Privacy Policy

1. Introduction and Scope

This Privacy Policy describes how Shaanxi Yingguan Network Technology Co., Ltd., operating as Crown Hero (hereafter the Company, we, us, or our), collects, uses, stores, shares, and protects personal information obtained through the website www.crownhero.lol (the Site) and any related services, communications, or business interactions (collectively, the Services).

By accessing or using the Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should discontinue use of the Site and Services immediately.

This policy applies to all visitors, users, clients, and any other individuals whose personal data we process in the course of our business operations. It is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Personal Information Protection Law of the People’s Republic of China (PIPL).

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily submit through our contact forms, email communications, phone calls, or other direct interactions. This includes:

• Identity Data: Full name, job title, company affiliation.
• Contact Data: Email address, telephone number, physical address.
• Project Data: Information about your IT infrastructure, technical requirements, project scope, and any other details you include in inquiry messages.
• Communication Data: Records of correspondence including email threads, contact form submissions, and any attachments you provide.

2.2 Information Collected Automatically

When you visit the Site, certain information is collected automatically through standard web technologies:

• Technical Data: Internet Protocol (IP) address, browser type and version, operating system, device type, screen resolution, and time zone settings.
• Usage Data: Pages visited, time spent on each page, navigation paths, referral sources, search terms used to find the Site, and interaction patterns with page elements.
• Server Log Data: Request timestamps, HTTP status codes, data transfer volumes, and any errors encountered during your session.

2.3 Information We Do Not Collect

We do not knowingly collect sensitive personal data in the following categories: government-issued identification numbers, financial account credentials, biometric data, health or medical information, information about criminal convictions, or data revealing racial or ethnic origin. We do not process payment card information directly on our Site and do not store credit card numbers.

3. How We Use Your Information

Personal data collected through the Site and Services is used for the following purposes, each tied to a specific lawful basis as detailed in Section 4:

• Service Delivery: To respond to inquiries, prepare project proposals, deliver contracted computer systems design services, and provide ongoing technical support.
• Business Communication: To send service-related announcements, project updates, technical documentation, and administrative notifications. We may also send occasional newsletters or industry updates where you have explicitly opted in.
• Site Improvement: To analyze Site usage patterns, diagnose technical issues, optimize performance, and improve the user experience through data-driven design decisions.
• Security and Fraud Prevention: To monitor for unauthorized access attempts, protect against malicious activity, enforce our Terms of Service, and maintain the integrity of our systems.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to establish, exercise, or defend legal claims.

We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. All decisions regarding service delivery and client engagement are made by qualified human personnel.

4. Legal Bases Under the GDPR

For individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following lawful bases for processing personal data under Articles 6 and 7 of the GDPR:

• Consent (Art. 6(1)(a)): Where you have given clear, affirmative consent for a specific processing purpose, such as subscribing to marketing communications. You may withdraw consent at any time by contacting us using the details in Section 15.
• Contractual Necessity (Art. 6(1)(b)): Where processing is necessary for the performance of a contract with you or to take pre-contractual steps at your request, including responding to service inquiries and delivering agreed-upon computer systems design services.
• Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for our legitimate business interests or those of a third party, provided those interests are not overridden by your data protection rights. Legitimate interests include: improving our Site and Services, ensuring network and information security, conducting business analytics, and communicating with existing clients about relevant service offerings.
• Legal Obligation (Art. 6(1)(c)): Where processing is necessary to comply with a legal obligation to which we are subject.

5. How We Share Information

We do not sell, rent, or trade personal data to third parties for their own marketing purposes. We may share personal data in the following limited circumstances:

• Service Providers: With trusted third-party vendors who perform functions on our behalf, including website hosting (Firebase), email delivery services, analytics providers, and IT support contractors. All service providers are bound by data processing agreements that mandate confidentiality and restrict use of data solely to the services they perform for us.
• Professional Advisors: With legal counsel, auditors, accountants, and insurers where reasonably required for the provision of professional services or the protection of our legal rights.
• Business Transfers: In connection with a merger, acquisition, reorganization, or asset sale, provided that the receiving party agrees to treat personal data in a manner consistent with this Privacy Policy.
• Legal Requirements: When required by law, court order, subpoena, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
• With Your Consent: In any other circumstance, we will seek your explicit consent before sharing your personal data with additional parties.

6. Cookies and Tracking Technologies

6.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites function efficiently and to provide information to site operators. We also use similar technologies such as local storage objects and server-side session identifiers.

6.2 Cookies We Use

Our Site uses the following categories of cookies:

• Strictly Necessary Cookies: Required for the operation of the Site. These include session management cookies that enable form submissions and navigation. They do not collect personal data for marketing purposes and cannot be disabled through our cookie controls as the Site would not function without them.
• Analytics Cookies: Used to understand how visitors interact with the Site by collecting and reporting information anonymously. These help us improve site structure and content based on aggregated usage patterns. We use privacy-respecting analytics configurations that anonymize IP addresses and do not create cross-site profiles.
• Functional Cookies: Used to remember your preferences and choices, such as language settings or previously viewed pages, to enhance your browsing experience.

6.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. You may configure your browser to reject cookies, delete existing cookies, or alert you when cookies are being placed. Please note that disabling strictly necessary cookies may impair the functionality of certain Site features. For guidance on managing cookies in your specific browser, refer to your browser’s help documentation.

7. Data Security

We implement and maintain administrative, technical, and physical security measures designed to protect personal data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. These measures include:

• Encryption of data in transit using Transport Layer Security (TLS) protocol.
• Encryption of data at rest on production servers using industry-standard AES-256 encryption.
• Access controls that restrict data access to authorized personnel on a need-to-know basis, enforced through role-based permissions and multi-factor authentication.
• Regular security assessments, vulnerability scanning, and penetration testing conducted by qualified security professionals.
• Firewall protection and intrusion detection and prevention systems (IDS/IPS) monitoring network traffic.
• Secure development practices including code review, dependency auditing, and adherence to OWASP guidelines.
• Employee training on data protection obligations and incident response procedures.

While we strive to protect personal data using commercially reasonable means, no method of electronic transmission or storage is absolutely secure. We cannot guarantee or warrant the absolute security of any information you transmit to us.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods are determined by the following criteria:

• Client Relationship Data: Retained for the duration of the business relationship plus seven years following its termination, to comply with tax, accounting, and commercial record-keeping obligations under Chinese law and international standards.
• Inquiry Data: Contact form submissions and general inquiries from individuals who do not become clients are retained for a maximum of two years from the date of last communication.
• Site Analytics Data: Aggregated and anonymized within 26 months of collection. IP addresses are anonymized at the point of collection.
• Server Logs: Retained for a maximum of 90 days for security and diagnostic purposes, after which they are automatically purged.

Upon expiration of the applicable retention period, personal data is either securely deleted, destroyed, or anonymized so that it can no longer be associated with an identifiable individual.

9. Your Rights Under the GDPR

If you are located in the EEA, the United Kingdom, or Switzerland, the GDPR grants you the following rights regarding your personal data. To exercise any of these rights, contact us using the details in Section 15. We will respond within one month of receiving a valid request, extendable by two further months where the request is complex or numerous.

• Right of Access (Art. 15): You may request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): You may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or when you withdraw consent and no other lawful basis for processing exists.
• Right to Restriction (Art. 18): You may request that we limit processing of your personal data in certain circumstances, such as while we verify the accuracy of the data or the legitimacy of processing.
• Right to Data Portability (Art. 20): You may request a copy of your personal data in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller.
• Right to Object (Art. 21): You may object to processing based on legitimate interests, including profiling. You have an absolute right to object to processing for direct marketing purposes.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to Complain (Art. 77): You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.

10. Your Rights Under the CCPA

If you are a resident of California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights regarding your personal information. We do not sell personal information as defined by the CCPA, nor do we share it for cross-context behavioral advertising.

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we shared it.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions such as completing a transaction or complying with a legal obligation.
• Right to Correct: You may request correction of inaccurate personal information we hold about you.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny services, charge different prices, or provide a different quality of service as a result of your exercising these rights.
• Right to Opt Out: As stated above, we do not sell personal data or use it for cross-context behavioral advertising, so there is no need to exercise an opt-out right for these activities.

To exercise your CCPA rights, contact us using the details in Section 15. We will verify your identity before processing any request. You may also designate an authorized agent to make a request on your behalf, provided the agent submits written proof of authorization.

11. Children’s Privacy

Our Site and Services are not directed to, nor intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that a child under 18 has provided personal data through the Site, we will take prompt steps to delete such information from our systems. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately using the details in Section 15 so that we may take appropriate action.

For users in the EEA, the age threshold is 16 years unless a lower age between 13 and 16 is set by the applicable member state law. We do not knowingly process data of individuals below the applicable digital age of consent in their jurisdiction without verified parental consent.

12. International Data Transfers

Crown Hero is headquartered in Xi’an, Shaanxi, China. Personal data we collect is processed and stored on servers located in China and, where service providers are engaged, may be transferred to and processed in other countries, potentially including the United States.

When transferring personal data across borders, we implement appropriate safeguards in accordance with applicable data protection laws. These safeguards include:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.
• Data processing agreements that impose equivalent data protection obligations on any receiving party.
• Technical measures such as encryption both in transit and at rest.

Where required, we conduct transfer impact assessments to evaluate the level of protection in the destination country and implement supplementary measures where necessary to ensure data subjects’ rights remain enforceable and effective.

13. Third-Party Services and External Links

Our Site is hosted on Google Firebase, which provides infrastructure, hosting, and analytics services. Firebase processes data in accordance with Google’s privacy policy and the Google Cloud Platform Data Processing and Security Terms. We have configured Firebase to minimize data collection where possible.

Our Site may contain links to external websites, platforms, or services that are not operated by us. Clicking on those links will direct you to third-party sites over which we have no control. We are not responsible for the privacy practices, content, or security of any third-party sites. We encourage you to review the privacy policy of every site you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or operational requirements. When we make material changes, we will post the updated policy on this page with a revised Effective Date and, where appropriate, provide notice through the Site or via email to existing clients.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Continued use of the Site after changes become effective constitutes acceptance of the revised policy. If you disagree with any changes, you should cease using the Site and Services and contact us to request deletion of your data.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels. We will acknowledge your inquiry within three business days and provide a substantive response within the timeframes required by applicable law.

Data Controller: Shaanxi Yingguan Network Technology Co., Ltd.
Registered Address: Room 703, Unit 2, Building 8, Longji Taihe Wanhejun, Gaozhuang Village, Gaozhuang Town, Jinghe New City, Xixian New Area, Xi’an, Shaanxi, 710000, China
Email: hezijie@crownhero.lol
Phone: +1 (563) 294-8606
Website: www.crownhero.lol

For GDPR-specific inquiries, you may designate hezijie@crownhero.lol as the point of contact for data protection matters. We do not have a statutory Data Protection Officer requirement under Article 37 of the GDPR, but we maintain a designated privacy contact to handle all data protection queries.