Legal Statement on Compliant Use of High-Risk Plugins and Cross-Border Transmission Risks
I. Purpose and Basis of the Statement
To clarify the development boundaries, usage specifications and risk liability division of high-risk plugins, fully prevent cross-border compliance risks, illegal transmission hazards and data security risks, protect the intellectual property rights, data security and legitimate rights and interests of the plugin development entity and relevant parties, and eliminate legal disputes and liability tracing caused by improper use of plugins, this legal statement is formulated in accordance with the Cybersecurity Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, Personal Information Protection Law of the People’s Republic of China, Copyright Law of the People’s Republic of China, Anti-Unfair Competition Law of the People’s Republic of China, Criminal Law of the People’s Republic of China, Cybersecurity Review Measures, EU General Data Protection Regulation (GDPR), U.S. California Consumer Privacy Act (CCPA/CPRA), Federal Trade Commission Act, Computer Fraud and Abuse Act and other current laws, regulations and regulatory rules of various countries and regions. This statement is legally binding on the plugin development entity and all entities obtaining plugin usage rights (hereinafter collectively referred to as “Users”). The User’s act of obtaining and using the plugin shall be deemed as having fully known, understood and agreed to all terms of this statement and voluntarily accepting the constraints of this statement.
II. Definition of the Statement Entity and Core Plugin
(I) Statement Entity
Anping Wisdom Life Network Software Technology Agency (hereinafter referred to as “Development Entity”) is the sole legitimate development entity and exclusive owner of intellectual property rights of the high-risk plugins involved in this statement. It enjoys complete copyright, modification right, distribution right and rights protection rights for the plugins. No entity may claim intellectual property rights related to the plugins without the written permission of the Development Entity.
(II) Core Definition of Plugins
1. Plugin Attributes: The plugins involved in this statement are non-publicly circulating plugins specially developed by the Development Entity for specific compliant scenarios. Due to functional characteristics and applicable scenario restrictions, cross-border use without compliance evaluation and transmission on public networks are likely to violate laws and regulations of multiple countries and regions, and there is a high risk of being collected and illegally spread by search engines. They are not general plugins that can be opened to the public for use.
2. Plugin Scope: Including official versions, derivative versions, test installation packages, source code snippets, supporting configuration files, function description documents, operation tutorials of the plugins and all technical materials related to the plugins provided by the Development Entity. Regardless of the form of electronic files, code texts or other carriers, they are included in the scope of this statement.
3. Boundary of Usage Rights: Users may only use the plugins within the geographical scope and specific compliant scenarios clearly authorized by the Development Entity. The right nature is non-exclusive, non-transferable and non-sublicensable. They shall not expand the use scenarios, expand the user entities or divert plugin-related resources to third parties beyond the authorized scope.
III. Comprehensive Definition of Cross-Border Multi-Regional Legal Risks
Due to significant differences in data sovereignty, privacy protection standards, intellectual property protection intensity and market supervision rules among various countries and regions, cross-border use, cross-border data transmission and cross-border transmission of plugins all face diversified legal risks. Users shall verify compliance item by item in combination with the use region and scenario characteristics. The specific risk classification and detailed rules are as follows:
(I) Global General Legal Risks
1. Data Compliance Risks: Conducting automated data crawling, web scraping, sensitive data storage or cross-border data transmission using plugins without the permission of the regulatory authorities in the plugin use region and the explicit authorization of the data subject violates the basic data security guidelines of most countries, which will trigger administrative penalties (such as fines, data transmission bans). If data leakage or third-party losses are caused, additional civil liability for compensation shall be borne, and criminal liability shall be pursued if the circumstances are serious.
2. Intellectual Property Infringement Risks: Conducting reverse engineering, decompilation, disassembly, tampering with copyright marks, deleting the signature information of the Development Entity on the plugins; embezzling plugin source codes and functional modules for secondary development, packaging and selling, and paid sublicensing; using plugins to copy, spread and distribute copyrighted texts, pictures, audio, videos and other contents are all identified as intellectual property infringement acts worldwide. It is necessary to pay infringement compensation to the Development Entity and relevant right holders. If the circumstances are serious (such as large infringement profits and extremely wide infringement scope), criminal liability shall be pursued.
3. Unfair Competition Risks: Using plugins to interfere with the normal operation order of third-party platforms (such as maliciously occupying platform server resources and hindering the normal operation of platform functions), breaking through platform compliance restrictions (such as bypassing platform review mechanisms and anti-crawling technical measures) to obtain unfair competitive advantages; implementing traffic hijacking, ad blocking, malicious traffic diversion and other acts through plugins violate the global general principle of fair competition, which is likely to trigger unfair competition lawsuits and face risks such as right compensation and market access ban, and relevant illegal gains will be confiscated in accordance with the law.
4. Personal Privacy Infringement Risks: If the plugin involves personal information processing, failing to meet the user informed consent mechanism, information security protection requirements, and personal information rights protection (such as right to deletion, right to correction, right to data portability) in the privacy protection laws and regulations of the use region; illegally collecting, transmitting, disclosing and selling personal information such as names, contact information, identity information and browsing records of others shall bear legal liability. Some regions (such as the EU and California, USA) have extremely high penalties for personal privacy infringement, and need to compensate each affected user individually.
5. Computer Information System Violation Risks: Using plugins to invade and illegally control third-party computer information systems, or using technical means to obtain data stored, processed and transmitted in the systems is suspected of violating computer security-related laws of various countries, which will face administrative penalties. If the circumstances are serious, criminal liability shall be pursued and high fines shall be imposed.
(II) Special Legal Risks in Core Jurisdictions
1. EU Region (Core Regulation: GDPR)
– Core Compliance Requirements: Personal data processing shall obtain explicit separate consent from users, the consent content shall be clear and specific, and shall not be bundled with other function authorizations; key data shall be stored on servers within the EU. If cross-border transmission is really necessary, it is necessary to pass the verification of the EU “adequacy decision” list regions, or sign EU standard contractual clauses with the recipient, implement binding corporate rules and other compliance mechanisms; in case of data leakage, it shall be reported to the EU data protection regulatory authority within 72 hours, and the affected users shall be informed in a timely manner; data protection impact assessment shall be carried out regularly, and the assessment report shall be kept for future reference.
– High-Risk Violation Scenarios: Obtaining authorization only through vague clauses without clearly informing users of the purpose, method and transmission scope of personal data processing; failing to provide convenient operation channels for personal data deletion and right to data portability; arbitrarily transmitting plugin data across borders to regions not included in the EU “adequacy decision” without compliance evaluation; failing to report to the regulatory authority or inform users in time after plugin data leakage; collecting user personal data beyond the scope, exceeding the “minimum necessary” principle for realizing plugin functions.
– Penalty Standards: The maximum fine may be 4% of the Development Entity’s global annual turnover or 20 million euros (whichever is higher); penalties caused by Users’ illegal use shall be borne by Users themselves, and have nothing to do with the Development Entity; at the same time, compensation shall be paid to affected users, and the compensation amount shall be comprehensively determined according to the user’s loss degree and violation circumstances.
2. U.S. Region (Core Regulations: CCPA/CPRA, Federal Trade Commission Act, Computer Fraud and Abuse Act)
– Core Compliance Requirements: Personal information processing follows the “user opt-out” mechanism, users shall be clearly informed of the purpose of information processing, and users have the right to withdraw consent at any time; selling users’ sensitive personal information (such as biometric information, medical information) is prohibited, and personal information transfer in specific legal scenarios shall comply with exclusionary situations such as written contract agreements; web crawling shall strictly abide by the robots.txt protocol of the target website, and shall not bypass anti-crawling technical measures or forge access identities to conduct data crawling; plugin intellectual property rights shall be legally registered with relevant U.S. institutions, and illegal tampering and secondary sales are prohibited.
– High-Risk Violation Scenarios: Selling and transferring user browsing records, identity information and consumption data without informing users of the purpose of information processing; batch crawling third-party platform data for commercial monitoring, malicious competition or data trafficking; circulating in the market after tampering with plugin copyright information and Development Entity’s signature; transferring personal information beyond the legal exclusion scope; implementing large-scale data crawling by bypassing the anti-crawling measures of the target website, affecting the normal operation of the website.
– Penalty Standards: The maximum fine for a single personal information violation is 7,500 US dollars, and there is no upper limit on cumulative fines for large-scale violations; in unfair competition lawsuits, if malicious competition is determined, high civil compensation (up to 10 million US dollars) may be awarded; those who violate the Computer Fraud and Abuse Act and the circumstances are serious shall be pursued for criminal liability of relevant personnel, sentenced to fixed-term imprisonment and fined.
3. China Region (Core Regulations: Cybersecurity Law, Data Security Law, Personal Information Protection Law, Anti-Unfair Competition Law, Criminal Law, Cybersecurity Review Measures)
– Core Compliance Requirements: Personal information processing shall obtain separate consent from users, and disguised compulsory methods such as default check and bundled authorization shall not be adopted; core data collected and generated by operators of critical information infrastructure shall be compulsorily stored locally. If cross-border transmission is really necessary, it is necessary to complete the security assessment and filing organized by the national cyberspace administration, and comply with the relevant requirements of cybersecurity review; illegal invasion of computer information systems is prohibited, and high-risk unfiled plugins are prohibited from being transmitted on public networks; plugin development and use shall comply with the data classification and grading protection system, and enhanced protection measures shall be taken for sensitive data and core data.
– High-Risk Violation Scenarios: Illegally crawling user information and commercial data of third-party websites, breaking through platform anti-crawling restrictions, leading to abnormal server load and system paralysis; cross-border transmission of core data without filing and cybersecurity review; using plugins to block legal advertisements, crack platform permissions and implement traffic hijacking; uploading, transmitting and sharing plugins on public networks (such as forums, network disks, open platforms) without permission; using plugins to carry out illegal and criminal activities such as telecom network fraud and online gambling; collecting user personal information beyond the scope, failing to take encryption measures to store sensitive data, leading to leakage.
– Penalty Standards: For violations related to data security and personal information protection, the maximum fine may be 5% of the annual turnover or 50 million yuan; for violations related to unfair competition, the maximum fine may be 3 million yuan; those suspected of illegal acquisition of computer information system data, infringement of citizens’ personal information, illegal control of computer information systems and other acts shall be pursued for criminal liability, sentenced to fixed-term imprisonment and criminal detention, and imposed high fines; relevant illegal plugins shall be removed in accordance with the law, and the relevant platforms operated by Users may face shutdown and rectification.
IV. Detailed Tips on Search Engine Collection and Illegal Transmission Risks
(I) Transmission Risk Hazards
1. If Users upload plugin installation packages, source codes, tutorials and other related resources to public scenarios such as public forums, network disks, open storage platforms and social groups, they are likely to be collected and included by the crawling mechanisms of search engines such as Google and Baidu, breaking through geographical and permission restrictions, triggering unauthorized forwarding, tampering, secondary sales and malicious abuse worldwide. This not only seriously infringes on the intellectual property rights of the Development Entity, but also triggers multi-regional legal disputes due to improper use of plugins, expanding the scope of risk impact, and causing Users and the Development Entity to face accountability from regulatory authorities of multiple countries.
2. After unauthorized third parties obtain the plugins, they may tamper with plugin functions, implant malicious codes and backdoor programs, and use them to carry out illegal and criminal activities such as network attacks, data theft and fraud. The relevant illegal consequences may be associated with the Development Entity, increasing the rights protection costs and legal risks of the Development Entity; at the same time, improper use of plugins may damage the legitimate rights and interests of third parties, triggering multiple civil infringement lawsuits, and Users shall bear corresponding compensation liabilities.
(II) Description of Protective Measures and Limitations
1. The Development Entity has adopted multiple protective measures to prevent illegal transmission and improper use of plugins, including: embedding anti-search engine collection marks, setting multi-layer authorization verification mechanisms, encrypting plugin source codes, restricting plugins to be bound to specific devices/IPs for use, and retaining plugin usage logs to trace usage behaviors, so as to minimize the risk of illegal transmission.
2. Due to the complexity of the network environment, the upgrading of malicious attack technologies by third parties, and uncontrollable factors such as active disclosure by Users, the above protective measures cannot completely avoid the illegal acquisition and transmission of plugins. The relevant protective measures are only risk prevention means, and do not constitute a guarantee for the security and non-transmission of plugins by the Development Entity, nor do they exempt Users from compliant use and confidentiality obligations.
3. Any legal liability (such as administrative penalties, criminal accountability), economic losses (such as rights protection fees, compensation fees) and reputation losses caused by search engine collection, illegal transmission and malicious crawling by third parties shall be borne by Users and illegal transmitters, and the Development Entity shall not bear any responsibility.
(III) Emergency Disposal Requirements
1. When Users find that plugins are collected by search engines, illegally transmitted, abused or tampered with by third parties, they shall notify the Development Entity in writing (including emails and sealed letters) within 24 hours, clearly explain the risk occurrence scenario, transmission scope and impact degree, and provide relevant evidence materials (such as collection links, transmission screenshots).
2. Users shall fully cooperate with the Development Entity to complete emergency disposal work such as evidence fixation, cross-border complaint and removal, platform reporting, rights protection and evidence submission, including but not limited to: providing plugin usage records, cooperating in issuing situation descriptions, and assisting in contacting relevant platforms to handle infringing content.
3. If Users fail to find risks in time, notify the Development Entity on time, or cooperate in emergency disposal, resulting in expanded risks (such as further spread of transmission scope, triggering multi-country accountability, increased loss amount), the additional legal liability and economic losses shall be borne independently by Users, and the Development Entity has the right to recover the advanced rights protection costs from Users.
V. Responsibilities and Exemption Clauses of the Development Entity
(I) Responsibilities of the Development Entity
1. Compliant Development Responsibility: Plugin development is carried out in strict accordance with relevant laws and regulations and the needs of specific compliant scenarios. The development process complies with the regulatory requirements of the Development Entity’s location. No malicious codes, backdoor programs or virus programs are implanted, and no unauthorized data acquisition, network attack and other illegal functions are preset; internal compliance verification has been completed after development to ensure that the plugins themselves have no compliance defects.
2. Basic Support Responsibility: Provide Users with basic plugin usage documents, function descriptions, operation guidelines and common fault diagnosis plans; provide technical optimization support and repair services for functional faults and compliance problems of the plugins themselves (excluding problems caused by Users’ illegal use), ensuring the normal operation of the plugins within the authorized scenarios.
3. Intellectual Property Protection Responsibility: Legally protect the copyright and related intellectual property rights of the plugins, take rights protection measures such as complaint and removal, civil litigation and criminal reporting against illegal transmission, infringement and improper use of the plugins. The rights protection gains (such as infringement compensation, fines) belong to the Development Entity; during the rights protection process, Users shall cooperate in providing relevant evidence.
4. Risk Notification Responsibility: Clearly inform Users of the compliance boundary, cross-border risks and transmission risks of plugin use, provide risk prompt materials, and ensure that Users are aware of relevant risks and legal liabilities.
(II) Exemption Clauses
1. If Users use the plugins beyond the authorized region and authorized scenario, or use them across borders without completing compliance evaluation and cybersecurity review, or transmit the plugins on public networks, or use the plugins to engage in illegal and irregular activities, the resulting administrative penalties, criminal accountability, civil compensation and reputation losses have nothing to do with the Development Entity and shall be borne independently by Users. The Development Entity has the right to terminate Users’ plugin usage rights and recover relevant losses.
2. The Development Entity shall not bear repair and compensation responsibilities for disputes caused by search engine collection, illegal transmission, malicious crawling and malicious attacks on plugins, or plugin use abnormalities, data losses and system failures caused by incompatible server environments, operational errors and illegal modification of plugin codes by Users.
3. Plugins are developed for authorized scenarios. The Development Entity does not make any commitments on the compatibility, compliance and security of the plugins in other scenarios and regions. Risks caused by Users’ independent expansion of use scenarios and changes of use regions shall be borne by Users themselves.
4. The Development Entity shall not be liable for plugin unusability, data loss or other losses caused by force majeure (such as natural disasters, wars, policy changes, network interruptions); if the plugins do not meet the new regulatory requirements due to the update of policies and regulations, the Development Entity only provides technical optimization suggestions, and does not bear the full responsibility for compliance rectification and related losses.
5. If Users fail to back up plugin-related data as required, or cause data leakage and loss due to improper data management, the Development Entity has no repair and compensation responsibilities; plugin usage logs are only retained for a certain period of time, and expired logs cannot be traced. The Development Entity shall not bear relevant responsibilities.
6. Illegal products derived from plugins by third parties or fake plugins spread in the name of the Development Entity have nothing to do with the Development Entity, and the Development Entity shall not bear any responsibility. Users shall verify the authenticity of the plugins themselves and avoid using fake and derivative illegal plugins.
VI. Compliance Obligations and Liability Undertaking of Users
(I) Core Compliance Obligations
1. Scenario and Regional Compliance Obligations: Use the plugins only within the geographical scope and internal compliant scenarios authorized by the Development Entity. It is strictly prohibited to use them across borders, transmit them on public networks and share them without authorization; before use, Users shall independently verify the laws and regulations of the use region and confirm that the plugin use scenario complies with local regulatory requirements. If it is necessary to change the use region and scenario, Users shall submit a written application to the Development Entity in advance, complete the compliance evaluation and obtain the written consent of the Development Entity before implementation. No unauthorized changes are allowed without consent.
2. Data Security Compliance Obligations: When processing data using plugins, Users shall comply with the data classification and grading protection system, and take enhanced protection measures such as encrypted storage and access permission control for sensitive data and core data; if cross-border data transmission is really necessary, it is necessary to complete the compliance evaluation and cybersecurity review of the target region, obtain the permission of relevant regulatory authorities and the written consent of the Development Entity, strictly follow the cross-border data transmission compliance mechanism, and keep transmission records for future reference; it is prohibited to use plugins to carry out illegal data crawling, data trafficking, data leakage and other acts.
3. Intellectual Property Protection Obligations: Respect and protect the intellectual property rights of the Development Entity for the plugins, and shall not carry out infringement acts such as reverse engineering, decompilation and tampering with copyright marks; shall not embezzle plugin source codes and functional modules for secondary development, sales or sublicensing; shall not use plugins to infringe on the intellectual property rights of third parties; when finding infringement acts by third parties, Users shall timely inform the Development Entity and cooperate in rights protection.
4. Confidentiality and Control Obligations: Establish a full-process confidentiality control mechanism for plugins, which are only allowed to be operated and used by authorized personnel. It is strictly prohibited to transmit and share plugin installation packages, source codes, tutorials and related technical materials to unauthorized third parties; set up hierarchical management of plugin usage permissions, record plugin usage logs, and prevent internal personnel from disclosing plugins; after using the plugins, Users shall timely uninstall the plugins, destroy all relevant files (including electronic files and paper materials), retain destruction records and feed back to the Development Entity; the plugins shall not be used for any purpose outside the authorized scenario.
5. Emergency Disposal and Cooperation Obligations: When finding that plugins are collected by search engines, illegally transmitted, abused or tampered with by third parties, Users shall timely notify the Development Entity and cooperate in emergency disposal in accordance with the requirements of this statement; when receiving investigation notices from regulatory authorities and rights protection letters from third parties, Users shall inform the Development Entity in the first place, cooperate in providing relevant materials, and shall not conceal or falsely report relevant situations; when the Development Entity carries out rights protection work, Users shall fully cooperate in providing evidence, issuing explanations, etc.
(II) Liability Undertaking Rules
1. If Users violate any clause of this statement, causing the Development Entity to suffer losses such as administrative penalties, criminal accountability, civil compensation, reputation losses and rights protection expenses, they shall fully compensate the Development Entity’s losses. The compensation scope includes but is not limited to: fines, compensation, attorney fees, litigation fees, arbitration fees, cross-border rights protection travel expenses, evidence fixation fees, platform complaint fees, etc.
2. If Users’ illegal use of plugins triggers complaints, lawsuits and accountability from third parties (including users, other enterprises and regulatory authorities), they shall handle relevant disputes by themselves, bear all legal liabilities and compensation liabilities, and shall not transfer the liabilities to the Development Entity; if a third party lists the Development Entity as a joint accountability object, the Development Entity has the right to take legal measures to protect its own rights and interests, and all losses arising therefrom shall be borne by Users.
3. If Users fail to perform their confidentiality and control obligations, leading to plugin leakage and illegal transmission, they shall bear all losses of the Development Entity caused by plugin infringement and improper use. At the same time, the Development Entity has the right to immediately terminate the plugin usage rights, and will not refund any relevant fees already collected (if any).
4. If Users use plugins to engage in illegal and criminal activities, the Development Entity has the right to report relevant illegal clues to regulatory authorities and cooperate with regulatory authorities in investigations. The criminal accountability, administrative penalties and relevant losses faced by Users shall be borne by themselves.
VII. Other Supplementary Agreements
1. The intellectual property rights of the plugins belong exclusively to the Development Entity. Users only obtain limited usage rights as agreed in this statement, and have no right to dispose of any plugin-related rights (such as transfer, authorization, pledge, etc.), and shall not claim any intellectual property rights to the plugins.
2. The Development Entity may adjust and optimize plugin functions and clauses of this statement according to the update of laws and regulations of various countries, regulatory policy adjustments, technical upgrading needs, plugin function optimization and other situations. Major adjustments (such as changes in compliance requirements and liability division) will be announced through the official channels of the Development Entity (such as emails, official website announcements). If there is no objection within 3 days after the announcement, it shall be deemed that Users agree; if Users disagree with the adjustment, they shall immediately stop using the plugins, destroy relevant files and feed back to the Development Entity. The Development Entity shall not bear refund and compensation responsibilities.
3. Disputes arising from plugin use and performance of this statement shall be resolved through friendly negotiation between both parties first; if negotiation fails, both parties have the right to file a lawsuit with the people’s court with jurisdiction at the place where the Development Entity is located, applying the law of the People’s Republic of China (excluding conflict rules).
4. Matters not covered in this statement shall comply with the relevant laws, regulations and regulatory rules of the plugin use region and the Development Entity’s location; if any clause of this statement conflicts with relevant laws and regulations, the laws and regulations shall prevail, but the legal effect of other clauses shall not be affected.
5. This statement shall take effect from the date of issuance and be valid for a long time unless terminated by the Development Entity in writing; if Users have obtained and used the plugins before the issuance of this statement, they shall be bound by this statement from the date of issuance.
