Personal Data Protection Addendum for Mainland China ("Chinese PIPL Addendum") European Data Protection Addendum ("European Addendum") and the California Consumer Privacy Act Addendum ("CCPA Addendum") supplements any agreement entered into between Mobvista International Technology Limited or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s product or service (or those of a third party) ("Agreement"). Please refer to the below content for all these addendum. For your convenience, you can just click on the above link to refer to the respective addendum.

Personal Data Protection Addendum for Mainland China

This Personal Data Protection Addendum for Mainland China ("Chinese PIPL Addendum") supplements any agreement entered into between Mobvista International Technology Limited or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s product or service (or those of a third party) ("Agreement"). This Chinese PIPL Addendum shall be incorporated into and form part of the Agreement and be deemed to have become effective as of the date both Client and Nativex have executed the Agreement. In case of any conflict between a provision of this Chinese PIPL Addendum and the Agreement, as it relates to Personal Data, the provision of this Chinese PIPL Addendum shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.

1. Definition

1.1 "Affiliates" means with respect to a party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such party.

1.2 "Client" means any business partner that have signed Agreement with Nativex for engaging Nativex to promote its product or service (or those of third party).

1.3 "Data Protection Rules" means any applicable laws, regulatory policy, national standard, industry standard of the mainland areas of the People’s Republic of China (for the sole purpose of this Chinese PIPL Addendum, the Hong Kong S.A.R of People’s Republic of China, Macao S.A.R. of People’s Republic of China, and Taiwan areas of People’s Republic of China is not included) with respect to the processing of Personal Data which Nativex or Client is subject to, including but not limited to any law or regulation, regulatory policy, national standard, industry standard, any applicable policy of any platform that is engaged in providing digital marketing service for Nativex and Client pursuant to the Agreement that is similar, equivalent to, successors to, or that are intended to or implement the laws or regulations.

1.4 "Individual" means a natural person to whom Personal Data relates.

1.5 "Nativex Privacy Policy" means the privacy policy available at Nativex’s official website at https://www.nativex.com/en/privacy which may be updated from time to time.

1.6 "Personal Data" means information relating to an identified or identifiable Individual, and as defined in the Chinese Personal Data Protection Law.

1.7 "process" or "processing" means any operation or set of operations which is or are performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

1.8 "Services" means the services provided by Nativex to Client in accordance with the Agreement, including activities that are required, usual, or appropriate in performing such services, including to (a) carry out such services or the business of which the services are a part, (b) maintain records relating to the services, or (c) comply with any legal or self-regulatory obligations relating to the services.

1.9 "User" means a Data Subject who is an end-user accessing a mobile application/website and accessing ads served by Nativex or its business partners (e.g. publishers).

2. Application

2.1 This Chinese PIPL Addendum shall apply only to the extent that the Data Protection Rules apply to the processing of any Personal Data under or in connection with the Agreement.

2.2 Each party confirms that it has complied, and will continue to comply, with its obligations relating to the processing of Personal Data that apply to it under the Data Protection Rules.

3. Obligation of the Parties

3.1 Client acknowledges and confirms that Nativex may receive User’s Personal Data from Client or any third party designated by Client (or may collect User’s Personal Data under the authorization of Client) (hereinafter referred to as "Client Personal Data"). Client confirms and agrees that Nativex is authorized to process the Personal Data for the following purposes:(i) ads attribution and making settlement, detecting fraud and resolving dispute related to the Agreement (the "Major Activities") and (ii) profiling Users, tracking Users and serving Users with interest-based ads or personalized ads for any ad campaigns through Nativex Platform (the "Additional Activities").

3.2 Client guarantees that, regarding Nativex's processing of Client Personal Data, it has provided Users with appropriate notices and obtained their valid consents in accordance with Data Protection Rules, and that the ways, methods and procedures for obtaining consent will not violate Data Protection Rules, to the extent necessary for Nativex to process Client Personal Data or other information related to the Agreement in accordance with Nativex Privacy Policy and this Chinese PIPL Addendum, including but not limited to Nativex’s or Nativex Affiliates’ processing of Personal Data for Major Activities as well as Additional Activities.

3.3 At the request of Nativex, Client shall provide Nativex with records of all Users’ consents. Client shall notify Nativex in writing within 24 hours after receiving User’s notice of rejection or withdrawal of consent for any data processing.

3.4 Client guarantees that its privacy policy shall comply with Data Protection Rules as well as this Chinese PIPL Addendum, including but not limited to:
(1)Client warrants that it shall prominently announce and display its privacy policy in its Products in accordance with this Chinese PIPL Addendum. The privacy policy shall be independently written and clearly reminding. After the User enters the main function interface, he or she can access to the privacy policy within no more than 4 time’s click or swipe.
(2)Client ensures that when the Product runs for the first time, the User will be notified to read its privacy policy by pop-up window and other obvious ways. After the User confirms and agrees to the privacy policy, Nativex is authorized by Client to process Personal Data.
(3)The User should be given the choice to choose actively whether to agree Client’s privacy policy, and the User’s authorization should not be obtained by default or deceived.
(4)The content that Client should clearly inform the user through its privacy policy and other documents includes but is not limited to: (a) the type of Personal Data processed by Client, the purpose, the processing method, the retention period, etc.; (b) Client has chosen Nativex as its partner, the Client has used Nativex's Services, and Nativex related information, including without limitation, Nativex's company name and contact information, the types, processing purposes, and processing methods of Personal Data processed by Nativex/Nativex’s Affiliates and its traffic providers, and any other information that shall be notified to Client according to Data Protection Rules; (c) Specifically, Nativex or Nativex’s Affiliates may process the Personal Data for purpose of providing personalized information or commercial marketing information though automated decision-making, and the right that Users legally enjoyed to opt out such personalized marketing; (d) that Nativex will process Personal Data in accordance with Nativex Privacy Policy for personal information, and User shall be notified of the link to Nativex Privacy Policy, and User can access the Nativex Privacy Policy by clicking on the link; (e) any other information that needs to be included to meet the Data Protection Rules.

3.5 Client is obliged to provide Users with convenient ways to ensure that Users can refuse personalized information push and commercial marketing provided to them through automated decision-making methods, or should provide Users with options that are not specific to their personal characteristics. If Client refuses the personalized recommendation, Client must inform Nativex in an appropriate way, and Nativex will cooperate with the relevant requirements of the User.

3.6 If Client’s Product is targeted at a child user as defined by applicable laws related to protection of Personal Data of Children in mainland China, Nativex will not provide Services to the Product, and Client shall not transfer the Personal Data of such children to Nativex unless Client has complied with and fulfilled all of the following requirements:
(1)Client has obtain prior written consent of Nativex;
(2)Client guarantees to comply with all relevant laws and regulations on the protection of minors and children's Personal Data. If Client's Products may provide Services to children under the age of 14 and may be transferred to Nativex, Client warrants to take relevant measures and ensure that it has obtained the valid and clear consent of the child’s parent or other authorized guardians (including the way, method and procedure of consent shall be legal), and make reasonable efforts to confirm that such consent is authorized by parents or other authorized guardians, so as to ensure that Client and Nativex/Nativex’s Affiliates can process the Personal Data of child Users in accordance with this Chinese PIPL Addendum and Nativex Privacy Policy;
(3)Client has complied with any other requirements as directed by Nativex.

3.7 Client shall provide Users with easy-to-operate mechanisms to access, correct, delete their Personal Data, revoke or change their authorization and consent, and cancel their personal accounts, etc., to ensure that Users can realize their personal data rights in accordance with Data Protection Rules.

3.8 Client guarantees that the relevant Personal Data and data provided to Nativex (or allowed to be collected by Nativex) does not exceed the legally necessary storage period which is necessary for Client to process such Personal Data and data, nor does it exceed the legally necessary storage period which is necessary for providing related services based on such Personal Data and data. The processing of such Personal Data and data due to the cooperation between Client and Nativex has not exceeded the above-mentioned period.

3.9 Client guarantees that it will not steal or obtain Personal Data in other illegal ways, or illegally sell or illegally provide Personal Data to any third party (including Nativex). Client will not disclose, tamper with, or destroy Personal Data it collected.

3.10 When Nativex discloses or makes available Personal Data "Nativex Personal Data") to Client (or third party designated by Client) to the extent necessary for the purpose of providing digital marketing service, Client warrants that Client shall process the Personal Data solely for purpose of ads attribution and settlement pursuant to the Agreement.Without written consent of Nativex, Client is not entitled to disclose or make available Nativex Personal Data to any third party. For any international transfer of personal data, Client warrants that it shall comply with any applicable law and take any measure to ensure that the international transfer is in compliance with any applicable law.

3.11 Client shall not cause Nativex to violate any Data Protection Rule when processing Personal Data in accordance with this Chinese PIPL Addendum and Nativex Privacy Policy due to its acts or omissions, or cause Nativex to process Personal Data beyond the scope of User's authorization and consent in accordance with this Chinese PIPL Addendum and Nativex Privacy Policy.

4. Personal Data of Client’s Employees

Client warrants that it has provided adequate notices to, and obtained valid consents from, its employees, in each case, to the extent necessary for Nativex and/or its, Affiliates to send direct marketing by email to Client’s employees in relation to the products and services of Nativex and/or its Affiliates, in accordance with the Nativex Privacy Policy https://www.nativex.com/en/privacy. Client will provide on request records of all consents obtained from its employees to Nativex and shall notify Nativex in writing within 24 hours of Client receiving employee’s objection to or withdrawal of consent.

5. Duration

This Chinese PIPL Addendum will remain in effect until the expiry or termination of the Agreement.

6. Miscellaneous

6.1 Nativex may amend this Chinese PIPL Addendum from time to time by notifying and posting an amended version at its website. Such amendment will be deemed accepted and become effective when Client continues to use Nativex’s Services, unless Client first gives Nativex written notice of rejection of the amendment.

6.2 Invalidation of one or more of the provisions under this Chinese PIPL Addendum will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

6.3 Client acknowledges that Nativex and/or its Affiliates may disclose this Chinese PIPL Addendum and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the Data Protection Laws or any other applicable law. Such disclosure will not constitute a breach of Nativex’s confidentiality obligation under the Agreement.

European Data Protection Addendum

This European Data Protection Addendum ("European Addendum") supplements any agreement entered into between Mobvista International Technology Limited or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s product or service (or those of a third party) ("Agreement"). This European Addendum shall be incorporated into and form part of the Agreement and be deemed to have become effective as of the date both Client and Nativex have executed the Agreement. In case of any conflict between a provision of this European Addendum and the Agreement, as it relates to Personal Data, the provision of this European Addendum shall prevail. In case of any conflict between the provisions of the Standard Contractual Clauses and the provisions of the Agreement and/or this European Addendum, the provisions of the Standard Contractual Clauses shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.

1. Definition

1.1 "Affiliates" means with respect to a party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such Party.

1.2 "Controller" means the entity which determines the purposes and means of the processing of Personal Data.

1.3 "Client" means any business partner that have signed Agreement with Nativex for engaging Nativex to promote its product or service (or those of third party).

1.4 "Data Protection Laws" means any applicable UK, European Union or Member State laws with respect to the processing of Personal Data which Nativex or Client is subject to, including but not limited to the EU General Data Protection Regulation ("EU GDPR") as implemented by countries within the European Economic Area ("EEA"), the EU e-Privacy Directive 2002/58/EC as implemented by countries within the EEA, the UK Data Protection Act 2018, the UK Privacy and Electronic Communications (EC Directive) Regulations 2003, the EU GDPR as retained as UK law by the European Union (Withdrawal) Act 2018 ("UK GDPR"), and and/or other laws or regulations that are similar, equivalent to, successors to, or that are intended to or implement the laws or regulations.

1.5 "Individual" means a natural person to whom Personal Data relates, also referred to as "Data Subject" pursuant to Data Protection Laws.

1.6 "Nativex Privacy Policy" means the privacy policy available at Nativex’s official website at https://www.nativex.com/en/privacy/ which may be updated from time to time.

1.7 "Personal Data" means information relating to an identified or identifiable Individual, and as defined in Data Protection Laws.

1.8 "process" or "processing" means any operation or set of operations which is or are performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

1.9 "Processor" means the entity which processes Personal Data on behalf of the Controller.

1.10 "Services" means the services provided by Nativex to Client in accordance with the Agreement, including activities that are required, usual, or appropriate in performing such services, including to (a) carry out such services or the business of which the services are a part, (b) maintain records relating to the services, or (c) comply with any legal or self-regulatory obligations relating to the services. 

1.11 "Standard Contractual Clauses" means the standard contractual clauses for international transfers pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en ), in each case as may be amended or replaced from time to time;

1.12 "Subprocessor" means any entity engaged by the Processor to process Personal Data in connection with the Services.

1.13 "User" means a Data Subject who is an end-user accessing a mobile application/website and accessing ads served by Nativex or its business partners (e.g. publishers).

2.Application

2.1 This European Addendum shall apply only to the extent that the Data Protection Laws apply to the processing of any Personal Data under or in connection with the Agreement.

2.2 Each party confirms that it has complied, and will continue to comply, with its obligations relating to the processing of Personal Data that apply to it under the Data Protection Laws.

3.Role of the Parties

3.1 To the extent Nativex is processing Personal Data for the purpose of providing Services to Client pursuant to the Agreement, the parties acknowledge that Client is processing such Personal Data as a Controller and Nativex is processing such Personal Data as a Processor. For the avoidance of doubt such processing by Nativex shall include ads attribution, monitoring traffic, making settlement with Client as well as with other publisher partners engaged in delivering ads of Client during Nativex’s performance of the Agreement, anti-fraud related activities, and handling legal claims related to the Agreement and this European Addendum. In these circumstances, section 4 of this European Addendum shall apply.

3.2 The parties acknowledge that for all other processing of Personal Data, Nativex shall be a Controller. For the avoidance of doubt such processing by Nativex may include building profiles of Users, tracking Users and serving Users with online behavioral ads for ad campaigns through Nativex and/or any of its Affiliates.

4.Nativex acting as Processor

4.1The subject matter and duration of Processing, nature and purpose of Processing, the types of Personal Data processed and the categories of Data Subjects whose Personal Data will be processed are set forth in Appendix A to this European Addendum.

4.2 As a Processor, Nativex shall:

(a)process the Personal Data only on documented and written instructions of the Client (including to the extent necessary to provide the Services and to comply with its obligations under the Agreement), unless Nativex is otherwise required to process the Personal Data under applicable laws to which it is subject. In such a case, Nativex shall promptly notify the Client of those applicable legal requirements unless such applicable law prohibits such information on important grounds of public interest;

(b)ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c)implement appropriate technical and organizational security measures in relation to the Personal Data and shall, taking into account the nature of Nativex’s processing of Personal Data and the information available to Nativex, without undue delay notify Client of personal data breaches in relation to the Personal Data that it becomes aware of and at Client’s cost and request, provide reasonable assistance to Client in relation to such personal data breaches;

(d) taking into account the nature of Nativex’s processing activities and at Client’s cost and request, reasonably assist Client in connection with communications from, or requests made by Data Subjects, as they relate to Personal Data processed in connection with the Agreement;

(e) taking into account the nature of Nativex’s processing of Personal Data and of the information available to Nativex and at Client’s cost and request, provide reasonable assistance to Client with undertaking an assessment of the impact of processing Personal Data, and with any consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data Protection Laws; (f) at the choice and request of the Client and where technically feasible, Nativex shall , as a processor, delete or return all the Personal Data to Client at the expiry or termination of the Agreement, unless UK, EU or Member State law requires storage of the Personal Data beyond such term;

(g) make available to Client at Client’s cost, all information necessary to demonstrate compliance with the obligations laid down in this Section 4.2 and and with prior written notice of thirty (30) business days allow for and audits, including inspections, conducted by auditor mandated by Client and Nativex or under the Data Protection Laws: (i) once every twelve (12) months; (ii) where a supervisory authority requires this under Data Protection Laws; or (iii) following a personal data breach in relation to the Personal Data; provided that Nativex shall notify Client in writing if it believes in good faith that the exercise of rights under this section 4.2(g) would infringe Data Protection laws. Such audits shall not be duplicative of any additional audit right provided in the Agreement. If the audit is to be performed by a third party, such third party shall execute a confidentiality and non-disclosure agreement as presented by and for the benefit of the parties. Upon completion of the audit, Client shall promptly provide Nativex with a summary of the findings from each report prepared in connection with any such audit;

(h) be generally authorised to engage a Subprocessor to process Personal Data, subject to Nativex entering into a written agreement with each Subprocessor which includes equivalent data protection obligations as contained in this section 4.3. Nativex shall make available to Client the current list of Subprocessors on request provided that Client keeps such information confidential in accordance with the confidentiality provisions in the Agreement, and Nativex shall provide notification of a new Subprocessor before authorizing any new Subprocessor to process Personal Data of Client. Client may object to Nativex’s use of a new Subprocessor by notifying Nativex promptly in writing within ten (10) business days after receipt of Nativex’s notice. In the event Client objects to a new Subprocessor, Nativex will use reasonable efforts to avoid the processing of Personal Data by the objected-to new Subprocessor. If Nativex is unable to accommodate the objection within a reasonable period of time, Client may terminate the Agreement;

(i) be permitted to share Personal Data with its publishers for purpose of ads attribution, making settlement, detecting fraud, resolving disputes related to ad campaigns under the Agreement; and

(j) shall only transfer Personal Data outside of the EEA/UK in accordance with Data Protection Laws and Section 6 below.

5.Obligations of the Client

5.1Client expressly warrants that:

(a)adequate notices have been provided to Users, and valid consents have been obtained from Users, in each case, to the extent necessary for Nativex to process the Personal Data whether on the instructions of Client as a Processor or, as a Controller for purposes as described in the Nativex Privacy Policy which shall include (without limitation) purposes such as building profiles of Users, tracking Users and serving Users with online behavioral ads for ad campaigns through Nativex and/or any of its Affiliates. For these purposes Client shall use the IAB Consent Transparency Framework. To further clarify, an acceptance of Client’s terms and conditions by Users does not constitute valid consent under the Data Protection Laws. Instead, Client must display a valid consent prompt (e.g. a “Cookie Banner”) to Users, and only start collecting Personal Data after Users have voluntarily agreed, without limiting Users’ access to all app functionalities if no consent is given.

(b) it will on request provide to Nativex records of all consents obtained;

(c) it shall notify Nativex in writing within 24 hours upon receiving User’s objection to the processing of Personal Data or the withdrawal of User’s consent to the processing of Personal Data ;

(d) it will not by act or omission, cause Nativex to violate any Data Protection Laws, notices provided to (including, as applicable the Nativex Privacy Policy), or consents obtained from, Users as result of processing the Personal Data;

(e) where Nativex is processing Personal Data as a Processor, any processing instructions the Client issues to Nativex, shall be compliant with Data Protection Laws;

(f) it has the right to transfer and/or disclose the Personal Data to Nativex for processing; and

(g) it will not (nor permit or enable any third party) to disclose any special categories of personal data (as defined under Data Protection Laws) to Nativex.

6.International Transfer

6.1 Where Personal Data are transferred by Client in the EEA/UK (the “Data Exporter”) to Nativex, its Affiliates or Subprocessors (collectively, the “Data Importer”) outside of the EEA/UK, the Standard Contractual Clauses shall apply and will be incorporated into this European Addendum by this reference. For the avoidance of doubt, MODULE TWO shall apply while section 3.1 of this European Addendum applies and MODULE ONE shall apply while section 3.2 of this European Addendum applies. The Standard Contractual Clauses apply as follows:

(a) When MODULE TWO applies: both parties agree to choose OPTION 2: GENERAL WRITTEN AUTHORISATION of Clause 9. Specifically, Data Exporter generally agrees that Data Importer is entitled to engage its cloud servers and its traffic providers as its sub-processors;

(b) Both parties agree to choose OPTION 1 of Clause 17 as the following:
[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Netherlands.]

(c) As for Clause 18 (b), both parties agree that the Dutch courts shall be choice of forum.

(d) The APPENDIX is attached as Appendix of this European Addendum.

6.2 If the Standard Contractual Clauses, which are incorporated herein, are at any time no longer deemed to provide adequate protection for Personal Data transferred, or if the implementation of an updated set of Standard Contractual Clauses are issued by the European Commission or a new transfer mechanism is required by any Data Protection Laws, each party agrees to enter into such Standard Contractual Clauses as are amended or replaced and take all further steps as reasonably requested by the other party to comply with any legal and/or regulatory requirements under any Data Protection Laws regarding international transfers of Personal Data.

7.Duration of the European Addendum

This European Addendum will remain in effect until the expiry or termination of the Agreement.

8.Miscellaneous.

Nativex may amend this European Addendum from time to time by posting an amended version at its website and sending Client written notice thereof. Such amendment will be deemed accepted and become effective 10 days after such notice unless Client first gives Nativex written notice of rejection of the amendment.

Invalidation of one or more of the provisions under this European Addendum will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

Client acknowledges that Nativex and/or its Affiliates may disclose this European Addendum and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the Data Protection Laws or any other applicable law. Such disclosure will not constitute a breach of Nativex’s confidentiality obligation under the Agreement.

Appendix

ANNEX I

A.LIST OF PARTIES

Data exporter: Client
Address: As specified in the Agreement
Contact person’s name, position and contact details: As specified in the Agreement
Activities relevant to the data transferred under these Clauses: As specified in section 3 of the European Addendum
Role (controller/processor): controller

Data importer: Nativex
Address: As specified in the Agreement
Contact person’s name, position and contact details: As specified in the Agreement
Activities relevant to the data transferred under these Clauses: As specified in section 3 of the European Addendum
Role (controller/processor): controller/processor

B.DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:Users

Categories of personal data transferred:
(a)Mobile Identifiers: GAID, IDFA;
(b)Other device data: UUID, android id, mobile mac address, country code, device operation system (“OS”, i.e. Android or iOS), OS platform, OS version, device model, IP address, user agent (UA), device brand, package name of the publisher;
(c)Users' interaction with the Nativex’s ads: an indication that an User installs the Client’s app following a click on or a view of an ad served by Nativex; information about actions an User performs within Client’s app following such an install, such as in-app purchases, and the number of times the User opens the app; and other information that Client decides to share with Nativex.

Sensitive data transferred: No sensitive data will be transferred

The frequency of the transfer(e.g. whether the data is transferred on a one-off or continuous basis):continuous during the whole term of the Agreement.

Nature of the processing:Personal Data will be subject to automated and manual processing operations by Nativex, including collection, use, analysis, transfer, storage and erasure.

Purpose(s) of the data transfer and further processing:while Data Importer is acting as a data processor, to provide the Services as set out in the Agreement; while Data Importer is acting as a data controller, for building profiles of Users, tracking Users and serving Users with online behavioral ads for ad campaigns through Nativex and/or any of its Affiliates.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:while Data Importer is acting as a data processor, in accordance with section 4 of the European Addendum; while Data Importer is acting as a data controller, in accordance with Nativex Privacy Policy.

C.COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: the competent supervisory authority/ies are as provided in Clause 13 of the Clauses.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Nativex has implemented physical, technical and administrative security measures for the Services that comply with applicable laws and industry standards. For example, Nativex uses firewalls, encryption technology and other automated software designed to protect against fraud and identity theft; Nativex’s data is only stored in centers that provide high-level security for Users’ information. Physical access is strictly controlled both at the perimeter and at building ingress points by our staff utilizing video surveillance and other electronic means.

Nativex also protects User’s privacy by seeking to minimize the amount of sensitive data that it stores on its servers. Nativex also seeks appropriate contractual protection from its partners regarding their treatment of User data.

Nativex also has completed the ISO27001 audit and has received the SOC2 Type1 audit report which provides detailed information and assurances about its security, availability, processing integrity, confidentiality and privacy controls, based on its compliance with the Trust Services Criteria (“TSC”) of the American Institute of Certified Public Accountants (AICPA).

CCPA Addendum

This California Consumer Privacy Act Addendum (the "CCPA Addendum") supplements any agreement entered into between Mobvista International Technology Limited and/or its Affiliates ("Nativex") and Client under which Nativex provides the Services (as defined below) to Client for promoting Client’s products and service (or those of a third party) ("Agreement"). This CCPA Addendum shall be incorporated into and form part of the Agreement and be deemed to have become effective as of the date both Client and Nativex have executed the Agreement. In case of any conflict between a provision of this CCPA Addendum and the Agreement, as it relates to Personal Information, the provision of this CCPA Addendum shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or CCPA (as defined below).

1. Definitions

1.1. "Affiliates" means with respect to a party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such Party.

1.2 "CCPA" means the California Consumer Privacy Act of 2018(as amended by the California Privacy Rights Act effective on January 1, 2023, and any others), and its regulations as amended, and/or other laws that are successors to, or that are intended to implement them.

1.3 "Client" means any business partner that has signed Agreement with Nativex for engaging Nativex to promote its products or service (or those of third party).

1.4 "Individual" means a natural person to whom Personal Information relates, also referred to as "Consumer" pursuant to CCPA.

1.5. "Nativex Privacy Policy" means the privacy policy available at Nativex’s official website https://www.nativex.com/en/privacy/ or at any other or additional location, as may be updated from time to time.

1.6 "Service" means the services provided by Nativex to Client in accordance with the Agreement, including activities that are required, usual, or appropriate in performing the Services, including to (a) carry out the Services or the business of which the Services are a part, (b) maintain records relating to the Services, or (c) comply with any legal or self-regulatory obligation relating to the Services. 

1.7 "User" means a Data Subject who is an end-user accessing a mobile application/website and accessing ads served by Nativex or its business partners (e.g. publishers).

1.8 The terms, "Business", "Business Purpose" "Consumer", "Personal Information", "processing", "process" "Sale", and "Service Provider" shall have the same meanings as in the CCPA, and their cognate terms shall be construed accordingly.

2. Nativex Activities.

Both Parties acknowledge and agree that the Client (or any third party designated by Client) may transfer any Personal Information of Users to Nativex ("Client Personal Information") for purpose of

(i) ads attribution and making settlement, detecting fraud and resolving dispute related to the Agreement (the "Major Activities") and

(ii) profiling Users, tracking Users and serving Users with interest-based ads or personalized ads for any ad campaign through Nativex and any of its Affiliates (the "Additional Activities").

3. Nativex Obligations.

3.1 As a Service Provider

To the extent that Nativex processes any Client Personal Information for a Business Purpose under the Agreement,

(i)Nativex is a Service Provider and shall process the Client Personal Information solely to provide its Services under the Agreement.

(ii)Nativex shall not retain, use, disclose or otherwise process the Client Personal Information for any purpose other than for performing the Services unless as otherwise permitted by the CCPA. Nativex shall return or delete all Client Personal Information at the conclusion of performance of the Services, or sooner if directed by Client unless Nativex is processing Client Personal Information as a Business under Section 3.2 of this CCPA Addendum. Nativex shall follow all Client instructions regarding the return or destruction of Client Personal Information. 

(iii)Nativex shall not Sell any of the Client Personal Information. 

(iv)Nativex shall assist Client in fulfilling its obligations under the CCPA to respond to individual requests related to Client Personal Information about them, including by promptly fulfilling requests to access or delete relevant Client Personal Information in Nativex’s possession. If Nativex receives a request to know or a request to delete from an User regarding Personal Information that the Nativex collects or maintains on behalf of Client, and does not comply with the request, it shall explain the basis for the denial. Nativex shall also inform the User that it should submit the request directly to Client and, when feasible, provide the User with contact information for Client.

(v)Nativex shall enter into written agreements with each third party subcontractor that processes the Client Personal Information that obligate the subcontractor to comply with terms that are at least as restrictive as those imposed on Nativex under this CCPA Addendum and the Agreement, including the prohibition on the Sale of the Client Personal Information. 

3.2 As a Business

To the extent that Nativex determines the purposes and means of the processing of the Client Personal Information with respect to the Additional Activities,

(i)Nativex is a Business subject to the satisfaction of other conditions in the definition of Business under the CCPA.

(ii) Nativex shall comply with personal information security and other obligations prescribed by CCPA for a Business.

(iii)Nativex shall ensure that Nativex Privacy Policy is consistent with current business practices and ensure that Nativex Privacy Policy complies with the CCPA.

(iv)Nativex shall only process Personal Information that have been lawfully and validly collected and ensures that such Personal Information is relevant and proportionate to the respective uses.

(v)Nativex shall establish a procedure for the exercise of the rights of the Individuals whose Personal Information are collected.

(vi)Nativex agrees and acknowledges that Individuals who are California residents have certain enhanced rights regarding the use of their Personal Information, including (a) the right to request to whom a company has sold or disclosed their Personal Information; (b) the right to request the Personal Information that a company stores regarding such Individuals; (c) the right to request the company delete such Individual’s Personal Information; and (d) the right to opt out of the Sale of Personal Information, and other rights.

(vii)If Nativex ever Sells Personal Information to third parties, it shall provide a clear and conspicuous link on the Business’ Internet homepage, titled "Do Not Sell My Personal Information," to an Internet Web page that enables an Individual, or a person authorized by such Individual, to opt out of the Sale of the Individual’s Personal Information.

4. Client Obligations.

 Regarding any Client Personal Information, Client represents and warrants :

(i) that adequate notices have been provided to Users, and valid consents have been obtained from Users (the "User’s Consent"), in each case and in compliance with CCPA, to the extent necessary for Nativex to process the Client Personal Information in connection with the Agreement, this CCPA Addendum and as described in the Nativex Privacy Policy including, without limitation for the performance of the Major Activities and the Additional Activities, and international transfers of Client Personal Information to and from Nativex;

(ii) Client shall not by act or omission, cause Nativex to violate the Nativex Privacy Policy, any applicable data protection law including CCPA, notices provided to, or consents obtained from, Users as result of Nativex’s Major Activities and Additional Activities;

(iii) Client shall, upon Nativex’s request, provide records of all the User’s Consent to Nativex; and (iv) Client shall notify Nativex in writing within 24 hours upon receiving any User’s objection to or withdrawal of any User’s Consent for Nativex to process their Personal Information or other information for the Major Activities and the Additional Activities pursuant to Section 2 of this CCPA Addendum.

5. Duration of Addendum

Notwithstanding the expiration of the Term of the Agreement, this CCPA Addendum will remain in effect until, and automatically expire upon, Nativex’s deletion or return to Client all the Client Personal Information.

6. Limitation of Access

Each party will limit access to Personal Information to those personnel who require such access only as necessary to fulfill such party’s obligation under the Agreement.

7. Information Security.

Each party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security, confidentiality and integrity of the Personal Information, in accordance with any applicable data protection law including CCPA, and official guidelines as provided by the competent authorities and good industry practice. Each party undertakes to regularly monitor compliance with these safeguards and will not materially decrease the overall security controls during the term of the Agreement.

8. Miscellaneous.

8.1 Nativex may amend this CCPA Addendum from time to time by posting an amended version at its website and sending Client written notice thereof. Such amendment will be deemed accepted and become effective 10 days after such notice unless Client first gives Nativex written notice of rejection of the amendment.

8.2 Invalidation of one or more of the provisions under this CCPA Addendum will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

8.3 Client acknowledges that Nativex and/or its Affiliates may disclose this Addendum and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law. Such disclosure will not constitute a breach of Nativex’s confidentiality obligation under the Agreement.