Privacy Policy

1. About This Privacy Policy

This Privacy Policy ("Policy") applies to all products and services provided by Nanjing Fanmo Education Technology Co., Ltd ("Fanmo", "we", "our", or "us"), including:

• Our official website at njfanmo.com and all associated subdomains;
• Our mobile applications published on Google Play and the Apple App Store (collectively, the "Apps");
• All educational, consulting, cultural, and technology services we provide.

This Policy is designed to comply with applicable data protection laws worldwide, including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the US Children's Online Privacy Protection Act (COPPA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's PIPEDA, Australia's Privacy Act 1988, South Korea's PIPA, South Africa's POPIA, Thailand's PDPA, Singapore's PDPA, and other applicable national privacy laws.

2. Who We Are

Data Controller and Publisher:
Nanjing Fanmo Education Technology Co., Ltd
Room 201, No.123 Songshan Road, Jianye District, Nanjing, People's Republic of China
Website: njfanmo.com
Email: support@njfanmo.com

For enterprise and data protection inquiries: ganlin@njfanmo.com

3. Information We Collect

3.1 Information You Provide to Us

• Account registration: Name, email address, phone number, username, password (stored in hashed form), profile information, and organization details;
• Service inquiries and forms: Contact name, email, organization, service interest, and message content;
• Service delivery: Educational preferences, program selections, scheduling details, billing information (processed via PCI-DSS compliant payment processors), and feedback;
• Communications: Emails, support tickets, chat messages, and other correspondence with our team;
• User-generated content: Photos, artwork uploads, reviews, comments, and other content submitted through our platforms.

3.2 Information Collected Automatically

• Device information: Device type, operating system, OS version, device identifiers (including Android Advertising ID / GAID, Apple IDFA / IDFV), hardware model, and screen resolution;
• Network and connection: IP address, approximate geolocation (country, region, city level), internet service provider, network type (Wi-Fi, cellular), and connection speed;
• Usage data: App session duration, screens visited, features used, in-app events, error logs, crash reports, and engagement metrics;
• Cookies and similar technologies: Browser cookies, web beacons, pixel tags, local storage, session storage, and mobile SDKs (see Section 16 for details).

3.3 Information from Third Parties

• Social login data (if you use Google Sign-In or Apple Sign-In);
• Advertising attribution data from mobile measurement partners (MMPs);
• Analytics data from third-party analytics services;
• Payment verification data from payment processors.

4. How We Use Your Information

We use the personal data we collect for the following purposes:

• Providing services: To deliver, manage, and improve our educational consulting, art training, cultural programs, study tours, team-building services, and mobile app features;
• Account management: To create and maintain your user account, authenticate your identity, and process transactions;
• Communications: To respond to inquiries, send service confirmations, provide customer support, and send administrative notices;
• Marketing (with consent): To send promotional communications about new services, events, and offers — subject to your marketing preferences and applicable law;
• Analytics and improvement: To analyze usage patterns, conduct research, diagnose technical problems, and improve our services and applications;
• Advertising: To serve contextual and personalized advertisements through integrated third-party advertising platforms in our mobile applications (see Section 5);
• Legal compliance: To comply with applicable laws, respond to legal process, and enforce our Terms of Service;
• Safety and security: To detect fraud, prevent unauthorized access, and protect the rights and safety of users and third parties.

The legal bases for processing (where GDPR applies) are: contractual necessity, legitimate interests, legal obligation, and/or your explicit consent.

5. Third-Party Advertising & Analytics Platforms

Our mobile applications are supported by advertising revenue. We integrate with multiple advertising and analytics SDKs that may collect and process device data in connection with serving advertisements and measuring ad performance. Below is a comprehensive disclosure of the advertising, analytics, and monetization partners whose SDKs or pixels we may integrate:

5.1 Google AdMob / Google Ad Manager

We use Google AdMob (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to serve advertisements in our Apps. AdMob may collect and process: Android Advertising ID (GAID) or Apple IDFA, IP address, device information, usage data, and interaction data to serve personalized or non-personalized ads. Google processes this data in accordance with its Privacy Policy. Users in the EU/EEA are served ads under Google's EU User Consent Policy. You can opt out of personalized advertising via your device's advertising settings or at adssettings.google.com.

5.2 Meta Audience Network (Facebook)

We may use Meta Platforms, Inc.'s Audience Network to serve ads. Meta may collect device identifiers, behavioral data, and other signals to serve targeted advertisements. Meta processes data under its Privacy Policy. You can manage your Meta ad preferences at facebook.com/adpreferences.

5.3 AppLovin MAX

We integrate AppLovin MAX (AppLovin Corporation, 1350 Old Bayshore Hwy, Burlingame, CA 94010, USA) as our primary ad mediation platform. AppLovin MAX collects device identifiers, IP address, geolocation, and usage signals to optimize ad delivery across multiple demand sources. AppLovin's privacy practices are described at applovin.com/privacy. For opt-out options in applicable regions, visit AppLovin's opt-out page.

5.4 Unity Ads

Unity Technologies (30 3rd St, San Francisco, CA 94103, USA) provides Unity Ads services integrated in our Apps. Unity may collect device identifiers, gameplay and engagement data, and device signals for ad targeting and measurement. Unity's privacy policy is available at unity.com/legal/privacy-policy.

5.5 IronSource (Unity LevelPlay)

IronSource Ltd (now Unity LevelPlay) provides ad mediation and direct demand services. ironSource may collect device identifiers, app usage data, and engagement events. Privacy information is available at is.com/privacy-policy.

5.6 Vungle (Liftoff Monetize)

Vungle, Inc. (rebranded as Liftoff Monetize), headquartered in Redwood City, CA, USA, provides in-app video advertising. Vungle/Liftoff may collect device identifiers, video interaction data, and behavioral signals. See liftoff.io/privacy-policy.

5.7 InMobi

InMobi Group (InMobi Pte Ltd, 30 Cecil Street, Singapore 049712) provides mobile advertising technology. InMobi may collect device identifiers, location (with permission), and behavioral data. For privacy information and opt-out: inmobi.com/privacy-policy. InMobi provides a consumer opt-out at inmobi.com/page/opt-out.

5.8 Mintegral (Mobvista)

Mintegral International Limited (a subsidiary of Mobvista Inc., Cayman Islands) provides programmatic advertising technology, particularly active in Asian markets. Mintegral may collect device identifiers, behavioral data, and contextual signals. See mintegral.com/en/privacy.

5.9 Pangle (TikTok for Business / ByteDance)

Pangle, operated by ByteDance Pte. Ltd, provides mobile advertising for apps targeting Asian and global audiences. Pangle may collect device identifiers, usage data, and behavioral signals. Privacy information: pangleglobal.com/privacy.

5.10 Chartboost (Zynga)

Chartboost, Inc. (222 Kearny Street, San Francisco, CA 94108, USA, owned by Zynga) provides in-app advertising and monetization. Chartboost may collect device identifiers, gameplay data, and engagement signals. See chartboost.com privacy policy.

5.11 Digital Turbine (AdColony / Fyber)

Digital Turbine, Inc. (formerly Logia and including the AdColony and Fyber brands), headquartered in Austin, TX, USA, provides video and rich-media mobile advertising. Digital Turbine may collect device identifiers, video interaction data, and behavioral signals. See digitalturbine.com/privacy-policy.

5.12 Smaato / Verve Group

Smaato, Inc. (Hamburg, Germany), part of the Verve Group, provides programmatic mobile advertising. Smaato may collect device identifiers, location, and contextual data. Privacy policy: smaato.com/privacy. For EU users, Smaato operates as a data processor under applicable SCCs.

5.13 Tapjoy (Offerwall / Liftoff)

Tapjoy, Inc. (now part of Liftoff), provides offerwall and rewarded advertising solutions. Tapjoy may collect device identifiers, completion event data, and behavioral signals for offer targeting and verification. See liftoff.io/privacy-policy.

5.14 Amazon Publisher Services (APS)

Amazon.com, Inc. (410 Terry Ave N, Seattle, WA 98109, USA) provides header bidding and programmatic advertising solutions through Amazon Publisher Services. Amazon may collect device identifiers, behavioral signals, and purchasing intent data. See Amazon Privacy Notice.

5.15 Moloco

Moloco, Inc. (777 Mariners Island Blvd, San Mateo, CA 94404, USA) provides machine-learning-based programmatic advertising. Moloco may collect device identifiers and behavioral signals for ad optimization. See moloco.com/privacy-policy.

5.16 Ogury

Ogury Limited (London, UK) provides personified advertising based on a consent-based data approach. Ogury may collect consented device and behavioral data for ad targeting. See ogury.com/privacy-policy.

5.17 Analytics and Measurement Partners

We use the following analytics tools to understand app performance and user behavior:

• Google Firebase / Google Analytics for Firebase: App analytics, crash reporting, and performance monitoring — firebase.google.com/support/privacy;
• Adjust: Mobile attribution and analytics — adjust.com/privacy-policy;
• AppsFlyer: Mobile attribution and marketing analytics — appsflyer.com/legal/privacy-policy;
• Amplitude: Product analytics — amplitude.com/privacy.

You can limit data sharing with these third parties by opting out of interest-based advertising on your device and/or adjusting your privacy settings within the App.

6. Ad Formats in Our Mobile Applications

Our mobile applications may contain the following advertising formats, each of which may involve third-party data collection as described in Section 5:

• App Open / Splash Ads: Full-screen advertisements displayed when the application is launched or resumed from background. These ads are shown briefly before the main app content loads. App open ads may be served by Google AdMob App Open format and other ad networks supporting this format.
• Rewarded Video Ads: Opt-in video advertisements that users voluntarily watch in exchange for in-app rewards, premium content access, or additional features. Completion of rewarded ads is tracked for reward fulfilment purposes. Advertising partners including AdMob, Unity Ads, AppLovin, ironSource, Vungle/Liftoff, and others may serve rewarded video ads.
• Interstitial Ads: Full-screen advertisements displayed at natural transition points within the application (e.g., between levels, sections, or activities). Interstitial ads may be static image, video, or interactive formats.
• Banner Ads: Rectangular display advertisements that appear at the top or bottom of the app screen. Banners may be served in standard IAB sizes (320x50, 300x250, 728x90) and may refresh automatically at intervals.
• Native Ads: Advertisements that match the look and feel of the application's content. Native ad content is provided by ad networks but is clearly labeled as "Advertisement" or "Sponsored."
• Offerwall: An in-app advertising unit that presents users with a list of sponsored offers or tasks in exchange for in-app rewards (served via Tapjoy/Liftoff where integrated).

All advertisements are clearly identified as advertisements. Users in jurisdictions requiring consent for personalized advertising will be shown a consent management interface (CMP) upon first launch, consistent with IAB TCF 2.2 standards where applicable.

7. Data Sharing and Disclosure

We do not sell your personal data to third parties. We may share your information in the following circumstances:

• Service providers: With third-party vendors who process data on our behalf (payment processors, cloud hosting, customer support tools, analytics), under appropriate data processing agreements (DPAs);
• Advertising partners: As described in Section 5, advertising SDKs integrated in our Apps may access certain device identifiers and usage data for ad delivery and measurement;
• Business partners: With institutional partners in connection with specific educational programs, study tours, or cultural exchange activities — where you have been informed and consented;
• Legal requirements: Where required by law, court order, or governmental authority, or to protect the legal rights of Fanmo or users;
• Business transfers: In connection with a merger, acquisition, or sale of assets — where the successor entity agrees to honor this Policy;
• Aggregated/anonymized data: Non-personally identifiable aggregated data may be shared with research partners, industry bodies, and for public reporting.

8. Children's Privacy (COPPA and Global Age Restrictions)

Fanmo's primary services are directed at users aged 13 and older. We comply with the US Children's Online Privacy Protection Act (COPPA), which applies to the online collection of personal information from children under 13 years of age.

8.1 COPPA Compliance (United States)

We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent. If we discover that we have inadvertently collected personal information from a child under 13, we will promptly delete such information. If you believe your child under 13 has provided us with personal information, please contact us at support@njfanmo.com immediately.

8.2 Age Restrictions by Jurisdiction

• European Union (GDPR Article 8): Children under 16 (or the lower age limit set by the member state, which may be 13) require parental/guardian consent for the processing of personal data in connection with information society services;
• United Kingdom: The UK Children's Code (Age Appropriate Design Code) requires that services likely to be accessed by children under 18 implement age-appropriate privacy protections;
• United States (COPPA): Children under 13 require verifiable parental consent;
• Brazil (LGPD): Children under 12 require parental/guardian consent; children aged 12-17 may require parental authorization;
• Australia: We exercise particular caution with users under 18 and do not knowingly collect data from children under 13 without parental consent.

8.3 Advertising and Children

For users identified as children or in child-directed app experiences, we configure our advertising partners to deliver non-personalized, contextual advertisements only, consistent with Google AdMob's Families Policy, Apple App Store Review Guidelines, and Google Play's Families Policy requirements.

9. EU/EEA and UK Users — GDPR / UK GDPR

9.1 Legal Basis for Processing

Purpose	Legal Basis
Providing services under contract	Article 6(1)(b) — Contractual Necessity
Marketing communications (email/push)	Article 6(1)(a) — Consent
Personalized advertising	Article 6(1)(a) — Consent
Analytics and app improvement	Article 6(1)(f) — Legitimate Interests
Legal compliance and fraud prevention	Article 6(1)(c) — Legal Obligation
Special categories of data (if any)	Article 9(2)(a) — Explicit Consent

9.2 Your GDPR Rights

Under GDPR (and UK GDPR), you have the following rights:

• Right of Access (Article 15): You may request a copy of the personal data we hold about you;
• Right to Rectification (Article 16): You may request correction of inaccurate data;
• Right to Erasure / "Right to be Forgotten" (Article 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected;
• Right to Restrict Processing (Article 18): You may request that we restrict processing in certain circumstances;
• Right to Data Portability (Article 20): You may request your data in a structured, machine-readable format;
• Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing;
• Rights related to automated decision-making (Article 22): You have the right not to be subject to solely automated decisions that significantly affect you.

To exercise these rights, contact us at support@njfanmo.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France, or your local DPA).

9.3 Data Protection Representative

As we process data of EU/EEA data subjects, we are in the process of appointing an EU representative as required under Article 27 GDPR. Details will be updated in this Policy upon appointment.

10. California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

10.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information (as defined by CCPA):

• Identifiers (name, email address, IP address, device identifiers, account username);
• Personal information under California Civil Code Section 1798.80(e) (name, email);
• Commercial information (services purchased, transaction history);
• Internet or electronic network activity (browsing history within our App, usage logs);
• Geolocation data (general, city-level);
• Inferences drawn from above to create a profile about preferences.

10.2 CCPA/CPRA Rights

• Right to Know: The right to request disclosure of personal information we have collected, used, disclosed, or sold about you;
• Right to Delete: The right to request deletion of personal information we have collected from you (subject to certain exceptions);
• Right to Correct: The right to request correction of inaccurate personal information;
• Right to Opt-Out of Sale/Sharing: We do not sell personal information in the traditional sense. However, to the extent sharing data with advertising partners constitutes a "sale" or "share" under CPRA, you have the right to opt out. Submit your request to support@njfanmo.com with the subject line "CCPA Opt-Out";
• Right to Limit Use of Sensitive Personal Information;
• Right of Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at support@njfanmo.com. We will verify your identity before fulfilling any request. We do not offer financial incentives for collection of personal information.

11. Brazil — LGPD

If you are located in Brazil, the Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13,709/2018) provides you with specific rights regarding your personal data.

The legal bases we rely upon for processing your data under the LGPD include: the data subject's consent; the fulfillment of a contract; legitimate interests; and compliance with legal obligations.

As a Brazilian data subject, you have the right to: confirm the existence of processing; access your data; correct incomplete, inaccurate, or outdated data; anonymize, block, or delete unnecessary or excessive data; data portability; information about third-party sharing; information on not providing consent and the consequences; revoke consent; and lodge a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).

12. Canada — PIPEDA

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws apply. We collect, use, and disclose personal information in accordance with the 10 fair information principles outlined in PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

You may access or correct your personal information, or withdraw consent to certain uses, by contacting us at support@njfanmo.com. Complaints may be submitted to the Office of the Privacy Commissioner of Canada.

13. Australia — Privacy Act 1988

For users in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We collect personal information only by lawful means and for the purposes described in this Policy. You have the right to access the personal information we hold about you and to request corrections. For privacy inquiries or complaints, contact us at support@njfanmo.com. Unresolved complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

14. Other Jurisdictions

14.1 South Korea — PIPA

For users in South Korea, we comply with the Personal Information Protection Act (PIPA). We will obtain consent before collecting personal information, provide notice of our data practices, and allow users to access, correct, or delete their information. Personal information is not transferred to third parties without consent or legal authority.

14.2 South Africa — POPIA

For users in South Africa, we comply with the Protection of Personal Information Act (POPIA). We collect personal data for specific, explicitly defined purposes and maintain reasonable security measures to protect data from unauthorized access, destruction, or modification.

14.3 Singapore — PDPA

For users in Singapore, we comply with the Personal Data Protection Act 2012 (PDPA). We collect personal data with consent, limit use to stated purposes, and maintain data protection policies consistent with the PDPA.

14.4 Thailand — PDPA

For users in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (2019). We process personal data on the basis of your consent, contractual necessity, or other lawful grounds as specified by Thai law.

15. App Store Compliance

15.1 Apple App Store Guidelines

Our Apps comply with Apple's App Store Review Guidelines, including:

• App Tracking Transparency (ATT): Prior to accessing the device's Advertising Identifier (IDFA) on iOS 14.5 and later, we display the ATT prompt and request your permission. If you decline, we configure advertising partners to serve non-personalized ads only;
• Privacy Nutrition Labels: We maintain accurate App Privacy labels in the App Store disclosing the types of data collected and their uses;
• Data Minimization: We collect only the data necessary for the App's functionality and declared purposes;
• Children's Guidelines: Where our Apps are designated for child audiences, we comply with Section 1.3 of Apple's Review Guidelines regarding child safety and advertising restrictions.

15.2 Google Play Developer Policy

Our Apps comply with Google Play Developer Policies, including:

• Data Safety Section: We maintain an accurate and complete Data Safety disclosure in the Google Play listing, accurately reflecting data collected, shared, and security practices;
• Sensitive Permissions: We request only the permissions necessary for app functionality and provide clear rationale for each permission request;
• Ad Policy: Advertisements in our Apps comply with Google Play's Ads Policy, including prohibition of deceptive ads, adult ads in non-adult apps, and ads that mimic system notifications;
• Families Policy: For any app that targets children or mixed audiences, we comply with Google Play's Families Policy and Designed for Families requirements, including using only ad networks certified for family-appropriate content;
• Real Money Gambling: Our Apps do not contain real-money gambling features;
• Deceptive Device Settings: Our Apps do not alter device settings without user consent.

16. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. Categories of cookies used:

• Strictly Necessary: Essential for website functionality (session cookies, security tokens). No consent required;
• Performance / Analytics: Used to understand how visitors interact with our site (Google Analytics, Firebase). Require consent in applicable jurisdictions;
• Functionality: Remember your preferences (language, region). Require consent in applicable jurisdictions;
• Targeting / Advertising: Used to deliver relevant advertisements and track conversions. Require consent in applicable jurisdictions.

On your first visit to our website, you will be presented with a cookie consent banner. You may manage your cookie preferences at any time by clicking "Cookie Settings" in the footer. You can also control cookies through your browser settings, though this may affect site functionality.

In our mobile Apps, we use mobile SDKs (Software Development Kits) from the advertising and analytics partners listed in Section 5. These SDKs may use equivalent tracking technologies such as local storage, device fingerprinting (where permitted), and advertising identifiers.

17. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Account data: Retained for the duration of your account and for 3 years after account deletion (for legal and compliance purposes);
• Transaction records: Retained for 7 years as required by applicable financial and tax laws;
• Communication records: Retained for 2 years after the last communication;
• Analytics data: Aggregated/anonymized analytics data may be retained indefinitely;
• Advertising identifiers: Subject to the retention policies of the respective advertising partners and applicable platform policies (e.g., Apple resets IDFA on ATT denial; Google limits GAID retention to certain periods);
• Legal hold: Where required by legal proceedings or regulatory investigations, data may be retained beyond standard periods.

18. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• TLS/SSL encryption for all data in transit;
• AES-256 encryption for sensitive data at rest;
• Role-based access controls (RBAC) and principle of least privilege;
• Regular security audits, penetration testing, and vulnerability assessments;
• Multi-factor authentication (MFA) for administrative access;
• Incident response procedures compliant with GDPR 72-hour breach notification requirement;
• Employee security awareness training and data handling policies.

While we take all reasonable precautions, no security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you and applicable regulators as required by law.

19. International Data Transfers

Fanmo is headquartered in China, and our services are used globally. Your personal data may be transferred to and processed in countries other than your country of residence. For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:

• Standard Contractual Clauses (SCCs) adopted by the European Commission;
• UK International Data Transfer Agreements (IDTAs) for UK transfers;
• Other appropriate safeguards as permitted by applicable law.

Advertising technology partners based in the US and other countries receive data subject to the data transfer mechanisms described above and their own certifications under applicable frameworks.

20. Your Rights and Choices

Regardless of your jurisdiction, you have the following choices:

• Opt out of personalized advertising: On iOS, go to Settings > Privacy & Security > Tracking and limit ad tracking. On Android, go to Settings > Google > Ads and opt out of Ads Personalization;
• Manage push notifications: Adjust notification settings within the App or in your device's notification settings;
• Delete your account: Contact us at support@njfanmo.com to request account deletion;
• Access and correction: Log in to your account settings or contact us to view and correct your personal data;
• Withdraw consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal;
• Do Not Sell/Share (California): Contact us at support@njfanmo.com with subject "CCPA Opt-Out."

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy;
• Provide in-app notifications for material changes affecting App users;
• Send email notifications to registered users where required by applicable law;
• Seek new consent where required for changes to data processing that require consent.

We encourage you to review this Policy periodically.

22. Contact Us

For privacy-related questions, requests, or complaints, please contact:

We will respond to all legitimate privacy requests within the timeframes required by applicable law (generally within 30 days).