4.1 Retention Period

We will retain your personal information for the shortest period necessary to provide the service. You understand and acknowledge that the necessary storage period may vary based on different services and their functional requirements, for example, the time for retaining personal information specifically agreed upon in the product service contract you signed, or maintaining corresponding log records as required by law, or performing system and service security protection in accordance with the law and agreement, or responding to possible third-party investigations and evidence collection or user complaints, problem location, etc., or whether there are special requirements for retaining personal information under laws, contracts, etc.

We will continue to retain the relevant information until you withdraw your authorization, delete or cancel your account, or the purpose of processing personal information is not achieved or the retention period expires.

If laws and regulations have other provisions on the retention period, you agree to retain the information for a longer period, to ensure the safety and quality of the service, to achieve the purpose of dispute resolution, or when force majeure occurs, we will extend the retention period in accordance with the law, in accordance with the contract, or within a reasonable range.

After the retention period expires, we will delete your personal information or anonymize it, unless otherwise provided by laws and regulations.

4.2 Territory of Information Retention

In principle, the personal information we collect and generate within the territory of the People's Republic of China will be stored within the territory of the People's Republic of China. In the following circumstances, your personal information may be transferred to or accessed from jurisdictions outside the country/region where you use products or services:

1. Applicable laws and regulations have clear provisions;
2. Obtain your separate consent;
3. To perform the contract with you.

In response to the above circumstances, we will strictly fulfill the obligations stipulated by laws and regulations and protect the security of your personal information in accordance with this policy.

4.3 Security Measures

We will collect, use, store and transmit user information based on the principle of “minimization” and inform you of the purpose and scope of use of the relevant information through the User Agreement and Privacy Policy. We attach great importance to information security. We have set up a dedicated team to develop and apply a variety of security technologies and procedures. We will conduct security background checks on security management personnel and key security positions. We have established a complete information security management system and internal security incident handling mechanism. We will take appropriate security measures and technical means that meet industry standards to store and protect your personal information to prevent your information from being lost, unauthorized access, public disclosure, use, damage, loss or leakage. We will take all reasonable and feasible measures to protect your personal information. We will use encryption technology to ensure the confidentiality of data; we will use trusted protection mechanisms to prevent data from being maliciously attacked. We will train and assess employees on data security awareness and security capabilities, and strengthen their awareness of the importance of protecting personal information. We will authenticate the identity and control the permissions of employees who handle personal information, and sign confidentiality agreements with employees and partners who have access to your personal information, clarify job responsibilities and codes of conduct, and ensure that only authorized personnel can access personal information. If there is any violation of the confidentiality agreement, the cooperative relationship with Baidu will be terminated immediately, and relevant legal responsibilities will be pursued. Confidentiality requirements are also made for personnel who have access to personal information when they leave their posts. We also ask you to understand that in the Internet industry, due to the limitations and rapid development of technology and the various possible malicious attacks, even if we do our best to strengthen security measures, it is impossible to always guarantee 100% security of information. Please understand that the system and communication network you use when using our products and/or services may have security problems in other links beyond our control. According to our security management system, the leakage, damage or loss of personal information is classified as the most serious security incident. Once it occurs, the company's highest level emergency plan will be activated, and a joint emergency response team composed of multiple departments such as the Security Department, Public Affairs Department, and Legal Department will be formed to handle it.

4.4 Notification of Security Incidents

We will formulate emergency plans for network security incidents and promptly deal with security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions. When an incident that endangers network security occurs, we will immediately activate the emergency plan, take appropriate remedial measures, and report to the relevant competent authorities in accordance with regulations.

The leakage, damage, and loss of personal information are considered company-level major security incidents. We will be responsible for regularly organizing working group members to conduct security plan drills to prevent such security incidents from happening. If unfortunately, we will activate the emergency plan with the highest priority, form an emergency response team, trace the cause and reduce the loss in the shortest time.

After the unfortunate occurrence of a personal information security incident, we will promptly inform you of the basic situation and possible impact of the security incident, the measures we have taken or will take, suggestions for you to prevent and reduce risks on your own, and remedial measures for you in accordance with the requirements of laws and regulations. We will promptly inform you of the relevant situation of the incident through in-site notifications, SMS notifications, phone calls, emails, and other contact information you have reserved. When it is difficult to inform you one by one, we will take reasonable and effective ways to issue announcements. At the same time, we will also proactively report the handling of personal information security incidents in accordance with the requirements of the regulatory authorities. Please understand that according to the provisions of laws and regulations, if the measures we take can effectively avoid harm caused by information leakage, tampering, and loss, we can choose not to notify you of the personal information security incident unless the regulatory authorities require you to be notified.