Privacy Policy
Amovatech ("we", "us", or "our") values your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share and safeguard your personal data when you use our enterprise-grade products and services, including the "Secure Workspace" and related components (collectively, the "Services").
Our Services are designed for enterprise customers to support device management, secure access, data protection and related security controls. For personal data processed within the enterprise workspace, the enterprise customer acts as the data controller (or "data user" under Hong Kong PDPO), and Amovatech acts as the data processor, processing such data solely on behalf of the enterprise and in accordance with the enterprise's documented instructions and applicable laws.
For certain limited types of data necessary to ensure the security, integrity and availability of the Services (such as system event logs, error diagnostics or audit records), Amovatech may act as an independent data controller to the extent required by legal obligations or legitimate interests related to operating and protecting the Services.
By accessing or using our Services, you acknowledge that you have read, understood and agree to this Privacy Policy.
1. Personal Data We Collect
We collect only the minimum data necessary to provide our Services and to fulfil enterprise security and compliance requirements. The specific data collected depends on your usage scenario.
1.1 Use of Personal Devices for Regular Work
1.1.1 Account Creation & Authentication
We may collect:
- Mobile phone number
- Email address
- Password or authentication credential
1.1.2 Security Admission
To verify device compliance:
- Device identifiers (Android ID, IDFA/IDFV, OAID, GAID, HarmonyOS OAID)
- Device model, system version and hardware information
- Network information (IP address, Wi-Fi, Bluetooth, sensor data)
- Carrier information
1.1.3 Secure Use of Enterprise Apps (Optional)
- Installed enterprise app list and metadata
- Enterprise security policy enforcement data
1.1.4 Zero Trust Network Access (Optional)
We collect device identifiers, network environment data and geolocation information to determine real-time access trustworthiness.
1.3 Enterprise-Issued Devices
We may collect more comprehensive device information for the full lifecycle management of corporate assets, including:
- Device identifiers and hardware details
- Installed application list
- Storage and configuration information
- Compliance status
Optional remote support may involve real-time screen viewing or remote control, always initiated with your explicit consent unless for unattended devices.
1.4 Processing Under Instruction of Enterprise Users
The enterprise customer acts as the data controller and controls the personal data processed through end-user accounts. Amovatech processes such data for the sole purpose of providing the Services, in accordance with the enterprise customer's instructions and applicable laws and regulations.
2. How We Use Personal Data
We use your personal data to:
- Provide, operate and maintain the Services
- Support enterprise security, device compliance and access control
- Improve service performance and user experience
- Detect and handle technical faults, security incidents or misuse
- Fulfil contractual or legal obligations
We will obtain additional consent if we intend to use data beyond the stated purposes.
3. Legal Basis (for GDPR/International Compliance)
Where applicable, our processing is based on:
- Performance of a contract (e.g., enabling access, authentication)
- Legitimate interests (e.g., ensuring security, device compliance)
- Compliance with legal obligations
- Your consent, where required for optional or sensitive features
4. Storage of Personal Data
4.1 Location
Personal data is stored in Mainland China or in locations designated by your enterprise customer. If cross-border transfer is required, we will comply with applicable laws (e.g., PDPO, GDPR Chapter V) and implement appropriate safeguards.
4.2 Retention
Personal data is retained only for the period necessary to provide the Services or as specified by the enterprise customer. After expiry, the data is deleted or anonymised.
5. Cookies & Similar Technologies
We use cookies and similar technologies for authentication, site stability and usage analysis. You may disable cookies, but some functions may be restricted.
6. Sharing, Transfer and Disclosure
We do not sell personal data. We only share data in the following situations:
- With your enterprise customer (data controller)
- With third-party SDK providers strictly for functional purposes (e.g., maps, push services, device location)
- During mergers or acquisitions (with notice and protection measures)
- As required by law or government authorities
- To protect life, property or significant legal rights
A full SDK list including Baidu Location, Baidu Map, Xiaomi Push, Huawei Push and Tencent TBS is provided in Appendix A.
7. Security Measures
We implement administrative, technical and physical safeguards, including:
- Access control and least-privilege authorization
- Encryption, secure transmission and storage
- Security audits and monitoring
- Personnel confidentiality and training obligations
If a data incident occurs, we will notify affected users and regulators as required.
8. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access your personal data
- Rectify inaccurate data
- Request deletion
- Restrict or object to processing
- Data portability
- Withdraw consent
As the enterprise customer is the data controller, you should submit such requests via your enterprise administrator.
9. Children's Privacy
Our Services are intended for enterprise users and are not directed to minors. If we inadvertently collect personal data from a minor without proper consent, we will delete it promptly.
10. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified through prominent notices or email. Continued use constitutes acceptance.
11. Contact Us
If you have questions, complaints or requests, please contact us:
- Phone: +852 9337 8055 (09:00–18:00)
- Email: contact@amovatech.com
- Mailing Address: Room 2116, 21/F, Block A,83 King Lam Street, Lai Chi Kok, Kowloon, Hong Kong
We will respond within 15 working days upon verifying your identity.
Appendix A — Third-Party SDKs and APIs Used in the Services
The Services may integrate third-party software development kits (SDKs) or application programming interfaces (APIs) to enable specific system functions (such as location services, push notifications or document rendering). These third parties may receive certain personal data or device information as described below. All third-party components are assessed for security, compliance and necessity prior to integration.
1. Baidu Location SDK
- Provider: Beijing Baidu Netcom Technology Co., Ltd.
- Purpose: Determine geolocation for enforcing enterprise location-based policies.
- Personal Data Processed:
- Device information: Android ID, IDFA/IDFV, OS version, device brand/model, device configuration, app name
- Location information: GPS coordinates, GNSS data, Wi-Fi gateway/MAC, Wi-Fi signal strength, Wi-Fi parameters/lists
- Network & carrier data: IP address, carrier information, cell tower IDs
- Sensor data: accelerometer, gyroscope, compass, pressure, rotation vector, light, magnetometer
- Required Permissions: Phone, tracking, network access, precise & background location, storage
- Collection Method: Direct collection through the SDK; no server-side sharing by Amovatech
- Privacy Policy: https://lbs.baidu.com/index.php?title=openprivacy
2. Baidu Map SDK
- Provider: Beijing Baidu Netcom Technology Co., Ltd.
- Purpose: Provide map display, navigation and location visualization for enterprise use cases.
- Personal Data Processed:
- Device information: Android ID, IDFV, OS version, device brand/model, device configuration, app name, gyroscope readings
- Location information: GPS/GNSS data, Wi-Fi signal/MAC, cell tower IDs, IP address, Bluetooth info
- Sensor data: accelerometer, gyroscope, direction, pressure, rotation vector, light, magnetometer
- Network state: Mobile network, Wi-Fi, or offline state
- Image data: As required for map rendering
- Required Permissions: Phone, tracking, network access, precise & background location, storage, camera
- Collection Method: Direct collection via SDK; no data shared by Amovatech
- Privacy Policy: https://lbs.baidu.com/index.php?title=openprivacy
3. Xiaomi Push SDK
- Provider: Beijing Xiaomi Mobile Software Co., Ltd.
- Purpose: Deliver push notifications to the user's device.
- Personal Data Processed:
- Device identifiers (OAID, encrypted Android ID)
- Device information (manufacturer, model, region, carrier)
- Push message content
- Notification bar configuration
- Required Permissions: Network state access, device information access, write to storage
- Collection Method: Direct collection through SDK
- Privacy Policy: https://dev.mi.com/xiaomihyperos/documentation/detail?pId=1534
4. Huawei Push SDK
- Provider: Huawei Software Technologies Co., Ltd.
- Purpose: Provide push notification services for Huawei devices.
- Personal Data Processed:
- Application information
- Device hardware information
- Basic system settings and configuration
- Required Permissions: As required by Huawei Push Service
- Collection Method: Direct collection via SDK
- Privacy Policy: https://developer.huawei.com/consumer/cn/doc/HMSCore-Guides/sdk-data-security-0000001050042177
5. Tencent TBS Document SDK (Android)
- Provider: Shenzhen Tencent Computer Systems Co., Ltd.
- Purpose: Provide stable, secure and high-compatibility local document preview functionality.
- Personal Data Processed:
- Device model
- Operating system information
- CPU type
- Host application package name and version
- Required Permissions:
- Network access
- Storage access (optional)
- Clipboard access (optional)
- Collection Method: Direct collection through SDK; Amovatech does not transmit personal data for this integration
- Privacy Policy: https://rule.tencent.com/rule/b01dde7c-2c5b-487a-9bdd-3275dc716a83
Appendix B — Legal Basis Mapping
This appendix maps each category of personal data processed through the Services to the corresponding legal basis under the GDPR and relevant international privacy frameworks.
1. Account Creation and Identity Information
| Data Category | Purpose of Processing | Legal Basis |
|---|---|---|
| Mobile number, email address, password/credentials | Creating end-user account, authentication, secure login | Performance of contract (Art. 6(1)(b)) |
| Enterprise-issued identifiers (e.g., employee ID) | Identity verification, enterprise access control | Performance of contract / Legitimate interest (Art. 6(1)(f)) |
2. Device Information and System Metadata
| Data Category | Purpose of Processing | Legal Basis |
|---|---|---|
| Device identifiers (Android ID, IDFA/IDFV, OAID, GAID, HarmonyOS OAID) | Device compliance validation, security admission, zero-trust evaluation | Legitimate interest (security) / Performance of contract |
| Device model, OS version, hardware info | Delivering device management functions, compatibility assurance | Performance of contract |
| Network & communication data (IP address, Wi-Fi, Bluetooth, sensor info) | Access control, security verification, threat detection | Legitimate interest (security) |
3. Location Information
| Data Category | Purpose | Legal Basis |
|---|---|---|
| GPS / GNSS data, Wi-Fi MAC, cell tower IDs | Location-based enterprise compliance, zero-trust decisioning | Consent (if required by local law) / Legitimate interest (enterprise policy enforcement) |
4. Application Information
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Installed apps list (enterprise apps) | Ensuring enterprise data flows only within approved apps, policy enforcement | Performance of contract / Legitimate interest |
| App metadata (package name, version, size) | Security policy delivery, compatibility testing | Performance of contract |
5. Enterprise Data Stored on Devices
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Enterprise workspace data (encrypted) | Enabling enterprise workflows, secure container operations | Performance of contract |
| Data encryption, remote wipe, access restriction | Protecting enterprise confidential information | Legitimate interest / Legal obligation |
6. Logging and Security Monitoring
| Data Category | Purpose | Legal Basis |
|---|---|---|
| System logs, diagnostic logs, compliance records | Service security, troubleshooting, abuse detection | Legitimate interest (security) / Legal obligation |
| Audit logs (actions by admin or user) | Enterprise audit requirements | Performance of contract / Legal obligation |
7. Remote Support (Optional)
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Screen content (real-time), device status | Troubleshooting, remote guidance | Consent |
| Remote control input | Assisting enterprise in resolving device issues | Consent |
8. Data Processed Under Enterprise Instruction
| Data Category | Purpose | Legal Basis |
|---|---|---|
| All enterprise-controlled personal data processed in workspace | Per the enterprise customer's policies and instructions | Enterprise = Data Controller; Amovatech = Data Processor |
Appendix C — Data Retention Schedule
1. Account and Identity Information
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Account credentials, identity information | Retained until the enterprise terminates the account or instructs deletion | Secure deletion or irreversible anonymization |
2. Device Information
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Device identifiers, OS details, hardware metadata | Stored only during active device enrollment; deleted within 30 days after de-enrollment | Automatic purge from management database |
3. Enterprise Application Information
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Installed apps list, app metadata | Updated dynamically; retained only for active policy enforcement | Overwritten with new data or deleted upon device removal |
4. Security Logs and Diagnostic Data
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Compliance logs, authentication logs, system event logs | Typical retention: 90–180 days, unless enterprise specifies otherwise | Scheduled deletion; logs anonymised where possible |
| Error logs, crash diagnostics | 30–90 days, depending on severity | Automatic log rotation |
5. Workspace Data (Enterprise Data Stored on Devices)
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Encrypted workspace data | Retained only while workspace/account remains active | Enterprise-triggered wipe; cryptographic erasure; local deletion by workspace container |
6. Remote Support Data (Optional)
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Screen streaming data | Not stored unless explicitly requested; deleted immediately after session | No persistent storage by default |
| Session logs | Up to 30 days (or per enterprise policy) | Log rotation & secure deletion |
7. Backups and Disaster Recovery
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Encrypted backup snapshots | Typically 7–30 days, depending on enterprise configuration | Automatic expiration; cryptographic destruction |
8. Data Processed Under Enterprise Instruction
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| All enterprise-managed data | As specified in enterprise's retention policy | Amovatech deletes or returns data upon enterprise request |
9. Exceptions (Required by Law)
Certain data may be retained longer if required by:
- Legal obligations
- Regulatory investigations
- Fraud prevention
- Security incident analysis
Retention will be limited to the minimum legally required period.