PIPL Notice

China's Personal Information Protection Law (PIPL) that came into effect on November 1, 2021. We are in the process of reviewing the privacy landscape and the necessary steps to be taken for compliance with PIPL.

1. Dedicated PIPO

Ideanote is processing the personal data of Chinese residents for the purpose of providing services or products, or for analyzing and assessing their behavior.

Ideanote has not yet appointed a "designated representative" in China.

2. Ensure Lawful Basis

Ideanote processes personal information only based on legality, explicit purpose, minimum necessary, transparency, accuracy, accountability, and data security.

Our processing has the clear and reasonable purpose to provide the Ideanote Service to Customers and End-users. We have reduced data collection to the minimum necessary, are transparent about how data is processed and ensure data security in transit and at rest.

Ideanote processes data based on explicit consent given by Customers and End-users on a contractual basis.

3. Consent

Ideanote ensures the right to Customers and End-users to withdraw consent and delete their personal information.

Personal information is given by Customers and End-users at free will and kept to the minimal information necessary (e.g. first name and email) to provide our Service.

Ideanote is a B2B software and does not allow the creation of user accounts for people under the age of consent.

4. Clear Privacy Notices

Ideanote provides explicit privacy notices to people providing personal information during sign-up in clear and transparent way that requires active consent. It includes the Ideanote business name, the purpose of collection, the categories of processed information and the retention period as well as the procedures for withdrawal of consent.

5. Request Mechanisms

Data subjects can request changes, rectification and deletion of their personal data in the Ideanote interface or by reaching out to hello@ideanote.io

6. Breach Response

Breach and incident response and notifications are documented in internal policies and ensured in the Ideanote ToS.

7. Impact Assessment

Ideanote handles information of less than 1 million Chinese citizens and does not handle important or sensitive personal information or information generated by public service providers in China. Ideanote has therefore not undergone an official Security or Impact Assessment.

8. Data Classification

Ideanote has internal management structures and operating rules for data classification and management.

9. Cross-Border Transfer Obligations

Ideanote has adopted measures to ensure that processing activities of the destination country have an equivalent level of protection provided in the PIPL.

For more information please see the Ideanote Sub-Processor list and the Data Transfer Impact Assessment.

10. Third-Party Processors

Ideanote has concluded agreements with the third parties on the purpose for processing, the time limit, the processing method, categories of personal information, protection measures, as well as the rights and duties of both sides of the personal information processing activities of the third parties.

11. Standard Contract

As part of allowing Customers to be compliant with PIPL when using Ideanote a standard contract will be available on request, once the guidelines are published.

Already Ideanote is transparent in its ToS and DPA about

  • The purpose, method and scope of transferred data, and the use and method of data processing by the overseas recipient.
  • The overseas location that will retain the transferred data and the retention period of such data, as well as the measures to be taken when the retention period is reached, the agreed purpose has been achieved or the contract is terminated.
  • Provisions that restrict Ideanote from re-transferring the data to other organizations and individuals.
  • Security measures to be taken by Ideanote in the event of a material change in its actual control or business scope, or a change of the legal environment of the country or region where the recipient is located, which makes it difficult to safeguard the data security.
  • Liability for breach of the obligations of data security protection as well as binding and enforceable dispute resolution provisions.
  • In the event of risks such as data leakage, properly implementing emergency response measures and ensuring convenient means are available for individuals to safeguard their personal information rights and interests.