Privacy Policy

Version: V1.0
Date of Publication: June 15, 2026
Effective Date: June 15, 2026 (not earlier than the date of publication)

Personal Information Handler / Data Controller: Shanghai Jiusi Xinyuan Intelligent Technology Co., Ltd. (hereinafter "we," "us," or "Yio")
Registered/Business Address: DOBE Coworking Space, Building D, Lane 159 Haojing Road, Minhang District, Shanghai
Personal Information Protection Officer / Data Protection Contact: privacy [at] yio.chat

This Privacy Policy (hereinafter the "Policy") applies to the AI customer success services and related features that Yio (hereinafter "Yio" or the "Service") provides to users through its website (yio.chat), mobile browsers, embedded components, and other channels.

This Policy applies to all users, wherever you are located. The body of this Policy constitutes a general baseline for users worldwide, explaining in a neutral, jurisdiction-agnostic manner what information we collect, how we use it, with whom we share it, where it is stored, how we protect it, and the rights you have. At the end of this Policy, we provide dedicated regional chapters that consolidate the additional or differentiated terms required by the laws of specific countries or regions (such as the Personal Information Protection Law in Mainland China and the General Data Protection Regulation in the European Economic Area and the United Kingdom). Where the laws of your location afford you additional or different protections, we will, within their scope of application, respect those protections in accordance with the law; where a regional chapter conflicts with the body of this Policy, the regional chapter prevails for users in that region.

In this Policy, "personal information" and "personal data" refer to the same concept, namely information relating to an identified or identifiable natural person; "sensitive personal information" and "special categories of personal data" refer to personal information for which the law prescribes a higher standard of protection. We act as a "personal information handler / controller" with respect to personal information for which we ourselves determine the purposes and means of processing; where we process personal information on another party's behalf and on its instructions, we act as an "entrusted party / processor." The specific roles of each party are defined in Section 1.3.

---

Summary

This summary is intended to help you quickly understand the core content of this Policy. The full text of the body prevails:

• What information we collect: From enterprise users: registration information (email address and password), company information, uploaded knowledge base documents, and AI assistant configurations; from end-visitors: conversation content, lead information, and session identifiers; from website visitors: language preferences; as well as demo-booking information submitted through our company's official website.
• With whom we share information: To provide the AI question-and-answer service, we need to send the necessary conversation content and the relevant retrieved knowledge base snippets to large language model (LLM) service providers; to build retrieval capabilities, knowledge base text is sent to a vectorization service provider. The complete list of recipients is set out in Chapter Two, Section 2.2.
• Data storage and cross-border transfers: Some of our servers and service providers are located outside your country or region, and the related processing may involve cross-border transfers of personal data. We have adopted the compliance measures required by applicable law; the specific overseas recipients, their countries or regions, and the applicable safeguards are set out in Section 2.2 (Chapter Two) and Chapter Eight.
• How you exercise your rights: You may access and export your data in the product back-office, correct your company name and password, and delete knowledge base materials and assistants; conversation/lead records can be deleted in their entirety by closing your account. You may also contact us at privacy [at] yio.chat to exercise other rights. We will respond to your request within 15 business days.
• AI-generated content labeling: To safeguard the right to be informed and to ensure transparency, we conspicuously label each AI-generated reply in the AI assistant's conversation interface as "AI-generated" in textual form (explicit labeling), a practice that applies uniformly to all users; for the Service provided in Mainland China, we will additionally implement implicit (metadata) labeling in accordance with local law (see the Mainland China Users Chapter).
• What we will not do: We do not use the knowledge base content you upload or your conversation data to train our own models, we do not sell your personal information, we do not use advertising cookies, and we do not run advertising. We use third-party analytics tools (including but not limited to Google Analytics) solely on our marketing website and administrative back-office to analyze usage (not enabled on the end-visitor conversation page; see Section 1.5).

---

I. Information We Collect and Use

1.1 List of Personal Information Collected

We collect the following necessary and non-necessary personal information for different business functions, as set out below.

(1) Account Registration and Sign-in

You may register and sign in using an email and password.

Sign in with WeChat (third-party sign-in). If you choose to sign in via WeChat QR code, we obtain, through the WeChat Open Platform (Shenzhen Tencent Computer Systems Co., Ltd.), your unique identifier within this application (OpenID), used to recognize your identity, complete sign-in, and — where you so choose — link your WeChat to your email account. We obtain only this OpenID and do not obtain your WeChat nickname, avatar, phone number, contacts, or other information. WeChat sign-in is provided by WeChat and governed by its own privacy policy; your consent on the WeChat authorization screen is a precondition to our obtaining the identifier above. You may unbind WeChat at any time under "Account Settings" in the back-office; if WeChat is your only sign-in method, you must first set an email and password before unbinding, to avoid losing access.

We may from time to time offer other registration or sign-in methods, in which case we will update this Policy and describe the personal information collected and the purposes thereof.

(2) Company Information

(3) Knowledge Base Construction

(4) End-Visitor Interaction (via shared links, embedded website components, or custom domains)

The lead names and contact details of end-visitors are voluntarily provided by the visitors; we store and forward them solely on behalf of the relevant enterprise user and make no other use of them.

(5) Website Access and Demo Booking

Demo-booking information is collected by our company's official website (yio.chat) and processed directly by our company as the processor (controller), retained for 6 months. The specific fields are as set out in the actual form on the website.

1.2 Information We Do Not Collect

• We do not use advertising cookies, do not deploy advertising SDKs, do not conduct profile-based advertising, and do not use your data for advertising.
• Apart from the website and back-office analytics described in Section 1.5, we do not deploy any third-party analytics or tracking tools on the end-visitor conversation page.
• We do not collect precise geolocation (GPS) information and do not perform cross-site device fingerprinting.
• We do not actively collect children's personal information (the applicable age threshold for "children" varies by region; see Chapter Six and the relevant regional chapters).

For the cookies and local storage that are strictly necessary to maintain basic functionality (language preference, visitor identification, and sign-in sessions), see Chapter Seven.

1.3 Sensitive Personal Information and Roles

Sensitive personal information (special categories of personal data): Certain personal information is highly sensitive in nature, in that its leakage or unlawful use could readily harm a natural person's dignity or personal or property safety, and the law prescribes a higher standard of protection for it. Such information typically includes (varying by applicable law): biometric information, religious or philosophical beliefs, political opinions, racial or ethnic origin, medical or health information, sex life or sexual orientation, financial accounts, specific identity, whereabouts/trajectory, and children's personal information. Regardless of which jurisdiction's law applies, we apply stricter protective measures to such information across the board, and obtain the consent or other lawful basis required by applicable law before processing it. The specific definitions of, and processing requirements for, sensitive personal information / special categories of personal data in each region are set out in the relevant regional chapters.

Scenarios involving sensitive personal information in this Service:

• The knowledge base content uploaded by users may contain sensitive personal information (such as customer names, contact details, and order information). We recommend that enterprise users assess and de-identify such content themselves before uploading.
• End-visitor lead information (email, WeChat, WhatsApp, phone number) is voluntarily provided by visitors; we merely store it on their behalf and transmit it to the corresponding enterprise user.

Definition of roles (controller and processor): With respect to the knowledge base content uploaded by enterprise users and the personal information contained in end-visitor leads, the enterprise customer is the personal information handler (referred to as the "controller" under the GDPR and similar regimes), and Yio is the entrusted party (referred to as the "processor" under the GDPR and similar regimes). The processing purposes, periods, means, categories of personal information, protective measures, and the respective rights and obligations of the parties are governed by the Data Processing Agreement (DPA) concluded between them (Article 21 of the Personal Information Protection Law of China; Article 28 of the GDPR). With respect to personal information such as account registration information, for which Yio itself determines the purposes and means of processing, Yio is the personal information handler (controller).

Consent for sensitive-information processing and cross-border transfers: For the processing of sensitive personal information (special categories of personal data), and for the transfer of personal data outside your country or region, we will obtain the consent required by applicable law—separate from general consent and not pre-ticked by default—or rely on another lawful basis for processing provided under applicable law, and discharge the corresponding disclosure obligations. The specific consent standards and lawful bases applicable in each region are set out in the relevant regional chapters.

1.4 Purposes of Using Personal Information

The personal information we collect will be used for the following purposes:

We will not collect personal information by deceptive or misleading means, and will not use your information for any other purpose not stated in this Policy. If we need to change the purpose of use, we will, in accordance with applicable law, obtain your consent anew or establish a new lawful basis.

1.5 Third-Party Analytics Tools

To understand how the product is accessed and used and to continually improve the Service, we use third-party website/product analytics tools (including but not limited to Google Analytics, provided by Google LLC) on our marketing website (yio.chat) and in the administrative back-office that enterprise users access after signing in. We do not enable any third-party analytics tools on the end-visitor conversation page.

• Information collected: Page visits and interaction events, device and browser information, approximate geolocation inferred from IP (e.g., city level), and the analytics cookies set by the analytics tools (client-side identifiers used to distinguish visit sessions).
• Recipients and cross-border transfers: Some analytics tool providers (e.g., Google LLC, the provider of Google Analytics) are located in the United States, and the relevant analytics data will be sent for processing outside your country or region, which may constitute a cross-border transfer of personal data (see Chapter Eight).
• Lawful basis and your choices: Analytics cookies are non-essential cookies, which we will enable only after obtaining your consent; you may refuse such analytics through the cookie preference settings we provide, through your browser settings, or through the opt-out mechanisms provided by the analytics service providers (such as the Google Analytics Opt-out Browser Add-on). Refusal does not affect your use of the core functionality of the Service.

---

II. Sharing, Transfer, and Public Disclosure of Information

2.1 Basic Principles

We will not sell your personal information to any third party. We may share your information in the following circumstances:

• With your explicit consent, or where another lawful basis under applicable law exists.
• In accordance with laws and regulations, or pursuant to the mandatory requirements of administrative or judicial authorities.
• With authorized partners (entrusted parties/processors), only to the extent necessary to provide the Service to you (see Section 2.2 below).

2.2 List of Third-Party Sharing

The following table lists the recipients to which we provide personal information in order to deliver the Service. All external provision is carried out via encrypted API transmission (TLS 1.2+), and recipients are contractually bound to process the data for the purposes of this Policy, not to use it beyond the agreed scope, and not to use it to train their own models. The "Location" column indicates the country or region where the recipient processes the data, so that you can determine whether a cross-border transfer is involved (cross-border compliance measures are set out in Chapter Eight and the relevant regional chapters).

(1) Large Language Model (LLM) Service Providers

To enable your AI assistant to answer questions, we need to send the necessary conversation content and the relevant retrieved knowledge base snippets to LLM service providers for inference.

(2) Vectorization and Retrieval Service Providers

To build the retrieval capability of the knowledge base, the parsed text content of the knowledge base is sent to a vectorization service provider to generate a vector index.

(3) Object Storage Service Provider

(4) Server Hosting Service Provider

(5) Email Delivery Service Provider

(6) Payment Processing Service Providers

(7) Website and Back-Office Analytics Service Providers

Important commitment: We will not use the knowledge base content you upload or your conversation data to train our own models. Your data is used solely to provide the Service to you.

2.3 On-Premises Deployment

For enterprise customers who choose the on-premises deployment (appliance) option, all data processing takes place entirely within the enterprise's internal network and is not transmitted to any external server. In this scenario, we neither access nor store any of your data, and we do not assume the role of personal information handler (controller).

2.4 User Isolation

The knowledge base, conversation records, and customer data of each enterprise user are stored in complete isolation. No other Yio user can access any of your data.

2.5 Disclosure Required by Law

In the following circumstances, we may share, transfer, or publicly disclose your personal information in accordance with applicable law without obtaining your prior consent:

• Where directly related to national security, public safety, public health, or significant public interest.
• Where directly related to criminal investigation, prosecution, trial, and enforcement of judgments.
• Where necessary to protect the life, health, property, or other significant lawful rights and interests of the information subject or others.
• Where mandatorily required by administrative or judicial authorities pursuant to statutory procedures.
• Other circumstances provided by applicable law.

---

III. Storage and Security of Information

3.1 Storage Locations

• Part of our production environment and object storage is hosted by servers and service providers located outside your country or region; the specific recipients and their countries or regions are set out in Section 2.2 (Chapter Two).
• Because the above deployment and some of the service providers listed in Section 2.2 are located outside your country or region, our processing of personal data may involve cross-border transfers. We adopt the compliance measures required by applicable law in this regard; see Chapter Eight and the relevant regional chapters.

3.2 Storage Methods and Periods

3.3 Security Measures

We have taken the following reasonable and feasible security measures to protect your personal information:

• Transmission encryption: All network communications use TLS 1.2+ encryption (HTTPS).
• Storage encryption: Data at rest uses AES-256 or an encryption algorithm of equivalent strength.
• Access control: Role-based access control (RBAC) with the principle of least privilege; all data-access operations are logged and auditable.
• Password security: User passwords are stored using the bcrypt one-way hashing algorithm; we cannot read your plaintext password.
• Network security: Servers are deployed in a cloud environment with DDoS protection and intrusion detection and prevention capabilities.
• Internal management: We have established information-security management policies and operating procedures, and provide regular security education and training to personnel.
• Contingency planning: We have established a contingency plan for personal information security incidents and conduct regular drills.

3.4 Handling of Security Incidents

In the unfortunate event of a personal information security incident, we will, in accordance with the requirements of applicable laws and regulations:

1. Promptly activate the contingency plan and take remedial measures.
2. Assess the impact of the incident on individuals' rights and interests.
3. Where the incident may harm your lawful rights and interests, notify you by in-product notice or email of the following:
   • The content and scope of impact of the security incident.
   • The measures we have taken or will take to address it.
   • Recommendations on how you can protect yourself and reduce risk.
   • Our contact details.
4. Report to the competent supervisory authority in accordance with applicable law.

---

IV. Your Rights

In accordance with applicable data protection laws, you have the following rights with respect to your personal information. We will provide convenient channels for you to exercise them and will respond to your request within 15 business days. The applicable rights may differ across regions in terms of scope, conditions for exercise, and avenues of redress; the relevant differences are set out in the regional chapters (in particular, the European Economic Area / United Kingdom Users Chapter).

4.1 List of Rights

Effect of withdrawing consent: Withdrawing consent does not affect the validity of personal information processing activities already carried out on the basis of consent prior to the withdrawal. Withdrawing consent may render you unable to continue using specific features that require such consent.

4.2 Account Closure

You may request to close your account at any time. Upon closure:

• We will permanently delete your personal information immediately; once deleted, it cannot be recovered, except as otherwise required by laws and regulations.
• The knowledge base materials, assistant configurations, conversation records, lead records, and the like that you uploaded will be permanently deleted and cannot be recovered.
• Before closure, please retain any data you need yourself. Conversation records and lead information can be exported as CSV in the product back-office; please retain the original knowledge base documents from your local copy before closure (the system does not provide knowledge base file export).

In-product self-service closure requires verification of your current sign-in password as a prerequisite security step. If you are unable to complete self-service closure within the product, you may submit a closure and deletion request via privacy [at] yio.chat, and we will delete the relevant account and data after verifying your identity.

4.3 Response Time

• General requests: responded to within 15 business days.
• If we need to extend the response time, we will explain the reasons and inform you of the expected completion time.
• If we decline your request, we will explain the reasons and the basis for doing so.

4.4 Identity Verification

To protect the security of your personal information, we may need to verify your identity before processing your request. We will adopt appropriate controls to avoid causing additional disclosure of personal information during the identity-verification process. For accounts that request closure or deletion through the email channel described in Section 4.2, we may require your cooperation in providing the necessary verification information to confirm that you are the account holder before proceeding.

4.5 Costs of Exercising Rights

You will generally incur no cost in exercising the above rights. To the extent permitted by applicable law, for requests that are manifestly unfounded or excessive (in particular, repetitive requests), we may charge a reasonable fee or decline to act on the request, explaining our reasons to you.

---

V. Automated Decision-Making and AI Service Notes

5.1 Automated Decision-Making

Our AI assistant is used to automatically analyze end-visitors' questions and generate question-and-answer replies based on the knowledge base content uploaded by enterprise users. This question-and-answer service generally does not constitute a decision that is based solely on automated processing and that significantly affects individuals' rights and interests (Article 24 of the Personal Information Protection Law of China; Article 22 of the GDPR).

If an enterprise user uses the AI assistant for automated decision-making scenarios that significantly affect individuals' rights and interests, the corresponding compliance obligations are borne by that enterprise user. To the extent provided by applicable law, you have the right to request that we explain the means and logic of automated decision-making, and the right to refuse a decision made solely through automated decision-making that significantly affects your rights and interests (which may be exercised via privacy [at] yio.chat).

5.2 Labeling of AI-Generated Content

To safeguard users' right to be informed and to ensure transparency, we conspicuously label each AI-generated reply in the AI assistant's conversation interface as "AI-generated" in textual form (explicit labeling). This explicit labeling applies uniformly to all users and is our general practice for upholding AI transparency.

For the Service provided in Mainland China, we are additionally required by local law to implement implicit (metadata) labeling and to discharge the corresponding filing/registration obligations; the relevant requirements are set out in the Mainland China Users Chapter.

---

VI. Protection of Children and Minors

Yio is primarily oriented toward enterprise and commercial users and is not designed for children. If you do not have full civil capacity, you should use the Service with the consent and under the guidance of your legal guardian.

We do not actively collect children's personal information. If we discover that we have collected a child's personal information without first obtaining valid guardian consent, we will seek to delete the relevant data as soon as possible. The applicable age threshold for "children" varies by region (for example, under 14 in Mainland China; generally 16 in the European Economic Area, which member states may lower to no less than 13); see the relevant regional chapters for details.

---

VII. Cookies and Local Storage

We use cookies and local storage that are strictly necessary to maintain basic functionality (language preference, visitor identification, and sign-in sessions); in addition, we use the analytics cookies of third-party analytics tools (such as Google Analytics) on the marketing website and administrative back-office (see Section 1.5). We do not use advertising cookies and do not deploy any third-party analytics or tracking cookies on the end-visitor conversation page.

You can clear local storage and cookie data through your browser settings. After clearing, the use of certain features may be affected (e.g., the language preference will need to be reselected, conversational context may be lost, and you will need to sign in to the administrative back-office again).

---

VIII. Cross-Border Data Transfers

8.1 Current Cross-Border Status

Because some of our infrastructure and service providers are located outside your country or region, our processing of personal data may involve cross-border transfers, specifically including:

• Production environment hosted in Hong Kong (China): hosting the storage and processing of the application and database.
• Object storage using Cloudflare R2 in the United States: storing encrypted original knowledge base files, company logos, and AI assistant avatars.
• Email delivery using Postmark in the United States: transmitting email addresses and verification codes.
• Overseas customers' card payments using Stripe in the United States: transmitting the information necessary for the order and payment.
• Website and back-office access analytics using analytics tools located in the United States (such as Google Analytics, provided by Google LLC): transmitting access and usage data of the marketing website and administrative back-office (excluding the end-visitor conversation page).

8.2 Cross-Border Compliance Measures (General)

For the above cross-border transfers, we will, in accordance with applicable law, adopt corresponding protective measures, which may include: informing you, in respect of the cross-border transfer, of the recipient's name and contact details, the categories, purposes, and means of the personal information, and the means by which you may exercise your rights against the overseas recipient; obtaining your consent where required by applicable law; contractually binding the recipient to perform protective obligations consistent with this Policy; and using transfer mechanisms recognized by applicable law. The specific compliance pathway in each jurisdiction (such as the standard-contract filing/security assessment and personal information protection impact assessment in Mainland China, and the Standard Contractual Clauses and adequacy decisions in the European Economic Area / United Kingdom) is set out in the relevant regional chapters.

8.3 On-Premises Deployment

Customers who choose on-premises deployment are not affected by cross-border transfers, as all data is processed locally.

---

IX. Updates to This Privacy Policy

9.1 Update Mechanism

We may revise this Policy from time to time. The revised Policy will be published on this page, with the "Date of Publication" and "Effective Date" updated.

9.2 Method of Notification

For material changes (such as changes to the purposes of processing, the means of processing, or the categories of personal information processed), we will notify you through one or more of the following methods:

• Sending an in-product notice or pop-up prompt.
• Sending a notice to the email address you provided at registration.
• Conspicuously displaying the updated content on this page.

9.3 Historical Versions

We will make available on this page the historical versions of the Privacy Policy formally published within the most recent 24 months, for your reference.

---

X. Feedback, Complaints, and Dispute Resolution

10.1 Contact Us

If you have any questions, comments, or suggestions about this Policy, or wish to exercise your rights, please contact us through the following:

• Email: privacy [at] yio.chat
• Website: yio.chat

We will respond within 15 business days.

10.2 Complaints

If you believe that our processing of personal information has harmed your lawful rights and interests, you may first contact us, and we will do our best to resolve the matter. You also have the right to lodge a complaint with the data protection supervisory authority of competent jurisdiction in your country or region. The specific supervisory authorities and complaint channels are set out in the relevant regional chapters.

10.3 Dispute Resolution

Any dispute arising from or in connection with this Policy shall first be resolved by the parties through amicable negotiation. The governing law and jurisdiction for privacy disputes are set out in the relevant regional chapters; for the governing law and dispute resolution applicable to the Service as a whole, see the corresponding sections of the Terms of Service. In any event, the protection afforded to you by the mandatory data protection laws of your country or region is unaffected by this Policy.

---

XI. Mainland China Users Chapter

This chapter applies to users using the Service in Mainland China and to personal information processing activities carried out within Mainland China, and is formulated pursuant to the Personal Information Protection Law, the Cybersecurity Law, the Data Security Law, and related provisions of the People's Republic of China. This chapter supplements or refines the body of this Policy; concepts already explained in the body are not repeated here. Where this chapter conflicts with the body, this chapter prevails for Mainland China users.

11.1 Sensitive Personal Information and Separate Consent

Pursuant to Article 28 of the Personal Information Protection Law, sensitive personal information is personal information whose leakage or unlawful use could readily lead to the infringement of a natural person's dignity or harm to their personal or property safety (such as biometric information, religious beliefs, specific identity, medical and health information, financial accounts, whereabouts/trajectory, and the personal information of minors under the age of fourteen).

For the processing of sensitive personal information and for the provision of personal information outside the territory of the People's Republic of China, we will, pursuant to Articles 29 and 39 of the Personal Information Protection Law, obtain your separate consent—distinct from general consent and not pre-ticked by default—and discharge the corresponding disclosure obligations.

11.2 Compliance Pathway for Cross-Border Provision of Personal Information

For the purposes of the Personal Information Protection Law, both Hong Kong (China) and the United States are outside the territory of the People's Republic of China. Our production environment is hosted in Hong Kong (China), and our object storage and email/certain payment/analytics service providers are located in the United States, which constitutes cross-border provision of personal information. For such cross-border provision, we discharge the following obligations pursuant to Articles 38 and 39 of the Personal Information Protection Law:

1. Conduct and complete a personal information protection impact assessment (PIPIA) and retain the records as required.
2. Ensure compliance through one of the following: a security assessment organized by the national cyberspace administration; personal information protection certification by a professional institution; or concluding a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration and filing it with the provincial-level cyberspace administration.
3. Inform you, item by item, of the name and contact details of the overseas recipient, the categories, purposes, and means of the personal information provided abroad, and the means and procedures by which you may exercise your rights against the overseas recipient.
4. Obtain the separate consent described in Section 11.1.

11.3 Personal Information Protection Officer

We have designated a Personal Information Protection Officer responsible for supervising personal information processing activities and the protective measures taken. You may contact this officer at privacy [at] yio.chat.

11.4 Implicit Labeling of AI-Generated Content and Related Filings/Registrations

For the Service provided in Mainland China, in addition to the "AI-generated" explicit labeling described in Section 5.2 of the body, we will, in accordance with the Provisions on the Administration of Deep Synthesis of Internet-Based Information Services, the Measures for the Labeling of AI-Generated and Synthetic Content (effective September 1, 2025), and the accompanying national standard GB 45438-2025, write into the file metadata of AI-generated content the attribute information indicating generated/synthetic content, the service provider's name or code, and the content number (implicit labeling). This labeling obligation is determined by content type (text generation simulating a natural person) and does not depend on whether the Service has "public-opinion attributes or the capacity for social mobilization."

With respect to providing the Service to the public in Mainland China, we will assess our filing/registration obligations under applicable law. If, upon assessment, the Service is found to have public-opinion attributes or the capacity for social mobilization, or is otherwise required by applicable laws and regulations to be filed or registered, we will complete the following applicable filings/registrations before providing the Service to the public and publish the genuine filing numbers on this page. We note that we are an application-layer service provider that builds on third-party large language models which have themselves been duly filed; we do not train foundation models ourselves, so the relevant obligations primarily concern application-level registration (rather than foundation-model filing):

• Generative AI service registration (Interim Measures for the Administration of Generative Artificial Intelligence Services), where applicable—for an application that merely calls duly filed large language models without training or fine-tuning the foundation model, this is generally handled as a registration with the local cyberspace administration (without the need to submit a security assessment report); the underlying large language models we use are duly filed by their providers.
• Algorithmic recommendation service filing / deep synthesis service filing (Provisions on the Administration of Algorithmic Recommendation of Internet-Based Information Services; Provisions on the Administration of Deep Synthesis of Internet-Based Information Services), where applicable—the above registration and these filings are submitted through the same "Internet Information Service Algorithm Filing System."

Our formal provision of the Service to the public in Mainland China is conditioned upon our establishing a domestic operating entity and obtaining the corresponding qualifications (including ICP filing/license); until then, the Service is not formally open to the public within Mainland China.

11.5 Minors Under the Age of 14

We do not actively collect the personal information of minors under the age of 14. If we discover that we have collected the personal information of a minor under the age of 14 without first obtaining the consent of their parent or other guardian, we will seek to delete the relevant data as soon as possible.

11.6 Network Log Retention

Pursuant to Article 21 of the Cybersecurity Law, we retain the relevant network logs for a period of no less than 6 months.

11.7 Complaints and Supervisory Authorities

If you believe that our processing of personal information has harmed your lawful rights and interests, you may complain or report to the following authorities:

• Cyberspace Administration of China (www.cac.gov.cn)
• Your local provincial-level cyberspace administration
• Your local market regulation authority

11.8 Governing Law and Jurisdiction

For privacy disputes arising from this Policy, the laws of the People's Republic of China apply (for the purposes of this Policy, excluding the laws of the Hong Kong Special Administrative Region, the Macao Special Administrative Region, and the Taiwan region). Where negotiation fails, either party has the right to bring a lawsuit before the people's court of competent jurisdiction in the place where we are located; this provision does not exclude your right, as a consumer, to bring a lawsuit before the people's court of competent jurisdiction in your place of domicile, place of habitual residence, or place of contract performance in accordance with the law. For the governing law and dispute resolution applicable to the Service as a whole, see the corresponding sections of the Terms of Service.

---

XII. European Economic Area and United Kingdom Users Chapter (GDPR / UK GDPR)

This chapter applies to users located in the European Economic Area (EEA) or the United Kingdom, and is formulated pursuant to the General Data Protection Regulation (GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR). This chapter supplements or refines the body of this Policy; concepts already explained in the body are not repeated here. Where this chapter conflicts with the body, this chapter prevails for EEA/UK users. For the purposes of the GDPR/UK GDPR, with respect to personal data for which Yio itself determines the purposes and means of processing, Yio is the controller; with respect to personal data processed on behalf of an enterprise customer, Yio is the processor.

12.1 Lawful Bases for Processing

We process your personal data only where a lawful basis under Article 6 of the GDPR exists, with the specific basis depending on the processing activity:

• Performance of a contract (Article 6(1)(b)): processing necessary to create and maintain your account, to provide the Service to you, and to perform the Terms of Service.
• Consent (Article 6(1)(a)): for non-essential analytics cookies, for sending you marketing communications (where applicable), and for other processing for which the law requires consent; you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Legitimate interests (Article 6(1)(f)): for safeguarding the security of the Service and systems, preventing fraud and abuse, and improving the product, provided that such interests are not overridden by your rights and freedoms; you have the right to object pursuant to Section 12.2.
• Legal obligation (Article 6(1)(c)): processing necessary to comply with the legal obligations applicable to us.

For special categories of personal data (Article 9 of the GDPR, including racial or ethnic origin, political opinions, religious or philosophical beliefs, health, biometric data, sex life or sexual orientation, etc.), we process such data only where we have obtained your explicit consent or where another lawful condition under Article 9 exists.

12.2 Your Rights

To the extent the GDPR/UK GDPR applies, you have the following rights with respect to your personal data: the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, the right to object (including to processing based on legitimate interests or for direct marketing), the right to withdraw consent, and the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you (Article 22). You may exercise the above rights via privacy [at] yio.chat, and we will respond within the applicable statutory period.

12.3 Cross-Border Transfer Mechanisms

When we transfer your personal data to a country or region outside the European Economic Area or the United Kingdom that has not received an adequacy decision (for example, the United States, Hong Kong (China), or Mainland China), we will adopt a transfer mechanism recognized by the GDPR/UK GDPR to provide appropriate safeguards—principally the Standard Contractual Clauses (SCCs) adopted by the European Commission (and the corresponding UK authority), supplemented by additional measures where necessary; where the recipient's country or region has received an adequacy decision, the transfer is made on the basis of that decision. You may request information about the transfer safeguards we have adopted via privacy [at] yio.chat.

12.4 Lodging a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, if you believe that our processing of your personal data infringes the GDPR/UK GDPR, you have the right to lodge a complaint with a supervisory authority, in particular the data protection authority of the EU member state of your habitual residence, place of work, or place of the alleged infringement; if you are located in the United Kingdom, this is the Information Commissioner's Office (ICO). We also welcome you to contact us first so that we can do our best to address your concerns.

12.5 Children's Age

For information society services, the GDPR sets the age of consent for children at 16, which member states may lower in law to no less than 13; in the United Kingdom, this age is 13. We do not provide the Service to children below the applicable age, and we will not knowingly collect their personal data.

12.6 EU/UK Representative

We do not currently have an establishment in the EU or the UK. If applicable law requires us to designate an EU representative or a UK representative (Article 27 of the GDPR/UK GDPR), we will designate one in accordance with the law and publish their contact details in this Policy. In the meantime, for matters relating to this Policy and your personal data, you may contact us via privacy [at] yio.chat.