PRIVACY POLICY

GENCYBERS INC

PRIVACY POLICY

Document Control:

Document ID: PRIV-POL-2025-005
Version: 1.2
Last Updated: January 15, 2025
Approved By: Chief Technology Officer
Review Frequency: Annual

INTRODUCTION

This Privacy Policy outlines GenCybers INC's commitment to protecting personal data and ensuring compliance with global privacy regulations including but not limited to the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), and other applicable regional privacy laws. This policy applies to all personal data processed by GenCybers INC in connection with TikTok Shop integration and related services.

1. DEDICATED ROLES & RESPONSIBILITIES

1.1 Privacy Governance Structure

1.1.1 GenCybers INC has established a formal privacy governance structure with clearly defined roles and responsibilities:

Chief Technology Officer (CTO): Ultimate accountability for data privacy and security, approves privacy policies, oversees implementation of privacy controls, and serves as the senior executive responsible for privacy program oversight.
Data Protection Officer (DPO): Appointed in compliance with GDPR Article 37, responsible for monitoring compliance with data protection regulations, advising on data protection impact assessments, cooperating with supervisory authorities, and acting as the primary contact point for data subjects and regulatory bodies.
Privacy Compliance Manager: Responsible for day-to-day privacy operations, coordinates privacy impact assessments, manages privacy incident response, oversees privacy training, and ensures implementation of privacy by design principles.
Information Security Officer: Works closely with the privacy team to ensure technical measures support privacy requirements, implements appropriate security controls for personal data protection, and assists with security-related aspects of privacy compliance. 1.1.2 DPO Contact Information:
Name: Alex Wong
Email: privacy@gencybers.com
Phone: +12133767565
Postal Address: 1942 Broadway St. STE 314C, Boulder, Colorado 80302 USA

1.2 Privacy Accountability Framework

1.2.1 GenCybers INC maintains a comprehensive privacy accountability framework that includes:

Regular privacy compliance audits (minimum annually)
Documented privacy risk assessments for all new processing activities
Clearly defined privacy incident notification procedures
Regular reporting to executive leadership on privacy compliance status
Continuous privacy training program for all employees handling personal data
Vendor privacy assessment and monitoring program 1.2.2 Privacy Steering Committee: A cross-functional Privacy Steering Committee meets quarterly to:
Review privacy program effectiveness
Address emerging privacy risks
Evaluate privacy impact of new initiatives
Allocate resources for privacy compliance activities
Approve significant privacy program changes

1.3 Privacy Training and Awareness

1.3.1 All GenCybers INC employees receive privacy training:

Upon hiring (within first two weeks)
Annually as refresher training
When significant privacy law changes occur
When assigned to roles with increased privacy responsibilities 1.3.2 Specialized training is provided to:
Technical teams implementing privacy controls
Customer support handling data subject requests
Product development teams for privacy by design implementation
Management responsible for privacy governance

2. PRIVACY NOTICE

2.1 Data Collection Practices

2.1.1 Personal Data Categories Collected:

Customer identification information (name, address, email, phone number)
Authentication credentials (usernames, encrypted passwords)
Transaction data (purchase history, payment information)
Communication data (support inquiries, feedback)
Device information (IP address, browser type, operating system)
Usage data (features accessed, time spent, click patterns)
TikTok Shop seller account information (as authorized through API access) 2.1.2 Collection Methods:
Direct submission through web forms
API integration with TikTok Shop
Cookies and similar tracking technologies
Server logs and analytics tools
Customer support interactions
Account registration and profile updates 2.1.3 Legal Bases for Collection:
Contract performance (necessary to provide our services)
Legitimate business interests (improving services, ensuring security)
Consent (when specifically provided)
Legal obligations (compliance with applicable laws)
Vital interests (when necessary to protect someone's life)

2.2 Data Usage Purposes

2.2.1 Primary Usage Purposes:

Providing e-commerce integration services with TikTok Shop
Processing orders and managing inventory
Facilitating transactions and payment processing
Authenticating user access and maintaining account security
Providing customer support and resolving issues
Analyzing performance metrics and optimizing service functionality 2.2.2 Secondary Usage Purposes:
Improving user experience and interface design
Developing new features and services
Conducting market research and trend analysis
Preventing fraud and abuse
Generating aggregate statistical data
Marketing our services (subject to consent requirements) 2.2.3 Automated Decision Making:
When automated decision-making or profiling occurs: ○ Logic involved will be explained ○ Significance and potential consequences disclosed ○ Option for human intervention provided ○ Right to contest decisions maintained

2.3 Data Sharing and Transfers

2.3.1 Categories of Third-Party Recipients:

TikTok Shop platform (as necessary for integration)
Cloud service providers (AWS US East - N. Virginia region)
Payment processors (for transaction completion)
Analytics providers (using anonymized or pseudonymized data)
Customer support software providers
IT service providers maintaining our systems 2.3.2 International Data Transfers:
Personal data is primarily stored within the United States
When transfers outside the US occur: ○ Standard Contractual Clauses are implemented ○ Transfer impact assessments are conducted ○ Additional safeguards are applied as necessary ○ Data subjects are informed of transfer destinations 2.3.3 Safeguards for Data Sharing:
Data processing agreements with all processors
Vendor security and privacy assessments
Regular compliance verification
Contractual obligations for confidentiality
Access limited to necessary personnel only
Data minimization principles applied

2.4 Data Security Measures

2.4.1 Technical Safeguards:

Encryption of data at rest (AES-256)
Encryption of data in transit (TLS 1.2+)
Network segmentation and firewalls
Intrusion detection and prevention systems
Regular vulnerability scanning and penetration testing
Multi-factor authentication for system access
Comprehensive logging and monitoring 2.4.2 Organizational Safeguards:
Background checks for employees
Role-based access controls
Regular security awareness training
Formal security incident response procedures
Physical security controls for facilities
Clean desk policy and secure disposal practices
Regular compliance audits 2.4.3 Continuous Improvement:
Security program benchmarked against industry standards
Regular review of security controls effectiveness
Adaptation to emerging threats and vulnerabilities
Implementation of privacy-enhancing technologies
Security architecture reviews for all system changes

3. DATA SUBJECT RIGHTS

3.1 Rights Recognition and Support

3.1.1 GenCybers INC recognizes and supports the following data subject rights:

Right to access personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing
Rights related to automated decision making and profiling
Right to withdraw consent
Right to lodge a complaint with a supervisory authority 3.1.2 Rights Management System:
Dedicated system for tracking and managing rights requests
Standardized workflows for each request type
Verification procedures to confirm requestor identity
Response templates for consistent communication
Internal escalation procedures for complex requests
Documentation of all requests and responses
Training for customer support staff on rights handling

3.2 Rights Request Procedures

3.2.1 Multiple Access Channels:

Dedicated privacy request web form
Email submission to privacy@gencybers.com
Phone request via customer support
Written request to company address
In-product functionality for common requests 3.2.2 Request Processing Timeline:
Initial acknowledgment within 2 business days
Identity verification within 3 business days
Substantive response within 30 calendar days
Extension notification if additional time needed (up to 60 additional days)
Regular status updates for complex requests 3.2.3 Verification Requirements:
Risk-based verification procedures
Two-factor authentication for sensitive requests
Account credentials for logged-in users
Alternative verification options for non-account holders
Additional verification for high-risk requests

3.3 Specific Rights Implementation

3.3.1 Right to Access:

Complete inventory of all personal data held
Information on processing purposes
Categories of recipients
Retention periods
Information on automated decision-making
Source of data not collected directly
Safeguards for international transfers 3.3.2 Right to Data Portability:
Data provided in structured, commonly used format (JSON, CSV)
Direct transmission to other controllers where technically feasible
Complete extraction of user-provided data
Inclusion of derived data where appropriate
Machine-readable format options 3.3.3 Right to Erasure:
Complete deletion from production systems
Removal from backup systems according to backup cycle
Notification to processors and sub-processors
Documentation of legal basis for any denied erasure requests
Limited retention of minimal data to prevent re-identification or enforce erasure request

3.4 Seller-Specific Rights Support

3.4.1 TikTok Shop Seller Assistance:

Specialized processes for assisting TikTok Shop sellers with rights requests
API-based data access and deletion capabilities
Coordination with TikTok for cross-platform requests
Documentation of all seller data maintained
Expedited handling of seller data requests 3.4.2 Bulk Rights Request Handling:
Capabilities for processing multiple requests from same seller
Structured data export for seller business data
Processing of employee data requests from seller organizations
Clear delineation between seller business and customer data

4. DATA RETENTION

4.1 Retention Policy Framework

4.1.1 Retention Principles:

Data kept only as long as necessary for stated purposes
Different retention periods based on data categories
Documentation of legal/business justification for retention periods
Regular review and update of retention schedules
Consideration of data minimization principles
Balancing business needs with privacy requirements 4.1.2 Documentation Requirements:
Comprehensive retention schedule for all data categories
Legal basis for each retention period
Exceptions handling process
Business justification for extended retention
Approval process for retention period modifications
Annual review certification

4.2 Retention Periods

4.2.1 Standard Retention Periods by Data Category:

Account information: Duration of account plus 180 days
Transaction data: 7 years (tax and financial regulations)
Customer service communications: 2 years from resolution
Marketing preferences: Until consent withdrawal plus 30 days
Usage logs: 90 days
Security logs: 1 year
Anonymized analytical data: Indefinite (no personal data) 4.2.2 Exceptions Process:
Legal hold procedure for litigation-relevant data
Documented business necessity exceptions
Regulatory compliance extensions
Archive policy for historical data
Special handling for sensitive data categories

4.3 Data Deletion and De-identification

4.3.1 Deletion Methods:

Secure overwriting of digital storage
Destruction of physical media
Propagation of deletion across all systems
Verification of successful deletion
Deletion certificates when appropriate 4.3.2 De-identification Techniques:
Anonymization protocols for statistical data
Pseudonymization for required processing with reduced risk
Aggregation methods for trend analysis
Regular re-evaluation of re-identification risk
Technical controls against re-identification attempts

4.4 TikTok Shop Data-Specific Retention

4.4.1 Seller Authorization-Linked Retention:

Immediate flagging of data when seller revokes authorization
Soft deletion within 24 hours of authorization revocation
Complete deletion within 30 days
Exception documentation for any legally required retention
Notification to seller of any required extended retention 4.4.2 Post-Relationship Data Handling:
Return of seller data in portable format upon request
Secure deletion verification process
Certificate of deletion provided upon request
Archival of consent records and deletion logs only
No retention of operational data beyond necessary period 4.4.3 State-Specific Deletion Requirements:
Enhanced deletion capabilities for California residents (CPRA)
Virginia Consumer Data Protection Act compliance procedures
Colorado Privacy Act deletion requirements implementation
Adaptable framework for emerging state privacy laws
Most protective standard applied when multiple laws apply

5. DATA MINIMIZATION

5.1 Data Minimization Principles

5.1.1 Core Principles:

Only data necessary for specified purposes is collected
Processing is limited to what is necessary for stated purposes
Access to personal data is restricted on a need-to-know basis
Data is retained only for as long as necessary
Regular review of collected data to identify reduction opportunities
Privacy by design incorporated into all development processes 5.1.2 Implementation Methodology:
Pre-collection assessment of necessity and proportionality
Justification documentation for each data element
Regular data inventory audits
Technical controls limiting excessive data collection
Default settings configured to minimize data capture
Executive approval required for new data collection categories

5.2 TikTok Shop API Access Limitations

5.2.1 API Access Controls:

Access limited strictly to APIs necessary for business functionality
Documented business purpose for each API access request
Regular review of API access permissions
Immediate revocation of unnecessary API access
Principle of least privilege applied to all API integrations
No bulk data harvesting or speculative data collection 5.2.2 Specific API Limitations:
User demographic data accessed only when directly necessary
Transaction data limited to specific business relationships
Marketing data accessed only with explicit consent
Analytics data anonymized whenever possible
Social graph data never requested unless essential
Content data minimized to transaction-relevant items only

5.3 Data Collection Review Process

5.3.1 New Collection Evaluation:

Privacy impact assessment for new data collection activities
Formal sign-off process for data collection changes
Technical review of collection mechanisms
Legal review of minimization compliance
Consideration of alternatives with less privacy impact
Documentation of necessity and proportionality analysis 5.3.2 Periodic Data Audit:
Quarterly review of all collected data elements
Identification of redundant, obsolete, or trivial (ROT) data
Streamlining of data models to reduce duplication
Legacy data evaluation and cleanup
Verification of continued business necessity
Recommendations for further minimization opportunities

5.4 Minimization Technologies and Techniques

5.4.1 Technical Approaches:

Data filtering at collection points
Field-level encryption for sensitive elements
Anonymization and pseudonymization where appropriate
Local processing versus cloud transmission when possible
Differential privacy techniques for analytics
Decentralized architectures to minimize central data repositories 5.4.2 Design Methodologies:
Privacy by Design principles in all development activities
Privacy-focused data modeling
Regular developer training on minimization techniques
System architecture reviews for minimization opportunities
Code reviews that include privacy assessment
Incentives for implementing strong minimization approaches

6. ADDITIONAL PRIVACY SAFEGUARDS

6.1 Vendor Management

6.1.1 Privacy Requirements for Vendors:

Comprehensive data processing agreements
Documented sub-processor management
Regular compliance assessments
Security certification requirements
Incident notification obligations
Data deletion verification processes 6.1.2 Vendor Assessment Procedures:
Pre-engagement privacy assessment
Annual reassessment of privacy practices
Technical security evaluation
On-site audits for critical vendors
Contractual right to audit
Remediation requirements for identified issues

6.2 Children's Privacy

6.2.1 Special Safeguards for Children's Data:

Age verification mechanisms
Parental consent procedures for under-16 users
Enhanced data minimization for younger users
Prohibition on profiling of children
Specialized staff training for children's data handling
Child-friendly privacy notices 6.2.2 Compliance with Children's Privacy Regulations:
COPPA compliance measures
Age-appropriate design implementation
Special protection for children's sensitive data
Limited retention of children's data
Restricted data sharing of children's information
Regular compliance reviews

6.3 Privacy by Design and Default

6.3.1 Development Lifecycle Integration:

Privacy requirements defined at project inception
Privacy considered in all design decisions
Privacy impact assessments for major changes
Pre-release privacy reviews
Post-implementation privacy verification
Continuous improvement through feedback 6.3.2 Default Settings:
Privacy-protective defaults for all features
Opt-in approach for enhanced data processing
Granular privacy controls for users
Transparent privacy indicators in user interface
Easy access to privacy settings
Regular testing of privacy defaults effectiveness

6.4 Data Protection Impact Assessments

6.4.1 DPIA Triggers:

New technologies implementation
Profiling or automated decision making
Large-scale processing of sensitive data
Systematic monitoring of public areas
Data matching or combining operations
Processing that could prevent rights exercise 6.4.2 DPIA Methodology:
Systematic description of processing
Assessment of necessity and proportionality
Risk identification and evaluation
Measures to address risks
Documentation of findings
Implementation of recommendations
Regular reassessment when processing changes

6.5 Privacy Training Program

6.5.1 Training Components:

Basic privacy awareness for all staff
Role-specific privacy training
Regulatory compliance education
Security-privacy intersection training
Incident response procedures
Data subject rights handling
Documentation and record-keeping requirements 6.5.2 Training Delivery:
Interactive online modules
In-person workshops for key roles
Case study analysis
Practical exercises and simulations
Regular knowledge assessments
Refresher training schedule
Specialized training for privacy champions

6.6 Cross-Border Data Transfers

6.6.1 Transfer Mechanism Documentation:

Identification of all cross-border transfers
Legal basis for each transfer type
Implementation of appropriate safeguards
Transfer impact assessments
Supplementary measures as needed
Regular review of transfer mechanisms
Adaptation to regulatory changes 6.6.2 Geographic Data Storage Strategy:
Primary storage in AWS US East (N. Virginia) region
Data localization options for specific requirements
Transparency regarding storage locations
Controls against unauthorized transfers
Clear internal guidelines on permitted transfers
Due diligence on recipient country legal frameworks

7. COMPLIANCE AND ENFORCEMENT

7.1 Documentation and Accountability

7.1.1 Privacy Records Maintenance:

Records of processing activities (ROPA)
Data subject request logs
Consent records
Privacy impact assessments
Training completion records
Incident response documentation
Vendor assessments and agreements 7.1.2 Accountability Framework:
Clear responsibility assignments
Regular compliance reporting to leadership
Key performance indicators for privacy program
Internal audit processes
External certification where appropriate
Continuous improvement mechanisms

7.2 Regulatory Compliance

7.2.1 Regulatory Monitoring:

Active tracking of privacy law developments
Membership in privacy organizations
Legal updates from outside counsel
Participation in regulatory consultations
Relationship with relevant authorities
Proactive compliance planning for new regulations 7.2.2 Specific Regulatory Compliance Programs:
GDPR compliance program
CPRA compliance program
APEC Cross-Border Privacy Rules
Industry-specific regulations as applicable
Emerging state privacy laws compliance
International standards alignment (ISO 27701)

7.3 Breach Notification

7.3.1 Incident Response Plan:

Defined breach identification procedures
Severity classification framework
Internal escalation procedures
Investigation protocols
Documentation requirements
Post-incident review process 7.3.2 Notification Procedures:
Regulatory notification templates and processes
Data subject notification procedures
TikTok notification process
Law enforcement coordination when appropriate
Public relations response planning
Business partner communication protocols

7.4 Policy Enforcement

7.4.1 Internal Enforcement:

Consequences for policy violations
Integration with disciplinary procedures
Recognition for privacy-protective behaviors
Management accountability for team compliance
Regular policy adherence audits
Anonymous reporting channels for concerns 7.4.2 External Enforcement:
Contractual privacy obligations for partners
Compliance verification procedures
Remediation requirements and timelines
Contract termination provisions for serious violations
Ongoing monitoring of partner compliance
Support for partners' compliance efforts

8. POLICY UPDATES AND COMMUNICATION

8.1 Policy Revision Process

8.1.1 Regular Review Schedule:

Annual comprehensive policy review
Quarterly spot-checks for emerging issues
Ad-hoc reviews triggered by: ○ Significant regulatory changes ○ Major business model changes ○ New processing activities ○ Security incidents ○ Merger/acquisition activity 8.1.2 Approval Process:
Privacy team initial draft
Cross-functional review (Legal, Security, Product, Marketing)
Executive review and approval
Documentation of changes and justification
Version control management
Archiving of previous versions

8.2 Communication of Changes

8.2.1 Internal Communication:

Staff notification of policy updates
Updated training materials
Department-specific guidance
FAQ documentation
Change implementation support
Compliance verification procedures 8.2.2 External Communication:
Clear notification of material changes
Summary of significant updates
Advanced notice when possible
Multiple communication channels
Version history maintenance
Plain language explanations of impacts

CONTACT INFORMATION

For privacy-related inquiries, please contact our Data Protection Officer:

Email: privacy@gencybers.com
Phone: +12133767565
Postal Address: 1942 Broadway St. STE 314C, Boulder, Colorado 80302 USA

This Privacy Policy demonstrates GenCybers INC's ongoing commitment to privacy protection and regulatory compliance. We recognize that maintaining the trust of our partners, TikTok Shop sellers, and end-users is essential to our business success, and we are dedicated to implementing privacy best practices throughout our operations. APPROVED BY:Alex Wong

Chief Technology Officer GenCybers INC DATE: January 15, 2025

Did this page help you?

YESNO

HeiChat

PRIVACY POLICY

GENCYBERS INC

PRIVACY POLICY

INTRODUCTION

1. DEDICATED ROLES & RESPONSIBILITIES

1.1 Privacy Governance Structure

1.2 Privacy Accountability Framework

1.3 Privacy Training and Awareness

2. PRIVACY NOTICE

2.1 Data Collection Practices

2.2 Data Usage Purposes

2.3 Data Sharing and Transfers

2.4 Data Security Measures

3. DATA SUBJECT RIGHTS

3.1 Rights Recognition and Support

3.2 Rights Request Procedures

3.3 Specific Rights Implementation

3.4 Seller-Specific Rights Support

4. DATA RETENTION

4.1 Retention Policy Framework

4.2 Retention Periods

4.3 Data Deletion and De-identification

4.4 TikTok Shop Data-Specific Retention

5. DATA MINIMIZATION

5.1 Data Minimization Principles

5.2 TikTok Shop API Access Limitations

5.3 Data Collection Review Process

5.4 Minimization Technologies and Techniques

6. ADDITIONAL PRIVACY SAFEGUARDS

6.1 Vendor Management

6.2 Children's Privacy

6.3 Privacy by Design and Default

6.4 Data Protection Impact Assessments

6.5 Privacy Training Program

6.6 Cross-Border Data Transfers

7. COMPLIANCE AND ENFORCEMENT

7.1 Documentation and Accountability

7.2 Regulatory Compliance

7.3 Breach Notification

7.4 Policy Enforcement

8. POLICY UPDATES AND COMMUNICATION

8.1 Policy Revision Process

8.2 Communication of Changes

CONTACT INFORMATION