Skip to main content

Privacy Policy regarding the processing of personal data

1. Consent of the personal data subject and the procedure for granting it

1.1. By registering on the website tianyui.com (hereinafter — the Website), creating a personal account, filling out any feedback forms or investment applications, and by checking the box “I accept the terms of the Privacy Policy and give consent to the processing of my personal data in accordance with the text of the Policy” (hereinafter — the checkbox), You (the personal data subject), of your own free will and in your own interest, grant LLC “Tian Yui Cha So” (hereinafter — the Operator) written consent to the processing of Your personal data in the scope, for the purposes and on the terms defined by this Privacy Policy.

1.2. The form of consent complies with the requirements of:

Part 4 of Article 9 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data” (as amended on 08.08.2024);

Article 14 of the PRC Law “On Protection of Personal Information” (Personal Information Protection Law, PIPL) of 01.11.2021;

Article 7 of EU Regulation 2016/679 (GDPR) — where applicable.

1.3. The fact of checking the checkbox is recorded in the Operator’s information system logs with indication of the date, time, IP address and browser identifier and has the legal force of a simple electronic signature in accordance with Federal Law No. 63-FZ of 06.04.2011 “On Electronic Signature” and Article 13.1 of the PRC Law “On Electronic Signature” (as amended in 2023).

1.4. By this consent You confirm that:

You have read the full text of the Privacy Policy (available via a direct hyperlink next to the checkbox);

You understand the scope, purposes and consequences of the processing of Your personal data;

You are 18 years of age or older (or have full legal capacity under the laws of Your country of citizenship);

The data You provide is accurate and truthful.

1.5. You have the right at any time to withdraw this consent by sending a written statement (in free form, indicating full name and the e-mail address used during registration) to privacy@cha-invest.ru or by post to the Operator’s legal address.

Withdrawal of consent entails:

cessation of processing of personal data based solely on consent;

impossibility of further use of the Website, personal account and performance of the investment agreement in the part requiring processing of personal data;

deletion or anonymization of data within the periods provided for in Section 6 of this Policy (except for data that the Operator is obliged to retain by law).

1.6. Certain types of processing (for example, marketing and informational mailings not directly related to the performance of the contract) require separate additional consent, which is requested by a separate checkbox with precise wording of the purposes. Processing in such cases begins only after obtaining such separate consent.

1.7. If You act in the interests of a third party (for example, representing the interests of a spouse, principal, etc.), You confirm that You have the authority to grant consent on behalf of such person and undertake to provide the Operator with supporting documents upon first request.

2. Categories and list of collected personal data

The Operator collects and processes the following categories of personal data (only to the extent strictly necessary to achieve the stated purposes):

2.1. General personal data:

surname, first name, patronymic (including in Chinese transliteration, if any);

date and place of birth;

citizenship;

registration address / place of stay;

2.2. Special categories of personal data

The Operator does NOT collect special categories of personal data (information about racial or ethnic origin, political opinions, religious or philosophical beliefs, health, intimate life, etc.), except in cases where such data is directly contained in the documents You provide (for example, nationality in the passport). In this case, they are processed solely to the extent provided by law and without the purpose of their separate use.

2.3. Financial and payment data

Bank account details (BIC, correspondent account, account number, bank name);

Payment system data (Alipay ID, WeChat Pay ID, UnionPay card number (masked), SWIFT codes);

Information about the source of funds and source of wealth (Source of Funds / Source of Wealth) in accordance with the requirements of Federal Law No. 115-FZ and Chinese AML measures.

2.4. Data on investment and contractual activity

Amount of invested capital;

number and date of the investment agreement / adhesion agreement;

share in the project / number of acquired units / tokens (if any);

transaction history (date, amount, payment purpose);

signed electronic documents and qualified electronic signatures.

2.5. Technical and automatically collected data

IP address, geolocation (country, region);

cookie files, web beacons, pixels;

User-Agent, browser type and version, operating system;

device identifiers (device ID, advertising ID);

personal account and WeChat mini-program access logs;

data from analytical systems (Yandex.Metrica, Google Analytics with IP anonymization).

2.6. Other data

Any other information voluntarily provided by You during registration, form filling, correspondence or document upload that is necessary for identification, contract performance and compliance with the law.

3. Purposes of personal data processing

The Operator processes personal data exclusively for the following purposes:

3.1. Conclusion, execution, amendment and termination of the investment agreement (adhesion agreement), including identification of the party to the agreement, creation of the investor’s personal account, provision of access to project information, calculation and distribution of income from tea plantation activities.

Legal basis: clause 5 part 1 article 6 of Federal Law No. 152-FZ, article 13 of the PRC Law “On Protection of Personal Information” (PIPL), clause 1(b) article 6 GDPR (where applicable).

3.2. Ensuring compliance with PRC legislation in the field of foreign investment:

PRC Law “On Foreign Investment” 2020;

Negative List Regulation for Foreign Investment Access (2021);

Registration with MOFCOM and SAFE (for cross-border payments).

3.3. Execution of cross-border payment transactions and transfer of income to investors through banks and payment systems (SPFS, CIPS, SWIFT, UnionPay, Alipay, WeChat Pay).

3.4. Provision of regular reporting to the investor:

financial results of the project;

photo and video reports from tea plantations;

information on harvest, corporate events, general meetings of participants.

3.5. Ensuring the security of information systems, prevention of fraud, unauthorised access and cyber attacks (including monitoring of suspicious transactions in accordance with Article 7 of Federal Law No. 115-FZ and Article 51 PIPL).

3.6. Consideration of investor requests, claims and complaints, pre-trial and judicial dispute resolution.

3.7. Maintenance of accounting and tax records, storage of primary accounting documents in accordance with Article 29 of Federal Law No. 402-FZ of 06.12.2011 “On Accounting” and the PRC Law “On Accounting”.

3.8. Conducting mandatory audits (Federal Law No. 307-FZ of 30.12.2008, requirements of Chinese partners).

3.9. Marketing and informational mailings about new investment opportunities, project updates, educational materials on tea and investments — exclusively with separate explicit consent of the data subject (separate checkbox “I agree to receive marketing materials”).

3.10. Other purposes directly provided for by the legislation of the People’s Republic of China, as well as those necessary for the implementation of the legitimate interests of the Operator and not contrary to the rights of the personal data subject.

The Operator does not process personal data for purposes incompatible with those listed above and does not make automated decisions that entail legal consequences for the data subject (except in cases directly provided for by law).

4. Legal bases for the processing of personal data

The processing of personal data is carried out on the following legal bases (collectively or separately depending on the specific purpose and category of data):

4.1. Consent of the personal data subject

clause 1 part 1 article 6 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”;

part 1 article 9 of Federal Law No. 152-FZ (in the form of electronic consent by checking the box);

article 14 of the PRC Law “On Protection of Personal Information” (PIPL);

article 7 of EU Regulation 2016/679 (GDPR) — in relation to data subjects located in the European Union (where applicable).

4.2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

clause 5 part 1 article 6 of Federal Law No. 152-FZ;

clause 1 part 2 article 6 GDPR (article 6(1)(b));

clause 1 article 13 PIPL PRC (“processing is necessary for the conclusion or performance of a contract in which an individual is a party”).

4.3. Processing is necessary for compliance with the operator’s statutory obligations

clause 2 part 1 article 6 of Federal Law No. 152-FZ;

articles 28–31 of the PRC Law “On Protection of Personal Information” (PIPL);

Measures for Customer Identification of Financial Institutions of the PRC (PBoC Order [2016] No. 3);

article 6(1)(c) GDPR (where applicable).

4.4. Processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

clause 7 part 1 article 6 of Federal Law No. 152-FZ;

clause 1(f) part 2 article 6 GDPR (“legitimate interests”);

article 13 clause 4 PIPL PRC (legitimate interests of the processor provided that an assessment of the impact on the rights of the subject is carried out and necessary protection measures are taken).

4.5. Processing is necessary for the administration of justice, execution of a judicial act or act of another body

clause 3 part 1 article 6 of Federal Law No. 152-FZ.

4.6. Processing is carried out for statistical or other research purposes subject to mandatory anonymization

clause 9 part 1 article 6 of Federal Law No. 152-FZ (applies in the case of subsequent anonymization of data for analytics).

4.7. Other bases provided for by the legislation of the Russian Federation, the People’s Republic of China and (where necessary) the European Union.

The Operator conducts an assessment of the proportionality and necessity of processing for each basis, as well as a data protection impact assessment (DPIA) in cases provided for by article 35 GDPR and articles 55–56 PIPL (including cross-border transfer and processing of sensitive personal data — biometric data within KYC, financial position data, etc.).

5. Transfer of personal data to third parties and cross-border transfer

5.1. The Operator has the right to transfer personal data to third parties only to the extent necessary to achieve the processing purposes specified in Section 3 of this Policy and only if there are relevant legal bases.

5.2. Categories of personal data recipients:

a) Chinese counterparties — tea cooperatives, agricultural enterprises, plantation management companies (including WFOE, joint ventures and cooperatives of Yunnan, Fujian, Zhejiang provinces, etc.) — for the purpose of performing investment contracts and operational project management;

b) Credit institutions and payment systems — resident banks of the Russian Federation, banks of the PRC, international payment systems (UnionPay, SWIFT), as well as non-bank payment organizations (Alipay, WeChat Pay (Tencent), ChinaPay) — for settlements under investment contracts, payment of income and return of investments;

c) Professional consultants — audit organizations, legal and tax consultants, notaries;

d) IT and cloud storage service providers — residents of the Russian Federation (Yandex.Cloud, VK Cloud, etc.) and the PRC (Alibaba Cloud, Tencent Cloud, Huawei Cloud), with whom data processing agreements (DPA) and/or confidentiality agreements have been concluded;

e) State authorities and regulators:

Federal Tax Service of the Russian Federation, Rosfinmonitoring, Bank of Russia;

State Taxation Administration of the PRC (STA), People’s Bank of China (PBoC), Cyberspace Administration of China (CAC), State Administration for Market Regulation (SAMR);

other authorities in cases directly provided for by the legislation of the Russian Federation and the PRC.

5.3. Legal bases for transfer to third parties:

Your direct consent (clause 1 part 1 article 6 of Federal Law No. 152-FZ, article 14 PIPL);

Performance of a contract to which You are a party (clause 5 part 1 article 6 No. 152-FZ);

Compliance with regulatory requirements (including article 7 of Federal Law No. 115-FZ, articles 28–31 PIPL PRC);

Legitimate interests of the Operator and third parties (clause 7 part 1 article 6 No. 152-FZ).

5.4. Cross-border transfer to the People’s Republic of China

The transfer of personal data to the territory of the PRC is carried out on the following cumulative bases:

Your explicit consent obtained during registration (article 14 PIPL, part 4 article 9 No. 152-FZ);

Passing the mandatory security assessment of cross-border flow of personal information in accordance with the “Measures for the Security Assessment of Cross-Border Data Flows” (effective July 22, 2022, CAC);

Conclusion of Standard Contractual Clauses approved by the CAC of the PRC and corresponding to the recommendations;

Certification of the recipients’ infrastructure in the PRC according to the national standard GB/T 35273-2021 “Personal Information Protection Requirements” and passing the Multi-Level Protection Scheme (MLPS 2.0) at least level 3;

Localization of critical information and important data in the territory of the PRC in accordance with article 37 of the Data Security Law (DSL) and article 40 PIPL;

Encryption of data in transit (TLS 1.3) and at rest (AES-256 and higher).

5.5. Transfer to other foreign countries (Hong Kong, Singapore, UAE, etc.), if required for settlements or storage of backup copies, is carried out only subject to:

availability of a decision of Roskomnadzor/European Commission on adequate level of protection (where applicable);

or conclusion of standard contractual clauses (SCC);

or obtaining separate explicit consent of the data subject.

5.6. The Operator guarantees that all recipients of personal data are obliged to maintain a level of protection not lower than that established by this Policy and applicable law. In the event of violations by the recipient, the Operator immediately ceases the transfer and notifies the data subject (where required by law).

6. Cross-border transfer of personal data and its legal bases

The Operator carries out cross-border transfer of personal data to the territory of the People’s Republic of China (PRC), since the main investment activity (management of tea plantations, harvest accounting, profit distribution) is carried out on the territory of the PRC by Chinese partners and/or a joint venture.

6.1. Legal bases for cross-border transfer

The transfer is carried out on the following alternative and cumulative bases:

Explicit consent of the personal data subject obtained by checking the box during registration (part 4 article 9, clause 1 part 1 article 12 of Federal Law No. 152-FZ; articles 14, 39 of the PRC Law “On Protection of Personal Information” (PIPL));

Necessity for the performance of a contract to which the data subject is party (clause 5 part 1 article 6 No. 152-FZ; clause 1 part 2 article 13 PIPL);

Necessity to comply with PRC regulatory requirements for data localization and management of foreign investors’ investments (PRC Data Security Law 2021, Measures for Security Assessment of Cross-Border Flows of Personal Information 2022).

6.2. Procedures performed to ensure the legality of the transfer

The Operator has completed the following mandatory procedures:

a) Conducted a security assessment of cross-border transfer of personal information (Personal Information Protection Impact Assessment, PIPIA) in accordance with articles 38–43 PIPL and the “Measures for the Security Assessment of Outbound Data Flows” (approved by CAC on 07.07.2022, effective 01.09.2022);

b) Concluded Standard Contractual Clauses of the Chinese template (appendix to the “Measures for the Standard Contract for Outbound Transfer of Personal Information”, CAC, 2023) with all recipients in the PRC;

c) Registered the standard contract and PIPIA report with the provincial division of the Cyberspace Administration of China (CAC) at the location of the main Chinese counterparty;

d) For critical information infrastructure (CII), ensured compliance with the Multi-Level Protection Scheme (MLPS 2.0) at least level 3 (GB/T 22239-2019, GB/T 35273-2021);

e) Part of the data classified as “important data” is localized on servers in the territory of the PRC in accordance with article 37 of the Data Security Law (DSL) and the provincial data catalogue (where the plantations are located).

6.3. Recipients in the PRC

Personal data is transferred to a limited circle of recipients:

Chinese-Russian joint venture / WFOE (full name and unified social credit code);

Cooperatives and partner tea farms (list available upon request);

Alibaba Cloud Computing Co., Ltd. (region China East 2 / China South 1) as a processor with concluded SCC and DPA;

Payment systems (China UnionPay, Ant Group, Tencent) — only the minimum data necessary for transfers.

6.4. Scope of transferred data

Only the strictly necessary minimum is transferred: full name, passport data (for registration of the investor in the Chinese system), payment details, investment amount. Data on health, biometrics (except photos in KYC), political views, etc. are not transferred.

6.5. Additional safeguards

All transferred data is encrypted according to the SM4 standard (national algorithm of the PRC) / AES-256;

A log of cross-border transfers is maintained (contains date, volume, recipient);

An independent audit of cross-border transfer is conducted annually by a certified Chinese organization.

7. Measures to ensure the security of personal data

The Operator implements necessary and sufficient legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, distribution, as well as from other unlawful actions with respect to personal data (part 2 article 19 of Federal Law No. 152-FZ, article 51 of the PRC Law “On Protection of Personal Information” (PIPL), article 9 GDPR where applicable). The measures taken include, in particular:

7.1. Appointment of a person responsible for the organization of personal data processing in accordance with clause 1 part 1 article 22.1 of Federal Law No. 152-FZ.

7.2. Issuance and updating of internal documents:

Policy on the processing of personal data;

Orders on access rights delimitation;

Rules for processing personal data without automation means;

Instructions for users of personal data information systems (PDIS).

7.3. Organizational measures:

Familiarization (under signature) of employees directly involved in personal data processing with the provisions of the legislation of the Russian Federation and the PRC on personal data, the Operator’s local acts and personal data protection requirements;

Maintaining records of persons authorized persons;

Application of access control and internal security regime on the Operator’s premises;

Secure storage of physical personal data carriers;

Conducting internal control and audit of compliance of personal data processing with legal requirements (at least once every three years).

7.4. Technical protection measures:

Identification and authentication of access subjects and PDIS users, including mandatory two-factor authentication (2FA) for login to the personal account and administrative interfaces;

Access management based on the “least privilege” and “need-to-know” principles;

Maintaining security event logs (recording login attempts, administrator actions, database queries);

Use of certified information protection tools (including Accord, Dallas Lock, Secret Net Studio and equivalents compliant with the requirements of FSTEC of Russia and MLPS 2.0 level 3 of the PRC);

Use of certified cryptographic protection means (CPM) for storage and transmission of personal data (GOST R 34.10-2012, GOST R 34.11-2012, GOST 28147-89, SM2/SM3/SM4 for the Chinese segment);

Encryption of data transmission channels (TLS 1.3 and higher);

Database encryption at rest (AES-256, SM4);

Backup and recovery of personal data;

Antivirus protection (up-to-date antivirus databases);

Intrusion detection and prevention systems (IDS/IPS);

Vulnerability assessment and penetration testing by accredited third-party organizations at least once every 12 months;

Multi-level network perimeter protection (application-level firewalls, WAF);

24/7 monitoring and incident response (own SOC or qualified MSSP provider).

7.5. Additionally for cross-border transfer to the PRC:

Passing the security assessment for cross-border data flow in accordance with articles 38–43 PIPL and CAC Measures 2022;

Conclusion of contracts with Standard Contractual Clauses (SCC) approved by the CAC of the PRC;

Localization of critical data in the territory of the PRC in accordance with the Data Security Law (DSL) and MLPS 2.0 level 3.

The Operator confirms that the level of personal data protection in the used personal data information systems complies with the requirements of FSTEC Order No. 21 of 18.02.2013 (for the Russian Federation) and the national standard GB/T 35273-2021 (for the PRC).

8. Use of cookies, analytical tools and other automatic data collection technologies

8.1. When visiting the website [your domain] and/or the mini-program in the WeChat ecosystem, the Operator uses cookies, pixel tags, web beacons, browser Local Storage, and similar automatic data collection technologies (hereinafter collectively — “cookies and similar technologies”).

8.2. Cookies are divided into the following categories:

a) Strictly necessary (mandatory) cookies — provide basic website functionality (personal account authorization, CSRF protection, session state preservation). Disabling these cookies will make the use of the site impossible or significantly complicate it. Legal basis — legitimate interests of the Operator (clause 7 part 1 article 6 of Federal Law No. 152-FZ, article 13 PIPL).

b) Analytical (statistical) cookies — collect anonymized statistics of visits, traffic sources, user behavior on the site (page views, session duration, exit points, etc.).

c) Functional cookies — remember user-selected settings (interface language, region, report display preferences).

d) Marketing (advertising) cookies — used for personalized offers and retargeting (including cross-platform retargeting in WeChat, Baidu, Yandex, etc. ecosystems). Processing is based on separate user consent.

8.3. List of third-party services and tools used (as of the date of the latest version of the Policy):

Yandex.Metrica (LLC Yandex, Russia) — with IP address anonymization enabled and personal data transmission disabled;

Google Analytics 4 (Google Ireland Limited) — with IP anonymization enabled, advertising features disabled, and a Data Processing Amendment concluded;

Baidu Tongji (Baidu, PRC) — for users accessing from the territory of the PRC;

WeChat Analytics (Tencent, PRC) — in the WeChat mini-program;

Hotjar Limited (if necessary) — only anonymized heatmaps and session recordings;

Other services specified in the cookie management banner.

8.4. All third-party analytical services are used exclusively in data anonymization mode (IP addresses are masked, user identifiers are not transmitted or are irreversibly hashed) in accordance with part 3 article 18 of Federal Law No. 152-FZ, article 26 PIPL PRC).

8.5. Preference management:

Upon the first visit to the site, a cookie management banner is displayed that allows granting or withdrawing consent for each cookie category (except strictly necessary ones). You can change the settings at any time by clicking the “Cookie Settings” button at the bottom of the site or by clearing browser cookies. Refusal of analytical and marketing cookies will not affect the main functions of the site.

8.6. Legal basis for processing data obtained through cookies and similar technologies:

for strictly necessary cookies — legitimate interests of the Operator;

for analytical and functional cookies — user consent;

for marketing cookies — separate explicit consent (article 9 of Federal Law No. 152-FZ, article 14 PIPL, article 7 GDPR where applicable).

8.7. Cookie storage periods:

from session end (session cookies) up to 24 months depending on the cookie type. Upon expiration, cookies are automatically deleted.

Continued use of the site after changes take effect will constitute Your consent to the new version.


Contacts:

Email: privacy@cha-invest.ru

This Policy is an integral part of the adhesion contract/user agreement and is publicly available on the website.