‘Block all cookies’ and to remove them all. You can also click ‘Details’ to remove individual cookies

2.6.6.5.4. Edge – Click on the 3 dot icon and select ‘Settings’. Select the arrow keys next to the ‘Advanced settings’ on the top side. You will see an option ‘clear browsing data’ with which you can clear cookies.

2.6.7. Communications:

2.6.7.1. We use your Contact Data primarily to respond to you when you have contacted us.

2.6.7.2. In addition, we may use your Contact Data and/or Business Management Data in order to send you promotional communications or newsletters from us through e-mails where you have given consent. You may choose to sign-up for marketing or other communications from 'BiddingX' on our website.

2.6.7.3. You may opt out of receiving promotional communications and/or newsletters from us by following the instructions in those communications (unsubscribe button at the bottom of each email). If you opt out of receiving promotional communications and/or newsletters, we may still send you transactional or relationship messages, such as those about your account or our ongoing business relations for as long as the business relationship exists.

2.6.7.4. In case of performing direct marketing upon the first communication at latest, we shall communicate to you our identity and contact details and the details of our data protection officer, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, categories of personal data, the recipients or categories of recipients of the personal data and other information provided in Article 14 of the General Data Protection Regulation. If we shall process personal data for direct marketing purposes, we shall do so in accordance with Article 21 of the General Data Protection Regulation, wherein you may exercise your rights to rectification, to object and to request from us to permanently or temporarily cease to use or otherwise process your personal data for the purpose of direct marketing. We shall not disclose this personal data to other users.

2.7. Disclosure of data

2.7.1. For the provision of our services, we share personal data with the following unaffiliated third person:

2.7.1.1. Program integrations with Sunteng HongKong Holdings Ltd, eDM Solution provider, Google Analystics and Google Adwords (Read more: http://www.google.com/privacy.html ) for campaign settings, advertisement group targeting settings available on the respective program integration and for tracking, analysis, advertisements;

2.7.1.2. Social integrations with Linkedin for campaign settings, advertisement group targeting settings for advertisements, and campaign statistics import at present;

2.7.1.3. Other service providers, such as advertisers, publishers and other partners, accounting and IT services providers;

2.7.1.4. Public and Governmental Authorities: entities that regulate or have jurisdiction over 'BiddingX' such as regulatory authorities, public bodies, and judicial bodies, including to meet national security or law enforcement requirements.

2.8. Transfer of personal data

2.8.1. For the purposes explained in this policy, 'BiddingX' may transfer personal data to a third country or an international organization in case of an adequate decision in accordance with Article 45(1) of the General Data Protection Regulation, without a special permit. In the absence of an adequate decision, the Company shall provide appropriate safeguards in accordance with Article 46 of the General Data Protection Regulation. In the absence of an adequacy decision pursuant to Article 45(3) of the General Data Protection Regulation or of appropriate safeguards pursuant to Article 46 of the General Data Protection Regulation, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only on one of the conditions in Article 49(1) of the General data Protection Regulation.

2.9. Data retention

2.9.1. Generally, we retain personal data for as long as necessary to fulfil purposes described in this policy subject to our own legal and regulatory obligations.

2.9.2. Our employees and workers processing personal data are instructed to verify the respective national statutory provisions regarding data retention when processing data.

2.9.3. When personal data is no longer needed, we either irreversibly anonymize the data (and we may further retain and use the anonymized information) or securely destroy the data.

2.10. Your rights

2.10.1. 'BiddingX' enables you to exercise the following rights as determined under the General Data Protection Law and respective national jurisdiction:

2.10.1.1. Right to access: you may obtain confirmation from 'BiddingX' to whether or not your personal data are being processed, and where that is the case, access to personal data and information;

2.10.1.2. Right to correct: you may request from 'BiddingX' to rectify inaccurate personal data concerning and incomplete personal data completed;

2.10.1.3. Right to erasure: you may obtain erasure of your personal data that we hold as a data controller;

2.10.1.4. Right to restriction of processing: you may obtain from 'BiddingX' the restriction of processing;

2.10.1.5. Right of information: we shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform you about those recipients if you request it.

2.10.1.6. Right to data portability: you may request from 'BiddingX' to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and may also request us to transmit those data to another controller without our hindrance;

2.10.1.7. Right to object: you may object, on grounds relating to your particular situation, at any time to processing of personal data concerning based on our legitimate interests. In this case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of our legal claims;

2.10.1.8. Right to object to direct marketing: you may object at any time to processing of personal data concerning you for marketing purposes. Should you object to processing for direct marketing purposes, we shall no longer process your personal data for such purposes;

2.10.1.9. We guarantee your right not to be subject to a decision based solely on automated processing ;

2.10.1.10. Right to be informed of a breach: we shall notify you that there has been a breach of the protection of your personal data where the infringement of the protection of personal data is likely to pose a high risk to your rights and freedoms;

2.10.1.11. Right to file a complaint: You have the right to lodge a complaint with a supervisory authority. However, we hope that you will first consult with us, so that we may work with you to resolve any complaint or concern you might have.

2.10.2. Amendment for Subject Access Request Under GDPR, you have the right to request sight of any personal data that is held about you, which is provided for free, and within 30 days of the request. The number of similar Subject Access Requests (SARs) made free of charge is a maximum of 2 per calendar year for the same individual. For additional SARs there is a processing fee of $100.

2.10.3. You may exercise the abovementioned rights through: info@biddingx.com. You may also contact this e-mail to obtain details of the supervisory authorities of the respective 'BiddingX' enterprise or to be directed to the respective privacy officer of the 'BiddingX' group enterprise.

2.11. Security

2.11.1. We have implemented reasonable and effective technical and organizational measures and procedures designed to implement data-protection principles, such as data minimization, and integrated necessary safeguards into the processing in order to meet the requirements of the General Data Protection Regulations.

2.11.2. We protect your information by using reasonable physical, technical and administrative security measures, including limiting access to your information to employees and workers on a need-to-know basis. To make sure your personal data is secured, we communicate our internal privacy and security rules to all of our employees and workers, strictly enforce privacy safeguards within 'BiddingX' and have also designed our internal software in order to meet our high security processing standards.

2.11.3. We advise you to protect your Ad Platform account details including your username and password and not to share this information with any other individual.

2.12. Contact

2.12.1. Should you have any questions or concerns regarding this policy, our use of cookies, or our policies regarding the collection, use, processing, retention and/or disclosure of your personal data, you may contact us or our privacy officer as indicated below:

BiddingX, owned by Across Media Global Limited

Address: 16/F., CentreHollywood, 151 Hollywood Road, Sheung Wan, Hong Kong

Privacy Officer: Zhifeng Mi

E-Mail: info@biddingx.com

Telephone: +852-5808 0004