This Version Updated At: Jan. 10, 2020

This Version Takes Effect At: Jan. 15, 2020

Hangzhou Maycur Technology Co., Ltd. (hereinafter referred to as “we”) respects and protects the privacy of users (hereinafter referred to as “users” or “you”) of our products and services. The Maycur Privacy Policy (hereinafter referred to as “this Policy”) is written to describe how we handle the personal data collected. This Policy applies to all services we provide (hereinafter referred to as “the Services”), including our app “Maycur Expense”, our official website www.maycur.com, all the other websites we operate (hereinafter referred to as “the Websites” collectively), and our customer service team. Before using any of the Services, please make sure you have read and fully understood this Policy, and agree to it. Your use of the Services will be deemed acceptance and approval of this Policy.

1. How We Use Information

We may collect your information in the following aspects for the following purposes:

1.1. Help You Register

To get registered as a user of Maycur, you need to provide your basic personal information, like your email address, phone number and the verification code received.

1.2. Provide You with Services

• To offer the service of workflow control, we need to collect information like company name, department, position, job title, superiors, subordinates, etc.

• To enable the service of cost control, we need to collect information like base, job level, attendance check-in time, check-in location, etc. In most cases, the data are either manually entered by the company admin or imported from the company’s other systems via an interface.

• To enable you to get reimbursement and cash advances, we need to collect information on your debit cards, like cardholder name, card number, bank branch, etc.

• To enable the service of mileage subsidy, we will track your location via GPS on your phone after your consent is granted.

• To enable the service of receipt OCR, we need you to provide images of train tickets, flight itineraries, invoices, receipts, etc.

• To enable the service of invoice import, you can import your invoices via WeChat or Alipay.

• To enable the service of attendance check-in, we need to collect your location information via GPS on your phone after your consent is granted.

• To enable the service of automatic creation of third-party expenses, we will collect your consumption data from the third parties your company has signed up after your consent is granted, including item, amount, time, location, bill number, payment method, etc.

• The records of online consultation, error reporting and error-handling processes (such as communications or phone calls) during your use of the Services will be collected and analysed by us, to respond to your help requests in a more timely manner and to improve our Services.

• To provide continuous quality services, we will collect and store information about your login and use of the Services, including IP address, browser type, language used, access date and time, user identifier, web browsing history, etc.

• After your consent is granted, SSO is enabled which allows you to log in with your employee ID or company info to third parties such as Didi Chuxing, Ctrip Corporate Travel, etc.

• You need to provide personal information for the above-mentioned purposes. Refusal to do so will prevent us from fulfilling our contractual obligations with your company (i.e., our client), providing you with customer support, or responding to your help requests. Please note that refusal to provide certain information will make corresponding Services inaccessible to you while other Services remain unaffected. For example, if you refuse to offer location information, you may not be able to use the services of attendance check-in or mileage subsidy, but other services remain unaffected.

1.3. Push Notifications to You

To enable the Services, we may send you messages or notifications, or communicate with you, including but not limited to verification codes and push notifications necessary for the use of the Services.

1.4. Improve Our Services

In addition, we may use non-identifying information about our users from time to time to better design our website and/or improve our products and services. This means that we may disclose such information to third parties, but all such information is not identifiable to a particular user.

1.5. Other Uses

We may disclose information to third parties as necessary to comply with the laws, legal requirements, orders, guidelines and requests of any court, agency or government department in any jurisdiction within or outside the People's Republic of China.

Please note that if we want to use your information for other purposes not described in this Policy or to collect additional information not mentioned herein, we will separately ask for your prior consent. Once your consent is granted, this Policy also applies to such additional uses and information.

2. How We Collect Information

1. The information that your company exports to or syncs with Maycur, including company name, department, position, job title, superiors and subordinates, base, job level, attendance check-in time, check-in location, etc.

2. The data that you enter in forms and templates, including itineraries, meals and attendees filled in for reimbursement, and bank account number entered for collection. If you authorize a colleague to reimburse expenses on your behalf, then the person authorized has the permission to fill in, modify and check your information mentioned above.

3. Records created during your use of our Services, including records of online consultation and error-reporting.

4. To better understand your usage habits and avoid repetitive operations, we may use cookies to remember you, your last order and so on. You can manage your cookie settings on your browser. Please note that if you disable cookies, you may not have the best user experience and some Services may not work properly.

5. After your company admin opens a third-party platform (such as Didi, Ctrip Corporate Travel, CMB Commercial Card, etc.), the company will open an account for you for the purpose of reimbursement, and the bills under this account will be synced to Maycur. If you already have an account on the third party, bills under the account will also be synced to Maycur after the company binds the account for you. We collect the data to help you get the expenses reimbursed.

3. How We Disclose Information

3.1. Share with Your Company

As a B2B application, we will share your information with your company for the purpose of reimbursement management, expense management and so on. For example, we need to sync your expense reports and bank account number with your company when the company is to reimburse your expenses; or we need to share your itineraries with your company when it is to check employee attendance.

3.2. Share with Third Parties

We may share your information with third-party service providers for the following purposes:

• By agreeing to bind your account on Maycur with the account (either opened previously or opened by your company for you) on a third-party platform (Didi, Ctrip Corporate Travel, CMB Commercial Card, etc.), you allow Maycur to sync your travel requests with third parties for the purpose of booking. The booking information will also be synced to Maycur for expense reimbursement.

• If your company opens a third party and your account on the platform is bound with your Maycur account, we may share your information with the third party, like the departure city, destination, departure time, arrival time, travel mode, request amount on your travel requests, so that you can book tickets or hotels on the third party. You can go to “Me-Bind Apps” on the Maycur App to check the third parties opened or accounts bound. You can contact us to unbind your account (see 10 How to Contact Us).

• We may also share your information with your colleagues, such as the finance staff and system admin in your company. They are authorized by the company to help offer the Services to you.

• If you authorize a colleague to submit expense reports on your behalf, the authorized person can access information like your receipts/invoices, transaction records, bank card number, account name, bank branch, etc., for the purpose of filling in expense reports.

• We share your device ID (UUID) with Aurora, a communication service provider, to provide you with the service of push notifications. Your company can choose to disable the service.

• We share your GPS location with Baidu Map Location SDK, to provide you with the map service during attendance check-in.

• We share information to fulfill part of the purposes described in “1 How We Use Information”.

• We share information to fulfill our obligations and exercise our rights under this Policy or any other agreement we may have with you.

3.3. Transfer of Information

As our business continues to grow, we may enter into mergers, acquisitions, asset transfers or similar transactions, and your personal information may be transferred as part of such transactions. We will comply with applicable laws and regulations, and notify you prior to the transfer, ensure the confidentiality of the information during the transfer, and continue to fulfil our responsibilities and obligations after the transfer.

3.4. Disclose Information for the Following Reasons

• Comply with applicable laws and regulations.

• Comply with the provisions of court orders or other legal proceedings.

• Comply with the requirements of relevant government agencies or competent authorities.

• When we have reason to believe that compliance with laws, regulations, etc. is necessary.

• For purposes reasonably necessary to enforce relevant service agreements or this Policy, to protect the public interest, to handle complaints/disputes, and to protect the personal and property safety or legitimate rights and interests of our users, us, our affiliates, employees, or other users.

• Circumstances legally authorized by you.

If we disclose your information for any of the reasons above, we will inform you promptly in compliance with the relevant provisions of laws and regulations and this Policy.

4. How We Store and Protect Information

4.1. Ensure Information Security Against Loss, Misuse, Unauthorized Access, or Disclosure

• We have established strict management systems and procedures to ensure information security. For example, we strictly limit the scope of people who have access to user information and require them to comply with confidentiality obligations.

• We attach importance to information security compliance, and the infrastructure of our production system is deployed on Alibaba Cloud (https://security.aliyun.com/trust?spm=5176.13076100.J_9220772140.28.78cd21e7yBgEWa), to ensure our security compliance at the hardware level. Meanwhile, at the software level, we have been accredited by many international and domestic institutions for information security, winning the Classified Protection of Information System Security Level-3 Certificate, ISO 27001 Certificate, etc. We ensure the security of your information with an industry-leading solution.

4.2. We Avoid Collecting Irrelevant User Information

We will only store your information for as long as necessary to achieve the purposes described in this Policy, unless permitted by law. After the information retention period expires, we will delete or anonymize your information.

4.3. Strengthen the Awareness of Self-Protection

We are only liable to the extent that we directly cause the disclosure of your personal information. Therefore, please keep your account and password properly to avoid leaking your personal information. Do not provide your account or password to any third party unless you deem it necessary.

Please only upload the personal information required for reimbursement. If the file uploaded contains personal information irrelevant to reimbursement, please cover it up before uploading.

4.4. Remedies for Information Security Incidents (leakage, loss, etc.)

In accordance with the requirements of laws and regulations, we will promptly inform you of: the basics of the security incident and its possible impacts, disposal measures we have taken or will take, suggestions on how you can independently prevent and reduce risks, and remedies for the incident, etc. We will promptly inform you of the incident-related situation by email, letter, phone call, push notification, etc. When it is difficult to inform our users one by one, we will make an announcement in a fair and effective manner.

4.5. Information Storage

The information we collect is stored on Alibaba Cloud’s servers in mainland China. If we need to transfer personal information overseas for business purposes in compliance with applicable laws, we will obtain your prior consent and inform you of the purpose, recipient, security measures, and potential risks of your information transfer.

We will store your information for as long as necessary to achieve the purposes described in this Policy, unless permitted or required by law. After the information retention period expires, we will delete or anonymize your information.

If part of our business ceases to operate, we will promptly notify your company, i.e., our client, of the situation as required by law. Such notifications will be delivered by email, letter, phone call, push notification, etc. When it is difficult to inform our clients one by one, we will make an announcement in a fair and effective manner.

5. Direct Mail Marketing

At individuals’ requests, we will not use personal information for direct marketing purposes. We will not use your personal information or provide it to others for direct marketing without your consent or indication of no objection. Even if your consent is granted, you still have the right to cancel receiving such promotional emails at any time.

6. Links to Other Websites

Our Services contain links to websites owned and/or run by third parties. We are not responsible for the privacy practices or the content of such sites. Users should check their applicable privacy policies before providing any information to them.

7. Your Rights

You have the right to exercise the following rights as set forth in applicable laws and regulations, but please understand and agree that certain rights may be restricted during the performance of our contractual obligations to process your personal data, as agreed between us and your company.

7.1. Right of Access

You have the right to obtain confirmation from us as to whether your personal data are being processed and, if so, to request access to such data, especially the purpose of such information collection and processing, category of the personal data concerned, and the recipient or category of recipients to whom the data have been or will be disclosed.

You have the right to obtain a copy of the personal data being processed. If you request additional copies, we may charge a reasonable fee based on administrative costs.

7.2. Right to Rectification

You have the right to ask us to correct your personal information. We will be happy to do so, but will need to verify the accuracy of the information provided first.

7.3. Right to Erasure (Right to be Forgotten)

You may ask us to delete your information if you believe that we no longer need to use it for the purposes for which it was collected. In addition, you may ask us to delete your information if you have withdrawn your consent to our use of your information (if we initially asked you to grant your consent), or have exercised your right to object to further legal use of your information, or if we have used your information illegally, or if we are bound by a legal obligation to delete your personal information.

In some cases, we may not be able to meet your request. Examples of such circumstances include that we need to continue to use your information to comply with our legal obligations, including contractual obligations with your company, or that we need to use your information to establish, exercise or defend a legal claim.

7.4. Right to Restrict Processing

You have the right to restrict the processing of your personal information. At your request, the corresponding data will be marked and we will only process such data for certain purposes.

7.5. Right to Data Portability

Please understand that, according to the agreement between us and your company, your reimbursement data (including your itineraries, booking prices, etc.) in our mobile Services, i.e. our Maycur App, are subject to our obligation of confidentiality, and we recognize that the ownership of the data belongs to your company. Hence, we are not entitled to transfer any reimbursement data to other companies at your request.

7.6. Right to Object

We need to process your personal data based on the contract with your company, and for the personal data necessary for the performance of the contract, you waive the right to object during the period of performance. We have no intention to collect or process your personal data that are irrelevant to the performance of the contract; and we will delete all your data after the contract expires. If you believe that there are personal data processed irrelevant to the performance of the contract, you can exercise your right to object, and we will no longer process your personal data for such purposes. The exercise of this right will incur no costs. Please understand that each function requires certain basic personal data in order to be enabled, and after you exercise your right to object, we can no longer provide you with the corresponding Services, nor can we process the corresponding personal data.

7.7. Right to Cancel Account

You can send an email to support@maycur.com to ask for your account to be cancelled. When your account is cancelled, all the information in the account will be deleted or anonymized, and we will no longer collect, use or provide personal data related to the account to the public. However, the information provided or generated by you during the use of our Services must still be stored by us for the time required by laws and regulations, and the competent authorities still have the right to inquire in accordance with the laws during the legal storage period.

For requests to access, change or delete personal data or personal data portability, or to cancel accounts, you can contact us by sending emails to support@maycur.com. Normally, we will reply within 15 days. To protect your interests, we only implement your request for personal data related to the email address you use to send us the email, and we need to verify your identity before implementing your request. Please note that we need to retain certain information for the purpose of recording and/or completing any transactions that were initiated prior to your request.

8. Protection of Minors

If you are under 16 years old (excluding 16 years old), then in principle, you are not allowed to use our website, Services, etc. We provide companies with technical services such as reimbursement management, and by default, we assume that all the employees of such companies are over 16 years old. If you are under the age of 16 and are legally employed by our client, please make sure that you have the consent of your parents or guardians to provide us with your personal information.

9. Update of This Policy

Please note that we reserve the right to review and update this Policy from time to time. If we make any material changes to this Policy, we will notify you in a pop-up window on the App or by other means required by law for you to reconfirm the new Policy before it takes effect. If you use our Services after the updated Policy takes effect, you will be deemed to have agreed to the revised Privacy Policy.

10. How to Contact Us

If you have any questions, comments, or suggestions about this Policy, you can contact us by “Me-Online Consultation” on your phone or by calling 400-6789-576.

Our address is:
Hangzhou Maycur Technology Co., Ltd.

Address:
7F, West Building, Building No. 2, Xixi Intime, Xihu District, Hangzhou, Zhejiang Province, China

Post Code: 310013

Email: support@maycur.com

If you are not satisfied with our reply, especially if you think our processing of your personal data has harmed your legitimate rights and interests, you can make a complaint or report to regulatory authorities such as the Office of the Central Cyberspace Affairs Commission or the State Administration for Market Regulation.

Last Updated At: Jan. 10, 2020