Effective Date: April 17, 2026
Last Updated: April 17, 2026

Privacy Policy

01

Introduction

Anhui Reallysec Information Technology Ltd. ("Company", "we", "us", or "our") operates RST Marketplace (the "Service"). We respect your privacy and are committed to protecting your personal information in accordance with applicable laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Personal Information Protection Law of the People's Republic of China (PIPL).

This Privacy Policy explains what information we collect, how we use and share it, and the rights you have regarding your information. By using the Service, you agree to the collection and use of information in accordance with this policy.

02

Information We Collect

We collect the following categories of information:

  • Information you provide: Name, email address, account password (stored as a hash), company name, billing details, and content you submit (such as trial requests, support messages, or feedback).
  • Information collected automatically: IP address, browser type and version, device identifiers, operating system, referrer URL, pages visited, timestamps, and interaction events — collected through server logs, cookies, and similar technologies.
  • Information from third parties: If you sign in using Google or GitHub, we receive the profile information you authorize those providers to share. Payment transactions are handled by Stripe; we receive payment status and a transaction identifier but never your full card number.
  • License and usage data: Server GUID, license activation status, node count, and license expiration — required for issuing and verifying your license.

03

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process license purchases, issue licenses, and send confirmation emails
  • Authenticate users and secure accounts (including two-factor authentication)
  • Respond to support inquiries and customer service requests
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Send service-related notices (license expiry, policy updates)
  • Analyze aggregate usage to improve features and performance
  • Comply with legal obligations and enforce our Terms of Service

04

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or the United Kingdom, we rely on the following lawful bases:

  • Performance of a contract: Processing necessary to deliver the Service you have purchased or to take pre-contractual steps at your request (Art. 6(1)(b)).
  • Legitimate interests: Processing necessary for fraud prevention, service security, and improving the Service — balanced against your rights (Art. 6(1)(f)).
  • Consent: For optional analytics and marketing communications — you may withdraw consent at any time (Art. 6(1)(a)).
  • Legal obligation: To comply with tax, accounting, anti-money-laundering, and other legal requirements (Art. 6(1)(c)).

05

How We Share Your Information

We do not sell your personal information. We share information only with the following categories of recipients, and only to the extent necessary for the purposes described in Section 3:

  • Payment processors — Stripe, Inc. (card processing, fraud screening)
  • Cloud infrastructure — Vercel Inc. (application hosting) and Supabase Inc. (database)
  • Email delivery — Feishu Mail / SMTP relay (transactional email)
  • Anti-abuse — MTCaptcha / hCaptcha (bot detection for registration and trials)
  • Analytics — aggregated, non-identifying traffic analytics
  • Legal and regulatory authorities — when required by law, subpoena, or court order
  • Successors in interest — in the event of a merger, acquisition, or sale of assets (with prior notice)

06

International Data Transfers

Anhui Reallysec Information Technology Ltd. is based in the People's Republic of China. The Service is hosted on infrastructure located outside of China, which means your personal information may be transferred to, stored in, and processed in jurisdictions other than your own.

For transfers out of the EEA/UK, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

For transfers out of the People's Republic of China, we comply with the cross-border data transfer requirements of the PIPL, including obtaining separate consent where required, conducting personal information protection impact assessments, and implementing contractual safeguards consistent with the PIPL Standard Contract.

07

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

  • Account data: Retained while your account is active and for up to 24 months after account deletion for audit and dispute resolution.
  • Transaction records: Retained for at least 7 years to comply with tax, accounting, and commercial law requirements.
  • Server logs: Typically retained for 90 days for security monitoring and troubleshooting, and longer if an investigation is required.
  • Support and email communications: Retained for 24 months after the last interaction.

08

Your Rights and Choices

Subject to applicable law, you have the following rights regarding your personal information:

  • Right to access — request a copy of the personal information we hold about you
  • Right to rectification — correct inaccurate or incomplete information
  • Right to erasure — request deletion of your personal information ("right to be forgotten")
  • Right to restriction — limit how we process your information
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent
  • Right to lodge a complaint — with a supervisory authority in your jurisdiction

09

Regional Disclosures

Depending on your location, additional rights and disclosures apply:

  • California residents (CCPA/CPRA): You have the right to know the categories of personal information collected, to request deletion, and to opt out of sale or sharing. We do not sell personal information. To exercise these rights, contact us at the address in Section 13.
  • EEA/UK residents (GDPR): You may exercise the rights listed in Section 8 and lodge a complaint with your local data protection authority. Our EU representative can be contacted at the address below.
  • China residents (PIPL): You have rights of access, correction, deletion, restriction, portability, and the right to request an explanation of our personal information processing rules. For deceased users, close relatives may exercise these rights in their own lawful interest.

10

Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS 1.2+ encryption for data in transit
  • Encryption at rest for sensitive fields; passwords stored as bcrypt hashes
  • Row-level security on our database; principle of least privilege for staff access
  • Security headers (HSTS, X-Frame-Options, Content Security Policy) on our web properties
  • Rate limiting, CAPTCHA, and bot-detection to mitigate abuse
  • Regular dependency updates and vulnerability scanning

11

Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service. You can control cookies through your browser settings; disabling essential cookies may impair Service functionality.

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled without breaking the Service.
  • Preference cookies: Remember your locale, theme, and other interface preferences.
  • Analytics cookies: Measure aggregate traffic and feature usage. Anonymized where technically feasible.

12

Children's Privacy

The Service is intended for business users and is not directed to children under 16 years of age (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

13

Changes and Contact

We may update this Privacy Policy from time to time. Material changes will be notified via a prominent notice on the Service or by email at least 30 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have questions, complaints, or wish to exercise your rights under this Policy, please contact us:

  • Data Controller: Anhui Reallysec Information Technology Ltd.
  • Registered Office: Anhui Province, People's Republic of China
  • Privacy Email: privacy@reallysec.com
  • Support Email: support@reallysec.com

This Privacy Policy is published by Anhui Reallysec Information Technology Ltd. We may update this policy from time to time; material changes will be notified via the RST Marketplace website or by email.