OSRC Privacy Policy
Effective Date: July 8, 2025
Welcome to OPPO Security Center (OSRC). The OSRC ("this Website") is developed and operated by HEYTAP PTE. LTD. ("we", with its registered address at 138 Market Street #15-03 Capitagreen, Singapore 048946) to provide users ("you") with a vulnerability reporting feature.
We may collect and use your personal data when you use our account, website, mobile application or other related products and services. For the purposes of the OSRC Personal Information Protection Policy (this "Policy"), "personal information" or "personal data" refers to any information that can be used alone or in combination with other information to identify a specific natural person. This Policy explains how we process your personal information, why we collect, use, and disclose your personal information, your rights, and the security measures we take to protect your personal information when you use the OSRC.
Before using the OSRC, please carefully read this Policy to learn how we collect, use, and protect your personal information. By clicking "Agree and Use" to launch the OSRC, you acknowledge that you fully understand our collection and use of your personal data and your rights to such data as described below.
In principle, this Policy applies to all jurisdictions where we declare that this Website provides services. However, different jurisdictions may have varying requirements for personal information protection. Therefore, in addition to the General Terms, we provide special requirements specific to each jurisdiction in the Appendixes. The Appendixes, together with the main body of this Policy, constitute our notice of personal information processing activities in that jurisdiction. If you are located in a region listed in the Appendixes, you should also read the appendix for your region. For any matters not specifically addressed in the Appendixes, the General Terms of this Policy shall apply. In the event of any conflict or inconsistency between the Appendixes and the main body of this Policy, the Appendixes shall prevail.
The General Terms in Part A apply to users anywhere; Part B applies to users in the European Union, Liechtenstein, Norway, Iceland, the United Kingdom, or Switzerland (collectively, "Europe"); Part C applies to users in India; Part D applies to users in Brazil.
This Policy will help you understand:
A. General Terms

1. How we collect and use your personal information

2. How we store and retain your personal information

3. How we share, transfer, or disclose your personal information

4. How we protect your personal information

5. How you can exercise your rights as a personal information subject

6. Third-party service providers and their services

7. How we protect children's personal information

8. How this Policy is updated

9. Contact us

B. Appendix: The Privacy Policy of Europe (GDPR)

1. Legal basis for personal information processing

2. Purposes and scope of personal information processing

3. Additional information on how we transmit your personal information globally

4. Your rights to your personal information

5. Contact us

C. Appendix: The Privacy Policy of India (DPDPA)

1. Personal data we collect and its processing purposes

2. Your rights regarding personal data

3. Processing of children's personal data

D. Appendix: The Privacy Policy of Brazil (LGPD)

1. Legal basis for personal data processing

2. Additional information on global transfer of your personal data

3. Additional information on cookies and other tracking technologies

4. Additional information on your rights to your personal data

5. Contact details of the Data Protection Officer

Main Body

A. General Terms

1. How we collect and use your personal information

The information we collect depends on the features/services you actually use, the environment in which you interact with us, and the choices you make, including your privacy settings and the features/services you use. The features/services provided by this Website may vary depending on the country/region of release, system/application version, and the installation/download status of the apps on your device. Therefore, the actual features/services provided by this Website, as well as the processing of personal information and permission requests shall be based on the actual product.

Please note that you are not obligated to provide us with personal information. However, if you choose not to provide personal information that is necessary for this Website to provide services, we may be unable to provide you with those services, and we may not be able to respond to or resolve any issues you encounter. Our collection of personal information serves to deliver more efficient operations and provide you with the best possible experience. Below, we detail the types of personal information we may collect and the reasons and purposes for which we collect and use such personal information.

We may collect your personal information:

  • directly from you;
  • when you use this Website; and/or
  • from third parties.

To avoid any doubts and to transparently inform you of how we process your personal information, please note that if personal information is explicitly stated below as being stored only locally, it means that such personal information will only be collected and processed locally on your device and will not be uploaded to our servers, and thus will not be subject to this Policy.

Please note that if you are providing personal data on other individuals, make sure that you have obtained the consent of the data subjects.

1. Your personal information we collect directly from you
1.1 Registration and account login

To access the full functionality of our website, we may require you to create an account or complete your user profile in certain services. For such services, we may ask you to provide information including your username, password, nickname, full name, profile picture, gender, SSOID, and social media account details (such as Facebook and Twitter).

1.2 Participation in website operational activities

When you participate in our website's operational activities, OSRC may collect your name, contact details, shipping address, postal code, and country/region in order to deliver gifts to you.

1.3 Cookies and other similar tracking technologies

(1) Definition of Cookies

A cookie is a small text file or mechanism that the web server stores on your computer, mobile phone, or other local devices to collect, identify, and store your information when you visit or use the OSRC; it typically consists of identifiers, site names, and some numbers and characters ("Cookies"). Our websites, online services, interactive apps, emails, and ads may use Cookies and similar technologies, such as pixel tags and web beacons.

(2) How we use Cookies

When you use the OSRC, we may use Cookies or similar technologies to obtain your SSOID and mobile phone number, and cache your click actions to examine your network environment. By using Cookies and other similar technologies, OSRC can recognize whether you are our user so that you don't need to log in and authenticate yourself on each page, and we continuously enhance user experience by customizing the website based on your needs. Please also be aware that Cookies may store such information as user preferences. If you disable Cookies or similar technologies, you may be prevented from accessing some features of our site, but the basic features will still be available.

(3) How to manage Cookies

Every browser allows you to manage your preferences about tracking technologies. Specifically, you can set your browser to block some or all Cookies from our website or disable other tracking technologies. You may also turn on Do Not Track (DNT) so that your browser will send a DNT request to this Website. For further details, please consult the Help menu in your browser or the documentation that came with your device or visit www.allaboutcookies.org.

1.3 Your personal information we collect from third parties

We may collect your personal information from third parties. Depending on the services and functionalities provided by this Website, and to the extent permitted by applicable laws, we may obtain data about you from public or commercial sources, including your activity on social networks, and may combine such information with information obtained from you or otherwise related to you. For example, we may obtain your nickname from third-party partners for the purpose of matching user information. In particular, if you interact with us through social media platforms or third-party services, or choose to log in and use our services through a third-party account, we may receive information from such third parties, including your personal account information, profile picture, user ID, and any other information you have authorized the third party to share with us.

2. How we store and retain your personal information
2.1 Duration

We will retain your personal information for the shortest period necessary to fulfill the purposes of providing products/services as required by law. Upon the expiration of any retention period or when the conditions for deletion are met, we will delete or anonymize your personal information, unless otherwise stipulated by law. If for any special reasons we no longer operate part or all of our products or services, we will let you know as soon as possible, and stop collecting and processing your personal information related to such products or services. For any of your personal information already held by us that relates to those products or services, we will erase or anonymize it, unless otherwise provided by laws or regulations.

2.2 Location

As a globally operating company, we provide products or services through resources and servers located worldwide. To ensure service quality (e.g., to ensure processing speed), and without violating local data protection laws, we store users' personal data based on the phone's sales region and settings location. Our data centers are located in France, the United States, Singapore, India, Indonesia, and Russia. This means that your personal information may be transferred to or accessed from jurisdictions outside the country/region where you use the products or services. You understand that risks vary under different data protection laws. Given that, we will take measures to ensure that the data we collect is processed in accordance with the requirements of this Policy and applicable laws, and that your personal information is afforded the same level of protection as in the country/region where you use the products or services. For example, we may seek your consent for cross-border transfers of personal information or implement security measures such as encryption, de-identification, and signing necessary data transfer/sharing agreements with data recipients before cross-border data transfers.

3. How we share, transfer, or disclose your personal information

As required by law, we may share your personal information from time to time with the following companies or organizations (for example, our affiliates and strategic partners in order to jointly provide products or services). We will require the third parties, by contractual or other proper means, to take the same level of measures we have to secure and keep confidential your personal information when it is being processed.

(1) Affiliates: Your personal information may be shared with our affiliated companies to enable us to provide services to you. We will only share personal information as necessary and for the purpose declared herein. Before we or our affiliates change the purpose of using and processing your personal information, we will seek your authorization and consent again.
(2) Authorized partners: Only for the purpose declared herein. Some of our services will be furnished by the authorized partners. We may share some of your personal information with partners so as to provide better services and experience.
(3) Other organizations involved in merger, acquisition, or bankruptcy liquidation: In the event of a merger, acquisition, or bankruptcy liquidation that involves the transfer of your personal information, we will request the new holder of such information to remain subject to this Privacy Policy. Otherwise, we will mandate that they seek your explicit consent once more. If transfer of personal information is not involved, we will keep you fully informed and erase or anonymize all your personal information under our control.
(4) Any entity to which you have authorized us to disclose your personal information; and/or
(5) Any entity to which disclosure is required by law: This occurs in situations such as when we are required to respond to a subpoena, other legal process, litigation, or a mandatory request from a government authority. In such cases, we may disclose your personal information if we sincerely believe that the disclosure is necessary for protecting our rights, ensuring your safety or the safety of others, conducting fraud investigation, or complying with the government request.
4. How we protect your personal information
The security of your information is extremely important to us. We implement appropriate technical, administrative, and physical security measures to protect your personal information from unauthorized access, theft, disclosure, alteration, or loss. We will regularly review our security measures in light of new technologies and methods that become available.
5. How you can exercise your rights as a personal information subject
We respect your rights to your personal information and are committed to protecting your control over it. Therefore, we provide various methods for you to easily manage your privacy settings and personal information, ensuring the security of your personal information. Please note that settings may differ between different models, operating systems, and software versions. Additionally, we may adjust the settings to optimize your experience. Therefore, the paths provided below are for reference only. If you have any questions about how to exercise your rights, you can contact us through the means specified in the "Contact us" section of this Policy. Your rights to your personal information include:
5.1 Right to be informed
We inform you of how we process and protect your personal information by publishing this Policy. We will be devoted to making the use of your information transparent. You can regularly review this Policy, receive emails and SMS notifications about its updates, and contact us through the methods specified in this Policy to understand the collection and use of your personal information. For details, please refer to the OSRC Personal Information Protection Policy on the official site.
5.2 Right to access
You can directly query or access your personal information on the product or service interfaces to understand our collection and use of your personal information. For example, on your personal account page, you can view your nickname, email address, gender, and linked social media accounts (such as Facebook and Twitter). To request any information that cannot be directly accessed, please email us at security@oppo.com.
5.3 Right to rectification
If you find your personal information processed by us is incorrect or incomplete, you have the right to request rectification or supplementation. You may update and correct some of your personal information directly on the product or service pages. For example, you may make changes on your personal account page. For information that cannot be directly modified, please email us at security@oppo.com to request a correction.
5.4 Right to erasure

You can choose to erase certain personal information you have provided to us.

Local data: To clear the locally stored application data and cached data on your device, you can navigate to Application Management in the system settings and then select OSRC.

Server-side data: For personal information generated during your use of OSRC and stored on our servers, you may request deletion by emailing us at security@oppo.com. We will process such requests in a timely manner in accordance with applicable laws, regulations, and supervisory requirements.

5.5 Right to change the authorization scope or withdraw consent
Each of our services requires certain basic personal information to function properly (for details, see "How we collect and use your personal information" in this Policy). You can withdraw your consent or change the scope of your authorization for us to collect your personal information by deleting your information, turning off device permissions, changing relevant product or feature settings, or canceling your account. Specifically, you may modify your authorization or withdraw your consent by emailing us at security@oppo.com.
5.6 Right to obtain a copy of personal information
You have the right to request a copy of your personal information that you have provided to us, or ask us to transfer such copy to a designated third party. To request a copy of your personal information, contact us through the contact details listed in the "Contact us" section of this Policy. We will promptly send you the copy as permitted by relevant laws and regulations.
5.7 Right to lodge a complaint

You have the right to contact us and file a complaint through the methods provided in the "Contact us" section.

You have the right to file a complaint regarding personal information protection with the competent regulatory authority or bring a lawsuit before a court of competent jurisdiction at any time. However, we hope to have the opportunity to address your concerns and issues before you contact the authorities. Therefore, we encourage you to contact us first.

6. Third-party service providers and their services

Some features/services may contain links to third-party websites, products, and services. This Policy does not apply to these third-party websites, products, and services, for example, when you click on a card within this Website to redirect to a third-party application or website.

Please note that before accessing the features/services of these third-party website operators or third-party service providers redirected from this Website, you should carefully read their personal data protection policies and related terms.

7. How we protect children's personal information

We take the obligation and responsibility of protecting children's personal information very seriously and strive to create a healthy online environment for children while providing special protection for them. We consider anyone under the age of 18 (or the equivalent minimum age with full legal capacity in the relevant jurisdiction) to be a child. Features and services provided by this Website are primarily aimed at adults and are not intended for children. We do not directly offer services to children. Please note that, due to objective limitations such as technical restraints, this website may not be able to proactively identify the user's age.

In accordance with applicable laws and regulations, if you are a child, you must obtain the consent of your parents or other guardians before using this Website, and be sure to carefully read this Policy together with your parents or guardians. If you are a guardian of a child, you must carefully read the privacy statement regarding children (if any) and this Policy before helping the child use this Website. Children should not use this Website without the consent of their parents or other guardians. We do not actively collect, store, use, transfer, or disclose children's personal information, nor do we use children's personal information for marketing purposes. If you are a child, or the parent or guardian of a child, or if you discover that the information we process may include children's personal information, please contact us through the channels provided in this Policy, and we will endeavor to delete the relevant data as soon as possible.

8. How this Policy is updated
We reserve the right to update or modify this Policy from time to time. In the event of any material changes to this Policy, we will notify you through appropriate means, and the most recent update date will be indicated at the beginning of this Policy. The latest version of this Policy applies to our processing of your personal information and shall take effect from the date of its update.
9. Contact us

Should you have any questions regarding this Policy or personal information protection, or if you wish to provide suggestions or lodge a complaint, please contact us or our Data Protection Officer via the channels provided below. We will verify your identity and respond within the legally required time frame according to local laws and regulations. Considering the complexity and volume of personal requests and the feasibility of technical implementation, this period may be extended if necessary.

If you have any questions or concerns about our personal information protection policy or practices, please feel free to contact us:

HEYTAP PTE. LTD.

Address: 138 Market Street #15-03 Capitagreen, Singapore 048946

Data Subject Rights Platform ()

Data Protection Officer: Kenneth Kwek

Address: 7500A Beach Road, The Plaza, #09-324, Singapore 199591

B. Appendix: The Privacy Policy of Europe (GDPR)

This section only applies to users located in the European Union, Liechtenstein, Norway, Iceland, the United Kingdom, or Switzerland (collectively, "Europe").

The General Data Protection Regulation (GDPR) classifies roles involved in personal data processing into data controllers and data processors. "Data controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. "Data processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. If you are a user in Europe, HEYTAP PTE. LTD. will act as the "data controller" as defined under the GDPR. This means that HEYTAP PTE. LTD. has the authority to determine the purposes for which your personal data is collected and processed in compliance with the GDPR, and process your personal data in accordance with this Policy.
Personal information, known as "personal data" under GDPR, means any information relating to an identified or identifiable natural person. Sensitive personal information, referred to as "special categories of personal data" under GDPR, includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data processed for the purpose of uniquely identifying a natural person, and data concerning health or data concerning a natural person's sex life or sexual orientation.
1. Legal basis for personal information processing

The processing of your personal information described in the section "How we collect and use your personal information" is based on the following legal grounds:

(1) We have obtained your prior explicit consent, which you may withdraw at any time;

(2) It is necessary for the conclusion or performance of a contract to which you are a party regarding our products and/or services;

(3) It is necessary for us to fulfill our legal obligations, meaning the processing of personal information is required by law;

(4) We may disclose your personal information for the legitimate interests pursued by us or by a third party. Based on these legitimate grounds, we will process your personal information only after balancing the aforementioned interests with your privacy rights.

2. Purposes and scope of personal information processing

In the European region, OSRC provides the following functionalities: operational activities for distributing gifts and bonuses to users.

When you use the OSRC, we collect, use, and disclose your personal information for the following purposes:

Service & Purpose of Data Processing | Personal Data We Collect | Legal Basis
Registration and account login | Username, password, nickname, name, profile picture, gender, SSOID, social media account details (Facebook, Twitter) | Based on your consent or our legitimate interests
Participation in website operational activities and receipt of gifts | Name, contact details, shipping address, postal code, country or region | Based on your consent or our legitimate interests

3. Additional information on how we transmit your personal information globally

In principle, personal information generated and collected within Europe will be stored in Europe. When your personal information is transferred outside of Europe, we ensure the following security measures are taken:

(1) The personal information recipient is located in a country determined by the European Commission to have an adequate level of information protection ("adequacy decision").

(2) The recipient has signed the Standard Contractual Clauses adopted by the European Commission, which require the recipient to protect your personal information.

(3) Or, in the absence of appropriate safeguards, we will obtain your explicit consent before transferring your personal information. We will also take adequate technical measures such as encryption or de-identification to protect your personal information. To learn more about the safeguards related to the transfer of personal information outside of Europe, please contact us and submit your request on the Data Subject Rights Platform ( https://brand.heytap.com/en/privacy-feedback.html )

4. Your rights to your personal information

According to GDPR, you are entitled to the following rights.

4.1 Right to access

We inform you of how we process your personal data through this Policy and specific announcements, SMS, emails, and other methods as required by laws and regulations. We will be committed to making the use of your information transparent.

You may view this Policy from the Privacy Policy page and understand how we have processed your personal information.

4.2 Right to rectification

If you find that your personal data processed by us is inaccurate or incomplete, you have the right to request that we rectify it immediately, and, where appropriate, to supplement your personal data.

4.3 Right to erasure

You can choose to erase certain personal information you have provided to us. To clear the locally stored application data and cached data on your device, you can navigate to Application Management in the system settings and then select OSRC. For personal information generated during your use of OSRC and stored on our servers, you may submit a request for deletion to security.eu@oppo.com. We will process such requests in a timely manner in accordance with applicable laws, regulations, and supervisory requirements.

4.4 Right to restriction of processing

You have the right, in certain circumstances, to request us to temporarily restrict the processing of your personal data, for example, during the period when we are verifying the accuracy of your personal data after it is contested by you. We will retain sufficient data, or process such data as is necessary to ensure that we comply with your restriction request in the future.

4.5 Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interests. If you decide to object to the processing of your personal data, we will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You may object at any time to the processing of your personal data for direct marketing purposes.

4.6 Right to data portability

You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller directly or under certain restrictions.

4.7 Right to change the authorization scope or withdraw consent

If we process your personal data based on your consent, you have the right to withdraw your consent at any time, and we will immediately stop processing your personal data. You may withdraw your consent by contacting us at security.eu@oppo.com.

4.8 Right to lodge a complaint

You have the right to lodge a complaint with your national data protection authority regarding our handling of your personal data. Contact details for your local data protection authority can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en .

We will respond to your complaint as soon as possible, and usually, we will respond within one month from the date we receive your complaint. If necessary, or as permitted by law, when the complaint is overly complex or involves a large amount of personal data, we may extend the response time by an additional two months. In this case, we will inform you of the reasons for the extension within the aforementioned one month period. If you are not satisfied with our response, you may file a lawsuit with the regulatory authority in your jurisdiction.

5. Contact us

If you have any questions, suggestions, or complaints regarding this Policy or matters related to our personal information protection practices, you may contact us, our representatives, or our Data Protection Officer at https://brand.heytap.com/en/privacy-feedback.html

For users in Europe, our designated representative is OROPE Germany GmbH. The contact details are as follows.

Mail address: Graf-Adolf-Platz 15, 40213, Düsseldorf, Germany

For users in the UK, our designated representative is Unumplus Limited. The contact details are as follows.

Mail address: 7 Albert Buildings, 49 Queen Victoria Street, London, United Kingdom, EC4N 4SA

C. Appendix: The Privacy Policy of India (DPDPA)

This appendix applies only to users located in India.

You understand that this appendix is formulated based on the Indian Digital Personal Data Protection Act (referred to as "DPDPA") and relevant personal data protection laws. Under DPDPA, the roles in data processing are categorized as data fiduciaries and data processors. A "data fiduciary" means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. A "data processor" means any person that processes personal data on behalf of the data fiduciary.

Under normal circumstances, we act as a data fiduciary in processing your personal data. However, third parties may be involved in providing services on the OSRC official website. You understand that in some cases, these third parties may have independent purposes and means of processing your personal data. These third parties will constitute independent data fiduciaries and will process your personal data independently.

1. Personal data we collect and its processing purposes

In India, OSRC provides the following functions or services: users may register and log in to the official website account, and users may participate in operational activities to receive gifts.

We collect your personal data solely for the purpose of providing services on OSRC and enabling relevant functionalities.

However, please note that we may process your personal data without your consent under the following circumstances:

(1) When personal data that you voluntarily provided to us is processed for specific purposes, and you have not objected to the processing.

(2) When the data is used by the government or its agencies to provide or issue government-mandated subsidies, benefits, services, certificates, or licenses.

(3) When processing is required for the government or its agencies to fulfill their functions under applicable Indian laws, or in the interests of India's sovereignty, integrity, or national security.

(4) When disclosure of information to the government or its agencies is required under applicable Indian laws.

(5) When it is required to comply with any judgment, decree, or order issued under applicable Indian laws, or related to contractual or civil claims under the applicable laws outside India.

(6) When processing is required to provide medical treatment or health services to any individual in cases of epidemics, disease outbreaks, or other situations threatening public health.

(7) When processing is required to ensure the safety of any individual or to provide assistance or services in the event of any disaster or public disorder.

2. Your rights regarding personal data

Under the DPDPA, you have the following rights regarding your personal data. You can exercise your rights by following the specific methods disclosed for each right. Alternatively, you can directly submit a request for exercising your personal data rights through the means provided in the "Contact us" section of this Policy.

2.1 Right to access information about personal data

You have the right to obtain from us:

(1) a summary of personal data being processed by us and the processing activities undertaken by us with respect to such personal data;

(2) the identities of all data fiduciaries and data processors who process your personal data, along with a description of the personal data shared;

(3) any other information required to be disclosed by relevant laws and regulations.

2.2 Right to correct and erase personal data

You have the right to (1) correct, complete, or update your personal data; and (2) erase your personal data.

2.3 Right to request redressal of grievances

If you believe we have deficiencies or omissions in performing our obligations in relation to your personal data, you can contact us for redressal of grievances. Generally, we will reply within 15 business days. If you believe we cannot fulfill your request, you may lodge a complaint with the Data Protection Board of India (DPB).

2.4 Right to withdraw consent

You have the right to withdraw your consent to our processing of your personal data. Upon withdrawal of consent, we will cease processing your personal data accordingly. However, you understand that your withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

2.5 Right to nominate

If you are a child or a disabled person, you have the right to nominate any individual ("agent") to exercise your personal data rights on your behalf. In such cases, we will verify whether the authorized individual is qualified to act as an agent.

3. Processing of children's personal data

In principle, we do not provide our products and services to children.

However, please note that in India, a child is defined as a natural person under 18 years of age.

D. Appendix: The Privacy Policy of Brazil (LGPD)

This appendix applies only to users located in Brazil.

1. Legal basis for personal data processing

We process your personal data on the following legal bases:

1.1 Consent

We may process your personal data upon obtaining your consent. In particular, we may seek your consent to participate in promotional activities—for example, to send you promotional information, invite you to participate in user experience programs, or provide certain services, including those that involve the collection of location data. You have the right to withhold consent or withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before such withdrawal. If you have authorized us to use your personal data, we will process it solely for the purposes specified in the consent you have provided. Please note that if our processing relies on your consent and you choose to refuse or withdraw it, we may be unable to provide the corresponding services. Furthermore, your initial refusal or subsequent withdrawal of consent will not have any adverse consequences for you, unless otherwise stated.

1.2 Performance or conclusion of a contract

We may rely on this legal basis in the following specific circumstances:

(1) To provide services, process your orders, or perform the contract between you and us;

(2) To activate the services, warranty coverage, or specific software licenses you have purchased, and to provide notifications of software updates;

(3) To enable and manage your participation in prize draws, contests, or similar promotional activities;

(4) To diagnose product issues, repair customer devices, and provide other customer care and support services.

1.3 Compliance with legal obligations

We may be required to process your personal data to comply with legal obligations, for instance, to retain certain data for tax or business purposes.

1.4 Legitimate interests

The processing of your personal data may also be necessary for the purposes of our legitimate interests. Specifically, such cases may include:

(1) Conducting customer surveys to enhance your user experience;

(2) Analyzing customer markets based on the countries in which you use our services, including the size of the user base for product marketing and promotion;

(3) Assessing the efficiency of our business operations;

(4) Analyzing error logs to improve the quality of mobile phones and application functionality;

(5) Providing personalized services and recommending or displaying tailored content and advertisements through our services;

(6) Communicating with you and responding to any feedback or comments submitted by any means;

(7) Ensuring the functionality and security of our services;

(8) Verifying your identity;

(9) Conducting internal audits and preventing or investigating fraud, cybersecurity threats, or other misuse;

(10) Enhancing and developing our services, including related security features, to improve product usability, user experience, operational performance, functionality, and design;

(11) Pursuing or defending legal claims.

We will process your personal data on the basis of the legitimate interests above only when we have appropriately assessed and balanced our interests against your privacy rights. In certain circumstances, we may also process your personal data on other legal grounds as permitted by applicable laws.

2. Additional information on global transfer of your personal data

If your personal data is transferred to jurisdictions outside Brazil, we will ensure that appropriate safeguards are in place and properly implemented, for example:

(1) The recipient of the personal data is located in a country that has received an "adequacy" decision from the Brazilian National Data Protection Authority (ANPD), where applicable;

(2) The recipient has entered into a contract incorporating the "Standard Contractual Clauses" approved by the ANPD (where applicable), requiring it to protect your personal data;

(3) In the absence of the above adequate safeguards, we will seek your explicit consent for the cross-border transfer of your personal data or adopt other recognized measures to ensure that your personal data receives adequate protection.

For more information about the safeguards applied to the transfer of personal data outside Europe or Brazil, you may submit a request through our Data Subject Rights Platform at https://brand.heytap.com/en/privacy-feedback.html.

3. Additional information on Cookies and other tracking technologies

If you wish to obtain detailed information on the use of Cookies and other tracking technologies, please refer to our Cookie Statement.

4. Additional information on your rights to your personal data

According to the LGPD, you are entitled to the following rights.

(1) Right to access. You may request access to the personal data we hold about you.

(2) Right to rectification. If you find that your personal data processed by us is inaccurate or incomplete, you have the right to request that we rectify it immediately, and, where appropriate, to supplement your personal data.

(3) Right to erasure. You may submit a request for the deletion of your personal data. In certain cases, we are obliged to delete such data without undue delay, for example, if we no longer have a lawful reason under applicable laws and regulations to continue processing your personal data. Please note that deleting all data from your device does not necessarily mean that all personal data collected and processed by us has been deleted. Therefore, we encourage you to contact us (see the "Contact us" section) to request the deletion of your personal data.

(4) Right to restrict processing. You have the right, in certain circumstances, to request us to temporarily restrict the processing of your personal data, for example, during the period when we are verifying the accuracy of your personal data after it is contested by you. During this period, we will only retain the necessary data or process the data required to fulfill your restriction request in the future.

(5) Right to object. You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interests. If you decide to object to the processing of your personal data, we will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You may also object to direct marketing at any time and for any reason.

(6) Right to data portability. You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller in certain circumstances.

(7) Right to withdraw consent. If you have previously given us consent to process your personal data but have changed your mind, you have the right to withdraw that consent at any time. Your withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you wish to withdraw consent for receiving promotional communications, you may do so by following the unsubscribe instructions contained in each promotional message. Please note that if you withdraw your consent, we may no longer be able to provide the relevant services to you.

(8) Right to lodge a complaint. You have the right to lodge a complaint or bring an action before the competent authorities regarding the way we process your personal data. You can obtain further information from your local data protection supervisory authority.

(9) Right to request anonymization. In certain circumstances, you have the right to request the anonymization of your personal data, meaning that your data will be transformed into a form that prevents any identification. This right is intended to enhance the protection of your privacy.

(10) Right to obtain information on data sharing. You have the right to know which companies and third parties have received your personal data. This ensures transparency regarding how your personal data is shared and used.

(11) Right to be informed of the possibilities and potential consequences of withdrawing consent. You have the right to be informed about the potential consequences of withdrawing your consent, including how such withdrawal may affect your access to certain services or features.

5. Contact details of the Data Protection Officer

You may submit a request through our Data Subject Rights Platform or contact our Data Protection Officer.

Brazilian Data Protection Officer (DPO):

Name: JULIANA MANTUANO DE MENESES

Link: https://brand.heytap.com/en/privacy-feedback.html