User Privacy & Data Handling Guidelines

We provide a Privacy Policy template and Privacy Consent UI Example to help you get started quickly. We’re also happy to assist with translating, organizing, refining, or reviewing your English privacy policy into a compliant Chinese version that aligns with local regulations. If you need help, feel free to contact us.

This page outlines the privacy and data‑handling standards your app must meet to be published in Chinese app stores. You must comply with all applicable Chinese laws and industry guidelines, and follow the principles of legality, fairness, necessity, and good faith when processing personal data.

Key Chinese Regulations & Standards

For a list of the most relevant laws, national standards, and regulatory guidelines related to personal data protection, user rights, and app compliance in China:

See Government Resource Links

Privacy Policy Requirements

1. You must publish a privacy policy link and terms of services link both in the app stores and inside the app, in a place users can easily find.
2. The policy must disclose:
   • What personal data is collected
   • Why and how you collect and use it (the purpose, method, and scope of personal data collection)
   • Which parties collect or receive it (including third‑party SDKs/plugins)
3. The policy must explain how users can:
   • Withdraw consent
   • Request data deletion or account closure (processing time ≤ 15 working days)
   • Contact support with privacy questions
4. You must not collect, use, or disclose personal data without user consent or another lawful basis.

User Consent

5. When running the app for the first time, present your privacy policy clearly before collecting any personal data; obtain informed, voluntary, explicit consent.
6. Provide an easy, in‑app mechanism for users to withdraw consent at any time.
7. If you use data for personalized ads or marketing, clearly disclose this and offer an opt‑out switch.
8. For sensitive personal data (e.g. biometrics, health, precise location), obtain separate consent, explaining necessity and impact.
9. Do not auto‑launch or deep‑link into other apps without prior user notice and explicit action.

Data Collection & Use

10. Adhere to data minimization—collect only what is strictly necessary for core functions.
11. Do not collect personal data secretly or exceed stated purposes.
12. Transmit and store all personal data via secure channels (e.g. HTTPS, encryption).
13. Disclose in your privacy policy any personal data shared with third parties, including purposes and recipients.
14. Prohibit the sale of user personal data.
15. Ensure third parties you share data with implement equivalent privacy protections.
16. Do not use sensitive data (e.g. call logs, SMS, biometrics, health, location) for non‑core features such as profiling or ad targeting.
17. During payment or financial transactions, do not record or share authentication tokens or unrelated personal data.
18. Apps handling financial, identity, or health information must restrict disclosures to what is strictly necessary.
19. If your app accesses personal data on a public device, obtain the device user’s explicit confirmation.
20. Request permissions dynamically, at the moment a feature is used—never ask for a bundle of unrelated permissions up front.
21. For each requested permission, provide a clear, contextual rationale in‑app.
22. Do not repeatedly prompt for a permission after user refusal unless the feature truly requires it.
23. Do not make access to core features conditional on consenting to non‑essential data collection.

Advertising Identifiers

24. Do not force users to click ads or submit personal data to continue using your app.
25. Advertising identifiers (e.g. OAID) must be used only for ad delivery and analytics.
26. Respect the OS‑level “limit ad tracking” setting—if enabled, you must cease identifier collection and use.
27. Do not link new advertising IDs to previous ones without user permission.
28. Any third party you share advertising IDs with must comply with these same requirements.

What Counts as Personal Information

The following types of data are considered personal information under the Chinese national standard GB/T 35273-2020:

1. Personal Identity Information

   • Name
   • Identification number (e.g. ID card, passport)
   • Biometric data (e.g. fingerprint, facial features, voiceprint, iris, DNA)

2. Contact Information

   • Phone number
   • Email address
   • Address
   • Contact list

3. Network Identity Information

   • IP address
   • Account name and nickname
   • Device identifier (IMEI, MAC address, OAID, etc.)

4. Personal Property Information

   • Transaction records
   • Bank account
   • Virtual assets (e.g. in-app purchases, cryptocurrency)

5. Online Activity Information

   • Browsing history
   • Search history
   • Click records
   • App usage logs

6. Location Information

   • Real-time geographic location
   • Frequently visited places
   • GPS/Wi-Fi/Cell tower data

7. Health and Medical Information

   • Medical history
   • Physical and mental health data
   • Exercise and fitness records

8. Biometric and Sensor Data

   • Motion sensors (e.g. accelerometer, gyroscope)
   • Heart rate monitor
   • Facial recognition data

9. Device and App Information

   • Installed apps
   • Running processes
   • System configuration
   • Network environment

10. Other Information Related to Personal Life

    • Education and employment
    • Marital status
    • Religion or political beliefs (if collected, which is usually restricted)

Standardized Terminology for Personal Information and Consent

To comply with Chinese privacy regulations and improve the accuracy of automated policy review, app developers are advised to use standardized terminology when describing personal information collected by their apps.

Please refer to Standardized Terminology for Personal Information and Consent.

Contact Us

If you have questions or need assistance with privacy compliance, please reach out:

• Contact us via our online form
• Email: [email protected]