Privacy Policy

According to the EU General Data Protection Regulations (“GDPR”), EPEC E-Commerce Co., Ltd. (“EPEC” or “We”) recognize the importance of personal data or data as well as the importance of maintaining the confidentiality of personal data.

EPEC Privacy Policy (“this Policy”) applies to our collection, processing, storage, transmission, analysis, use, and disclosure of individual’s personal data on the EPEC international business platform (https://global.epec.com/portal/) (“Platform”). This Policy also applies to the use of our services and products via mobile devices or mobile applications. It should be noted that if you provide your personal data to any third party when using its products and/or services, your information shall be subject to the privacy statement or similar policies of such third party, and we will not undertake any legal liability for any third party’s improper use or disclosure of such information.

Generally, the personal data of the data subject should not be uploaded by persons other than the data subject. However, if you need to provide us with other persons' personal data under certain scenarios, you shall ensure that you have explained the purpose, method and scope of the collected data to the individual according to this Policy, and obtained her authorization so that we can collect, store, use, share, transfer and publicly disclose the data according to this Policy. Meanwhile, you have also informed her that she has the right to access, correct and delete her personal data.

After you have clicked or ticked the “Agree” button to give your consent before using the Platform, it is deemed that this Policy has been agreed and become effective between you and EPEC, and you have agreed EPEC’s collection, storage, transmission, analysis, and processing of your personal data in accordance with this Policy. EPEC shall have the right to claim liabilities against the relevant persons.

Please understand that the functions and services we provide are constantly updated and developed. Where specific functions or services are not contained in the following description, but we collect your data when you use such functions or services, we’ll explain to you the content, scope and purpose of such collection through page prompt, interactive process, website announcement, extra agreement, or by other means, so as to obtain your consent.

This Policy will contain the following content:

A. PERSONAL DATA COLLECTION SCOPE

B. PURPOSE OR USE OF PERSONAL DATA

C. COOKIES AND SIMILAR TECHNOLOGIES

D. SHARING AND DISCLOSURE OF PERSONAL DATA

E. SECURITY MEASURES FOR DATA SUBJECT’S INFORMATION

F. FUNDAMENTAL RIGHTS AS A DATA SUBJECT

G. REGARDING CROSS-BORDER TRANSMISSION

H. ABOUT CHILDREN

I. UPDATE OF THIS POLICY

J. HOW TO CONTACT US

A. PERSONAL DATA COLLECTION SCOPE

When we collect your personal data, we will collect it according to the “minimum” principle provided by GDPR. We only collect and store your personal data that is necessary for our platform business. We will not collect or store more personal data than necessary. At the same time, we will limit the persons who can access your personal data to a minimum range.

In the process of filing personal registration on the Platform, we may collect and store your personal data including your user name, email address, and set your account password to verify your identity and create your personal service account.

If companies, enterprises or entities in other forms by which data subjects are employed plans to be a member of the platform, these companies, enterprises or entities shall be collectively referred to as “Member Entity”, and you will open an account and file registration on the Platform on behalf of the Member Entity you are employed. Specifically:

If you would like to register a corporation service account on behalf of the Member Entity and become a buyer on the Platform, we may request you to provide your company information and the information about purchasing director. If your company would like to be a buyer on this Platform, we may need you to further provide personal information of purchasing director (including name, cellphone number, office phone number, email address , mailing address and postal code), and also need you to further provide some company information (including company address, English name, English abbreviation, Chinese name [voluntary], Chinese abbreviation [voluntary], and administrator name).

If you would like to register a corporation service account on behalf of the Member Entity and become a supplier on the Platform, we may request you to provide your company information and the information about sales director. If your company would like to be a supplier on this Platform, we may need you to further provide personal information of sales director (including name, cellphone number, office phone number, email address , mailing address and postal code), and also need you to further provide some company information (including company address, English name, English abbreviation, Chinese name [voluntary], Chinese abbreviation [voluntary], legal representative, date of establishment, business scope, company profile, business address, company website, and administrator name).

If you contact our Platform's customer service, we may record your conversation with us, the solutions and results of related problems in order to respond to your request and to provide you with after-sales services and other customer support services in time, and we may collect additional information to verify your identity.

Since you may provide your personal data to Platform on behalf of your Member Entity, if you leave the Member Entity, please let us know and we will delete your personal data after conducting proper verification.

It should be noted that contents and information (such as the product or service information you release) you provide, upload or release voluntarily when you use our products and/or services may reveal your sensitive personal data, so please provide, upload or release such information with due care. If you disclose your personal data in the information uploaded or released in a public area visible to other users, or in your response to the information uploaded or released by others, such personal data may be collected and used by others. Where you are aware of any improper collection of your personal data by others, you may contact us through the contact information disclosed herein.

B. PURPOSE OR USE OF PERSONAL DATA

We process your personal data for the purpose of:

1. Verifing your identity;

2. Keeping in contact with you and obtaining your consent on the relevant matters;

3. Processing the registration of you conducted for your Member Entity on the Platform, including providing you with the login ID of the Platform, and maintaining and managing the account you have opened;

4. Sharing your contact information with the Platform’s purchasing managers, suppliers and purchasers registered on the Platform to facilitate the transactions between the platform suppliers and the purchasers;

5. Evaluating the account security and transaction risk of the Member Entity, detecting and preventing fraud and other security incidents;

6. Transmitting, storing and processing your personal data abroad to the server deployed in China Mainland.

We may also use your personal data for purposes other than purposes listed above (such as archiving for the purpose of public interest, scientific or historical research, or statistics), or we may disclose such information according to the requirements of governmental authorities.

If your Member Entity actively cancels the account or makes such request, we will anonymize your personal data or delete your personal data as soon as possible in accordance with relevant laws and regulations.

For any use of your personal data beyond the purposes disclosed in this Policy, we will further inform you of such use and obtain your explicit consent.

C. COOKIES AND SIMILAR TECHNOLOGIES

In order to keep our websites up and running, we will store small data files named Cookies on your computers or mobile devices. Cookies often contain identifiers, site names, and certain numbers and characters. Using Cookies technology, we can provide you with a more personalized service and allow you to set specific service options.

When you use our products and services, Cookies will be sent to your device. We will not use Cookies for any purpose other than having informed you and obtained your consent. You can manage or delete Cookies according to your preferences. For details, please see our Cookie Policy.

D. SHARING AND DISCLOSURE OF PERSONAL DATA

We may share your personal data with the Platform's suppliers, purchasers, Platform purchasing managers, affiliates of EPEC within the Sinopec Group (the range of Sinopec Group is subject to EPEC’s interpretation) and agents engaged by EPEC, so that we can provide intermediary services and facilitate transactions for the Member Entity in a more effective way.

The above mentioned agents include, but are not limited to, business consulting companies, big data analytics companies. These agents will process your personal data on behalf of EPEC and also under the supervision of EPEC, and they will not use your personal data for the purposes other than those provided this Policy.

Your personal data may be posted on the platform's website along with the information about your Member Entity. Meanwhile, it is not impossible that in the future, we may share the web-links of the products displayed on the Platform with other platforms and forward the specific needs of your Member Entity to other platforms. By then, the relevant persons may browse or be linked to the products displayed on the Platform by viewing other platforms’ website, or they may be forwarded the specific needs of Member Entity, and in this way, such relevant persons may be able to view your personal data.

When we believe it is necessary to comply with applicable laws to safeguard your or our legal rights, we may also share your personal data with our professional advisors, relevant judicial authorities, insurance companies, government departments or regulatory institutions.

In order to maximize the security of your personal data, we will reach an agreement with the above mentioned suppliers, purchasers, platform purchasing managers, affiliates of EPEC, and agents engaged by EPEC, causing these persons to promise not to share or disclose your personal data to any other unauthorized persons.

If you select "Remember Username" when logging in, the platform will use cookies to store the current login account, so that you can log in more conveniently next time. After successfully logging in, the cookie will store your account name and code to facilitate your use of the online customer service function. The platform also uses cookies to store your search history so that you can conduct a more convenient search next time. (The last two functions only exist in EPEC’s Chinese websites). All information that cookies store is not sensitive information, and you can delete or disable cookies by re-setting your browser.

E. SECURITY MEASURES FOR DATA SUBJECT’s DATA

We have taken reasonable and practical security measures to protect the personal data you provide, preventing your personal data from unauthorized access, public disclosure, unauthorized use, unauthorized modification, being damaged or loss. For example, we will anonymize your personal data as much as we can when collecting, storing, transmitting, analyzing, and processing data; will encrypt your personal data to improve the security of your personal data; will use trustful protection mechanisms to prevent your personal data from being maliciously attacked. We will use access control mechanisms to try to ensure that only authorized person can have access to your personal data. We will conduct security and privacy protection training courses to enhance our employees’ understanding and enforceability of protecting personal data.

At the same time, to ensure the security of personal data, we will regularly evaluate the collection, transmission, storage, analysis or other security measures in relation to processing your personal data.

We will only retain your personal data for the period within the purposes provided in this Policy or for the period required by the law, unless extending such period is permitted by you or by the law.

At the time of the transaction, you may inevitably give your personal data to the counterparty or potential counterparties, such as contact information or contact address. Please protect your personal data and provide it to others only when necessary. If you find that your personal data, especially your account or password, has been leaked, please contact us immediately so that we can take proper actions. At the same time, please use a complicated password to ensure that the account you open on behalf of the Member Entity is safe.

In the event of a personal data security incident, we will, in accordance with the regulations of GDPR, notify the regulatory authority or you about: the basic facts and possible impact of the security incident, measures we have taken or will take, our advice that you can take to prevent or reduce the risk, and remedies for your personal data security incident, etc. We will inform you about updates of the security incident by email, letter, telephone call, notification, etc. When it is difficult to inform each data subject, we will issue a notice in a reasonable and effective manner such as a notification on the first page of our website.

F. FUNDAMENTAL RIGHTS AS A DATA SUBJECT

According to the GDPR regulations, as a data subject, you have the fundamental rights including but not limited to the following ones.

1. Access your personal data

You have the right to access your personal data, unless there is exception provided by laws and regulations. You can access your personal data in the following ways.

Account Information - If you wish to access or edit personal data in your account, or information you have provided on behalf of your Member Entity, you can do so by logging into your account and using the “Account Management” function.

Search information - you can request your browsing or search history record.

Provide a copy of the information - you can ask us to provide you a copy of your personal data or data that is being processed.

If you are unable to access such personal data through the above methods, you can contact us at any time through the "Contact Us" window of the platform. We will respond to your request in time.

2. Correct or supplement your personal data

You have the right to ask us to make corrections or supplements when you discover that the personal data we collect, store, transmit, analyze or process about you is inaccurate. You can make request to correct or supplement your personal data through the “Contact Us” window.

3. Delete your personal data

You can require us to delete of all or part of your personal data through the “Contact Us” window. For example, in the following situations, you can require us to delete personal data:

(1) If processing your personal data is in violation of laws and regulations;

(2) If we collect and use your personal data without obtaining your explicit consent;

(3) If processing your personal data is in material breach of agreement with you;

(4) If you or your Member Entity no longer use our products or services, or you or your Member Entity voluntarily cancel the account, or you have left your Member Entity;

If we respond to your request, we will simultaneously try our best to notify the entities that obtained your personal data from us, and request such entities to delete your personal data in a timely manner, unless laws and regulations provide otherwise, or these entities obtain your separate authorization.

4. Change or withdraw your consent

EPEC’s act of collecting, storing, transmitting, analyzing or processing your personal data on the Platform is based on your consent. Nevertheless, you can request changes or withdrawals of your consent at any time through the “Contact Us” window.

When you withdraw your consent, we will no longer store, transmit, analyze or process the corresponding personal data. However, your decision to withdraw your consent will not affect the processing of personal data that has been completed based on your prior consent.

5. Appeal your claims to the regulatory authorities

You have the right to appeal to the relevant data regulation authorities.

6. Restrict or limit our processing

You have the right to refuse or restrict our collection, storage, transmission, analysis or other processing acts of your personal data at any time. For example, you have the right to ask us not to process your personal data in the following circumstances:

(1) If you believe that your personal data we collect, store, transmit, analyze or process is inaccurate-we will verify the accuracy of your personal data within a certain period of time;

(2) We act illegally in processing your personal data;

(3) It is no necessary any more for us to process personal data according to the provisions of this Policy.

7. Carry your personal data to other data processor

You have the right to request that the personal data you provide to us be transferred to other entities.

You can copy your personal data that you provide to us.

8. Cancel the account

Since your registration of the account on the Platform is on behalf of your Member Entity, you will be able to submit the account cancellation application on the “Cancel Account” page of the platform if you are explicitly authorized by your Member Entity to do so (EPEC will verify whether the Member Entity has authorized you to cancel the account).

After canceling the account, we will stop providing products or services for you and your Member Entity, and will delete your personal data or anonymize your personal data according to laws and regulations.

9. Limit the automatic decision making conducted by our information system

In operating some of the functions of the Platform, we may provide services to the Member Entity solely using automatic mechanism ("automatic mechanism") such as automatic information systems and algorithms. If you believe that such automatic mechanism significantly affect your legal rights, you may contact us and require explanation. We will give you reasonable explanations to the extent that our explanation will not violate public interests and legitimate rights and interests of EPEC and other related persons.

10. Require our response to your request

To guarantee information security, you may need to prove your identity by giving us written request or in some other necessary ways. Thus, we may first verify your identity and then process your request. We will respond to your request as soon as possible. If you are not satisfied, you can also initiate a complaint to the Platform customer service.

Generally, we do not charge a fee for your reasonable requests, but we might charge a certain fee for the repeated requests or those that exceed the reasonable scope to cover our costs. We may reject requests that are unreasonably repetitive, will require excessive technical means (for example, requests that need to develop new systems or need to fundamentally change existing practices), bring risks to the legal rights of others, or are obviously unrealistic.

In the following situations, according to laws and regulations, we may not be able to respond to your request:

(1) Your request is related to national security and national defense security;

(2) Your request is related to public safety, public health, and significant public interests;

(3) Your request is relevant to criminal investigations, prosecutions, trials and execution of judgments;

(4) There is sufficient evidence that you are in subjective malice or abuse your rights;

(5) Responding to your request will result in serious damage to your or other’s legitimate rights;

(6) Satisfying your request will infringe trade secrets.

G. REGARDING CROSS-BORDER TRANSMISSION

For the purpose of processing your personal data as described in Article 2 of this Policy, as the server of the platform is deployed in China Mainland, your personal data will be transmitted beyond EU and stored on the Platform’s servers located in China Mainland. At present, China Mainland is not a third country or territory that the European Commission has specified as being countries or territory that are able to provide adequate level of protection. At the same time, EPEC has not taken the following safeguard measures under the GDPR.

1. Executing legally binding and enforceable documents between government departments or agencies;

2. Executing binding corporate rules;

3. Executing standard data protection clauses adopted by the Commission in accordance with the its examination procedure;

4. Executing codes of conduct designated by EPEC’s sector associations, supervisory authorities or by other institutions conferring binding and enforceable commitments, which have been approved and publicized by the European Commission;

5. Acquiring an approved certification mechanism or data protection seals and marks given by EU member states, regulation institutions, the European Data Protection Council and the European Commission;

6. Executing standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the its examination procedure.

Therefore, under this Policy, our transmission of your personal data across beyond EU to a server located in China Mainland is based on your explicit consent after you have understanding the above risks. However, we will use as many as possible technical means to ensure the safety of your personal data, and prevent them from being damaged and leaked during cross-border transmission.

H. ABOUT CHILDREN

Our products, website and services are not intended for children under the age of 16 (or as required by applicable laws and regulations in your jurisdiction). If we collect the personal data of children on an occasional basis, we will delete the relevant information as soon as possible after verification. If you find that we have collected the personal data of children during your usage of the Platform, please contact us through the contact information published in this Policy. Upon receipt of your notice, we will verify it in a timely manner and delete relevant information after verification.

I. UPDATE OF THIS POLICY

You agree that EPEC may update the contents of this Policy to the extent that the updated content is in the line with GDPR regulations. We will not restrict your rights under the GDPR before we obtain your consent. We will post updates to this Policy on a designated web page or through a pop-up window. If you do not agree the updates, you may exercise your rights under the GDPR e.g. requesting us to delete your personal data or restrict the use of your personal data, or withdrawing your consent.

The updates referred to in this Policy include but are not limited to:

1. Changes we make to this Policy in accordance with requirements of applicable laws and regulations;

2. Changes regarding the service model of the Platform e.g. changes as to the purpose of processing personal data, the type of personal data processed, and the way in which personal data is processed;

3. Major changes of EPEC’s controller, such as changes in owners caused by mergers and acquisitions, etc.;

4. Changes regarding the main objects of sharing, disclosure, or transmission of your personal data;

5. Significant changes regarding your rights or manners to exercise your rights in relation to our processing of your personal data;

6. Changes regarding our departments in charge of personal data security issue, its contact information, and your complaint channels.

J. HOW TO CONTACT US

You can contact us or the data protection officer by clicking the “Contact Us” button of the Platform’s website. We will respond to your request as soon as possible.