WeCom Privacy Protection Guidelines

Release Date: August 31, 2021

Effective Date: August 31, 2021

Thank you for using WeCom!

To safeguard your rights, WeCom Privacy Protection Guidelines (hereinafter referred to as "these Privacy Guidelines") will explain to you how WeCom will collect, use and store your personal information and what rights you have. Please read, understand and agree to these Privacy Guidelines and relevant supplementary documents before you use WeCom.

These Privacy Guidelines apply to the features and services of WeCom, including Instant Messaging, Company-paid Calls, Attendance, Announcement, Approvals, WeDrive, WeDoc, Contacts, Calendar, Reports, Meeting, Live, Hardware Services and Message Exchange with Weixin, but do not apply to other products or services provided through the WeCom website or client-side or any products or services provided by any third parties (hereinafter referred to as "Third-party Services"). You should fully read and understand the product features and privacy protection guidelines of the Third-party Services before you choose to use such Third-party Services.

These Privacy Guidelines will help you understand:

1. What Types of Information We Collect

2. How We Store These Information

3. How We Protect These Information

4. How We Use These Information

5. Sharing and Provision of Information

6. How You Access and Manage Your Personal Information

7. Protection of Minors

8. Changes to These Privacy Guidelines

9. Miscellaneous

10. Contact Us

Relevant Definitions:

“WeCom” refers to an office management & communication tool provided by Tencent. WeCom products and services include official website of WeCom (https://work.weixin.qq.com) and WeCom client-side available in multiple application versions such as Windows, Mac, iOS and Android.

“WeCom Operator” refers to the legal entity which provides WeCom products and relevant services, which refers to Shenzhen Tencent Computer System Co., Ltd., hereinafter referred to as "Tencent" or "We".

“Company User” refers to the individual or organization registering, logging in to and using the WeCom products and services and obtaining the admin permission, including but not limited to legal persons, government agencies, other organizations, partners or sole proprietors (hereinafter referred to as "Company User"). A Company User creates its own work platform, which means a virtual workspace that is created and managed by the Company User and may be available for many people to concurrently use WeCom services, through WeCom, inviting and authorizing an individual user to join in such work platform to become its end user.

“Company User Admin” refers to an individual designated by the Company User, who has the permission to operate the admin console for company users. The Company User Admin may be one or more persons.

“Individual User” or “End User” refers to the individual user who is invited by the Company User to join in the company platform and registers to use the WeCom, hereinafter referred to as "You" or "End User". When the Company User invites you to access its work platform as an End User, you will receive an invitation and may choose whether to join in this Company User or not.

“Personal Information” refers to various kinds of information recorded electronically or otherwise that may identify a specific natural person or reflect the activities of a specific natural person, individually or in combination with other information.

“Sensitive Personal Information” refers to the personal information that may endanger personal and property security and is likely to cause damages to personal reputation or physical and psychological health, or discriminatory treatment, once disclosed, illegally provided or abused, including ID card number, personal biometric information, communication records and contents, property information, whereabouts, health and physiological information, and trading information.

“Company-controlled Data” refers to the information and data submitted or produced during use of WeCom by the Company User and the End User of such Company User, which may contain the information submitted by the Company User or the End User, the information allocated by the Company User to the End User, and the information submitted by the End User to the Company User in order to complete the required work and satisfy the daily management needs. For details, please refer to the description in section 1.3.

 “Anonymization” refers to a technically processing of personal information which can make the data subject unidentifiable, and such personal information being technically processed cannot be reversed. After anonymization, such information cannot be regarded as personal information.

For more definitions, please refer to Tencent Privacy Policy.

1. What Types of Information We Collect

To provide you and the Company User with services, guarantee normal running of the services, improve and optimize our services and safeguard the account security, WeCom will collect the information provided by you proactively or upon your authorization when you register or use the services or generated from your use of the services, by the following means:

1.1 Account registration information: when you register and log into WeCom for the first time, you are required to provide your mobile number or your Weixin account of which the alias and profile photo will be collected. This information is necessary for you to use WeCom. If you do not provide such information, you will be unable to normally use our services. If you register/log into WeCom through Weixin authorization, you may also choose whether to provide us with the list of friends in your Weixin account or not, and if you do not provide such information, you may be unable to use the Friend Notification feature of external contacts, but your use of other WeCom services will not be affected.

1.2 When you use the WeCom services, we will collect the following information to provide you and the Company User with the WeCom products and services, maintain normal running of our services, improve and optimize our service experience and safeguard your account security:

1.2.1 Device information: according to the device model and permission granted during your installation and use of the WeCom services, we will collect and use the device-related information of the WeCom services, including device model, operating system, unique device identifier, device location information (such as login IP address, GPS location, and Wi-Fi access point that is able to provide relevant information), WeCom software version number and device accelerator (such as gravity sensor device).

1.2.2 Log information: when you use the WeCom services, we will collect the log information about your use of the services, including manner, type and status of the network accessed, network quality data, operation log and service log information such as the website information you view at WeCom and service disable information.

1.2.3 The information you provide to us through our customer service representative or when participating in our activities. For example, the questionnaire completed by you when you participate in our online activity may contain your name, phone number, home address and other information.

1.3 To provide office management and communication services, we will collect the information and data submitted or produced during use of WeCom by the Company User and the End User of such Company User (hereinafter referred to as "Company-controlled Data"), which may contain:

1.3.1 Your name, photo, gender, mobile number, ID card and other personal information submitted by the Company User or provided by you as required;

1.3.2 The company name, invoice title, work signature, landline number, email address, position, title level, title, department, fax number, office seat and other information relating to the Company User or assigned by the Company User to you;

1.3.3 The geographical location information and attendance records when you use the Attendance feature, approval records, document information in the WeDrive, use of Company-paid Calls and Enterprise Mailbox account, etc. And

1.3.4 Other data submitted by the Company User, such as organizational directory and approval process.

You understand and agree that the Company User is the data controller of the Company-controlled Data, and we will process such Company-controlled Data only according to the instructions of the Company User, including operation conducted by the Company User and the Company User Admin through the admin console, as well as the agreement between us and the Company User. If you have any question or suggestion about the purpose, the scope or the way of collecting and using such Company-controlled Data, please contact your Company User or Company User Admin.

1.4 When you use the External Contacts feature, we will collect the mobile contacts you provide proactively to match the external contacts. We will encrypt your contacts in an irreversible manner, and only collect the encrypted information. The aforesaid information is only for matching and will not be stored or used for any other purpose. The aforesaid information is sensitive, and refusal to provide such information will only prevent you from using the aforesaid feature, instead of affecting your normal use of other WeCom features.

1.5 When you use the Identity Verification feature, we will collect the identity information and the photos of front and back of the ID card you provide proactively. The aforesaid information is sensitive, and refusal to provide such information will only prevent you from using the Identity Verification and Association feature, instead of affecting your normal use of other WeCom features.

1.6 When you need to register yourself as a Company User, you are required to provide the information about the creator, and if you do not provide such information, you will not be able to register yourself as the Company User to use relevant services.

Before the Company User uploads and manages the personal information of its End User such as name, photo and mobile number, please make sure that he/she obtains prior express consent from the End User, only collects the end user information that is necessary for the purpose of operation and feature implementation, and informs the End User about what, why and how the data is going to be collected and used.

1.7 When you use the Attendance Recorder feature, since different Company Users may use different ways for the attendance, in order to verify the identity, we may collect the face image or the fingerprint characteristic information you provide proactively to carry out the identity verification. The aforesaid information is sensitive, and refusal to provide such information will only prevent you from using the Attendance Recorder feature, instead of affecting your normal use of other WeCom features.

1.8 During the COVID-19 pandemic, if your company has enabled the Temperature feature, your company may ask you to actively report your daily health information, which may include your name, department, city located, whether you have any symptoms of physical discomfort, the people you contacted, and special circumstances if any, etc. In order to achieve the above feature, we will collect the above information at the same time. The aforesaid information is sensitive, and refusal to provide such information will only prevent you from using the Temperature feature, instead of affecting your normal use of other WeCom features.

1.9 Information from third parties

We will collect relevant data shared with or provided toWeCom by any third party with your consent or authorization. For example, when you or your Company User uses third-party products or services through the WeCom website or client, the third-party service provider may use our API or SDK to notify us of what third-party products or services you have used.

It should be particularly noted that the third-party service provider may provide you or the Company User with products or services through the WeCom website or client, and the Company User in which you join may choose whether to develop or use the third-party services, what kinds of third-party services to use and when to terminate or cancel use of the third-party services. During use, the third-party service provider may collect, use and store your data or information. Before you determine whether to use such services, please acquire a full understanding of the personal information and privacy protection strategies from the third-party service provider or contact your Company User for more information.

In particular, when you use WeCom on mobile phones of certain brands, such as Xiaomi, Huawei, VIVO and OPPO, we will use Push SDKs to collect the unique identification information of these mobile phones, such as IMEI, and may collect your mobile phone model, system type, system version, device screen size and other parameters for the purpose of pushing our product information. For details, see the privacy policy or relevant statements of the SDK operator.

Please be aware that the products and services we provide to you are updated and developed from time to time, and if a certain product or service is not covered by the foregoing description and needs to collect your information, we will otherwise explain to you the content, scope and purpose of information collection by the means of indication in the page, interaction process and website announcement to ask for your consent.

2. How We Store These Information

2.1 Place of Information Storage

We will store within China the personal information collected and produced within China as provided for in the laws and regulations.

2.2 Period of Information Storage

In general, we will retain your personal information only for so long as is necessary to realize the purpose. With respect to part of the Company-controlled Data of which the Company User may independently set the retention period, such as chat history, files and pictures of WeCom, we will retain relevant information as per the setting of the Company User, but not view or use the chat history, files and pictures retained by the Company User.

In case of halt of our products or services, we will notify you of the same by the means of push notification or announcement, delete or anonymize your personal information within the reasonable period, immediately discontinue the activity of collecting your personal information and close the third-party application service interfaces to prevent third-party services from collecting and further using your personal information.

3. How We Protect These Information

3.1 We will endeavor to safeguard the information security of the user to prevent the information from loss, improper use, unauthorized access or disclosure.

3.2 We will safeguard the security of information with various security protection measures within the reasonable security level. For example, we will use encryption techniques (such as SSL/TLS), anonymization and other means to protect your personal information.

3.3 We will establish special management systems, processes and organizations to safeguard the security of the information. For example, we will strictly limit the personnel who can access the information, check their fulfillment of the confidentiality obligation and conduct relevant audit.

We will enhance the security capabilities of the software installed on your device by improving relevant technical mechanisms, to prevent the data breach of your personal information. For example, we may do part of the information encryption locally on your device for the safe data transfer; we may detect whether there is any security risk on your device's installed apps, running processes or the information stored in your device memory, to prevent viruses, Trojans, or other malicious programs or websites; we may analyze the use of unique device identifiers, login IP addresses, operational logs, geo-location information, etc., to prevent fraud, theft of accounts, counterfeiting and other illegal acts and carry out security checks, which is good for taking relevant security measures or providing users with security alerts.

3.4 In case of any security incident such as personal information leakage, we will start the emergency plan in accordance with the laws to prevent escalation of such incident, and inform you such security incident, the possible impact of such incident on you and the remedies we will take by the means of push notification or announcement. We will also report disposal of the security incident about the personal information as required by the laws and regulations and by the regulatory authority.

3.5 Currently,WeCom has met the requirements in ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 27018, cybersecurity level protection system (Level III) and other international and domestic authoritative certification standards in respect of information security and cybersecurity, and WeCom has been certified accordingly.

We are committed to protecting your personal data, however, please note that no security measure is perfect.

4. How We Use These Information

We will strictly follow the provisions in the laws and regulations and the agreements with the User, and use the information collected for the following purposes pursuant to the provisions in these Privacy Protection Guidelines.

4.1 We will collect relevant information during your use of WeCom services for the purpose of creating and providing better services for the WeCom users, including Company User and End User. We will use the information collected for:

4.1.1 Providing, maintaining and developing WeCom services: we will use the information collected to provide, optimize and improve the WeCom services, such as tracking the service interruptions or troubleshooting the problems reported by the WeCom users; upon your authorization and consent, we will display or recommend external contacts to you according to your Weixin contacts so that you can expand your WeCom contacts; we will provide you or your Company User with various data statistics and analysis features and services, such as Weekly Summary feature and Customer Service Data Statistics according to the WeCom log and the service use information.

4.1.2 Safeguarding the security: to safeguard your and all the WeCom users' security, we will use relevant information to assist in improving the security and reliability of the WeCom services, including detecting, preventing and responding to frauds, abuses, illegal acts, security risks and technical problems that may endanger WeCom, our users or the public;

4.1.3 Communicating with you: we will use the information collected, such as email address you provide, admin contact email of the Company User and phone number, to directly communicate with you. For example, if we detect suspicious activities, such as attempting to log in to your WeCom account from a location you don't usually use, a notification may be sent to you and we may let you know what changes or improvements will happen to WeCom. Or, we will give service return visit on you; and

4.1.4 Complying with relevant requirements in applicable laws and regulations, the ministry rules and the government orders.

Currently, we will not use your personal information for personalized recommendation or advertisement purpose. If we use your personal information beyond the purpose stated during collection and the scope that is directly or reasonably associated, we will notify you of the same by means of indication in the page, interaction process and website announcement and ask for your express consent before we use your personal information.

4.2 We will treat use of the Company-controlled Data in accordance with the laws subject to the decision of the Company User and relevant agreements between us and the Company User. For example, the Company User will be entitled to determine which information of the End User to display and how to display such information in WeCom.

4.3 In accordance with relevant laws and regulations as well as the national standards, we may collect and use your personal information without your authorization and consent:

(1) Related to data controllers fulfilling obligations stipulated by laws and regulations;

(2) Directly related to national security and national defense security;

(3) Directly related to public safety, public health, and significant public interests;

(4) Directly related to criminal investigation, prosecution, trial and execution of judgments;

(5) In order to protect the life, property and other major legal rights of the data subject or other individuals, but it is difficult to obtain the authorization and consent of such data subject;

(6) The personal information involved has already been disclosed to the public by the data subject;

(7) Necessary for signing and performing contracts according to the requirements of data subject;

(8) Collecting personal information from legitimately publicly disclosed information, such as legitimate news reports, government information disclosure and other channels;

(9) Necessary to maintain the safe and stable operation of the products or services provided, such as discovering and disposing of product or service disorders;

(10) The data controller is a news organization and is necessary to carry out legitimate news reports;

(11) The data controller is an academic research institution that is necessary to conduct statistics or academic research for the public interest, and when it provides the results of academic research or description to the public, the personal information contained in the results is de-identified.

5. Sharing and Provision of Information

We will not share with or transfer to third parties your personal information, except that:

5.1 Your express consent has been obtained: upon your prior consent, we may share your personal information with third parties;

5.2 For the purpose of external processing, we may share your personal information with our affiliates or other third-party partners including third-party service providers, contractors, agents and application developers and permit them to process such information according to our instructions, privacy policy and other relevant confidentiality and security measures and to use such information to provide you with our services so as to realize the purposes set out in the section "How We Use the Personal Information". If we share your personal information with the aforesaid affiliates or third parties, we will take encryption, anonymization and other means to safeguard the security of your personal information.

5.3 We will not publicly disclose the personal information collected, and when it is compulsory to do so, we will notify you of the purpose of this public disclosure, the type of information to be disclosed and the sensitive information that may be involved, and make the disclosure in compliance with relevant laws and regulations. It should be particularly noted that how to disclose or share the information about the End User in the work platform of the Company User in which the End User joins shall be determined and managed by the Company User. If you have any concerns or questions, you understand and agree to contact your Company User or Company User Admin for help.

5.4 With continuous development of our businesses, we may proceed with consolidation, procurement, asset transfer and other transactions, and we will notify you of relevant conditions and continue to or require the new controller to continue to protect your personal information in accordance with the laws and regulations and the standards that are in no event less restrictive than those required in these Privacy Guidelines.

5.5 We may disclose your personal information on the basis of the legal requirements or the law enforcement requirements from the competent authority.

6. How You Access and Manage Your Personal Information

To ensure that you can access, correct or delete your personal information in a more convenient manner during your use of WeCom, and meanwhile to safeguard your right to withdraw your consent or quit the company (deactivate the account), we have provided you with the corresponding operation setting in the product design and you can follow the guidelines below for operation.

6.1 Access the Personal Information

6.1.1 Access the profile photo, name, gender, nickname, information externally display, work signature, company name, invoice title, mobile number, landline number, email address, position, title level, title, department, fax number, office seat, secretary and other information:

(1) After logging in to WeCom, click "Me";

(2) Click Profile Photo column;

(3) Access Personal Information.

6.1.2 Access contacts:

(1) After logging in to WeCom, click "Contacts";

(2) Check internal contacts and external contacts of the company.

6.2 Set the Privacy Feature

6.2.1 Set whether verification is required to add me as contact:

(1) After logging in to WeCom, click "Me";

(2) Click "Settings";

(3) Click "Privacy";

(4) Click "Verification Is Required to Add Me as Contact" to make the change.

6.2.2 Set how to allow others to find current company identity:

(1) After logging in to WeCom, click "Me";

(2) Click "Settings";

(3) Click "Privacy";

(4) Click "Allow Others to Find Current Company Identity" to make the change.

6.2.3 Set the information to be shown to my external contacts:

(1) After logging in to WeCom, click "Me";

(2) Click "Settings";

(3) Click "Privacy";

(4) Choose "Whether to Show Mobile Number, Email, Title and Other Information to My External Contacts".

6.2.4 Set how to accept friend request:

(1) After logging in to WeCom, click "Me";

(2) Click "Settings";

(3) Click "Privacy";

(4) Choose "Whether to Allow Adding Me As A Friend Via Group Chat" or "Whether to Allow Adding Me As A Friend Via Contact Card" or "Whether to Accept the Friend Request Received in Weixin".

6.2.5 Manage Weixin Friends:

(1) After logging in to WeCom, click "Me";

(2) Click "Settings";

(3) Click "Privacy";

(4) Choose "Whether to Allow Obtaining My Weixin Friends".

6.3 Delete the Personal Information

6.3.1 Delete all one-to-one chat histories:

(1) After logging in to WeCom, open the dialog and click the  icon at the top right corner;

(2) Click Clear Chat History.

6.3.2 Delete group chat history:

(1) After logging in to WeCom, open the dialog and click the  icon at the top right corner;

(2) Click Clear Chat History.

6.3.3 Delete part of the chat histories:

(1) After logging in to WeCom, open the dialog and hold the message to be deleted;

(2) Select "Delete" to delete this message.

6.3.4 Delete the profile photo, name, gender, nickname, work signature, company name, invoice title, mobile number, landline number, email address, position, title level, title, department, fax number, office seat, secretary and other information;

If no restriction is set by the Company User Admin:

(1) After logging in to WeCom, click "Me";

(2) Click Profile Photo column;

(3) Delete the information.

If the Company User Admin sets Members Are not Allowed to Modify, please contact the corresponding Company User Admin if you want to make changes.

6.4 Correct the Personal Information

If no restriction is set by the Company User Admin:

(1) After logging in to WeCom, click "Me";

(2) Click Profile Photo column;

(3) Change the information.

If the Company User Admin sets Members Are not Allowed to Modify, please contact the corresponding Company User Admin if you want to make changes.

6.5 Withdraw the Consent

Withdraw recommendation of new external contacts:

(1) After logging in to WeCom, click "Me";

(2) Click Settings;

(3) Click Privacy;

(4) Click "Recommend New External Contacts to Me" to change the setting.

6.6 Quit Company (Deactivate the Account)

6.6.1 Quit company

(1) After logging in to WeCom, click "Me";

(2) Click "Settings";

(3) Click "Manage Company Identity";

(4) Click company you want to quit;

(5) Click "Quit Company".

Note: When you quit your company, we will delete or anonymize the personal information about you in this company within a reasonable period. When you quit your company, you are deemed to deactivate the account, and we will stop providing you with services and delete or anonymize your personal information within a reasonable period.

7. Protection of Minors

We attach great importance to the protection of the personal information of minors. Subject to the provisions in relevant laws and regulations, if you are a minor below the age of 14, before using the products and services of WeCom, please carefully read and understand these Privacy Guidelines and "儿童隐私保护声明" specially formulated by Tencent that applicable to children under the age of 14, and obtain your parent or your legal guardian’s written consent for these Privacy Guidelines and "儿童隐私保护声明". If you are the legal guardian of a minor, when you have any questions about the personal information of the minor under your guardianship, please contact us through the contact information in Section 10.

8. Changes to These Privacy Guidelines

We may amend these Privacy Guidelines from time to time. In case of changes to the terms hereof, we will display the changed Guidelines to you by the means of announcement on the official website (https://work.weixin.qq.com) or push notification.

In case of significant changes to the terms hereof, we will notify you of such changes by the means of announcement on the official website (https://work.weixin.qq.com), push notification or pop-up window that is more eye-catching.

For the purpose of this article, significant changes include but are not limited to:

(1) Significant changes in our service mode, such as purpose of processing the personal information, type of the personal information processed and approach for use of the personal information;

(2) Significant changes in the ownership structure and organizational directory, such as change in the owner caused by business adjustment, bankruptcy and merger & acquisition;

(3) Changes in the main target with or to whom we share, transfer or publicly disclose the personal information;

(4) Significant changes in your right to engage in processing of the personal information and the approach for exercise thereof;

(5) Changes in the department responsible for security in processing the personal information, the contact information and the complaint channel; and

(6) High risks as shown in the personal information security impact assessment report.

9. Miscellaneous

Tencent Privacy Policy contains the general privacy terms that are generally applicable across Tencent, and the user's rights and information security safeguarding measures set out herein, including but not limited to How We Use Cookies and Relevant Technologies, apply to the WeCom users. In case of any inconsistency or conflict between Tencent Privacy Policy and these Privacy Guidelines, the latter shall prevail.

10. Contact Us

When you have other complaints, suggestions and questions about the personal information of minors, please contact us through http://kf.qq.com/. You may also send your questions to Dataprivacy@tencent.com or mail them to:

Data and Privacy Protection Center (Attention), Legal Department, Tencent Building, Kejizhongyi Avenue, Nanshan District, Shenzhen, Guangdong Province, China

Postal Code: 518057

We will review the issues involved as soon as possible and give you the reply within fifteen days upon verification of your identity.