Privacy Policy

Information We Collect

1.1 Personal Information

We collect personally identifiable information ("Personal Information") that you voluntarily provide when you:

• Complete contact forms, project request forms, or consultation request forms
• Subscribe to our newsletter or marketing communications
• Request product demonstrations, quotations, or technical specifications
• Create an account or user profile on our platform
• Participate in surveys, webinars, or events
• Communicate with us via email, phone, live chat, or other channels
• Submit employment applications or contractor proposals

Categories of Personal Information collected may include: Full name, email address, telephone number, mailing address, company name, job title, department, industry sector, country of residence, project requirements, technical specifications, business objectives, budget information, and any other information you choose to provide.

1.2 Automatically Collected Information

When you access our Services, we automatically collect certain technical information about your device and usage patterns, including:

• Device Information: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers
• Usage Data: Pages visited, time and date of access, time spent on pages, navigation paths, click-through rates, and interaction patterns
• Referral Information: Referring websites, search engines used, and search terms that led you to our Services
• Location Data: General geographic location derived from IP address (country, region, city)
• Cookies and Tracking Technologies: Information collected through cookies, web beacons, pixels, and similar technologies (see our Cookie Policy for details)
• Performance Data: Page load times, server response times, and error reports to improve Service performance

1.3 Business and Commercial Information

For our B2B automation services, we collect business-related information necessary to understand your requirements and deliver customized solutions:

• Company Information: Company name, size, industry classification, business registration details, and organizational structure
• Project Details: Technical specifications, current infrastructure, automation objectives, workflow requirements, and integration needs
• Financial Information: Billing details, payment information, purchase history, and invoicing records (processed securely through third-party payment processors)
• Communication Records: Correspondence, meeting notes, project documentation, and support ticket histories

1.4 Third-Party Sources

We may receive information about you from publicly available sources, business directories, social media platforms (such as LinkedIn), marketing partners, and data enrichment services to better understand your business needs and enhance our Services. This information is combined with data you provide directly to us.

How We Use Your Information

We process your Personal Information only for legitimate business purposes and in compliance with applicable data protection laws. The legal bases for processing include: contractual necessity, legitimate interests, legal obligations, and your consent where required.

We use the collected information for the following purposes:

• Service Delivery and Contract Performance: To provide, maintain, improve, and customize our automation services; execute contracts; deliver project milestones; and ensure service quality
• Customer Support and Communication: To respond to inquiries, provide technical support, send service notifications, share project updates, and maintain ongoing client relationships
• Marketing and Business Development: To send newsletters, promotional materials, industry insights, event invitations, and product updates (only with your explicit consent, which you may withdraw at any time)
• Analytics and Service Improvement: To analyze usage patterns, conduct research, develop new features, optimize website performance, and enhance user experience
• Security and Fraud Prevention: To protect our Services, detect and prevent security incidents, identify fraudulent activities, monitor unauthorized access, and ensure platform integrity
• Legal Compliance and Protection: To comply with applicable laws and regulations, respond to legal requests, enforce our terms of service, protect our rights and property, and resolve disputes
• Business Operations: For accounting, invoicing, payment processing, internal record-keeping, quality assurance, project management, and business continuity planning
• Recruitment: To process employment applications, evaluate candidates, conduct background checks (with consent), and manage the hiring process
• Personalization: To tailor content, recommendations, and communications to your specific interests and business needs

We will not use your Personal Information for purposes incompatible with those disclosed in this Privacy Policy without first obtaining your consent.

Information Sharing and Disclosure

We do not sell, rent, or trade your Personal Information to third parties for their marketing purposes.

We may share your information only in the following limited circumstances:

• Service Providers and Processors: We engage carefully vetted third-party vendors, contractors, and service providers to assist in operating our Services, including cloud hosting providers (AWS, Azure, Google Cloud), email service providers, CRM platforms, analytics tools, payment processors, and cybersecurity services. These parties are bound by strict confidentiality obligations and data processing agreements.
• Technology and Integration Partners: When necessary to deliver integrated automation solutions, we may share relevant technical information with authorized technology partners, software vendors, and system integrators who collaborate with us on your projects.
• Professional Advisors: We may disclose information to lawyers, accountants, auditors, insurers, and other professional advisors who require access to provide services to us.
• Legal and Regulatory Authorities: When required or permitted by law, we may disclose information to law enforcement, government agencies, courts, regulators, or other third parties in response to legal processes (subpoenas, court orders), to comply with legal obligations, or to protect rights, property, or safety.
• Business Transactions: In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar corporate transaction, your information may be transferred to the successor entity, subject to the same privacy protections.
• Affiliates and Subsidiaries: We may share information with our corporate affiliates and subsidiaries for business operations, subject to this Privacy Policy.
• With Your Consent: We may share information with third parties when you have provided explicit consent for specific purposes.
• Aggregated and De-identified Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, or marketing purposes.

All third-party processors are contractually obligated to: (i) process data only as instructed by us, (ii) implement appropriate security measures, (iii) comply with applicable data protection laws, and (iv) not use your information for their own purposes.

Data Security

We implement comprehensive technical, administrative, and physical security measures designed to protect your Personal Information from unauthorized access, disclosure, alteration, and destruction. Our security program includes:

• Encryption: Industry-standard SSL/TLS encryption (TLS 1.2 or higher) for all data transmissions; AES-256 encryption for data at rest
• Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA), principle of least privilege, and strict password policies
• Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, network segmentation, and virtual private networks (VPNs)
• Application Security: Secure coding practices, regular code reviews, input validation, output encoding, and protection against OWASP Top 10 vulnerabilities
• Security Monitoring: 24/7 security monitoring, real-time threat detection, automated alerting, and security information and event management (SIEM)
• Incident Response: Documented incident response procedures, breach notification protocols, and dedicated security team
• Compliance and Certifications: Adherence to ISO 27001 Information Security Management, SOC 2 Type II compliance, and GDPR requirements
• Regular Testing: Quarterly vulnerability assessments, annual penetration testing by independent security firms, and continuous security scanning
• Personnel Security: Background checks for employees with data access, mandatory security awareness training, confidentiality agreements, and security clearance levels
• Physical Security: Secure data centers with 24/7 surveillance, biometric access controls, environmental controls, and redundant infrastructure
• Vendor Management: Security assessments of all third-party vendors, data processing agreements, and ongoing compliance monitoring
• Data Backup and Recovery: Regular automated backups, geographically distributed storage, disaster recovery plans, and business continuity procedures

Security Incident Notification:

In the event of a data breach that may compromise your Personal Information, we will notify affected individuals and relevant supervisory authorities within 72 hours (or as required by applicable law), and take immediate remedial action.

Important Disclaimer:

While we implement industry-leading security measures and continuously work to maintain the highest security standards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.

Data Retention

We retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory obligations, resolve disputes, enforce our agreements, and maintain business records. Retention periods vary based on the type of information and purpose of processing:

• Active Client Projects: For the duration of the project/contract plus 7 years after completion (to comply with tax, accounting, and contractual obligations)
• Contract and Financial Records: 7-10 years after contract termination (as required by commercial and tax laws)
• Marketing and Newsletter Data: Until you unsubscribe or request deletion, whichever occurs first; inactive contacts may be deleted after 3 years
• Inquiry and Lead Data: 2 years from last contact or until you request deletion
• Website Analytics Data: 26 months (in accordance with Google Analytics default retention policy)
• Server Logs and Security Data: 12-24 months for security monitoring and incident investigation
• Employment Applications: 1 year from application date (unless hired, in which case retained per employment records policy)
• Legal Hold Data: Retained as long as necessary for litigation, investigation, or legal proceedings
• Backup Systems: Deleted data may persist in backup systems for up to 90 days before permanent deletion

At the end of the applicable retention period, we will securely delete or anonymize your Personal Information using industry-standard data destruction methods (e.g., secure deletion protocols, cryptographic erasure, physical destruction of storage media).

Right to Request Deletion:

You may request deletion of your Personal Information at any time by contacting us at privacy@dna-international.asia. Please note that we may need to retain certain information to comply with legal obligations or for legitimate business purposes.

Your Privacy Rights

Depending on your location and applicable data protection laws (including GDPR, CCPA, PIPEDA), you may have the following rights regarding your Personal Information. We are committed to facilitating the exercise of your rights:

• Right of Access: Request confirmation of whether we process your Personal Information and obtain a copy of the data we hold about you, including details about processing purposes, categories, and recipients
• Right to Rectification: Request correction, updating, or completion of inaccurate, incomplete, or outdated information
• Right to Erasure ("Right to be Forgotten"): Request deletion of your Personal Information when it is no longer necessary for the purposes collected, you withdraw consent, you object to processing, or it was unlawfully processed (subject to legal retention requirements)
• Right to Data Portability: Receive your Personal Information in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and transmit it to another controller
• Right to Opt-Out of Marketing: Unsubscribe from marketing emails, newsletters, and promotional communications at any time via unsubscribe links or by contacting us
• Right to Object: Object to processing of your Personal Information for direct marketing, legitimate interests, or profiling purposes
• Right to Restrict Processing: Request limitation of processing when you contest accuracy, processing is unlawful, we no longer need the data but you need it for legal claims, or pending verification of objection
• Right to Withdraw Consent: Withdraw previously given consent for processing at any time, without affecting the lawfulness of processing based on consent before withdrawal
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Lodge a Complaint: File a complaint with your local data protection authority or supervisory authority if you believe we have violated your privacy rights

California-Specific Rights (CCPA/CPRA)

If you are a California resident, you have additional rights:

• Right to know what Personal Information we collect, use, disclose, and sell
• Right to opt-out of sale or sharing of Personal Information (we do not sell Personal Information)
• Right to limit use of sensitive Personal Information
• Right to non-discrimination for exercising CCPA rights

How to Exercise Your Rights

To exercise any of these rights, please submit a request to:

• Email: privacy@dna-international.asia
• Subject Line: "Privacy Rights Request - [Type of Request]"

Response Timeline:

We will acknowledge your request within 5 business days and respond substantively within 30 days (or 45 days for complex requests, with notification of extension). We may request additional information to verify your identity.

Verification Process:

To protect your privacy and security, we may require verification of your identity before processing requests. You may be asked to provide: email address used with our Services, account information, or government-issued ID (in limited circumstances for sensitive requests).

International Data Transfers

As a global company headquartered in Mongolia with operations across multiple jurisdictions, your Personal Information may be transferred to, stored in, and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home country.

We ensure appropriate safeguards are in place for international transfers:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses for transfers from the European Economic Area (EEA) to third countries
• Adequacy Decisions: Where possible, we transfer data to countries recognized by the European Commission as providing adequate data protection
• Data Processing Agreements: All international vendors and partners sign comprehensive data processing agreements that mandate GDPR and equivalent protections
• Supplementary Measures: We implement additional technical and organizational safeguards (encryption, access controls, pseudonymization) to protect data in transit and at rest
• Transfer Impact Assessments: We conduct regular assessments of international transfers to ensure continued adequacy of protections
• Binding Corporate Rules: For intra-group transfers, we maintain internal policies that ensure consistent data protection standards
• Regional Data Localization: Where required by law, we maintain data within specific geographic regions (e.g., China, Russia, Brazil)

Primary Data Processing Locations:

Mongolia (headquarters), Singapore, European Union, United States, and cloud infrastructure providers (AWS, Azure, Google Cloud) with data centers in various regions.

By using our Services, you acknowledge and consent to the international transfer of your Personal Information as described in this section. You may contact us to obtain more information about specific safeguards we have implemented for international transfers.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your browsing experience. For detailed information about our use of cookies, please see our Cookie Policy.

You can control cookie preferences through your browser settings. However, disabling certain cookies may affect website functionality.

Children's Privacy

Our Services are designed for and directed exclusively to business professionals and organizations. They are not intended for use by individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect, use, or disclose Personal Information from children.

If we become aware that we have inadvertently collected Personal Information from a child under 18 without verified parental consent, we will take immediate steps to delete that information from our servers and cease any further processing. Parents or legal guardians who believe their child has provided Personal Information to us should contact us immediately at privacy@dna-international.asia.

Compliance with COPPA and Similar Laws:

We comply with the U.S. Children's Online Privacy Protection Act (COPPA), GDPR provisions on children's data, and similar laws in other jurisdictions that protect children's privacy.

Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by DNA International. This Privacy Policy applies only to our Services. We are not responsible for the privacy practices of third-party sites.

Third-Party Integrations:

Our automation solutions may integrate with third-party platforms (e.g., CRM systems, ERP software, cloud storage). When you connect third-party services to our platform, those third parties may collect information in accordance with their own privacy policies. We encourage you to review the privacy policies of any third-party services before use.

Social Media Plugins:

Our website may include social media features (LinkedIn, Twitter, etc.). These features may collect your IP address and set cookies. Social media features are governed by the privacy policies of the respective platforms.

Do Not Track Signals

Some web browsers incorporate "Do Not Track" (DNT) features. Currently, there is no universal standard for how to respond to DNT signals. At this time, our Services do not respond to DNT browser signals. However, you can control cookies and tracking through your browser settings and our Cookie Consent Manager. We will continue to monitor developments in DNT technology and may implement DNT signal recognition in the future.

Changes to This Privacy Policy

We reserve the right to modify, update, or replace this Privacy Policy at any time to reflect changes in our data practices, Services, legal requirements, or for other operational, regulatory, or business reasons. All changes will be effective immediately upon posting the updated Privacy Policy on our website, unless otherwise specified.

For Material Changes:

We will provide prominent notice of significant changes that materially affect your rights or how we process your Personal Information. Notification methods include:

• Posting the updated policy on our website with a revised "Last Updated" date at the top
• Sending email notifications to registered users at least 30 days before changes take effect
• Displaying a prominent banner notice on our website homepage and Services
• In-app notifications for users of our platform
• Requesting renewed consent where required by applicable law

Your Continued Use:

Your continued access to or use of our Services after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must discontinue use of our Services and contact us to request deletion of your Personal Information (subject to legal retention requirements).

Version History:

We maintain previous versions of this Privacy Policy for your reference. You may request access to prior versions by contacting us at privacy@dna-international.asia.

We encourage you to review this Privacy Policy periodically (at least annually) to stay informed about how we collect, use, and protect your information.

Contact Us

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us using the information below. We are committed to resolving any privacy-related concerns promptly and transparently.

Response Timeline:

We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days (or 45 days for complex requests, with notification of the extension).

Supervisory Authority:

If you are located in the European Economic Area (EEA) or United Kingdom (UK), you have the right to lodge a complaint with your local data protection authority if you believe we have violated your data protection rights. A list of EU data protection authorities is available at: https://edpb.europa.eu

Language:

This Privacy Policy is available in English, Mongolian, Chinese, Russian, and Arabic. In case of any discrepancy between translations, the English version shall prevail.