General Data Protection Regulation (GDPR) WHITEPAPER
Tuya Inc.
Classified as Confidential and Copyrighted
Unauthorized Duplication and Distribution are NOT ALLOWED
1. DISCLAIMER
This document is a broad overview of the General Data Protection Regulation 2016/679 (GDPR) issued by the European Parliament and Council of the European Union, which took effect on May 25, 2018. It demonstrates Tuya's dedication to fully comply with GDPR regulations, supported by consultation from TrustArc, a leader in privacy compliance and data protection.
Tuya invested significant effort in gap analysis and remediation during GDPR enforcement. In July 2019, Tuya received its finalized GDPR Validation Report from TrustArc. Tuya has maintained this validation, with the latest report dated January 27, 2021.
This whitepaper serves as a general introduction to GDPR obligations and evidence of enforcement, targeting Tuya Customers and relevant stakeholders for familiarization with Tuya's privacy and compliance commitments. The information herein does not modify existing contractual arrangements and may be subject to change over time.
Tuya is committed to protecting corporate and individual customer personal data. Compliance with Data Protection Legislation is critical for maintaining customer trust. This whitepaper outlines Tuya's approach to GDPR preparation and compliance, and may be updated as legislation evolves.
2. TERMS
This whitepaper defines key terms as per GDPR. Terms like 'the authority', 'recipients', and 'third party' have the same meaning as in GDPR.
"Data Protection Legislation" means, as applicable: (i) EU Directive 95/46/EC, (ii) GDPR, and any related national laws, legislation, rules, or regulations concerning privacy and data protection. This includes legislation made under or in relation to these.
"controller" means the Party that determines how and for what purposes personal data is processed.
"processor" means the Party that processes personal data on behalf of the controller.
"data subject" means an individual to whom personal data relates.
"processing" means any operation performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, restriction, erasure, or destruction.
"personal data" means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person can be identified directly or indirectly, particularly by reference to an identifier such as name, identification number, location data, and online identifiers (e.g., IP address, cookie ID).
3. APPLICATION SCOPE
3.1. Entity Scope
GDPR applies to any company handling personal data of residents in the European Union (EU) and European Economic Area (EEA). Tuya's global operations, including all wholly owned legal entities, subsidiaries, branches, and registered offices, are subject to GDPR, particularly in the EU.
Tuya Inc. | EU/EEA | North America |
---|---|---|
Tuya (HK) Ltd. | Tuya Global Inc. | |
Hangzhou Tuya Information Technology Co., Ltd. | Tuya GmbH | |
Hangzhou Tuya Technology Co., Ltd. | | |
Hangzhou Tuya Information Technology Co., Ltd. (Shenzhen Branch) | Tuya Smart Inc. | |
TuyaSmart (India) Private Limited | | |
3.2. Partners and Customers
Tuya empowers its partners and customers to offer their end-customers the GDPR rights to control their personal data. Tuya's customers operating in the EU/EEA or collecting personal data are subject to GDPR. While Tuya's compliance helps, partners and customers must independently ensure their own business practices, technical, and organizational measures comply with GDPR and relevant legislation in their operating jurisdictions.
3.3. Validation Scope
The validation focused on Tuya's IoT Product Line, including:
- IoT platform (data controller)
- Tuya Cloud (data controller + data processor)
- Tuya Mobile Apps: Tuya Smart App and Smart Life App (data controller)
- Other OEM branded App (data processor)
- Tuya API/SDK (data processor)
4. CONTROLLER VS. PROCESSOR
4.1. Being a Controller
GDPR defines controllers and processors with distinct obligations. Tuya acts as both, depending on the business context. A controller determines the purposes and means of personal data processing. The following indicators help determine if a company acts as a controller:
- [ ] We decided to collect or process the personal data.
- [ ] We decided what the purpose or outcome of the processing was to be.
- [ ] We decided what personal data should be collected.
- [ ] We decided which individuals to collect personal data about.
- [ ] We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
- [ ] We are processing the personal data as a result of a contract between us and the data subject.
- [ ] We make decisions about the individuals concerned as part of or as a result of the processing.
- [ ] We have a direct relationship with the data subjects.
- [ ] We have appointed the processors to process the personal data on our behalf.
When Tuya acts as a data controller, personal data is collected directly from users of Tuya products and services, with Tuya determining the purposes and means of processing as outlined in the Tuya Privacy Policy. Users can withdraw consent or file complaints if processing is against their intention or has been misinterpreted.
4.2. Being a Processor
A processor processes personal data on behalf of the controller. The following are indicators of acting as a processor:
- [ ] We are following instructions from a Customer or someone else regarding the processing of personal data.
- [ ] We were given the personal data by a Customer or similar third party.
- [ ] We do not decide to collect personal data from Customer's individuals.
- [ ] We do not decide what personal data should be collected from individuals, although this depends heavily on the service.
- [ ] We do not decide the lawful basis for the use of that data.
- [ ] We do not decide what purpose or purposes the data will be used for, e.g. marketing.
- [ ] We do not decide whether to disclose the data, or to whom.
- [ ] We do not decide how long to retain the data, but the Customers do.
- [ ] We are not interested in the end result of the processing.
For customized Apps or OEM Apps, Tuya acts as a data processor, with customers (data controllers) determining the personal data and volume to be processed. Tuya processes information according to customer requirements, limited to providing agreed-upon services.
4.3. Data Processing Obligations
GDPR outlines 7 data protection principles that guide Tuya's data processing activities:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently. Tuya's Privacy Policy informs users about data collection and processing activities, and how to exercise their rights. The policy is updated promptly.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not processed further incompatibly. Tuya clarifies processing activities in its Terms of Use and Privacy Policy. Any new purposes require an updated privacy notice.
- Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary. Tuya collects only the minimum necessary personal information agreed upon by users.
- Accuracy: Personal data must be accurate and kept up to date. Tuya handles requests for data updates and rectifications. Accurate contact information is crucial for services like SMS notifications.
- Storage Limitation: Personal data must be stored no longer than necessary. Tuya's Data Retention Policy specifies retention periods, after which data is returned or destroyed, unless legally required otherwise.
- Integrity and Confidentiality: Personal data must be secured against loss, destruction, or damage. Tuya employs safeguards like encryption, robust network security (Firewall, WAF), dynamic encryption keys, and TLS 1.2 for communication channels. More information is available in the Tuya Information Security White Paper.
- Accountability: Data controllers must demonstrate compliance with these principles. Tuya is accountable for GDPR compliance, supported by its documented Privacy Management Framework, program controls, and reporting structures.
4.4. Subprocessing
When Tuya acts as a Processor, data processing activities are instructed by data controllers. If Tuya engages a third party (subprocessor), consent from controllers is required. Subprocessors are used for:
- Storing platform/App data
- Operating the website and other platform portions
- Managing support inquiries
A list of subprocessors is available upon request.
4.5. Data Inventory for Processing
Tuya maintains records of processing activities as required by GDPR Article 30. Data sources include Tuya Cloud, OEM branded Apps, Tuya API/SDK, and passive collection via cookies and web beacons. Data inventory disclosure is made only upon explicit written request on a lawful basis.
5. LEGAL BASIS FOR PROCESSING
Personal data processing requires a recognized legal basis. Tuya processes information primarily based on:
- Consent: Users provide clear consent for specific purposes as outlined in the Privacy Policy.
- Contract: Processing aligns with agreed-upon terms in Contracts or relevant documents.
- Legal Obligation: Processing complies with applicable laws, excluding contractual obligations.
6. INTERNATIONAL TRANSFERS
Personal data of EU/EEA residents can only be transferred outside the EEA if adequate protections are in place. Tuya has a data processing center in Germany, with EU personal data stored securely in Frankfurt and Amsterdam. International transfers are based on approved EU standard contractual clauses per GDPR Art. 46, as published HERE.
Tuya may transfer personal information to subprocessors in other countries (e.g., U.S.) for processing, ensuring protection as described in the Security and Compliance White Paper and contractual agreements. Customers instructing Tuya to transfer data outside the EU/EEA must fulfill standard contract clauses and inform Tuya.
7. DATA SUBJECTS RIGHTS
Data subjects (Customers and users) have rights over their personal data, with requests generally addressed within one month.
7.1. Right of Access
Users can access their personal data collected by Tuya. Information that cannot be accessed directly will be provided within 30 days. The procedure involves navigating the App: Me > Setting > Privacy Policy Management > Export Personal Information. Alternatively, requests can be sent to privacy@tuya.com. Users are entitled to confirmation of data processing and details about purposes, categories, and disclosures. A form is provided for information requests.
Personal Information details for request:
- Type of Privacy Right
- Email address to confirm the request
- App Name
- Account Name for the App
- Product Device Name
- Device ID (obtainable via App: device control page > '...' icon > 'Device Info' > 'Virtual ID')
- Any other information to help locate personal data
- Specific Details of the Information Requested
Requests are processed by the privacy office, technical support, and the big data team. User data is sent via email or a link within 30 days.
7.2. Right to be Forgotten
Data subjects can request erasure of their personal data. Users can proactively delete their accounts via the App. If a user does not log in for 7 consecutive days after confirming account deletion, all personal data will be physically deleted. Logging in within 7 days cancels the deletion request.
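The grace-period logic described above, as an added illustration that is not Tuya's code and not documented on the page in this form: a deletion request starts a 7-day clock, a login inside the window cancels it, and a scheduled purge job physically erases personal data once the window has elapsed. The `Account` class, the in-memory store, the 7-day boundary handling (a login at exactly 7 days loses to the purge job) and all sample values are constructed assumptions for the example.

```python
"""Account-deletion grace period (added example, not Tuya's own code).

Models section 7.2: after a user confirms account deletion, personal data is
physically erased only if the user does not log in for 7 consecutive days;
a login inside that window cancels the request. Names, the in-memory store
and the exact boundary rule are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD = timedelta(days=7)  # the 7 consecutive days named in section 7.2


@dataclass
class Account:
    account_id: str
    email: Optional[str]            # personal data, erased on purge
    nickname: Optional[str] = None  # personal data, erased on purge
    deletion_confirmed_at: Optional[datetime] = None
    deleted: bool = False

    @property
    def deletion_pending(self) -> bool:
        return self.deletion_confirmed_at is not None and not self.deleted


def request_deletion(acct: Account, now: datetime) -> str:
    """User confirms deletion in the App; the 7-day clock starts now."""
    if acct.deleted:
        return "already_deleted"
    acct.deletion_confirmed_at = now
    return "pending"


def record_login(acct: Account, now: datetime) -> str:
    """A successful login inside the grace window cancels the request.

    Assumption (not stated on the page): a login at exactly 7 days is
    outside the window, so the purge job, which uses >=, wins.
    """
    if acct.deleted:
        return "deleted"                 # nothing left to log into
    if not acct.deletion_pending:
        return "no_pending_request"
    if now - acct.deletion_confirmed_at < GRACE_PERIOD:
        acct.deletion_confirmed_at = None
        return "cancelled"
    return "grace_period_expired"        # too late; purge job will delete


def run_purge(accounts, now: datetime) -> list:
    """Scheduled job: physically erase accounts whose grace period elapsed.

    Returns the ids purged in this run so the job can be audited.
    """
    purged = []
    for acct in accounts:
        if acct.deletion_pending and now - acct.deletion_confirmed_at >= GRACE_PERIOD:
            acct.email = None            # erase the personal data fields
            acct.nickname = None
            acct.deleted = True
            purged.append(acct.account_id)
    return purged


def demo() -> dict:
    """Walk both paths of section 7.2 on constructed data."""
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account("user-1", email="user1@example.invalid", nickname="u1")
    out = {}
    request_deletion(acct, t0)
    out["login_day3"] = record_login(acct, t0 + timedelta(days=3))            # cancelled
    out["pending_after_cancel"] = acct.deletion_pending                       # False
    request_deletion(acct, t0)
    out["purge_day6"] = run_purge([acct], t0 + timedelta(days=6, hours=23))   # []
    out["purge_day7"] = run_purge([acct], t0 + timedelta(days=7))             # ['user-1']
    out["email_after_purge"] = acct.email                                     # None
    out["login_after_purge"] = record_login(acct, t0 + timedelta(days=8))     # deleted
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping the purge in a separate scheduled job rather than deleting inline makes the "7 consecutive days" rule auditable: the job's return value records exactly which accounts were erased and when, which is the evidence a controller needs for the accountability principle in section 4.3.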
7.3. Right to Rectify
Inaccurate personal information provided by the user (e.g., account name, time zone) can be manually modified in the App. Data collected through devices, such as logs, cannot be corrected.
7.4. Right to Restrict Processing
Processing of personal information may be restricted under certain conditions:
- Data subject contests accuracy, and Tuya is verifying it.
- Processing is unlawful, and the data subject requests restriction instead of erasure.
- Tuya no longer needs the data, but the data subject requires it for legal claims.
- Data subject objects to processing, and Tuya is determining if legitimate grounds override the subject's rights.
7.5. Right to Object
Individuals can object to certain personal data processing, such as opting out of marketing communications. This does not affect basic functions. Other personal information processing can be objected to by deleting the account.
7.6. Right to Data Portability
Users can request data portability via the App (Me > Setting > Privacy Policy Management > Export Personal Information) or by emailing privacy@tuya.com. Tuya Customer Service will confirm identity and coordinate data preparation. For customer data subjects, Tuya assists upon customer confirmation by raising a ticket via the Help Center, phone, or online form.
8. DATA PROTECTION & SECURITY
Tuya implements appropriate technical and organizational measures for data protection and security, including:
- Encryption of personal data
- Ensuring confidentiality, integrity, availability, and resilience of processing systems
- Access control mechanisms
- Ensuring availability and access to data during incidents
- Regular testing, security assessments, and evaluation of security measures
Further details are available in the Security and Compliance White Paper.
8.1. Data Protection by Design
Tuya employs technical and organizational measures to process only necessary personal data by default. The PIA/DPIA process in the Compliance Management Center identifies and remediates data privacy risks before business commencement.
8.2. Data Retention Policy
Tuya retains data in identifiable form only as long as necessary for notified and consented purposes. Retention periods are based on data amount, nature, and sensitivity. Data is destroyed upon expiry, unless legally required otherwise. Tuya uses coding or pseudonymization for longer retention periods. Customers define their own retention periods and inform Tuya.
Data retention considerations include:
- User requests to delete an account.
- Termination of service contracts with Tuya.
- Absence of active records for a user's account, app, devices, or voice controllers.
8.3. Data Processing Addendum (DPA)
Tuya prepares DPAs for customer review, detailing data processing activities and Tuya's security measures. Tuya provides advance notice of subprocessor changes and obtains written consent. DPA checklists verify vendor compliance with GDPR Article 28.
8.4. Vendor Management
Tuya manages vendor risk by evaluating subprocessors' privacy and security practices. Assessments are conducted before vendor onboarding and annually. DPAs ensure contractual obligations are met between Tuya and its subprocessors.
8.5. Data Breach Notifications
Organizations must report personal data breaches within 72 hours. Customers and users are informed of risks without undue delay. Tuya has an Incident and Data Breach Response Plan for detection, investigation, and reporting.
9. ACCOUNTABILITY & GOVERNANCE
9.1. Designation of DPO
Tuya appoints a senior technical expert and privacy manager as a Data Protection Officer (DPO) to monitor compliance, advise on data protection obligations, and act as a contact point for data subjects and supervisory authorities.
Annex I: Documentation for Further Reference
No. | Name of the document | Description |
---|---|---|
1. | Privacy Policy | Includes Privacy Policy for different Tuya products and services (Apps, websites, etc.). |
2. | Security and Compliance White Paper | Introduces Tuya's technological and infrastructural operations, cloud service maintenance, security implementation, and management to provide customers with in-depth understanding of Tuya's security organization and insights into Tuya Cloud. The document can be found HERE. |
3. | GDPR Compliance Validation Summary | Summary letter from TrustArc validating Tuya's privacy and compliance practices against GDPR requirements. The letter can be found HERE. |
4. | Standard Contractual Clauses | EU Standard Contractual Clauses for international data transfer (agreement based on approved GDPR Art. 46). It can be found HERE. |
5. | Tuya Data Processing Addendum (DPA) | DPA for Customers (data controller) and Tuya (data processor), and for Tuya and its vendors (subprocessor), regulating personal data processing for contracted business purposes. |
6. | Records of Processing Activity | Data Processing Activities according to Article 30 GDPR, including data inventory and processing records, disclosed upon Customer or legal request. |
7. | Tuya Data Retention Policy | Policy on data storage and processing, including retention periods for data collected from end users. Data is deleted or anonymized upon expiry. |
8. | Policy of Handling Individual Rights | Explains end-user rights and how Tuya fulfills GDPR obligations, directing customers to relevant guidance. |
9. | Incident and Data Breach Response Plan | Outlines Tuya's response to potential/actual data breaches, including incident identification, roles, and steps for breach management and follow-up. |
10. | Data Protection Impact Assessment (DPIA) Process Document | DPIA Template issued by the UK Information Commissioner's Office (ICO) and a sample DPIA assessment can be found HERE. A DPIA describes the process of identifying and minimizing risks from personal data processing. |
11. | Information Classification Guidelines and Matrix | Establishes a framework for classifying data sensitivity, value, and criticality to determine baseline security controls. |
12. | Business Continuity Planning (BCP) | A system for prevention and recovery from threats to Tuya services, ensuring personnel and assets are protected and functional during disasters. |
13. | Third Party Risk Management Policy (TPRM) | Uses a lifecycle approach to identify risks from third parties, creating a framework for systems and data access based on service. |