Privacy Policy

1. Introduction

Welcome to Social Finance Hub. This Privacy Policy explains how Digital Lattice (Chengdu) Technology Co., Ltd. ("we," "us," or "our") collects, uses, discloses, and protects your information when you use our website and services.

Social Finance Hub is a non-profit research platform dedicated to advancing social finance knowledge. We do not sell or share personal information for commercial purposes, and we do not use third-party advertising services.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or interact with our services, we may collect:

• Account Information: Email address, username, password (encrypted)
• Profile Information: Name, academic affiliation (if provided voluntarily)
• Communication Data: Messages you send to us through contact forms

2.2 Information Automatically Collected

• Technical Data: IP address, browser type, device information
• Usage Data: Pages visited, time spent on site, search queries
• Cookies: Essential cookies for site functionality (see our Cookie Policy)

2.3 Information We Do NOT Collect

• Sensitive personal data (race, political opinions, health information)
• Financial information or payment data (we are non-profit and free)
• Location data beyond general geographic region from IP address
• Data from third-party social media platforms

3. How We Use Your Information

3.1 Lawful Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract Performance (Article 6(1)(b) GDPR): Processing is necessary for providing account-based services and fulfilling our agreement with you
• Consent (Article 6(1)(a) GDPR): For optional features, analytics, and communications where you have given explicit consent
• Legitimate Interests (Article 6(1)(f) GDPR): For improving our service, security, and research platform functionality, balanced against your privacy rights
• Legal Obligation (Article 6(1)(c) GDPR): Where required to comply with applicable laws and regulations

3.2 Purposes of Data Processing

We use your information to:

• Provide and maintain our research platform services
• Create and manage your user account
• Respond to your inquiries and provide customer support
• Improve our website functionality and user experience
• Ensure security and prevent fraud
• Comply with legal obligations

4. Data Sharing and Disclosure

4.1 We Do NOT Sell Your Data

We do not sell, rent, or share your personal information for commercial purposes. As a non-profit organization, we are committed to protecting your privacy.

4.2 Limited Data Sharing

We may share your information only in these limited circumstances:

• Service Providers: Supabase (database hosting) and Vercel (web hosting) for technical operations
• Legal Requirements: When required by law or to protect our rights
• With Your Consent: When you explicitly agree to sharing

4.3 Data Processing Locations and International Transfers

Your data is processed in the United States through our service providers (Vercel and Supabase).

For EU residents: We ensure that your personal data transferred to the US receives adequate protection equivalent to GDPR standards.

5. Your Rights and Choices

5.1 GDPR Rights (EU Residents)

If you are located in the European Union, you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for data processing

5.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights:

• Right to Know: Request information about data collection and use
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of sale of personal information (we don't sell data)
• Right to Non-Discrimination: Equal service regardless of privacy rights exercise
• Right to Correct: Request correction of inaccurate personal information

5.3 Data Portability

For GDPR compliance, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). To request a data export:

• Email us at socialfinanceworkinggroup@gmail.com with the subject "Data Export Request"
• We will provide your data within 30 days in a portable format
• The export will include: account information, profile data, and activity history

5.4 How to Exercise Your Rights

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

• Encryption in Transit: All data transmission is encrypted using HTTPS
• Encryption at Rest: Database encryption through Supabase
• Access Controls: Limited access to personal data on a need-to-know basis
• Regular Security Updates: Ongoing security monitoring and updates
• Incident Response: Procedures for handling potential data breaches

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy:

• Account Data: Until you delete your account or request deletion
• Usage Data: Aggregated and anonymized after 2 years
• Communication Records: Up to 3 years for support purposes
• Legal Requirements: As required by applicable law

8. Children's Privacy

Our service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

9. International Data Transfers

If you are located outside the United States, please note that we transfer and process your information in the United States.

9.1 Legal Mechanisms

We ensure appropriate safeguards are in place to protect your information in accordance with applicable data protection laws:

• EU-US Data Privacy Framework: Our service providers participate in this framework, ensuring adequate protection for EU personal data transferred to the US
• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs for data transfers where applicable
• GDPR Compliance: All transfers are conducted in accordance with Chapter V of the GDPR
• Data Processing Addendum: Our database provider Supabase maintains a Data Processing Addendum (DPA) that ensures GDPR-compliant data processing and international transfers

9.2 Data Protection Measures

Additional safeguards for international data transfers include:

• End-to-end encryption for data in transit
• Encryption at rest for stored data
• Regular security audits and compliance reviews
• Contractual obligations with service providers to maintain data protection standards

10. Cookies, Similar Technologies and Tracking

To enable our website to function properly and improve your experience, we use cookies and other similar technologies such as Web Storage (Session Storage, Local Storage). These technologies help us maintain essential website functionality, remember your preferences, and provide a better user experience.

We use minimal cookies and storage technologies necessary for website functionality. We do not use tracking cookies or third-party advertising cookies. For detailed information about our use of cookies and web storage technologies, please see our Cookie Policy.

11. Updates to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the updated policy on our website
• Update the "Last Updated" date
• Notify you via email if you have an account (for significant changes)
• Provide at least 30 days advance notice for material changes

12. Contact Information

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

13. Supervisory Authority (EU Residents Only)

If you are located in the European Union and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.