Privacy Policy · 隐私政策

The English version and the Chinese version (中文版) of this document are provided below. 本文档同时提供英文版与中文版，内容见下方。

---

English

Effective Date: June 2, 2026 | Last Updated: June 2, 2026 | Version: 1.0

Important Notice

Please read this Privacy Policy carefully before using CCNeed services. By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please stop using our services immediately.

1. Scope and Application

This Privacy Policy applies to all products and services provided by CCNeed globally, including but not limited to the CCNeed website, web application, mobile application (if any), APIs, and any other services we offer (collectively, the "Services"). This Privacy Policy does NOT apply to third-party websites, platforms, or services linked from our platform.

2. Data Controller Information

The data controller responsible for your personal information is:

Company Name: Yuanjian Zhuoshi (Shanghai) Intelligent Technology Co., Ltd.

Registered Address: No. 1528 Gumei Road, Xuhui District, Shanghai, China

Contact Email: privacy@ccneed.ai

3. Definitions

• "Personal Information": Information identifying a specific natural person, alone or in combination with other data, including but not limited to name, email address, phone number, IP address, and device identifiers.
• "UGC Data" (User-Generated Content Data): Publicly available content posted by users on third-party social media platforms, including but not limited to text, images, comments, reviews, and engagement metrics.
• "Processed Data / Insights": AI-generated reports, analyses, summaries, and insights derived from aggregated and anonymized UGC Data.
• "Account Information": Registration data including email, company name, job title, and payment details.
• "Sensitive Personal Information": Biometric data, religious beliefs, financial account information, precise geolocation, health data, and personal information of minors under 14 (per China’s PIPL) or 16 (per GDPR).
• "Anonymization": Irreversible de-identification so no individual can be identified. Anonymized data is no longer personal information under PIPL Article 4 and GDPR Recital 26.
• "De-identification": Removing or masking identifiers from personal information, which may be reversible under certain conditions.
• "Data Processor": A third party that processes personal information on our behalf and under our instructions.
• "Separate Consent": A specific, standalone consent obtained separately from the general terms acceptance, as required by China’s PIPL for certain processing activities.

4. Information We Collect

4.1 Information You Provide Directly

• Account registration: email address, username, password (encrypted), company/organization name, job title, industry
• Payment and billing: processed through PCI-DSS compliant third-party processors; we do NOT store your full credit card number
• Configuration data: search keywords, topics, questions, and parameters for social media monitoring
• Communication records: chat logs and email correspondence with our support team
• Feedback and survey responses
• Identity verification documents (if required for enterprise accounts or by applicable law)

4.2 Information Collected Automatically

• Device information: device type, operating system, browser type and version, screen resolution, unique device identifiers (IDFA/GAID)
• Log data: IP address, access times, pages viewed, referring/exit URLs, clickstream data
• Usage data: features used, interaction patterns, session duration, frequency of use
• Approximate geolocation derived from IP address (city/region level only)
• Cookies, SDKs, and similar tracking technologies (see Section 12)

4.3 Publicly Available UGC Data from Third-Party Platforms

IMPORTANT DISCLOSURE: CCNeed collects publicly available User-Generated Content from various social media platforms worldwide through official APIs and publicly accessible web pages, in accordance with each platform’s Terms of Service. This UGC Data may include:

• Publicly posted text content, comments, reviews, and discussions
• Public usernames, handles, and display names (NOT private profile information)
• Publicly visible engagement metrics (likes, shares, reposts, comment counts)
• Publicly shared media content metadata
• Publicly available posting timestamps and platform source identifiers

Important: The UGC Data we collect is publicly available third-party platform data. Raw data does not belong to our users and cannot be downloaded or exported by users. We only perform lawful aggregated analysis and anonymization processing to generate market insight reports. We do not use UGC Data to identify, contact, or profile any individual social media user.

4.3.1 Legal Basis for UGC Data Collection

• Legitimate interest (GDPR Art. 6(1)(f)): We have a legitimate business interest in collecting publicly available data for market research. We conduct Legitimate Interest Assessments (LIAs).
• Public interest in research (GDPR Art. 6(1)(e) / Art. 89): Our processing serves market research and statistical purposes in the public interest.
• Publicly available information (China’s PIPL Art. 13(6) / Art. 27): We may process personal information that individuals have voluntarily made public, within a reasonable scope.
• We comply with CNIL’s guidance (June 2025) on web scraping and data collection, including respecting robots.txt protocols and platform Terms of Service.
• We adhere to the Joint Statement by Global Data Protection Authorities on scraping of publicly available personal data.

4.3.2 Facial and Biometric Information

We do NOT use facial recognition technology, biometric identification, or any technology designed to identify individuals from images or videos within UGC Data. If we become aware that any UGC Data contains biometric information, we will promptly delete or anonymize it.

4.4 Information Received from Third Parties

• Single Sign-On (SSO) providers: name, email address, and profile picture as authorized by you
• Business partners and resellers: contact information if you access our services through a partner
• Publicly available business information for B2B marketing purposes

4.5 Information We Do NOT Collect

We do NOT knowingly collect:

• Private or non-public social media content (restricted posts, private messages, etc.)
• Biometric data (fingerprints, facial recognition data, voiceprints)
• Health or medical information
• Government-issued identification numbers (except where required by law)
• Precise geolocation data (GPS coordinates) without your explicit consent
• Information about racial or ethnic origin, political opinions, religious beliefs, or trade union membership from UGC Data for profiling purposes
• Financial information (bank account numbers, credit card details); payment processing is handled entirely by third-party processors

5. How We Use Your Information

5.1 Purposes of Use

• Providing, maintaining, and improving our services, including AI Agent functionality and report generation
• Processing your configurations and generating AI-driven market research reports and consumer insights
• Managing your account, processing payments, and sending transactional communications
• Communicating about service updates, security alerts, and technical support
• Analyzing usage patterns and conducting internal research to improve user experience
• Complying with legal obligations, including responding to lawful requests from government authorities
• Preventing fraud, abuse, unauthorized access, and ensuring platform security
• Enforcing our Terms of Service and other agreements
• Sending marketing communications (only with your prior consent where required by law; you may opt out at any time)

5.2 Legal Basis for Processing

• Performance of contract (GDPR Art. 6(1)(b)): processing necessary to provide our services under our Terms of Service
• Legitimate interest (GDPR Art. 6(1)(f) / PIPL Art. 13(2)): improving services, fraud prevention, business analytics, network security. We conduct balancing tests.
• Consent (GDPR Art. 6(1)(a) / PIPL Art. 13(1)): marketing communications, non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation (GDPR Art. 6(1)(c) / PIPL Art. 13(3)): tax, anti-money laundering, and data retention requirements
• Public interest (GDPR Art. 6(1)(e)): scientific or historical research purposes

5.3 UGC Data Processing Purposes

• Generating aggregated, anonymized market research insights, trends, and sentiment analysis
• Building and maintaining AI knowledge bases for market intelligence
• Improving the accuracy and quality of our AI models and algorithms

We do NOT use UGC Data to: identify, contact, or profile individuals; make automated decisions about individuals; sell or license raw UGC Data to third parties; or conduct surveillance of any kind.

5.4 Automated Decision-Making and Profiling

We do NOT engage in automated decision-making that produces legal effects or similarly significant effects on individuals. If we introduce any such features, we will provide notice, meaningful information about the logic involved, the right to obtain human intervention, and the right to contest the decision, as required by GDPR Article 22 and China’s PIPL Article 24.

5.5 Use of Data for AI Model Training

We may use aggregated and anonymized data (NOT your identifiable personal information) to train and improve our AI models. If we wish to use any identifiable personal information for AI model training, we will obtain your explicit, separate consent in advance.

5.6 Scenarios Requiring Separate Consent (China’s PIPL)

Under China’s Personal Information Protection Law, we will obtain your separate consent in the following scenarios:

• Processing your sensitive personal information (PIPL Art. 29)
• Providing your personal information to third parties (PIPL Art. 23)
• Transferring your personal information across borders (PIPL Art. 39)
• Making your personal information publicly available (PIPL Art. 25)
• Using automated decision-making that has a significant impact on your rights (PIPL Art. 24)
• Using identifiable personal information for AI model training

In each case, we will present a clear, standalone consent mechanism separate from the general terms acceptance, ensuring your consent is freely given, specific, informed, and unambiguous.

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following limited circumstances:

• Service Providers / Data Processors: We engage trusted third-party service providers who process data on our behalf, bound by data processing agreements (DPAs).
• Affiliated Companies: We may share information with affiliates and subsidiaries, subject to the same level of protection.
• Legal Requirements: We may disclose information when required by law, regulation, legal process, or enforceable governmental request. We will make reasonable efforts to notify you unless prohibited by law.
• Protection of Rights: We may disclose information in good faith to protect our rights, your safety, the safety of others, to investigate fraud, or to respond to government requests.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or asset sale, your information may be transferred. We will notify you.
• With Your Consent: For other purposes with your explicit, informed consent.

CRITICAL: Raw UGC Data is NOT shared with, transferred to, or made downloadable by our users. Users only receive AI-generated insights from anonymized, aggregated analysis. We do not sell, rent, or license raw UGC Data to any third party.

6.1 Categories of Third-Party Processors

• Cloud Infrastructure: [e.g., AWS / Google Cloud / Azure]
• Payment Processing: [e.g., Stripe / PayPal]
• Analytics: [e.g., Google Analytics / Mixpanel] (anonymized)
• Customer Support: [e.g., Intercom / Zendesk]
• Email Services: [e.g., SendGrid / Mailchimp]
• AI Model Providers: [e.g., OpenAI / Anthropic] (where applicable, subject to DPAs)
• Error Monitoring: [e.g., Sentry] for crash reporting and debugging

A current list of our sub-processors is available upon request at privacy@ccneed.ai. We will notify you at least [30 days] in advance of any material changes to our sub-processor list.

6.2 Our Obligations as Data Processor

With respect to UGC Data that may contain personal information of social media users, we act as an independent data controller. With respect to our users’ Account Information and Configuration data, we process such data based on our contractual relationship with you. In all cases, we:

• Process personal information strictly in accordance with the purposes stated in this Privacy Policy
• Implement appropriate technical and organizational security measures
• Ensure that authorized personnel are bound by confidentiality obligations
• Assist with data subject rights requests
• Delete or return personal information upon termination of the processing purpose (subject to legal retention requirements)
• Make available all information necessary to demonstrate compliance
• Require our sub-processors to meet the same obligations

7. Cross-Border Data Transfer

Your information may be transferred to, stored in, and processed in countries or regions outside of your country of residence. We ensure compliance through the following mechanisms:

7.1 EEA / UK Transfers

• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
• UK International Data Transfer Agreements (IDTAs) or UK Addendum to EU SCCs
• Adequacy decisions where applicable
• Supplementary measures (encryption, access controls, pseudonymization) per EDPB recommendations

7.2 China (PRC) Cross-Border Transfers

In compliance with China’s PIPL (Chapter III), Data Security Law, and Cybersecurity Law:

• We will fulfill notification obligations and obtain your separate consent before transferring personal information overseas
• We will conduct Personal Information Protection Impact Assessments (PIAs)
• We will follow the pathways prescribed by the Cyberspace Administration of China: security assessment, standard contract filing, or personal information protection certification (effective January 1, 2026)
• We will sign data processing agreements with overseas recipients specifying the rights and obligations of both parties
• We will periodically review the data protection capabilities of overseas recipients

7.2.1 Necessity of Cross-Border Transfer

Our cross-border data transfers are necessary for the following reasons:

• Global social media data collection requires access to platforms via overseas servers and APIs
• Use of overseas cloud service providers for stable, high-performance infrastructure
• Use of overseas AI model providers for core AI analysis capabilities
• Providing a consistent service experience to global users

We will only transfer the minimum data necessary for the stated purposes and will ensure appropriate safeguards are in place.

7.3 Data Localization

Where required by applicable law, including China’s Data Security Law and Cybersecurity Law, we will store important data and personal information collected during operations within that jurisdiction locally. Cross-border transfers, if necessary, will follow the mechanisms described in Section 7.2.

7.4 Other Jurisdictions

• CCPA/CPRA (California, USA), LGPD (Brazil), PIPA (South Korea), PDPA (Singapore/Thailand), APPI (Japan)

8. Data Retention

We retain your personal information only for as long as necessary. Specific retention periods:

• Account Information: active account plus [3 years] after deletion for legal, tax, and audit obligations
• Payment Records: [7 years] per tax and financial regulations
• UGC Data: retained for ongoing analysis services; periodically refreshed and purged per lifecycle policies
• Processed Insights / Reports: subscription duration plus up to [1 year] after termination
• Log Data: up to [12 months] for security, debugging, and analytics
• Communication Records: [3 years] after last communication
• Cookie Data: per specific cookie expiration period (see Section 12)

When data is no longer necessary, we will securely delete or irreversibly anonymize it using industry-standard methods.

8.1 Mandatory Deletion Triggers

Under China’s PIPL Article 47, we will proactively delete your personal information in the following circumstances:

• The processing purpose has been achieved, cannot be achieved, or is no longer necessary
• You withdraw consent and there is no other lawful basis for processing
• You successfully exercise your right to object or right to deletion
• We process personal information in violation of laws, regulations, or our agreement with you
• The service period has expired or the service has been terminated
• Other circumstances prescribed by laws or regulations

Where deletion is technically difficult, we will cease all processing except storage and implement necessary security measures until deletion is feasible.

9. Data Security

We implement comprehensive technical and organizational measures to protect your information:

• Encryption: AES-256 for data at rest; TLS 1.2+ for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege
• Infrastructure Security: SOC 2 Type II / ISO 27001 certified cloud hosting, network segmentation, intrusion detection systems
• Regular Assessments: periodic security audits, penetration testing, and vulnerability scanning
• Employee Training: mandatory annual security and privacy training for all employees
• Incident Response: documented incident response plan with defined escalation procedures
• Data Minimization: collection and retention of only the minimum data necessary

9.1 China Multi-Level Protection Scheme (MLPS 2.0)

In accordance with China’s Cybersecurity Law and the Multi-Level Protection Scheme (MLPS 2.0, GB/T 22239-2019), we have completed the required security classification, filing, and assessment to ensure our information systems comply with China’s cybersecurity graded protection requirements.

9.2 Data Breach Notification

In the event of a personal data breach:

• We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
• We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights (GDPR Art. 34)
• We will comply with China’s Cybersecurity Incident Reporting Measures (effective November 1, 2025)
• We will document all breaches including facts, effects, and remedial actions taken

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

10.1 Rights Under GDPR (EU/EEA/UK Users)

• Right of access (Art. 15), Right to rectification (Art. 16), Right to erasure (Art. 17), Right to restrict processing (Art. 18)
• Right to data portability (Art. 20), Right to object (Art. 21), Right to withdraw consent (Art. 7(3))
• Right not to be subject to automated decision-making (Art. 22)
• Right to lodge a complaint with a supervisory authority (Art. 77)

10.2 Rights Under China’s PIPL

Under PIPL Chapter IV, you have the right to: be informed, make decisions, access, copy, correct, supplement, delete, port your data, request explanations of processing rules, and withdraw consent. The close relatives of a deceased individual may exercise these rights in accordance with law.

10.3 Rights Under CCPA/CPRA (California Residents)

• Right to know, right to delete, right to correct, right to opt out of sale or sharing, right to limit use of sensitive personal information, right to non-discrimination

10.3.1 California “Do Not Sell or Share”

We do NOT sell or share your personal information as defined by the CCPA/CPRA. We provide a "Do Not Sell or Share My Personal Information" link on our website footer. California residents may submit requests through this link or by emailing privacy@ccneed.ai.

10.4 Rights of Social Media Users Whose UGC Data We Process

If you are a social media user whose publicly available content has been collected by our platform, you have the right to request information about whether we hold your data, request deletion or anonymization, or object to processing. Contact privacy@ccneed.ai with sufficient identifying information.

10.5 How to Exercise Your Rights

Contact us at privacy@ccneed.ai. We will:

• Acknowledge your request within [3 business days]
• Respond substantively within [15 business days] for China / [30 calendar days] for GDPR / [45 calendar days] for CCPA
• Provide responses free of charge unless requests are manifestly unfounded or excessive
• Notify you if we need additional time (with reasons), up to an additional [15/30 days] as permitted by law

10.6 Identity Verification for Rights Requests

To protect your privacy, we may verify your identity before processing rights requests through: (a) confirming account credentials; (b) matching information with our records; or (c) requesting additional documentation. Information collected for verification will not be used for any other purpose.

10.7 Authorized Agents (CCPA)

California residents may designate an authorized agent to submit rights requests on their behalf. Authorized agents must provide: (a) written authorization signed by the consumer; or (b) a power of attorney. We may still require the consumer to verify their identity directly.

11. Complaints and Dispute Resolution

If you are not satisfied with our response to your privacy request, you may:

• Lodge a complaint with your local Data Protection Authority (for EU/EEA/UK users)
• File a complaint with the Cyberspace Administration of China or local consumer protection organizations (for China users)
• Contact the California Attorney General’s Office (for California residents)

We are committed to resolving privacy complaints promptly and fairly. Internal complaints will be acknowledged within [3 business days] and resolved within [15 business days].

12. Cookies, SDKs, and Tracking Technologies

12.1 Technologies We Use

• Cookies: small text files stored on your browser
• Web Beacons / Pixel Tags: small transparent images embedded in pages or emails to track engagement
• Software Development Kits (SDKs): third-party SDKs for analytics, crash reporting, or functionality
• Local Storage: HTML5 local storage for session persistence and preferences

12.1.1 Specific Third-Party SDK Disclosure

We embed the following third-party SDKs/tools (subject to updates):

• [Google Analytics]: usage analytics and visitor behavior tracking (anonymized IP enabled)
• [Sentry]: error monitoring and crash reporting
• [Stripe SDK / PayPal SDK]: payment processing
• [Intercom / Zendesk]: customer support chat widget
• [SendGrid / Mailchimp]: transactional and marketing email delivery

Each SDK processes data per its provider’s privacy policy and our DPA. A complete list is available at privacy@ccneed.ai.

12.2 Cookie Categories

• Strictly Necessary: session management, security, load balancing. Cannot be disabled.
• Functional: language, region, display preferences.
• Analytics: usage analytics (e.g., Google Analytics). Consent required.
• Marketing: advertising and campaign tracking. Explicit consent required.

12.3 Your Choices

For EU/EEA/UK users, we will present a cookie consent banner upon your first visit. You may adjust preferences at any time through the cookie settings on our website or your browser settings. Disabling certain cookies may affect service functionality.

12.4 Do Not Track (DNT) and Global Privacy Control (GPC)

We do not currently respond to DNT signals. For California users, we honor the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA.

13. Children’s Privacy

Our services are intended for business use by adults and are not directed at individuals under the age of 18. Specifically:

• China: We do not knowingly collect personal information from individuals under 14 years old. If processing is necessary, we will obtain consent from their guardians per PIPL and the Regulations on the Protection of Minors in Cyberspace.
• EU/EEA: We do not knowingly collect personal information from individuals under 16 years old (or the age set by individual EU member states, which may be as low as 13).
• USA: We comply with the Children’s Online Privacy Protection Act (COPPA) and do not knowingly collect information from children under 13.

If we discover that we have inadvertently collected personal information from a minor without appropriate consent, we will promptly delete it and notify the relevant authorities if required by law.

14. Personal Information Protection Impact Assessment

In compliance with China’s PIPL Article 55 and GDPR Article 35, we conduct impact assessments before processing sensitive personal information, engaging in automated decision-making, entrusting processing to third parties, transferring personal information overseas, making personal information publicly available, or undertaking other processing activities that may have a significant impact on individual rights.

15. Compliance Audit

In accordance with the PIPL Compliance Audit Measures (effective May 1, 2025), we conduct periodic compliance audits of our personal information processing activities. Audit results are reported to relevant regulatory authorities as required.

16. Third-Party Links and Services

Our platform may contain links to third-party websites, plugins, or services that are not operated by us. We are not responsible for their content, privacy policies, or practices. The inclusion of a link does not imply our endorsement.

17. Changes to This Privacy Policy

We will notify you of any material changes by: posting the updated policy on our website, sending an email notification, and displaying a prominent platform notice. We will provide at least 30 days’ notice before material changes take effect. Where required by applicable law (including China’s PIPL), we will re-obtain your consent.

18. Contact Us

General Privacy Inquiries: privacy@ccneed.ai

Mailing Address: No. 1528 Gumei Road, Xuhui District, Shanghai, China

EU DPA directory: https://edpb.europa.eu/about-edpb/about-edpb/members_en

UK ICO: https://ico.org.uk

19. Governing Law

This Privacy Policy is governed by the laws of People's Republic of China; disputes submitted to the China International Economic and Trade Arbitration Commission (CIETAC). Nothing in this policy limits your rights under the GDPR (for EU/EEA users), UK GDPR (for UK users), or China’s PIPL, Data Security Law, Cybersecurity Law and all implementing regulations (for China users).

20. Supplementary Provisions

• Severability: If any provision is found invalid, the remaining provisions remain in full force and effect.
• Headings are for convenience only and shall not affect interpretation.
• This Privacy Policy is provided in English. A Chinese language version is also available. In the event of any conflict, the English version shall prevail except where local law requires otherwise.
• This Privacy Policy, together with the Terms of Service and any supplementary agreements, constitutes the complete privacy agreement between you and CCNeed.
• This Privacy Policy does not create any third-party beneficiary rights.
• Anonymized data (per PIPL Art. 4 / GDPR Recital 26) is no longer personal information and falls outside the scope of this Privacy Policy.
• We will publish annual privacy metrics (number of rights requests received, processed, and average response time) as required by applicable law, including CCPA.

---

中文

生效日期：2026-06-02 | 最后更新：2026-06-02 | 版本：1.0

重要提示

请在使用 CCNeed 服务之前仔细阅读本隐私政策。通过访问或使用我们的服务，您确认已阅读、理解并同意受本隐私政策的约束。如您不同意本政策的任何部分，请立即停止使用我们的服务。

1. 适用范围

本隐私政策适用于 CCNeed 在全球范围内提供的所有产品和服务，包括但不限于 CCNeed 网站、网页应用、移动应用（如有）、API 及我们提供的任何其他服务（统称“服务”）。本政策不适用于从我们平台链接的第三方网站、平台或服务。

2. 数据控制者/个人信息处理者信息

负责您个人信息的数据控制者/个人信息处理者为：

公司名称：远见琢实（上海）智能科技有限公司

注册地址：上海市徐汇区古美路1528号

联系邮箱：privacy@ccneed.ai

3. 定义

• “个人信息”：以电子或其他方式记录的与已识别或可识别的自然人有关的各种信息，包括但不限于姓名、电子邮箱、电话号码、IP 地址、设备标识符等。
• “UGC 数据”（用户生成内容数据）：用户在第三方社交媒体平台上发布的公开可用内容，包括但不限于文本、图片、评论、评价及互动指标。
• “处理数据/洞察”：基于聚合和匿名化的 UGC 数据由 AI 智能体生成的报告、分析、摘要和洞察。
• “账户信息”：注册时提供的信息，包括邮箱、公司名称、职务、支付详情。
• “敏感个人信息”：生物识别信息、宗教信仰、金融账户、精确位置、健康数据、不满十四周岁未成年人的个人信息等。
• “匿名化”：不可逆的去标识化处理。根据《个信法》第4条及 GDPR 序言26，匿名化后的信息不属于个人信息。
• “去标识化”：删除或遮蔽标识符，在特定条件下可能可逆。
• “受托处理者”：根据我们的指示代表我们处理个人信息的第三方。
• “单独同意”：与一般条款接受分开的、单独取得的特定同意，用于《个信法》规定的特定处理场景。

4. 我们收集的信息

4.1 您直接提供的信息

• 账户注册信息：电子邮箱、用户名、密码（加密存储）、公司/组织名称、职务、行业
• 支付和账单信息：通过符合 PCI-DSS 标准的第三方支付处理商处理；我们不存储您的完整信用卡号
• 配置数据：搜索关键词、主题、问题、社交媒体监控参数
• 沟通记录：与客服团队的聊天记录和邮件往来
• 反馈和调查问卷回复
• 身份验证文件（仅在企业账户或法律要求时）

4.2 自动收集的信息

• 设备信息：设备类型、操作系统、浏览器类型/版本、屏幕分辨率、唯一设备标识符
• 日志数据：IP地址、访问时间、浏览页面、来源/退出 URL、点击流
• 使用数据：功能使用情况、交互模式、会话时长、使用频率
• 基于 IP 地址的大致地理位置（仅城市/地区级别）
• Cookie、SDK 及类似跟踪技术（详见第12节）

4.3 来自第三方平台的公开 UGC 数据

重要披露：CCNeed 通过官方 API 和公开可访问的网页，按照各平台服务条款，收集全球社交媒体平台上的公开用户生成内容。

• 公开发布的文本、评论、评价和讨论
• 公开的用户名、昵称和显示名称（不包括私密个人资料）
• 公开可见的互动指标（点赞、分享、转发、评论数）
• 公开分享的媒体内容元数据和发布时间戳

重要声明：原始 UGC 数据不属于用户，不可下载/导出。我们仅进行合法聚合分析和匿名化处理。我们不会利用 UGC 数据识别、联系或画像任何个人。

4.3.1 UGC 数据收集的法律基础

• 合法利益（GDPR 第6(1)(f)条）：市场研究服务的合法商业利益，已开展合法利益评估
• 公共利益研究（GDPR 第6(1)(e)/89条）：市场研究和统计目的
• 已公开信息（《个信法》第13(6)/27条）：在合理范围内处理个人自行公开的信息
• 遵守 CNIL（2025年6月）网络爬取指南和全球数据保护机构联合声明

4.3.2 人脸和生物识别信息

我们不使用人脸识别、生物识别或任何旨在从 UGC 图像/视频中识别个人的技术。如发现含生物识别信息，将及时删除或匿名化。

4.4 来自第三方的信息

• SSO 提供商：经您授权的姓名、邮箱、头像
• 业务合作伙伴/经销商：您通过合作伙伴访问时的联系信息
• 用于 B2B 营销的公开企业信息

4.5 我们不收集的信息

• 私密/非公开社交媒体内容
• 生物识别数据（指纹、人脸识别、声纹）
• 健康/医疗信息
• 政府证件号码（除非法律要求）
• 未经同意的精确位置
• 用于画像的种族/民族/政治/宗教/工会信息
• 财务信息（由第三方处理商负责）

5. 我们如何使用您的信息

5.1 使用目的

• 提供、维护和改进服务，包括 AI 智能体和报告生成
• 处理配置并生成市场研究报告和消费者洞察
• 管理账户、处理支付、发送交易通信
• 服务更新、安全警报、技术支持
• 分析使用模式，改善用户体验
• 履行法律义务，响应政府要求
• 防欺诈、防滥用、平台安全
• 执行服务条款
• 营销通信（经同意后；可随时退出）

5.2 处理的法律基础

• 履行合同（GDPR 第6(1)(b)条）
• 合法利益（GDPR 第6(1)(f)条/《个信法》第13(2)条），已进行利益平衡测试
• 同意（GDPR 第6(1)(a)条/《个信法》第13(1)条），可随时撤回
• 法律义务（GDPR 第6(1)(c)条/《个信法》第13(3)条）
• 公共利益（GDPR 第6(1)(e)条）

5.3 UGC 数据处理目的

• 生成聚合、匿名化的市场研究洞察、趋势和情感分析
• 构建 AI 知识库
• 提高 AI 模型准确性

我们不会将 UGC 数据用于：识别/联系/画像个人；自动化决策；出售原始数据；或监控。

5.4 自动化决策与画像

我们不进行对个人产生法律效果或重大影响的自动化决策。如引入此类功能，我们将根据 GDPR 第22条和《个信法》第24条提供通知、透明度、人工干预权和异议权。

5.5 数据用于 AI 模型训练

我们可能使用聚合/匿名化数据训练 AI 模型。如使用可识别个人信息，将事先取得您的明确、单独同意。

5.6 需要单独同意的场景

根据《个人信息保护法》，以下情形我们将取得您的单独同意：

• 处理敏感个人信息（第29条）
• 向第三方提供个人信息（第23条）
• 向境外提供个人信息（第39条）
• 公开个人信息（第25条）
• 自动化决策影响权益（第24条）
• 可识别个人信息用于 AI 训练

每种情形下，我们将展示独立于一般条款的清晰同意机制，确保同意自由、具体、知情且明确。

6. 数据共享与披露

我们不会出售您的个人信息。仅在以下有限情形下共享：

• 服务提供商/受托处理者：受 DPA 约束
• 关联公司：同等保护
• 法律要求：合理通知
• 权益保护：善意披露
• 业务转让：合并/收购/破产
• 经您同意

核心声明：原始 UGC 数据不共享给用户、不可下载。不出售、不租赁、不许可原始 UGC 数据。

6.1 第三方处理商类别

• 云基础设施、支付处理、分析、客服、邮件、AI 模型提供商、错误监控

子处理商列表可应请求获取：privacy@ccneed.ai。重大变更提前 [30天] 通知。

6.2 我们作为数据处理者的义务

我们将：严格按目的处理；实施安全措施；确保保密；协助权利请求；删除/返还数据；证明合规；要求子处理商履行同等义务。

7. 数据跨境传输

7.1 欧洲经济区/英国

标准合同条款（SCCs）、UK IDTAs、充分性决定、补充措施。

7.2 中国数据出境

履行告知+单独同意；开展 PIA；按网信办规定路径（安全评估/标准合同备案/个信保护认证）；签订数据处理协议；定期审查。

7.2.1 跨境传输必要性

全球 API 访问、境外云服务、境外 AI 模型、全球服务一致性。仅传输最少必要数据。

7.3 数据本地化

根据《数安法》《网安法》，境内重要数据和个人信息在境内存储。

7.4 其他司法管辖区

CCPA/CPRA、LGPD、PIPA、PDPA、APPI。

8. 数据保留

• 账户信息：活跃期 + 删除后 [3年]
• 支付记录：[7年]
• UGC 数据：持续服务，定期刷新/清除
• 洞察/报告：订阅期 + [1年]
• 日志：[12个月]
• 沟通记录：[3年]
• Cookie：按过期时间

不再必要时，安全删除或不可逆匿名化。

8.1 应当删除的情形（《个信法》第47条）

• 目的已实现/无法实现/不再必要
• 撤回同意且无其他基础
• 行使拒绝权/删除权
• 违约处理
• 服务终止
• 法定其他情形

技术困难时，停止处理（除存储外）并采取安全措施。

9. 数据安全

• AES-256 静态加密；TLS 1.2+ 传输加密
• RBAC、MFA、最小权限
• SOC 2 Type II / ISO 27001 认证云基础设施
• 定期审计、渗透测试、漏洞扫描
• 全员年度安全/隐私培训
• 事件响应计划
• 数据最小化

9.1 等保 2.0

根据《网安法》和 GB/T 22239-2019，已完成等保备案和测评。

9.2 数据泄露通知

• 72小时内通知监管机构（GDPR 第33条）
• 高风险时及时通知受影响个人（GDPR 第34条）
• 遵守《网络安全事件报告管理办法》（2025.11起施行）
• 记录所有泄露事件

10. 您的权利

10.1 GDPR 权利（欧盟/英国）

访问权、更正权、删除权、限制处理权、可携带权、拒绝权、撤回同意权、自动化决策拒绝权、投诉权。

10.2 《个信法》权利（中国）

知情权、决定权、查阅权、复制权、更正权、补充权、删除权、可携带权、解释说明权。死亡自然人近亲属可依法行使。

10.3 CCPA/CPRA 权利（加州）

知情权、删除权、更正权、拒绝出售/共享权、限制敏感信息使用权、非歧视权。

10.3.1 加州“不要出售或共享”

我们不出售/共享您的个人信息。我们在网站底部提供“不要出售或共享我的个人信息”链接。

10.4 UGC 数据主体权利

如您的公开内容被收集，您可请求查询、删除/匿名化或拒绝处理。联系 privacy@ccneed.ai。

10.5 如何行使权利

联系 privacy@ccneed.ai。[3个工作日] 内确认，[15个工作日]（中国）/[30天]（GDPR）/[45天]（CCPA）内回复。免费，除非明显不合理。可延期并说明理由。

10.6 权利请求的身份验证

我们可能通过确认账户凭据、信息比对或要求额外文件来验证您的身份。验证信息不会用于其他目的。

10.7 授权代理人（CCPA）

加州居民可指定授权代理人代为提交权利请求。需提供书面授权或委托书。

11. 投诉与争议解决

• 欧盟/英国：当地数据保护机构
• 中国：国家网信办或消费者协会
• 加州：司法部长办公室

[3个工作日] 内确认，[15个工作日] 内解决。

12. Cookie、SDK 与跟踪技术

12.1 我们使用的技术

Cookie、网络信标/像素标签、第三方 SDK、HTML5 本地存储。

12.1.1 第三方 SDK 披露

嵌入的 SDK：[Google Analytics]、[Sentry]、[Stripe/PayPal]、[Intercom/Zendesk]、[SendGrid/Mailchimp]。完整列表可应请求获取。

12.2 Cookie 类别

• 必要 Cookie：会话/安全/负载均衡，不可禁用
• 功能 Cookie：语言/地区/显示偏好
• 分析 Cookie：需同意
• 营销 Cookie：需明确同意

12.3 您的选择

欧盟/英国用户首次访问时展示 Cookie 同意横幅，可随时调整。

12.4 DNT 和 GPC

我们目前不响应 DNT 信号。对于加州用户，我们尊重 GPC 信号作为 CCPA/CPRA 下的有效退出请求。

13. 未成年人保护

我们的服务面向成年人的业务使用：

• 中国：不收集不满14周岁未成年人信息，必要时取得监护人同意（《个信法》、《未成年人网络保护条例》）
• 欧盟：不收集16岁以下（成员国可降至13岁）
• 美国：遵守 COPPA，不收集13岁以下

如发现误收，将及时删除并按要求通知监管机构。

14. 个人信息保护影响评估

根据《个信法》第55条和 GDPR 第35条，我们在处理敏感信息、自动化决策、委托处理、跨境传输、公开个人信息等情形下进行影响评估。

15. 合规审计

根据《个人信息保护合规审计管理办法》（2025年5月1日起施行），我们定期对个人信息处理活动进行合规审计，审计结果按规定报送主管部门。

16. 第三方链接与服务

我们的平台可能包含第三方网站链接。我们不对其内容或隐私实践负责。链接不代表我们的认可。

17. 政策变更

重大变更将通过网站公告、电子邮件和平台通知，提前至少 30 天通知。根据《个信法》要求，将重新取得您的同意。

18. 联系我们

隐私咨询：privacy@ccneed.ai

通信地址：上海市徐汇区古美路1528号

欧盟数据保护机构目录：https://edpb.europa.eu/about-edpb/about-edpb/members_en

英国 ICO：https://ico.org.uk

中国用户可向国家互联网信息办公室投诉举报。

19. 适用法律

本隐私政策受 中华人民共和国；争议提交中国国际经济贸易仲裁委员会（CIETAC）仲裁 法律管辖。本政策不限制欧盟用户在 GDPR 下、英国用户在 UK GDPR 下、或中国用户在《个信法》《数安法》《网安法》下的任何权利。

20. 附则

• 可分割性：无效条款不影响其余条款的效力
• 标题仅为方便，不影响解释
• 本政策提供中文版。英文版另行提供。如有冲突，中文版适用于中国境内事项，英文版适用于其他事项
• 本政策与服务条款共同构成完整的隐私协议
• 本政策不创设任何第三方受益权
• 匿名化后的数据不属于个人信息，不在本政策范围内
• 我们将按适用法律要求发布年度隐私指标（权利请求数量、处理量和平均响应时间）