Futu Employee Equity Incentive Plan (ESOP) Product Services

Personal User Privacy Policy

Last update time: June 20^th 2023

Effective time: June 20^th 2023

In order to fully protect your rights, we have updated the "Futu Employee Equity Incentive Plan (ESOP) Product Services Personal User Privacy Policy" ("Privacy Policy"), which is as set out below.

1. To help you understand how we collect and use your personal information and sensitive personal information when you use our products and the service, we have updated the ESOP Personal Information Collection Checklist. We also have bolded and underlined the contents of sensitive personal information for your information.

2. To help you understand the cross-border transfer of personal information, we have updated Section 9, "How your Personal Data is transferred globally", to provide you with more detailed information.

Content

Your trust is very important to us. We are well aware of the importance of Personal Data to you. We will take corresponding security protection measures in accordance with the requirements of laws and regulations, and endeavour to keep your Personal Data safe and controllable. We are committed to maintaining your trust in us and protecting your Personal Information by adhering to the following principles: balancing rights with responsibilities, clear purpose, consent, minimum necessary, security, participation of PI Subjects, transparency. In view of this, Futu Network Technology (Shenzhen) Co., Ltd. And its affiliates, as the providers of services of Futu Employee Equity Incentive Plan (ESOP) Product and Services (referred to as "we" or "Futu") have formulated this "Privacy Policy" (hereinafter referred to as "this Policy") and would like to remind you that: This Policy applies to any use of the ESOP platform products and services. Before using the ESOP platform products and services, please be sure to read and thoroughly understand this Policy, and use related products or services only after confirming your full understanding and agreement to this Policy. Once you start using the ESOP platform products and services, you are deemed to have fully understood and agreed to this Policy.

If you have any questions, comments or suggestions about the content of this Policy, you can contact us by email at privacy@futunn.com. Our contact information is as follows:

Contact: Futu Data and Personal Information Protection Centre

Address: 25F, Building D1, Kexing Science Park, Nanshan District, Shenzhen

Postcode: 518000

This Policy will help you understand the following:

1. How we collect your Personal Data

2. How we use the Personal Data we collect

3. How we use cookies and similar technologies

4. How do we share, transfer and publicly disclose your Personal Data

5. How we protect your Personal Data

6. How we store your Personal Data

7. Your right to manage your Personal Data

8. How do we protect the Personal Data of minors

9. How your Personal Data is transferred globally

10. How our processing of your sensitive personal information may affect your rights

11. Information we may send you

12. Updates to this Policy

13. Scope of application of this Policy

14. How to contact us

1. How we collect your Personal Data

In order to provide services to you, maintain the proper functioning of the ESOP platform products and services, improve and optimize our service experience, and protect your account security, we may collect your personal information and information based on your use of ESOP products and services for the following purposes and in the manners described in this policy:

1.1 ESOP platform account login

Only when your company has entered into a partnership with the ESOP services and you are authorized to use the ESOP platform for the purpose of your company's incentive plan, can you log in and use the ESOP platform products and services.

To ensure the security of your account, you will be required to provide your mobile phone number and SMS verification code to complete initial account verification when you first log in to use the products or services on the ESOP platform;

After the verification, if you have already created a Futubull account and linked it to your mobile number, then you need to provide your password to complete the password verification to log in; if your mobile number is not linked to any Futubull account, the system will generate a Futubull account for you, and you can set a password for it.

To complete the final verification, you need to provide the last six digits of your ID number. Then you can login successfully. We collect your ID number and other information to complete multiple verifications to fully secure your account and provide the necessary information for ESOP platform account login and service creation. If you refuse to provide it, you will not be able to use our services.

1.2 ESOP equity incentive user services

1) Once your company has entered into a partnership with Futu ESOP services, the company ESOP administrator (usually an authorized person in the company) will provide Futu with your personal information to enable the ESOP platform and to complete the subsequent equity incentive service. Your personal information includes: name, mobile number, ID number, email, employee ID and tax information.

You confirm that you have authorized your company and authorized personnel to provide the above personal information to Futu for the purpose of providing ESOP platform products or services.

2) We may also be instructed by the company to collect your name, date of birth, user ID, ID number, nationality, bank account information, address, Futubull ID, stock positions, positions quantity, transaction history, funds records and tax information through the ESOP platform under the special arrangement model of certain incentive plans.

The personal information we collect through the above channels will be used to support the opening and subsequent operation of your employee option and long-term incentive plans to ensure that the ESOP service is available to you or continues to be available to you for exercise, trading, settlement, and other related services, and to meet the requirements of overseas statutory reviews. If you refuse to provide it, we will not be able to provide you and the Company with the appropriate exercise, trading, settlement, and other related services.

1.3 Secure operation of ESOP products and services

In order to protect the regular use of ESOP products and services, the safety of users' accounts, and to identify abnormal account status, we may collect the following personal information from you:

a) Log information: When you use the products or services provided by our website or client, we will automatically collect your detailed usage of our services and save them as relevant network logs. For example, your login account, search query content, IP address, browser type and version, language used, date and time of access, and web browsing records you visit, length of stay, refresh records, and operation records.

b) Device information: When you use the products or services provided by our website or client, we will receive and record the device-related information (such as operating system and version) you are using.

1.4 Other circumstances

In addition, we may collect and use your relevant Personal Data without asking for your authorization when we are required to do so in order to comply with applicable law or court order:

a) Directly related to national interests such as national security, national defense security, etc.;

b) Directly related to significant public interests such as public safety, public health and public right to know；

c) Directly related to crime investigation, prosecution, trial and execution of judgments;

d) For the purpose of protecting your life, property, reputation, and other significant legitimate rights and interests or those of other individuals but where it is difficult to obtain your consent;

e) Where the personal information collected is disclosed to the public by you;

f) Where personal information is collected from information that is lawfully and publicly disclosed, such as legitimate news reports, government information disclosure, and other channels;

g) Necessary for the signing and performance of a contract at your request;

h) Necessary for maintaining the safe and stable operation of the product or services, such as detecting and solving malfunctions of the product or services;

i) Necessary for the conduct of legitimate news reporting;

j) Necessary for statistical or academic research in the public interest and where it provides the results of academic research or descriptions to the public by de-identifying the personal information contained in the results；

k) Other circumstances as provided by law and regulations.

1.5 Please understand that the functions and services we provide to you are constantly being updated and developed. If a function or service is not in the above description and your information is collected, we will notify you through page prompts, interactive processes, and website announcements. The content, scope and purpose of information collection will be explained to you separately by other means.

1.6 We may obtain relevant information that you authorize to share with our affiliates and third-party partners. We will collect and use your information under the premise of complying with relevant laws and regulations, in accordance with the agreement with affiliates or third-party partners, and on the premise that the sources of information provided by them are legal.

1.7 Information provided by you may include your personal sensitive information, such as bank account numbers, transaction records, virtual property information, system account numbers, email addresses and their related passwords, phone numbers, web browsing records, and location information. Please be careful and pay attention to sensitive Personal Data, and you agree that we can process your sensitive Personal Data in accordance with the purposes and methods described in this Policy.

1.8 In addition to the scenarios already listed above, we may also collect and process your personal information for the purposes of providing services to you, such as customer service, account management, etc. You can learn more about how we collect and use your personal information by clicking on the "ESOP Personal Information Collection Checklist". If you do not agree to provide personal information under certain features, you will not be able to use those features, or it may affect your access to the full range of features and the services.

2. How we use the Personal Data we collect

Based on the provisions of relevant laws and regulations, and for the purpose of providing you with services and improving service quality, and providing you with a safe, smooth, efficient and personalized experience, we will strictly abide by the provisions of laws and regulations regulating Personal Data and this Policy.

1) To provide you with various services;

2) To understand how you access and use the services and to meet your customized needs;

3) Development and service optimization: To optimize and develop our services. For example, when our system fails, we will record and analyze the information generated;

4) To send you marketing information to promote Futu services or third-party goods and services, recommend information and information you are interested in, and issue notifications related to Futu services;

5) To evaluate and improve our promotion campaigns and assess their effectiveness;

6) To improve our management software. For example, software certification, software upgrade, etc.;

7) To invite you to participate in surveys about our services;

8) To prevent, detect, investigate acts that are fraudulent, or which infringes the rights of any person, or which jeopardizes security, or is illegal, or violates any agreements, policies or rules with us or any of our affiliates; or to protect the legitimate rights and interests of any user, or the public, as well as us and/or our affiliates. We will use and/or integrate your Personal Data, service usage information, device information, log information, and information that our affiliates and partners have obtained from you with your authorization or shared in accordance with the law to comprehensively analyze your account and transaction risks, and identity verification; to detect and prevent security incidents; and to take necessary recording, auditing, analysis, and disposal measures in accordance with the law;

9) To ensure the security of the service and help us better understand the operation of our application. We may record relevant information, such as the frequency of your use of the application, crash data, overall usage, performance data and the source of the application, but we do not combine the information we store in the analytics software with the personally identifiable information you provide in the app;

10) Any other purpose authorized by you.

If we use your Personal Data beyond the scope of the purposes listed above that is directly or reasonably related to the any of the above purposes at the time of collection, we will inform you again and obtain your express consent before using your Personal Data for such purposes.

3. How we use cookies and similar technologies

3.1 Cookies

In order to provide you with an easier access experience, when you use ESOP platform products or services, we may use various technologies to collect and store data related to your access to ESOP platform products or services. When visiting ESOP platform products or services, we can identify your identity, and provide you with better and more services by analyzing data, including identifying your identity using small data files, in order to understand your usage habits, to save you the step of repeatedly entering account information, or to help determine the security of your account. These data files may be cookies, Flash cookies, or other local storage provided by your browser or associated application (collectively, "Cookies"). We will not use Cookies for any purpose other than those described in this policy. You can manage or delete Cookies according to your preferences. See AboutCookies.org for details. You can clear all Cookies saved on your computer, and most web browsers have a Cookie-blocking feature. However, if you do this, in some cases you may not be able to use some functions of the ESOP platform products or services that rely on cookies, and you need to personally change the user settings every time you visit our website.

3.2 Web Beacons and Pixel Tags

In addition to Cookies, we may also use other similar technologies such as web beacons and pixel tags on our website. For example, an email we send you may contain a click URL linking to the content of our website. If you click on the link, we will track the click to help us understand your product or service preferences and improve customer service. A web beacon is usually a transparent image embedded in a website or email. With the help of pixel tags in emails, we can tell if an email has been opened.

3.3 Do Not Track

Many web browsers have a Do Not Track feature that issues a Do Not Track request to a website. Currently, no major Internet standards organization has established policies governing how websites should respond to such requests. But if your browser has Do Not Track enabled, then we will respect your choice.

4. How do we share, transfer and publicly disclose your Personal Data

1) Share

We will not share your Personal Data with companies, organizations and individuals other than service providers related to ESOP products or services, except in the following cases:

a) Sharing with your consent: After obtaining your explicit consent, we may share your Personal Data with other parties.

b) Sharing under statutory circumstances: We may share your Personal Data externally in accordance with laws and regulations, the need for litigation and dispute resolution, or as required by administrative and judicial authorities in accordance with the law.

c) When you choose to use the online signing function of the ESOP, only by revealing your Personal Data (such as your name and other identity information) can you receive the third-party products and services you require, or use such products and services together with the equity management platform. At present, the third-party services we access mainly include: third-party platform "Docusign" and "Tencent Cloud" services, which provide online signing related functions or services. Such access to third-party services is operated by the relevant parties and is subject to the third-party's own terms of service and information protection statement (not this "Privacy Policy"). You agree to us sharing your Personal Data with such third parties.

d) If a complaint regarding you has been received, or where you lodge a compliant against others, we will provide your Personal Data and other complaint-related information to the relevant regulatory agencies for the purpose of resolving complaints and disputes, unless the provision of such Personal Data is expressly prohibited by laws and regulations.

e) We may exchange information (including your Personal Data) with other companies and organizations in order to comply with laws, to enforce or apply the conditions of use of our services and other agreements, or to prevent fraud and other illegal activities, or to reduce credit risks.

f) Sharing with our affiliates: Your Personal Data may be shared with Futu's affiliates. We will only share necessary Personal Data and subject to the purposes stated in this Policy. If the affiliated company wants to change the purpose of processing Personal Data, it will ask for your authorization again.

g) Sharing with authorized partners: Some of our services will be provided by authorized partners only for the purposes stated in this Policy. We may share some of your Personal Data with our partners to provide better customer service and user experience. For example, when you participate in a reward activity we offer, we must share your Personal Data with our partners in order to arrange for rewards to be issued, or to arrange for partners to provide services. We will only share your Personal Data for legal, legitimate, necessary, specific and explicit purposes, and only share Personal Data necessary to provide services. Our partners are not authorized to use the shared Personal Data for any other purpose.

h) Share with third parties in accordance with the relevant agreements between the ESOP platform "Futu I&E User Service Agreement" and you. We may share your Personal Data with such third parties. If you wish to learn more about our sharing of information with third parties, please read the Third-Party Information Sharing Instructions.

i) Other agreements between you and us about information sharing.

For companies, organizations and individuals with whom we share Personal Data, we will sign strict confidentiality agreements with them, requiring them to process Personal Data in accordance with our instructions, this Policy and other relevant confidentiality and security measures, and in accordance with all applicable laws.

2) Transfer

We will not actively transfer your Personal Data to third parties except in the following circumstances:

a) Where your express consent has been obtained in advance;

b) If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include user information among our assets transferred to or acquired by a third party. You acknowledge and agree that such transfers may occur, and that any parties who acquire us may continue to use your Personal Data according to this Policy, or we will require the company, organization to obtain authorized consent from you again;

c) Where it is necessary to transfer your Personal Data in accordance with the provisions of laws and regulations, and/or the requirements of competent authorities.

3) Public disclosure

We will only publicly disclose your Personal Data in the following circumstances:

a) After obtaining your explicit consent;

b) Public disclosure based on law: We may publicly disclose your Personal Data if required by law, or any governmental authority or pursuant to any court order;

c) If we determine that you have violated laws and regulations or seriously violated the relevant agreement rules of ESOP products or services, or in order to protect the safety of any person or the safety of any property or the ESOP products or services, or the safety of us or any of our affiliates, or the safety of any other users, or to protect the public from your infringement, we may disclose your Personal Data with your consent in accordance with laws, regulations, and rules of the ESOP product or service-related agreements, including without limitation information regarding your violations and the measures that the ESOP products or services have taken against you

4) Exceptions to prior authorized consent for personal information sharing, transfer, and public disclosure

a) Directly related to national interests such as national security, national defense security, etc.;

b) Directly related to significant public interests such as public safety, public health, and public right to know；

c) Directly related to crime investigation, prosecution, trial, and execution of judgments;

d) For the purpose of protecting your life, property, reputation, and other significant legitimate rights and interests or those of other individuals but where it is difficult to obtain your consent;

e) Where the personal information collected is disclosed to the public by you;

f) Where personal information is collected from information that is lawfully and publicly disclosed, such as legitimate news reports, government information disclosure, and other channels;

g) Please note that, according to the law, sharing or transferring personal information that has been anonymized and ensuring that the recipient can't recover and re-identify the subject of the personal information is not considered an act of sharing, transferring, or publicly disclosing personal information to the public. The storage and processing of such data will not require separate notification to you and your consent.

5. How we protect your Personal Data

1) We will take various preventive measures to protect your Personal Data to protect your Personal Data from loss, misappropriation and misuse, as well as unauthorized access, disclosure, alteration or destruction. To ensure the security of your Personal Data, we have strict information security regulations and procedures, and a dedicated information security team strictly implements the above measures within the company.

2) We take security protection technologies and procedures such as system encryption measures, access management control and restriction, timely deletion or desensitization of relevant data, etc., to protect users' personal data from unauthorized access, use or disclosure, and to protect data and personal data. information security. Our data security and personal information protection capabilities have achieved certifications including but not limited to the following: ISO29151: certificate of practice for personally identifiable information protection, ISO27701: certificate of privacy information management, ISO27001: certificate of information management, SOC1 Report, and Certification of Information security technology cybersecurity protection 3.0.

3) We will take all reasonable and feasible measures to ensure that irrelevant personal data is not collected. We will only retain your Personal Data for as long as is necessary to achieve the purposes described in this Policy, unless an extension of the retention period is required or permitted by law.

4) We will establish an emergency response plan. If a security incident such as Personal Data leakage occurs, we will activate an emergency plan to prevent the expansion of the security incident. We will promptly notify you of the relevant information of the event by email, letter, telephone, push notification, etc. When it is difficult to inform the subject of Personal Data one by one, we will take a reasonable and effective way to publish an announcement.

5) The Internet environment is not 100% secure. Although we have these security measures, please note that there are no "perfect security measures" on the Internet, and we will try our best to ensure the security of your information. You can prevent your password from leaking and endanger your account security by not disclosing your login password or account information to anyone (unless the person is officially authorized by you). We recommend that you do not use the service on any device or operating system that has been modified outside the scope of the device vendor's license or warranty (eg, a "jailbroken" mobile device). The use of this service on the aforementioned devices or operating systems may lead to the risk of Personal Data leakage. We are not responsible for security omissions caused by third parties accessing your Personal Data due to your failure to keep it private. Notwithstanding the foregoing, you should notify us immediately of any unauthorized use of your account by any other Internet user or of any other security breach. Your assistance will help us protect the privacy of your Personal Data. At the same time, we will also proactively report the handling of Personal Data security incidents in accordance with the requirements of regulatory authorities.

6. How we store your Personal Data

1) We will store your Personal Data collected in China in accordance with relevant laws and regulations, and keep such information strictly confidential in accordance with the law. In some cases, we may transmit the relevant user Personal Data to our affiliates and other third parties in other jurisdictions. We will implement any such transmission in accordance with all applicable laws, and through effective measures such as signing agreements and on-site inspections.

2) Generally speaking, we only keep your Personal Data for the shortest time necessary to achieve the purpose. However, in the following cases, we may change the storage time of Personal Data to meet legal requirements:

a) In order to comply with applicable laws and regulations and other relevant regulations;

b) To comply with court judgments, rulings or other legal procedures;

c) To comply with the requirements of relevant government agencies or legally authorized organizations;

d) Where it is reasonable and necessary to do so for the purposes for the implementation of relevant service agreements or this Policy, the protection of the persons and property, the protection of other users, our employees, us and/or our affiliates, and/or to protect any other legitimate rights and interests.

7. Your right to manage your Personal Data

1) During your use of ESOP products or services, in order for you to access, correct and delete your Personal Data more conveniently, and to protect your right to withdraw your consent to the use of Personal Data and cancel your account, you can manage your Personal Data by:

a) Access your Personal Data: if you wish to access the Personal Data in your account, you can view it on the personal information page after logging in to the ESOP system;

b) To correct your Personal Data: if you want to correct your email address, you can go to the personal information page to correct after logging in to the ESOP system. If you want to correct any other Personal Data, you can contact the ESOP administrator, and that administrator will contact Futu for assistance to correct your Personal Data;

c) To delete your Personal Data: you can contact the ESOP administrator, and that administrator will contact Futu for assistance to delete your Personal Data;

d) To cancel the account: you can contact the ESOP administrator, and that administrator will contact Futu for assistance to delete your account;

e) To withdraw your consent to the processing of Personal Data: you can contact the ESOP administrator, and that administrator will contact Futu to withdraw your consent granted to Futu to process your Personal Data;

f) To obtain your Personal Data: you can contact the ESOP administrator, and that administrator will contact Futu to obtain your Personal Data stored with Futu;

g) To release the account binding: you can contact the ESOP administrator and ask the administrator to release the binding relationship between your Futubull account and the products or services of the ESOP products and services. After such unbinding, you can no longer log in to ESOP system.

2) If you find that our collection and use of your Personal Data violates the provisions of any applicable laws or any agreement between us, you can contact us at privacy@futunn.com and request to delete your data that has been collected under such violations.

3) If you find that your Personal Data collected and stored by us is wrong, you can contact us at privacy@futunn.com and ask us to correct it in time.

8. How do we protect the Personal Data of minors

We attach great importance to the protection of minors' Personal Data, but ESOP products, services and websites and services are mainly for adults, and we will not collect minors' Personal Data knowingly. If you find that we have unintentionally collected Personal Data of minors, please notify us immediately, and we will try to delete the relevant data as soon as possible.

9. How your Personal Data is transferred globally*

In general, the Personal Data we collect and generate in China will be stored in China.

Since we provide products or services through resources and servers all over the world, this means that, your Personal Data may be transferred to jurisdictions outside the country/region where you use the products or services, or subject to access from these jurisdictions. Such jurisdictions may have different data protection laws or even no relevant laws. In such cases, we shall ensure that any Personal Data transferred outside of China will be afforded a standard of protection that is comparable to the protection required under the PDPA. For example, we will request your individual consent for cross-border transfers of personal information, sign cross-border transfer agreements with foreign receivers, and implement security measures such as data de-identification before cross-border data transfers to fully protect the rights and security of your personal information.

10. How our processing of your sensitive personal information may affect your rights

Qualitative assessment, for example, can be conducted according to the “Information Security Technology – Security Impact Assessment Guide of Personal Information” (“The guide”), and be based on four dimensions: (1) influencing personal self-determination rights, (2) causing differential treatment, (3) causing personal reputational damages and mental stress, and (4) damaging personal property. In the scenarios where we process your sensitive personal information in accordance with this policy, we assess the degree of impact on your personal rights as set out in the table below:

Impact Dimension	Impact Description	Degree of Impact
Influencing personal self-determination rights	E.g., extra time costs.	Low
Causing differential treatment	E.g., extra time costs to acquire fair services or qualifications, etc.	Low
Causing personal reputational damages and mental stress	E.g., frequent nuisance, weariness and annoyance, etc.	Low
Damaging personal property	Such as, extra procedures (or providing extra evidentiary documents) to correct personal information, etc.	Low

Note: This assessment is only an indication of the relative adverse impact on your personal rights by referring to the guide. It does not mean that you will suffer such adverse impacts from our processing of your sensitive personal information.

11. Information we may send to you

1) When you use our services, we may send to you emails, text messages, information or push notifications. You can choose to unsubscribe from such notifications on your device by following our tips.

2) We may issue service-related announcements to you when necessary (for example, when a service is suspended due to system maintenance). You may not be able to cancel these service-related announcements that are not advertising in nature.

12. Updates to this Policy

We may from time to time update this Policy to take into account changes to the law, our business or any other relevant factors. Changes to this Policy will be posted on our website, and by the posting of any revised Policy on our website, you shall be deemed to have been notified of the changes made to the Policy and you shall agree to be bound by such updated Policy. If you are unsure whether you are reading the most current version, please contact us. Without limiting the foregoing, if you continue to use our services, you agree to be bound by the revised and updated Policy.

13. Scope of application of this policy

1) This policy applies to the products and services of the ESOP products and services of Futu that you use, except for services that we expressly state that our other specially formulated separate privacy policies or terms apply. However, some services have set their specific privacy guidelines/statements according to their needs. If there is any inconsistency between this policy and the privacy guidelines/statements of specific services, please refer to the specific privacy guidelines/statements.

2) The titles of all clauses of this Policy are for reading convenience only, have no actual meaning in themselves, and cannot be used as the basis for the interpretation of the meaning of this policy.

14. How to contact us

If you have any questions, comments or suggestions about this Policy or data processing, you can contact us by email at privacy@futunn.com, our contact details are as follows:

Contact: Futu Data and Personal Information Protection Centre

Address: 25F, Building D1, Kexing Science Park, Nanshan District, Shenzhen

Postcode: 518000

Email: privacy@futunn.com

Under normal circumstances, we will reply within fifteen days after receiving your relevant contact information and verifying your identity.

ESOP Personal Information Collection Checklist
Core Scenarios/Business Functions	Information Types	Collection/Use Purpose	Retention Period
Registration and login	Name, mobile number, verification code, password, (ID number, passport number or other identification), email, employee number, tax information	Account verification and login	During the existence of ESOP account
	Device information (device model, operating system and version, client version, device resolution, hardware and software information)	Data to identify the device (e.g., device serial number) or data about the device (e.g., browser type); Troubleshooting, system updates, and software adaptations to enhance the user experience	During the existence of ESOP account
Account management	Name, mobile number, password, ID number (resident ID number or passport number),verification code, email, face recognition information (if enabled)	Reseting the mobile number or email linked to your ESOP account and identify verification	During the existence of ESOP account
	Profile photo and name	Improving online identity and providing customized displays
	Device information (device model, operating system and version, client version, device resolution, historical login device information)	Data to identify the device (e.g., device serial number) or data about the device (e.g., browser type); Troubleshooting, system updates, and software adaptations to enhance the user experience; Manage login devices to prevent others from stealing your account
	ESOP platform account information, such as account name, username, password	Retrieving and changing the password, unlocking and canceling the account
Exercise and trading	Name, ID number (resident ID number or passport number), Futubull ID, user ID, employee ID, account statement (settlement information: payment batch, initiate date of settlement, settlement net income), account statement (tax information: incentive tax, remitted tax, current tax settlement)	Foreign exchange settlement services	Retention periods stipulated by applicable laws and regulations
	Name, ID number (resident ID number or passport number), Futubull ID, nationality, bank account information (bank card, account name, bank international code (SWIFT CODE), international bank account number (IBAN))	Futu' statutory review	Retention periods stipulated by applicable laws and regulations
Customer services	Contact records with customer service, ESOP account information, identity verification information, and other information necessary to resolve user inquiries	Responding to user complaints and suggestions, inquiries and disputes	During the existence of ESOP account
Safe operation	Log information such as login account, search query content, IP address, browser type, telecom operator, network environment, language used, registration years, access date and time, web browsing history you visited, length of stay, refresh record, operation record, device information (historical login device information such as device model, operating system and version, client version, etc.)	To ensure the regular use of products and services, the security of users' accounts, and to identify abnormal account status	During the existence of ESOP account
Employees management	Name, employee number, Futubull account, email, mobile number, ID number (resident ID number or passport number), tax residence identity	User basic information management	During the existence of ESOP account
Grant management	Name, employee number, Futubull account, email, mobile number, ID number (resident ID number or passport number), tax residence identity	User basic information management	During the existence of ESOP account
E-signing	Name, employee number, Futubull account, mobile number, email, face recognition information (if enabled), ID number (resident ID number or passport number)	Used for protocol signing notification and signatory identity verification	During the existence of ESOP account
Report management	Name, employee number, Futubull account, email, mobile number, ID number (resident ID number or passport number)	Used for incentive data statistics and holdings statistics	During the existence of ESOP account

Description of Information Sharing with Third Parties

For the purposes of user verification, mobile device security, receiving information pushes, account verification and login, and information security, the ESOP platform may share information with third parties in the course of providing services to you. We have listed below the names of these third-party service providers, the purposes, links to their websites, and privacy policies.

1. SDK

None.

2. Non-SDK

No.	Name	Info Type	Purpose	Receiver	Link	Platform
1	Docusign	User identification information, including name and ID number; contract information	Using the online signatures of Docusign to generate a unique digital certificate for the client and to use it for online agreement signing; generating electronic agreements	Hangzhou BestSign Network Technology Co.,Ltd.	Website: https://www.bestsign.cn/ Privacy Policy: https://ent.bestsign.cn/account-center/legal-agreement/privacy-policy	web
2	Tencent Cloud	User identification information, including name and ID number	Use two-factor authentication and face ID service from Tencent Cloud to verify domestic clients' identities and ensure the validity of agreement signing	Shenzhen Tencent Computer Systems Company Limited	Website: https://cloud.tencent.com/ Privacy Policy: https://cloud.tencent.com/document/product/301/11470	web