1. Introduction

This Product is an intelligent scientific research and collaboration platform developed and operated by Chongqing VIP Information Co., Ltd. and its affiliated companies (hereinafter referred to as "we," "us," or "the Company"). Leveraging cutting-edge technologies—including Artificial Intelligence (AI), Natural Language Processing (NLP), knowledge graph construction, multimodal data analytics, and cloud computing—this Product provides innovative services to researchers, faculty and students at academic institutions, enterprise R&D teams, and professional organizations worldwide. These services include, but are not limited to: intelligent literature retrieval, academic resource discovery and access, automated report generation, collaborative experimental data management, AI-assisted research, cross-lingual academic translation, and research trend forecasting.

As a technology-driven enterprise dedicated to academic research services, we deeply understand the heightened sensitivity and need for control that users have over their personal information, research outputs, interaction behaviors, and generated content in the AI era. Therefore, this Privacy Policy Agreement (hereinafter referred to as "this Policy") aims to transparently, clearly, and responsibly inform you of how we collect, use, store, share, transfer, protect, and ultimately dispose of your personal information when you visit, register, use, or otherwise interact with this Product Platform (including, but not limited to, our website www.cboa.org.cn , Application Programming Interfaces [APIs], browser extensions, and any other digital service forms that may emerge in the future).

This Policy reflects not only our legal obligations but also our solemn commitment to user trust. It has been drafted in strict compliance with—and strives to simultaneously satisfy—the core requirements of multiple international and regional laws and regulations, including but not limited to:

• The European Union's General Data Protection Regulation (GDPR) and its UK implementation (UK GDPR);
• The People's Republic of China's Personal Information Protection Law (PIPL), Cybersecurity Law, Data Security Law, and Interim Measures for the Management of Generative AI Services;
• The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), as well as other applicable privacy and data protection laws in relevant jurisdictions.

This Policy applies to all individual and organizational users (e.g., universities, research institutes, enterprises) who use the services of this Product. By accessing our platform for the first time, creating an account, engaging in dialogue with our AI services, or providing information in any other manner, you acknowledge that you have read, understood, and agreed to our processing of your personal information as described in this Policy. If you do not agree with any provision of this Policy, please immediately discontinue using all services of this Product.

We reserve the right to update this Policy in response to business developments, technological advancements, or changes in applicable laws and regulations, and will notify you through appropriate means.

2. Data Controller and Contact Information

For all data processing activities covered by this Policy, Chongqing VIP Information Co., Ltd. acts as the Data Controller (under GDPR / Business under CCPA / Personal Information Handler under PIPL), responsible for determining the purposes and means of personal information processing and bearing corresponding legal responsibilities.

Our registered legal address is: No. 18 Honghu West Road, Northern New Area, Chongqing, China.

Our primary operational and data centers are located in Hong Kong, China, though our services are available globally.

To ensure you can effectively exercise your privacy rights, raise inquiries, file complaints, or seek assistance, we have established dedicated contact channels. You may reach us via:

• General Privacy & Support Email:privacy@cboa.org.cn
• Data Protection Officer (DPO) Dedicated Email (primarily for EU/UK users): dpo@cboa.org.cn
• AI Ethics & Model Governance Committee Email:ai-ethics@cboa.org.cn

We commit to responding to your requests within the timeframes prescribed by applicable laws.

For users in the European Union or the United Kingdom, if you believe our processing of your personal information violates GDPR or UK GDPR, and you remain dissatisfied after filing a complaint with us, you have the right to lodge a formal complaint with the competent data protection supervisory authority in your country of habitual residence, workplace, or where the alleged infringement occurred (e.g., CNIL in France, BfDI in Germany, or the UK Information Commissioner's Office [ICO]).

For users in China, if you believe our processing activities infringe upon your legitimate rights, you may report us to the Cyberspace Administration of China or your local cyberspace authority.

For residents of California, USA, you likewise retain the right to file a complaint with the Office of the Attorney General of California.

For users in other countries, regions, or jurisdictions, if your complaint to us remains unresolved to your satisfaction, you have the right to lodge a complaint with the competent data protection authority in your habitual residence, workplace, or the location of the alleged infringement.

3. Types of Personal Information We Collect

The specific categories of personal information we collect depend on the depth of your interaction with this Product Platform, the specific features you use, and the choices you make. We always adhere to the "data minimization" principle, collecting only the information necessary to achieve specific, explicit, and lawful purposes.

3.1 Personal Information You Voluntarily Provide

This refers to information you consciously and willingly provide while using our services.

• Account Registration and Basic Identity Information: When you create an account, we require a valid email address as your unique login credential and a username of your choice. Your password is encrypted using industry-standard, high-strength, irreversible cryptographic algorithms. We cannot access your plaintext password. If you have concerns, please contact us via the channels listed above. We will do our utmost to assist you while ensuring user information security.
• Interaction Content with AI Research Services: A core feature of this Product is its integrated AI research assistant. When you ask questions, send commands, upload documents for summarization or analysis, or provide feedback on AI responses (e.g., clicking "Helpful" or "Not Helpful"), these interactions—including text, instructions, and feedback signals—are recorded. This data is essential for delivering real-time services and optimizing future performance.

3.2 Automatically Collected Technical Information

During your use of our services, our systems automatically collect technical data related to your device, network environment, and usage behavior.

• Device and Hardware Identifiers: To identify your device, secure your account, and deliver tailored services, we collect information such as screen width, screen height, browser name, and browser platform environment.
• Network and Location Information: Each time you connect to our services, our servers log your Internet Protocol (IP) address. Based on this IP, we infer your approximate geographic location (typically at city or regional level). If you use this Product on a mobile device and grant location permissions, we may also obtain more precise GPS coordinates. You may disable location permissions at any time via your device settings, though this may affect location-dependent features.
• Usage Behavior and Log Data: We meticulously record your interactions with the platform, including visited page URLs, clicked buttons, used modules, dwell time on pages, frequency and types of AI queries, application crash/error reports, and whether the app is running in the foreground or background. These logs are invaluable for troubleshooting, enhancing user experience, and ensuring system stability.
• Operating System and Software Environment: We also collect your device's OS type (including but not limited to Windows, macOS) and version, screen resolution, default language, available storage space, and browser type/version. This helps ensure compatibility across diverse environments.

3.3 Personal Information Obtained from Third Parties

Subject to applicable laws, we may supplement our data from external sources to enhance service relevance and accuracy.

• Academic and Commercial Data Partners: We collaborate with academic publishers and database providers. With lawful authorization, we may obtain publicly available academic metadata—such as author-institution mappings, paper keywords, and citation data—to enrich our knowledge graph and improve literature recommendations and collaborator discovery.
• Public Databases and Open Data Sources: We also leverage non-sensitive information from open platforms (e.g., DOAJ), patent databases, and preprint servers (e.g., arXiv, bioRxiv) to supplement AI model training and knowledge base construction.
• Social Media Platforms: If you choose to log in via Google, WeChat, or Apple accounts, we will, per your privacy settings on those platforms, access your public profile information, such as avatar, nickname, and verified email address.

3.4 Personal Information of Minors

This Product is not intended for children under 13, and we do not knowingly collect their personal information. While our registration process cannot technically prevent minors from signing up, we explicitly state that such users are unwelcome. If you are a parent or legal guardian and discover your child has provided us with personal information without consent, please contact us immediately at privacy@cboa.org.cn . Upon verification, we will take all necessary measures within 72 hours to permanently delete or anonymize the data from all our systems, including backups.

4. Purposes and Legal Bases for Processing Personal Information

We process your personal information only for clear, lawful purposes and strictly in accordance with the legal bases required by applicable laws.

4.1 Core Service Delivery and Account Management

We process your registered email, username, password hash, and third-party login data to create and manage your account, enabling access to basic platform functions. The legal bases for this are:

• Necessity for performance of a contract (GDPR Art. 6(1)(b));
• Necessity for concluding or performing a contract to which you are a party (PIPL Art. 13);
• Business purpose (CCPA/CPRA).

4.2 AI Service Delivery

When you use our AI research services, we process your query text and contextual information to generate real-time responses, summaries, or analyses—core to our service value. The legal basis remains necessity for performance of a contract.

4.3 Personalization and Content Recommendations

To enhance your experience, we use your research interests, browsing/search history, and saved items to recommend relevant papers, collaborators, tools, or events. This processing is based on your explicit consent (GDPR Art. 6(1)(a); PIPL Arts. 14 & 23 require "separate consent"). You may withdraw this consent anytime via account settings; doing so stops personalized recommendations but does not affect core services.

4.4 AI Model Training and Improvement

To continuously improve our AI models' accuracy, robustness, and multilingual capabilities, we aim to use real user interaction data—but with strict boundaries:

We will never use your private documents or conversation history without explicit authorization to train our public large models.

We only use:

• Feedback you voluntarily submit and explicitly mark as usable for model improvement; or
• Interaction logs that have undergone rigorous de-identification and anonymization.

4.5 Customer Support, Security, and System Maintenance

We process your contact details, account info, and usage logs to respond to support requests, investigate/fix errors, detect/prevent fraud, abuse, security attacks, or illegal activities, and conduct internal audits and performance optimization. These activities are vital for collective user safety and platform stability. Legal bases include:

• Necessity for contract performance;
• Compliance with legal obligations (GDPR Art. 6(1)(c));
• Necessity for cybersecurity and system stability (PIPL).

4.6 Legal Compliance and Dispute Resolution

We may be legally compelled to disclose your personal information in response to valid court orders, subpoenas, or lawful requests from regulatory authorities. We may also retain/process relevant information as evidence in actual or potential litigation, arbitration, or disputes. The legal basis is compliance with legal obligations (GDPR Art. 6(1)(c); PIPL Art. 13).

5. AI-Related Data Processing

Given this Product's deep AI integration, we provide special transparency regarding AI-related data processing.

5.1 AI Inference (Real-Time Service)

When you input a query or upload a document and click "Send," the request is encrypted and transmitted to our backend servers. Our AI model generates a response based on its training and your provided context—typically within seconds. During this inference phase, your input data is used solely for the immediate session response and is not persistently stored for other purposes unless you actively choose to save the conversation to your personal workspace. Even then, the data remains your personal asset under your control.

5.2 AI-Generated Content (AIGC)

Our AI models evolve through a continuous learning loop, with user feedback as a key component. When you rate AI responses (e.g., thumbs up/down), these signals are collected.

Any content you generate via our AI research services—including text, code, images, or data summaries—may contain factual errors, biases, or omissions. Therefore, we strongly advise manual review and verification of AI-generated content intended for academic publication, business decisions, or legal use. This Product assumes no full liability for the accuracy, reliability, or legality of AIGC.

We deploy content safety filters to scan AI outputs in real time, preventing the generation of illegal, pornographic, violent, or copyright-infringing material. If you encounter inappropriate AIGC, please report it immediately to report@cboa.org.cn .

6. Sharing and Disclosure of Personal Information

We treat personal information as highly valuable and share it only under specific circumstances.

6.1 Third-Party Service Providers

We may engage trusted third-party service providers ("data processors" or "service providers") to assist with specific tasks, including:

• Cloud Infrastructure & Storage: We use providers like Alibaba Cloud and Amazon Web Services (AWS) to host applications, store user data, and run AI computations.
• Identity Authentication: We may integrate specialized providers like Auth0 to securely manage logins and SSO.
• Push Notification Services: We partner with services like Firebase Cloud Messaging (Google) to send critical service notifications (e.g., task completion alerts, security warnings).

We enter into legally binding Data Processing Agreements (DPAs) with all such providers, requiring them to process your data only per our instructions and implement equivalent security measures. They are strictly prohibited from using your data for their own purposes.

6.2 Sharing with Affiliates

We may share your information with Chongqing VIP's parent, subsidiary, or affiliated companies for unified account systems, cross-product integration, or group-level compliance. All affiliates must adhere to this Policy's terms and spirit.

6.3 Disclosure for Legal, Regulatory, or Emergency Reasons

We may disclose your personal information when:

• Legally Compelled: In response to valid court orders, subpoenas, search warrants, or lawful investigations by law enforcement, tax, or securities regulators.
• Protecting Vital Interests: In emergencies to protect you, other users, our staff, or the public from imminent threats to life, property, or safety.
• Business Transfers: If our company or assets are acquired, merged, or under negotiation for such transactions, your data may be transferred as part of the deal. We will require the new controller to abide by this Policy or offer you an opt-out opportunity.

6.4 Special Clarification on "Sale" and "Sharing" (for U.S. Users)

Under the broad definitions of the California Consumer Privacy Act (CCPA) and CPRA, "sale" includes disclosing personal information for "other valuable consideration," and "sharing" refers specifically to cross-context behavioral advertising (i.e., targeted ads).

We hereby declare: In the next twelve (12) months, this Product will not "sell" or "share" any California resident's personal information for any purpose.

All data exchanges with third-party service providers are strictly limited to what is necessary to perform our contract with you, and thus do not constitute "sale" or "sharing" under CCPA/CPRA.

7. Cross-Border Data Transfers

This Product is global, but our primary data centers are currently in Hong Kong, China. Thus, your personal information may be transferred, stored, and processed in China regardless of your location. Data protection laws vary globally, and some jurisdictions may not offer protections equivalent to yours.

To ensure lawful and secure cross-border transfers, we implement jurisdiction-specific safeguards:

• For GDPR/UK GDPR Users: We rely on the European Commission–approved Standard Contractual Clauses (SCCs) as the legal mechanism, supplemented by strong technical measures (e.g., end-to-end encryption, strict access controls).
• For PIPL-Governed Chinese Users: We generally store your data within China. If overseas transfer is necessary for business reasons, we will comply with PIPL by either:
  • Passing a security assessment organized by the Cyberspace Administration of China;
  • Signing a standard contract formulated by the CAC; or
  • Obtaining your separate, written, informed consent in specific scenarios.
• For U.S. and Other Jurisdictions: Even where local law imposes no mandatory cross-border requirements, we ensure all overseas recipients (including ourselves and our providers) maintain reasonable data protection practices.

You may request detailed information about the legal mechanisms and technical safeguards used for cross-border transfers at any time.

8. Retention and Disposal of Personal Information

We do not retain your personal information indefinitely. Our retention policy follows the principles of "purpose limitation" and "data minimization," keeping data only as long as necessary to fulfill the purposes outlined in this Policy.

• Account and Profile Information: Retained while your account is active. Upon voluntary account deletion, we initiate cleanup and permanently delete all your personal data within 5 days.
• AI Interaction and Usage Logs: Raw interaction logs used for service delivery are automatically anonymized so they can no longer be linked to your identity. Anonymized aggregate data may be used for long-term product analysis and trend research.
• System, Security, and Transaction Logs: Retained for three (3) to seven (7) years to comply with legal obligations related to cybersecurity, auditing, taxation, and accounting.
• Raw Data for AI Model Training: Once a model training/validation cycle is complete, all raw, identifiable log data used in that cycle is immediately and permanently deleted from our production systems and backups.

When retention periods expire or we no longer have a legitimate business reason to process your data, we will securely and irreversibly delete or anonymize it. Anonymized data is no longer considered personal information and may be used for statistical analysis.

9. Cookies and Tracking Technologies

Cookies and similar technologies are essential for modern websites and apps, enhancing user experience, ensuring service security, and enabling internal analysis.

9.1 Definition and Function of Cookies

Cookies are small text files sent by our servers and stored on your device (computer, phone, tablet). When you revisit our site or use our app, your browser sends the cookie back to our server, allowing us to recognize your device, remember preferences (e.g., language, theme), maintain login sessions, and collect aggregated usage data.

In addition to traditional HTTP cookies, we use:

• Local Storage and Session Storage: For storing larger data volumes in your browser.
• Web Beacons ("pixel tags" or "clear GIFs"): Tiny graphics embedded in webpages/emails to track page views, email opens, etc.
• Software Development Kits (SDKs): Code libraries in our mobile app for push notifications, crash analytics, etc.

9.2 Types of Cookies We Use – Detailed List

We currently only use Strictly Necessary Cookies, which are essential for the basic functionality and security of this Product Platform and cannot be disabled via our Cookie Settings panel. Without them, requested services (e.g., article search, AI Q&A) cannot be provided:

• sso-auth-token (7 days): For login authentication.
• cboa-token (7 days): To maintain your login session across pages.
• i18n_redirected (1 year): To remember your preferred display language.

We explicitly commit that our platform does not use: Functional Cookies (for enhanced experience/personalization), Analytics Cookies (for user behavior analysis), Targeting/Advertising Cookies (for interest-based ads), Third-Party Cookies (for cross-site tracking, profiling, or programmatic advertising), Or any cookies representing the above types (e.g., Google Analytics, Meta Pixel, TikTok Pixel).

Should this change in the future, we will promptly update this Privacy Policy and Cookie Policy and adjust our Cookie Settings panel accordingly.

9.3 How to Manage Your Cookie and Tracking Preferences

We respect your control over your data. You may manage cookies via:

• On Our Website: On first visit, a Cookie Consent banner appears. Click "Cookie Settings" to access a detailed panel where you can toggle non-essential cookies (though none currently exist).
• Via Your Browser or Device OS: You may block all or third-party cookies through your browser's "Privacy" or "Security" settings.

9.4 "Do Not Track" (DNT) Statement

"Do Not Track" (DNT) is a privacy preference setting in some browsers/OSes indicating users' desire not to be tracked. However, the industry lacks a unified, mandatory standard for interpreting/responding to DNT signals.

Therefore, this Product Platform does not respond to DNT browser signals or other automated "opt-out" mechanisms. Instead, we provide more effective and reliable control through our proactive, granular Cookie and permission management tools.

10. Data Security Measures

Protecting your personal information is one of our highest priorities. We invest significant resources in multi-layered, defense-in-depth security strategies to prevent data loss, misuse, unauthorized access, disclosure, alteration, or destruction.

10.1 Technical Security Measures

• Encryption: All data transmitted between your device and our servers uses TLS 1.3 encryption. Personal information at rest (especially sensitive/privacy data like passwords, contact info, IP addresses) is encrypted using industry-standard algorithms (e.g., RSA, DES, AES).
• Access Control: We enforce strict Role-Based Access Control (RBAC). Only authorized employees may access specific data per their job duties, and all access is logged and audited.
• Network Security: Our infrastructure includes firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), and Distributed Denial-of-Service (DDoS) protection.
• Vulnerability Management: We regularly conduct security scans and penetration tests on our apps, servers, and dependencies, and operate a bug bounty program to encourage security researchers to report vulnerabilities.

10.2 Organizational and Administrative Measures

• Employee Training & Confidentiality: All employees undergo comprehensive data security and privacy training upon hiring and sign confidentiality agreements. Refresher training is conducted regularly.
• Physical Security: Our data centers, operated by professional cloud providers (e.g., Alibaba Cloud, AWS), feature world-class physical security: biometric access, 24/7 video surveillance, and disaster prevention systems.
• Incident Response: We maintain a detailed Data Security Incident Response Plan. In the event of a breach (or suspected breach), our team immediately initiates investigation, containment, eradication, and recovery, and notifies relevant regulators and affected users within legally mandated timeframes (e.g., 72 hours under GDPR).

Despite our best efforts, no internet transmission or electronic storage method can guarantee 100% security. Thus, while using this Product, you also assume some risk. We recommend using strong passwords, enabling two-factor authentication, avoiding public/unsecured networks for login, and regularly reviewing your account activity.

11. Your Privacy Rights

Depending on your jurisdiction, you may have various privacy rights. We provide convenient channels to exercise them:

• Right of Access: Confirm whether we process your data and obtain a copy.
• Right to Rectification: Request correction of inaccurate/incomplete data.
• Right to Erasure ("Right to Be Forgotten"): Request deletion under certain conditions (e.g., purpose fulfilled, consent withdrawn, unlawful processing).
• Right to Restriction of Processing: Request limitation under specific circumstances (e.g., accuracy contested, processing unlawful but deletion opposed, data needed for legal claims).
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and, where technically feasible, request direct transfer to another controller.
• Right to Object: Object to processing based on legitimate interests (not consent) or to direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time (without affecting prior lawful processing).
• Right Not to Be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

To exercise any right, email privacy@cboa.org.cn . To protect your account, we will verify your identity—typically by requesting matching information (e.g., registered email, recent login time/location). We will not ask for sensitive data beyond what's needed for verification.

Upon receiving a verifiable request, we will respond within legally required timeframes:

• GDPR: 1 month
• PIPL: 15 business days
• CCPA: 45 days

We will not charge fees unless your request is manifestly unfounded, excessive, or abusive.

12. Policy Update Mechanism

As our business evolves, technology advances, and global privacy laws change, we may update this Policy. We carefully assess each change to ensure compliance with the latest legal requirements and best practices.

For material changes (e.g., new processing purposes, new sharing partners, substantial impact on your rights), we will notify you via one or more of the following:

• Prominent notice on the Product Platform (e.g., login page, announcement board);
• Email to your registered address;
• Pop-up/banner on your next login.

The latest version of this Policy will always display an updated "Effective Date." We encourage you to review it regularly. Your continued use constitutes acceptance of the latest version.

13. Special Provisions for California Residents (CCPA/CPRA)

This section supplements the Policy for California consumers ("you") and prevails in case of conflict.

In the past twelve (12) months, we collected the following categories of personal information:

• Category A: Identifiers (e.g., name, email, IP address)
• Category B: California Customer Records (e.g., education, occupation, employer)
• Category F: Internet/Electronic Network Activity (e.g., browsing/search history, service interactions including AI queries)
• Category G: Geolocation Data (e.g., approximate location inferred from IP)

We did not collect:

• Category C (protected characteristics like race, religion),
• Category E (biometric data),
• Category L (sensitive data like SSN, precise geolocation, communication contents).

Your CCPA/CPRA rights include:

• Right to Know: Categories and purposes of collection, use, sale, or sharing.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: Request cessation of "sale" or "sharing." (As stated, we do not engage in such activities, but you retain this right.)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights (e.g., deny service, charge different prices, or provide lower-quality service).

To exercise your rights, email support@cboa.org.cn with subject line "CCPA Request." We will respond within 45 days (extendable by 45 more days with notice). We process up to two free requests per year.

14. Other Jurisdiction-Specific Provisions

• EU/UK Users: In addition to this Policy, you retain all rights under GDPR/UK GDPR, including the right to complain to your national data protection authority.
• Chinese Users: Our processing strictly complies with PIPL, including requirements for informed consent, separate consent, Personal Information Protection Impact Assessments (PIPIAs), and cross-border transfer compliance.
• Brazilian Users: Under the LGPD, you may confirm data processing, correct inaccuracies, anonymize/delete unnecessary data, and obtain a list of entities with whom we share your data.
• South African Users: Under POPIA, you may access/correct your data and complain to the South African Information Regulator.

15. Miscellaneous

Terms in this Policy (e.g., "personal information," "processing," "controller," "consent") shall be interpreted per the laws of your applicable jurisdiction. In case of inconsistency between the English version and any translated version, the English version shall prevail, except for Chinese users, for whom the Chinese version shall have equal or superior effect. This Policy constitutes the entire agreement between you and Chongqing VIP Information Co., Ltd. regarding personal information processing, superseding all prior or contemporaneous communications. It forms an integral part of the Terms of Service for This Product.