Privacy Notice and Policy - Legend Link Limited

Effective Date: January 1, 2026

Company: Legend Link Limited

Service: iAiluropoda IoT Platform

Official URL:https://www.legendlink.tech/privacy

1. Introduction

Legend Link Limited (“we“, “us“, or “our“) is committed to protecting the privacy and security of your personal data. This Privacy Notice and Policy explains how we collect, use, disclose, and safeguard your information when you use our cloud-native iAiluropoda IoT platform (the “Service”).

This document is designed to comply with global data protection regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the CPRA. By accessing or using the Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy.

2. Information We Collect

In the course of providing the iAiluropoda IoT platform, which facilitates device management, data telemetry, and rule-based event processing, we collect the following categories of information:

System and Usage Logs: Audit logs, authentication events, API calls, and platform interaction metrics.

Account and Identity Data: Names, email addresses, business contact details, and authentication credentials (passwords are never stored in plaintext).

IoT Device and Telemetry Data: Device identifiers, IP addresses, sensor readings, operational status, and metadata transmitted by your connected IoT devices to our platform.

3. Data Hosting and Residency

Exclusive Data Center Location: All cloud infrastructure, application services, and customer data (including personal data and IoT telemetry) are hosted exclusively within the Alibaba Cloud Hong Kong (ap-east-1) data center.

We maintain strict data residency controls. Legend Link Limited does not store, process, or replicate customer data in cn-hangzhou, ap-southeast-1 (Singapore), or any other geographic region outside of the designated Hong Kong (ap-east-1) environment.

4. Data Security and Protection Controls

We implement robust, defense-in-depth technical and organizational measures to ensure the confidentiality, integrity, and availability of your data. Our security architecture is built upon the Alibaba Cloud Well-Architected Framework and includes the following mandatory controls:

4.1. Encryption

Data in Transit: All data transmitted over public networks and between internal services is encrypted using TLS 1.2 or higher with strong cipher suites.
Data at Rest: All customer data, including databases, object storage, and block storage volumes, is encrypted at rest using the industry-standard AES-256 algorithm.
Key Management: Cryptographic keys are securely managed, rotated, and protected using Alibaba Cloud Key Management Service (KMS).

4.2. Authentication and Access Control

Password Security: Passwords are never stored in plaintext. All customer and employee passwords are hashed using bcrypt with a unique, randomly generated salt per user. We enforce strict password complexity and check against known breached credential databases.

Multi-Factor Authentication (MFA): MFA (via TOTP or SMS) is supported for all users and is strictly mandatory for all administrative and privileged access to the platform.

Infrastructure Access: Direct access to production networks is prohibited. All internal administrative access is brokered exclusively through an Alibaba Cloud Bastion Host requiring MFA, ensuring secure and audited administrative sessions.

4.3. Threat Detection and Monitoring

Perimeter Defense: An Alibaba Cloud Web Application Firewall (WAF) is deployed to protect the platform against common web exploits (e.g., SQL injection, XSS) and malicious traffic.

Continuous Monitoring: We utilize Alibaba Cloud Security Center for continuous vulnerability scanning, threat detection, and baseline security checks across our cloud assets.

Audit Logging and Retention: All security-relevant events, including authentication attempts, API calls, privilege elevations, and system changes, are comprehensively logged via Alibaba Cloud ActionTrail and system-level Auditd. These logs are retained for a minimum of one (1) year to support forensic investigations and compliance audits.

5. GDPR Compliance (For EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), Legend Link Limited processes your personal data in accordance with the GDPR. We act as a Data Processor for the IoT telemetry data you ingest into the platform, and as a Data Controller for your account management data.

5.1. Legal Basis for Processing

In the course of providing the iAiluropoda IoT platform, which facilitates device management, data telemetry, and rule-based event processing, we collect the following categories of information:

5.2. Your Data Subject Rights

Under the GDPR, you possess the following rights regarding your personal data:

Right of Access: Request copies of your personal data.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal and retention obligations.
Right to Restrict Processing: Request the limitation of data processing under certain conditions.
Right to Data Portability: Request the transfer of your data to another organization or directly to you.
Right to Object: Object to our processing of your personal data.

To exercise these rights, please contact our Data Protection Officer at the details provided in Section 8.

6. CCPA Compliance (For California Residents)

This section applies solely to all visitors, users, and others who reside in the State of California. We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act (CPRA).

6.1. Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information: Identifiers (e.g., name, email, IP address), Customer Records (e.g., account details), and Internet or other similar network activity (e.g., interaction with our platform).

6.2. “Do Not Sell or Share My Personal Information”

Legend Link Limited does not sell your personal information. We also do not share your personal information with third parties for cross-context behavioral advertising. Therefore, we do not offer an opt-out mechanism for the sale of personal data.

6.3. Your California Privacy Rights

Right to Know: You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months.
Right to Delete: You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Specifically:

Customer Account Data: Retained for the duration of your active subscription and deleted within 30 days following account termination, unless legally required otherwise.
Audit and Security Logs: Retained for a minimum of one (1) year to ensure platform security, compliance, and incident response capabilities.

8. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Notice and Policy, or if you wish to exercise your privacy rights under GDPR or CCPA, please contact our Information Security and Privacy team:

Company: Legend Link Limited
Privacy Policy URL: https://www.legendlink.tech/privacy
Email: alanc@legendlink.tech
Mailing Address: Unit A, 14/F., Wah Lik Industrial Centre, 459-469 Castle Peak Road, Tsuen Wan, N.T., Hong Kong

Document Version: 2.0 | Last Updated: March 14, 2026