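POPCUSTOMS Data Security and Personal Information Protection Management Regulation
Document Number: IS-POL-2024-001
Version: V2.0
Effective Date: May 28, 2024
Issuing Departments: Technology R&D Department & Legal and Compliance Department
1. Introduction and Purpose
This regulation is established to safeguard the data security of the POPCUSTOMS application (hereinafter "the App") operated by Fujian Zhongchao Technology Co., Ltd. (hereinafter "the Company"), and to comply fully with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other relevant laws and regulations.
This regulation is a mandatory document for the Company's internal data security management. It defines data classification standards, protection measures, operating procedures, and the assignment of responsibility, so that all data processing activities run within a secure and compliant framework. All employees, contractors, and third-party partners who come into contact with Company data or users' personal information must strictly comply with this regulation.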
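2. Core Principles
Lawfulness and Compliance: All data collection and processing activities must have a lawful basis and obtain the user's explicit authorization.
Minimum Necessity: Only the minimum types and quantity of data necessary to achieve a specific, explicit, and lawful purpose are processed.
Consistency of Authority and Responsibility: The responsibilities and obligations of each department and each position for data security protection are clearly defined.
Security Protection: Technical and management measures appropriate to the state of technology and the level of business risk are adopted to ensure data security.
End-to-End Control: Security management is applied across the full data lifecycle: collection, storage, use, processing, transmission, provision, disclosure, and deletion.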
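3. Data Classification and Protection Levels
The Company classifies the data it processes as follows and applies the corresponding protection measures:
Data Level | Definition | Examples | Protection Requirements |
Level 3 | Highly sensitive data: data whose leakage could expose an individual to discrimination or to serious harm to personal or property safety. | National ID numbers, bank card numbers, biometric information, precise location information, unencrypted passwords. | Access requires separate authorization and dynamic two-factor authentication; access logs are retained permanently and audited weekly. |
Level 2 | Sensitive data: general personal information whose leakage could harm personal privacy. | Name, mobile phone number, shipping address, order information, device identifiers (IMEI/OAID). | Encrypted in transit; some sensitive fields encrypted at rest; access permissions follow the principle of minimization; access logs retained for 6 months. |
Level 1 | Internal data: non-public internal data generated by business operations that does not directly identify individuals. | App crash logs, performance analysis data, internal business operation logs. | Logically isolated storage; access controlled by the Company network and permissions. |
Level 0 | Public data: information that is already public and may be used freely. | Public product descriptions, company news, help center articles. | Routine management. |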
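4. Technical Security Measures
Encryption:
Encryption in Transit: All communication between clients and servers must use the TLS 1.3 protocol, with insecure cipher suites disabled.
Encryption at Rest:
User passwords are stored as salted hashes using the bcrypt algorithm (work factor 12).
Highly sensitive data (such as national ID numbers) is encrypted at the database level using the AES-256 algorithm.
Access Control:
Least Privilege: The principle of least privilege is strictly enforced; employees may access only the data absolutely necessary for their duties. Permission requests require written approval from the department head and the Data Protection Officer (DPO).
Account Security: A complex password policy with periodic changes is enforced. Two-factor authentication (2FA) is enabled for access to core systems and the admin back end.
Log Auditing: Tamper-proof logs are kept for all back-end administrative operations and database queries (especially those involving user data). The security team carries out a full audit of access logs once a month.
Secure Development and Testing:
Security requirements are built into the software development lifecycle (SDLC); a code security audit and a Privacy Impact Assessment (PIA) are mandatory before a new feature goes live.
Each quarter a third-party security company or the internal red team is commissioned to carry out a penetration test, and all high-risk vulnerabilities found are fixed within 72 hours.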
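5. Organizational and Management Measures
Head of Data Protection: A head of data protection is appointed, responsible for supervising the implementation of this regulation and for compliance liaison.
Employee Training: All new employees must receive onboarding training on data security and privacy protection, followed by refresher training once a year; training records are kept on file.
Third-Party Management: All integrated third-party SDKs (such as Alipay and WeChat Login) must pass a technical compliance assessment and sign a data protection agreement that sets out their responsibilities and obligations. The main third parties are listed in the Appendix.
Data Breach Emergency Response:
A 7×24 security incident emergency response team is established.
Once a suspected data breach occurs, the emergency process starts immediately: Contain -> Assess -> Notify -> Remediate.
If a breach is confirmed, reporting and notification obligations to regulators and affected users will be fulfilled within the time limit required by laws and regulations (e.g., within 72 hours).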
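6. Data Retention and Deletion
Users' personal information is kept for the shortest time necessary to achieve the processing purpose.
After a user actively cancels their account, we will delete their personal data from business systems within 30 days, and complete its deletion from all backups within the subsequent backup cleanup cycle (no longer than 60 days).
Data that has exceeded its retention period will be anonymized so that it cannot identify a specific individual and cannot be restored.
7. Audit and Update
This regulation is fully reviewed at least once a year, or updated promptly as laws, regulations, and the business change.
All revisions are tracked by version number and published after management approval.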
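8. Contact Us
If you have any questions about this policy, or wish to exercise your personal information rights (access, correction, deletion, withdrawal of consent, etc.), please contact us by the following means:
Company Name: Fujian Zhongchao Technology Co., Ltd.
Email: support@popcustoms.cn
Customer Service Tel: 13305962420 (Weekdays 8:30~12:00, 14:00~18:00)
We commit to responding to and handling your request within 15 working days.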
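Appendix: List of Integrated Third-Party SDKs
SDK Name | Company | Purpose of Use | Types of Information Collected | Privacy Policy Link |
Alipay SDK | Ant Group | Provide payment services | Device information, network status | https://render.alipay.com/p/c/k2cx0tg8 |
WeChat Open Platform SDK | Tencent | Provide WeChat login, payment, and sharing functions | Device information, network status | https://weixin.qq.com/cgibin/readtemplate?lang=zh_CN&t=weixin_agreement&s=privacy |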
English Version:
Fujian Zhongchao Technology Co., Ltd. Data Security and Personal Information Protection Regulation
Document Number: IS-POL-2024-001
Version: V2.0
Effective Date: May 28, 2024
Developed by: R&D Department & Legal & Compliance Department
1. Introduction and Purpose
To ensure the data security of the POPCUSTOMS application (hereinafter referred to as “the App”) operated by Fujian Zhongchao Technology Co., Ltd. (hereinafter referred to as “the Company”), and to fully comply with relevant laws and regulations such as the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Personal Information Protection Law of the People’s Republic of China, this regulation is hereby established.
This regulation is a mandatory internal document for the Company’s data security management. It aims to define data classification standards, protection measures, operational procedures, and responsibility attribution, ensuring that all data processing activities operate within a secure and compliant framework. All employees, contractors, and third-party partners who have access to Company data and user personal information must strictly adhere to this regulation.
2. Core Principles
Lawfulness and Compliance: All data collection and processing activities must have a legal basis and obtain explicit user authorization.
Data Minimization: Only the minimum types and amount of data necessary to achieve specific, explicit, and legitimate purposes shall be processed.
Accountability: The responsibilities and obligations of various departments and positions regarding data security protection shall be clearly defined.
Security Safeguards: Technical and administrative measures commensurate with technological developments and business risk levels shall be adopted to ensure data security.
Lifecycle Control: Security management shall be implemented throughout the entire data lifecycle, including collection, storage, use, processing, transmission, provision, disclosure, and deletion.
3. Data Classification and Protection Levels
The Company classifies processed data as follows and implements corresponding protection measures:
Data Level | Definition | Examples | Protection Requirements |
Level 3: Highly Sensitive Data | Data that, if leaked, may lead to discrimination or serious harm to personal safety and property. | National ID numbers, bank card numbers, biometric information, precise location data, unencrypted passwords. | Mandatory encryption in transit and at rest; Access requires separate authorization and dynamic two-factor authentication (2FA); Access logs are retained permanently and audited weekly. |
Level 2: Sensitive Data | General personal information, the leakage of which may harm personal privacy. | Name, phone number, shipping address, order information, device identifiers (IMEI/OAID). | Encryption in transit; Encryption of sensitive fields at rest; Access follows the principle of least privilege; Access logs are retained for 6 months. |
Level 1: Internal Data | Non-public internal data generated from business operations, not directly identifying individuals. | App crash logs, performance analytics, internal operational logs. | Logically isolated storage; Access is controlled by corporate network and permissions. |
Level 0: Public Data | Publicly available information that can be used freely. | Product descriptions, company news, help center articles. | Routine management. |
4. Technical Security Measures
Encryption Technology:
Encryption in Transit: All communication between clients and servers must use the TLS 1.3 protocol, with insecure cipher suites disabled.
Encryption at Rest:
User passwords are stored using the bcrypt algorithm (work factor 12) with salting.
Highly sensitive data (e.g., national ID numbers) is encrypted at the database level using the AES-256 algorithm.
Access Control:
Principle of Least Privilege: Strictly enforced. Employees can only access data absolutely necessary for their duties. Access requests require written approval from department heads and the Data Protection Officer (DPO).
Account Security: Complex password policies with mandatory periodic changes are enforced. Two-factor authentication (2FA) is enabled for access to core systems and admin panels.
Logging and Auditing: Immutable logs are maintained for all backend administrative operations and database queries (especially those involving user data). The security team conducts a comprehensive audit of access logs monthly.
Secure Development and Testing:
Security requirements are integrated into the Software Development Lifecycle (SDLC). Code security audits and Privacy Impact Assessments (PIA) are mandatory before new features are launched.
Penetration testing is conducted quarterly by third-party security firms or an internal red team. All identified critical vulnerabilities must be remediated within 72 hours.
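An added example, not part of the Company's regulation or code base: one way to check the encryption requirements above in Python, auditing stored password hashes for bcrypt at work factor 12 and building a server TLS context that accepts only TLS 1.3. The function names and the sample rows are assumptions made for illustration.

```python
import re
import ssl

REQUIRED_COST = 12  # work factor stated in the regulation

# bcrypt modular crypt format:
#   $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def audit_password_hashes(rows):
    """Return {user_id: reason} for stored hashes that miss the policy."""
    findings = {}
    for user_id, stored in rows:
        match = BCRYPT_RE.match(stored)
        if match is None:
            findings[user_id] = "not a bcrypt hash"
        elif int(match.group(1)) < REQUIRED_COST:
            cost = int(match.group(1))
            findings[user_id] = f"cost {cost} below {REQUIRED_COST}"
    return findings


def tls13_only_server_context():
    """Server-side context that refuses any protocol older than TLS 1.3.

    With TLS 1.3 as the floor, only the TLS 1.3 AEAD cipher suites can be
    negotiated, so legacy CBC/RC4/3DES suites are excluded by construction.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


# Constructed sample rows: the salt/digest part is filler, not real hashes.
FILLER = "A" * 53
SAMPLE_ROWS = [
    ("u1", "$2b$12$" + FILLER),          # meets the policy
    ("u2", "$2a$10$" + FILLER),          # older cost, rehash at next login
    ("u3", "0123456789abcdef" * 2),      # bare 32-hex digest, not bcrypt
    ("u4", "$2b$14$" + FILLER),          # higher cost than required
]

if __name__ == "__main__":
    for uid, reason in audit_password_hashes(SAMPLE_ROWS).items():
        print(uid, reason)
    print(tls13_only_server_context().minimum_version)
```

Hashes flagged for a low cost cannot be upgraded offline; they are rehashed at the new cost the next time the user logs in with the correct password.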
5. Organizational and Administrative Measures
Data Protection Officer: A Data Protection Officer is appointed to oversee the implementation of this regulation and ensure compliance.
Employee Training: All new employees must undergo onboarding training on data security and privacy protection, with annual refresher training conducted. Training records are maintained.
Third-Party Management: All integrated third-party SDKs (e.g., Alipay, WeChat Login) undergo technical compliance assessments and must sign Data Protection Agreements clarifying their responsibilities. A list of key third parties is provided in the Appendix.
Data Breach Response:
A 7×24 Security Incident Response Team is established.
Upon detection of a suspected data breach, the emergency response process is immediately activated: Contain -> Assess -> Notify -> Remediate.
If a breach is confirmed, reporting obligations to regulators and affected users will be fulfilled within the timeframe required by law (e.g., 72 hours).
6. Data Retention and Deletion
User personal information is retained for the minimum period necessary to achieve the processing purposes.
After a user actively cancels their account, their personal data will be deleted from business systems within 30 days, and from all backups during the subsequent backup cleanup cycle (not exceeding 60 days in total).
Data that exceeds the retention period will be anonymized so that specific individuals cannot be identified and the anonymization cannot be reversed.
7. Audit and Update
This regulation is reviewed in full at least once a year, or updated promptly in response to changes in laws, regulations, or business operations.
All revised versions are tracked by version number and published after approval by management.
8. Contact Us
If you have any questions about this policy or wish to exercise your personal information rights (access, correction, deletion, withdrawal of consent, etc.), please contact us via:
Company Name: Fujian Zhongchao Technology Co., Ltd.
Email: support@popcustoms.cn
Customer Service Tel: +86 13305962420 (Weekdays 8:30~12:00, 14:00~18:00 GMT+8)
We commit to responding to and processing your requests within 15 business days.
Appendix: Integrated Third-Party SDK List
SDK Name | Company | Purpose of Use | Types of Information Collected | Privacy Policy Link |
Alipay SDK | Ant Group | Provide payment services | Device information, network status, payment results | https://render.alipay.com/p/c/k2cx0tg8 |
WeChat SDK | Tencent | Provide login and payment services | Device information, network status, installed application list | https://weixin.qq.com/cgibin/readtemplate?lang=zh_CN&t=weixin_agreement&s=privacy |