Ezily Privacy Policy

Effective Date: 03 September, 2025
Last Updated: 26 December, 2025

Ezily Co., Ltd. (“Ezily,” “we,” or “the Company”) is a Taiwan-based Software-as-a-Service (“SaaS”) provider. This Privacy Policy explains how we collect, process, store, use, share, and protect personal data in accordance with the Taiwan Personal Data Protection Act (“PDPA”) and, where applicable, selected principles inspired by the EU General Data Protection Regulation (“GDPR”).

This Privacy Policy should be read together with Ezily’s Service Agreement, Data Processing Agreement (“DPA”), and Acceptable Use Policy (“AUP”) and form part of the contractual framework between Ezily and each Client.

1. Our Roles

   1. Ezily as Data Processor
      For personal data processed through the Client’s LINE Mini App or related integrations (“Services” as defined in the Service Agreement), Ezily acts solely as a data processor on behalf of the Client (the data controller). Ezily processes such data strictly in accordance with the Service Agreement and the DPA and does not determine the purposes or essential means of processing.

   2. Ezily as Data Controller
      For personal data belonging to Client-authorized users who access Ezily’s own platform (e.g., admin dashboard, billing portal, support interface), Ezily acts as the data controller. Such processing is governed by this Privacy Policy.

   3. Client Responsibilities as Controller
      For Mini App end-user data, the Client is solely responsible for:

      • Providing all legally required privacy notices

      • Obtaining required consents

      • Determining purposes and means of processing

      • Ensuring compliance with applicable laws and LINE platform policies

      • Maintaining its own privacy policy applicable to end-users

      Ezily does not provide legal advice and assumes no responsibility for the Client’s legal obligations toward its Mini App end-users.

   4. Relationship Between This Policy and the DPA
      For personal data Ezily processes as a processor on behalf of the Client, the DPA prevails in case of any inconsistency between this Policy and the DPA.

      
      

2. Scope of Application
   This Privacy Policy applies to personal data processed by Ezily in the situations where Ezily acts as a data controller, including when:

   • Individuals use Ezily websites, applications, dashboards, or tools;

   • Client-authorized administrators use Ezily’s platform for account, billing, or configuration purposes.

   This Privacy Policy does not govern personal data processed by Ezily as a data processor on behalf of Clients. Such processing (e.g., Mini App end-user data) is governed by:

   • The Client’s own privacy policy (which applies to end-users), and

   • The Ezily–Client Data Processing Agreement (DPA), which governs Ezily’s processor obligations.

   For clarity, Ezily does not directly collect Mini App end-user data; all such data is collected by the Client, and Ezily processes it only under the Client’s instructions and the DPA.

   
   

3. Categories of Personal Data

   1. Categories We Process as Controller

      When Ezily acts as data controller for Client admin accounts and billing, we collect the following types of data, which may include or be linked to personal data:

      • Name, contact details (email, phone), job title, company

      • Login credentials and access logs

      • Billing details and payment records (excluding full card details)

      • Technical and usage data (IP, device, browser, activity logs, analytics)

      Providing this personal data is necessary for us to enter into and perform our contractual obligations with Client. If Client chooses not to provide the required personal data, we may be unable to create Client’s account or provide you with our Services.

   2. Categories We Process as Processor

      When providing Mini App services, Ezily may process data such as:

      1. End-user identifiers

      2. In-app usage events

      3. Interaction logs

      4. Content transmitted through the Mini App

      5. Transactional or operational data as configured by the Client
         
         

4. Purposes of Processing
   We collect and process personal data for:

   • Service provision, configuration, hosting, and maintenance

   • Account management and customer support

   • Security, authentication, misuse prevention, and fraud detection

   • Ensuring compliance with the AUP and LINE Mini App platform rules

   • Service improvement, analytics, and product development

   • Legal compliance and regulatory requests

   • Marketing communications (where required consents are obtained)

   For clarity, Ezily does not use personal data processed on behalf of Clients for Ezily’s own independent marketing, profiling, or unrelated purposes.

   
   

5. Data Retention, Area, Recipients, and Methods

   1. Retention Period
      Ezily retains personal data only for the period necessary to fulfill the purposes described in this Privacy Policy, to comply with applicable laws, or to perform contractual obligations. After the relevant retention period expires, personal data will be securely deleted or anonymized, subject to backup and legal requirements. For operational purposes, certain technical logs (such as access logs, usage logs, and security-related records) may be retained for a commercially reasonable period to:

      • Detect and prevent misuse or violations of the Acceptable Use Policy (AUP);

      • Maintain system integrity and security;

      • Comply with LINE Mini App platform rules;

      • Support audit, troubleshooting, or legal compliance requirements.

      Ezily does not retain personal data processed on behalf of Clients longer than instructed under the Data Processing Agreement (DPA).

   2. Area of Processing
      Personal data may be processed or stored in Taiwan and other regions where Ezily or its trusted service providers host systems, applications, or backups.

   3. Recipients

      Personal data may be disclosed to the following categories of recipients:

      • Ezily personnel who are authorized and have a legitimate need to access the data

      • Third-party service providers engaged by Ezily to support service delivery (e.g., cloud hosting providers, infrastructure and maintenance partners, analytics tools, payment processors), all bound by contractual obligations

      • Government authorities or courts with lawful authority to request such information

   4. Methods
      Personal data may be processed by automated means, electronic systems, or paper, using lawful and reasonable methods consistent with industry security practices.

6. Cookies and Tracking Technologies

   Ezily uses cookies and similar technologies to：

   • Provide and maintain core website and platform functionality

   • Optimize user experience and interface performance

   • Analyze service usage to improve products and features

   You may configure your browser to block cookies; however, some features of our services may not function properly if cookies are disabled. Ezily may use first-party cookies and third-party analytics tools (e.g., Google Analytics) to improve platform performance. These tools may receive anonymized usage information.

7. Data Subject Rights
   Under Taiwan’s PDPA, individuals may exercise certain rights regarding their personal data, including:

   • the right to inquire or request access

   • the right to request a copy

   • the right to request correction or supplementation

   • the right to request cessation of collection, processing, or use

   • the right to request deletion

   When Ezily acts as a data controller (e.g., for Client admin accounts and billing data), Ezily will handle such requests in accordance with PDPA. When Ezily acts as a data processor on behalf of a Client (e.g., for Mini App end-user data), Ezily does not respond directly to the data subject. Ezily will forward the request to the Client, the data controller, pursuant to the DPA and will assist the Client where appropriate. To exercise these rights, you may contact us at: privacy@ezily.io.

8. Cross-Border Data Transfer
   We may transfer personal data internationally (for example, when using international cloud hosting providers). Ezily implements safeguards consistent with PDPA and, where applicable, GDPR-inspired mechanisms such as contractual commitments to ensure adequate protection.
   
   Ezily will not transfer personal data to jurisdictions that Taiwan’s competent authorities have publicly announced as restricted or prohibited transfer destinations.

9. Security Measures
   Ezily implements appropriate technical and organizational security measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. These measures are applied in accordance with industry standards, the Service Agreement, the Data Processing Agreement (DPA), and applicable laws. These security measures include, but are not limited to:

   • Access controls and the principle of least privilege

   • Encryption during transmission and at rest (where applicable)

   • Regular backups and disaster recovery mechanisms

   • System monitoring, logging, and misuse detection consistent with the AUP

   • Internal security policies, data protection procedures, and employee training

   Ezily regularly reviews and updates its security practices to maintain an appropriate level of protection in light of technological developments and evolving security risks.

   
   

10. Data Breach Notification
    For data processed by Ezily as a data controller, Ezily will notify affected individuals in accordance with PDPA requirements. For data processed by Ezily as a data processor on behalf of a Client (e.g., Mini App end-user data), Ezily’s breach-notification obligations, including timing, procedures, and cooperation requirements, are governed exclusively by the Data Processing Agreement (“DPA”). Ezily will notify the Client and provide assistance as required under the DPA.

11. Electronic Marketing Opt-Out
    Where Ezily sends electronic marketing communications as controller (for example, to Client administrators), such communications will only be sent in accordance with applicable law and, where required, with prior consent. Recipients may opt out at any time by following the unsubscribe instructions in the message or by contacting privacy@ezily.io.
    
    Where Ezily processes data for electronic marketing on behalf of a Client, Ezily does so solely on the Client’s instructions and the Client remains responsible for ensuring that such communications comply with applicable laws.

12. Minors
    Under Taiwan law, individuals under 20 generally require the consent of their legal guardian to use certain services or provide personal data. Ezily may take reasonable steps to confirm such consent where applicable. In other jurisdictions, the local “digital consent” age (for example, 13–16 under GDPR) will apply. Ezily does not knowingly collect personal data from children in violation of applicable law.

13. Relationship to the Service Agreement, AUP, and DPA
    This Privacy Policy forms part of Ezily’s legal framework. In case of conflict:

    1. The Service Agreement governs the overall relationship

    2. The DPA governs processing of Mini App end-user data

    3. The AUP governs acceptable use and may affect how data is processed (e.g., logging, monitoring, suspension)

    Violations of the AUP or the Agreement may result in suspension or restriction of Services as described in those documents. However, any suspension or restriction of Services does not affect the Parties’ ongoing data-processing obligations under the DPA, which shall remain in full force and effect.

14. Changes to This Policy

    We may update this Privacy Policy from time to time in response to legal, technical, or business changes. When we do so, we will update the “Last Updated” date at the top of this document. For material changes, we may provide additional notice (such as via email or prominent notice on our website or platform).

    
    

15. Contact Us
    For questions about this Privacy Policy or our data practices, or to exercise your data subject rights, you may contact:

    • Privacy: privacy@ezily.io

    • General: corporate@ezily.io

    
    

16. Language
    This Privacy Policy is provided in English and Chinese. In the event of any inconsistency or conflict, the English version shall prevail, consistent with Ezily’s Service Agreement.