Version 1.1

Published date: April 27, 2026

Effective date: April 27, 2026

Insta360 InSight is a service provided by Arashi Vision Inc. and its global affiliates (hereinafter referred to as "Insta360", "we" or "us") through the Insta360 Wave, Insta360 Wave Controller and Insta360 official website, offering storage, synchronization, management, AI transcription, AI summarization, editing and sharing services (hereinafter referred to as "Cloud Service" or "Services") for your audio recordings, screenshots taken during recording, and audio tagging recorded by the Insta360 Wave (collectively, "audio recording data").

This Privacy Policy (hereinafter referred to as "this Policy") outlines the statements and commitments made by Insta360 regarding privacy and the protection of personal information in connection with Insta360 InSight provided by us through the Insta360 Wave, Insta360 Wave Controller and our official website. This Policy is developed with careful consideration of your needs, ensuring your comprehensive understanding of our practices in collecting and using personal information, while also ensuring that you ultimately have control over the personal information you provide to us, which is crucial. This Policy sets forth how we collect, use, disclose, transmit and store (collectively, "process") information provided by you when using our Insta360 InSight. If you have any questions about this Policy, you can enquire about customer service at service@insta360.com.

BEFORE USING INSTA360 INSIGHT, PLEASE CAREFULLY READ AND THOROUGHLY UNDERSTAND THIS POLICY, AND MAKE CHOICES YOU DEEM APPROPRIATE. WE WILL ADHERE TO CURRENT LAWS AND REGULATIONS, PROCESS YOUR PERSONAL INFORMATION APPROPRIATELY, BASED ON LEGAL AND LEGITIMATE MEANS, AND IN ACCORDANCE WITH THE PRINCIPLES OF GOOD FAITH. TERMS IN THE POLICY THAT SIGNIFICANTLY RELATE TO YOUR RIGHTS ARE HIGHLIGHTED IN BOLD FOR YOUR ATTENTION. IF YOU DO NOT AGREE TO THIS POLICY, PLEASE DO NOT USE THE SERVICES.

This Policy is an integral part of the Insta360 Privacy Policy. In cases where there are specific agreements related to Insta360 InSight services that differ from the Insta360 Privacy Policy, this Policy shall prevail. For matters not specified in this Policy, the Insta360 Privacy Policy shall apply. Particularly, with regard to provisions related to "Protection of Children's Information, Security Measures, Cross-border Transfers," it is advisable to thoroughly read the Insta360 Privacy Policy. Additionally, we recommend careful review of the Insta360 InSight User Service Agreement, especially in cases where this Policy does not make specific provisions.

This Policy contains:

1. Scope of Application and Basis for Personal Information Processing

2. How We Collect and Use Your Personal Information

3. How We Use Cookies and Similar Technologies

4. How We Share, Transfer, and Disclose Your Personal Information

5. How We Protect and Store Your Personal Information

6. Safeguarding Your Personal Information

7. Your Rights

8. How Your Personal Information is Transferred Globally

9. Protection of Children's Personal Information

10. Notifications and Revisions

11. How to Contact Us

1. Scope of Application and Basis for Personal Information Processing

1.1 Scope of Application

We operate globally and this Policy applies to our global users. This Policy applies to Insta360 InSight provided by Insta360 on the Insta360 Wave, Insta360 Wave Controller and our official website. It is applicable when you use Insta360 InSight, or access Insta360 InSight through affiliated or third-party platforms.

Please be aware that this Policy is only applicable to the personal information we process and does not extend to personal information handled by third-party products and/or services accessed through Insta360 InSight, including any third-party websites, apps, mini-programs, etc.

*Special Note for Singapore:

If you provide your business contact information (including name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about you), not provided by you solely for your personal purposes, such information is not bound by the personal information protection rules of this Policy, unless these business contact details have been registered with the "Do Not Call" (DNC) Registry (https://www.donotcall.gov/).

1.2 Legal Basis for Personal Information Processing

We only process your personal information when deemed necessary, and under applicable law, we do so with a valid legal basis. This may include your explicit consent, compliance with the law, the necessity to provide Services or fulfill our contractual obligations, protect your rights, or pursue our legitimate business interests. We may process your personal information based on the following legal grounds:

a) Consent: If you explicitly consent to the use of your personal information for specific purposes, we may proceed with processing your data.

b) Contractual Performance: When entering into a contract with you, we may process your personal information to fulfill the terms of our agreement.

c) Legal Obligations: To comply with applicable laws, government requests, judicial procedures, court orders, or legal processes, such as responding to court orders or subpoenas (including responding to public authorities to meet national security or law enforcement requirements), we may process your personal information as required by law.

d) Vital Interests: When necessary to protect your or another natural person's vital interests.

e) Public Interests: To fulfill obligations for public interests or based on official authority.

f) Legitimate Interests: Within the permissible scope of applicable laws, to achieve our legitimate business interests, we may process your data under reasonable and necessary circumstances.

g) Other Legal Bases Permitted by Applicable Law.

2. How We Collect and Use Your Personal Information

2.1 Select account location and choose your membership plan to Insta360 InSight

After registration, if the country and region where your account is located has officially launched Insta360 InSight and your account is in normal status, you can view the membership service content of Insta360 InSight, choose a membership plan, confirm your account location (used to determine the Regional Data Center where your data will be stored) and confirm and complete payment to purchase the corresponding package. Upon receiving or purchasing these Services, we collect and use your [account information (user ID, login IP address, account location, the Regional Data center), current membership plan and validity, order information (membership type, duration, purchase date, order amount, payment channel, order number)]. If you refuse to provide the aforementioned information, you will be unable to use the Insta360 InSight service.

2.2 Upload and Download Services

After subscribing or purchasing Insta360 InSight, you can connect your device to your Insta360 InSight in order to upload audio recording data directly from your device. You can also choose to download stored files from Insta360 InSight and configure the network conditions for uploads and downloads. For this, we collect your [data from the connected Insta360 Wave device (if enabled, including your user ID, device type, device serial number, and the storage path of audio recording data inside the Insta360 Wave)]. Uploading and downloading is a basic function of Insta360 InSight. If you do not provide the above data, we will not be able to provide you with the Insta360 InSight Service.

2.3 Auto Backup Service

You can set the Insta360 Wave to automatically upload audio recording data to Insta360 InSight during your device is simultaneously in idle, connected to Wi-Fi, and charging status to backup data. You can choose whether to enable the automatic upload service yourself.

2.4 Transcript/Summary Services

Upon uploading audio recording data to the Insta360 InSight platform, you may utilize transcript generation and AI-powered summary services. Specific operations include:

(1) Data Upload.

To enable transcription/summary services, you must upload audio recording data to Insta360 InSight. We collect and process: [User ID, total/used/remaining cloud storage capacity, audio recording data ID, Insta360 InSight storage path, file type, name, creation timestamp, duration, and file size]. Denial of such data will result in service unavailability.

(2) Transcript & AI Summary.

To transcribe selected audio recordings, our servers generate text transcripts, which will be anonymized before being sent to third-party AI models for summarization. Please rest assured that neither Insta360 nor AI vendors use your data for model training. Opting out of this process disables transcript/summary functionality.

You may provide feedback on our AI summary content or use the [Custom Summary Template] to create AI summaries. To improve and optimize our products and services, we may collect this feedback and any text you upload via the [Custom Summary Template]. Once securely encrypted and stripped of any identifying information, this data may be used to analyze and enhance the summary functionality and to improve your overall experience. We will not associate this information with personal identifiers, nor will we use it for model training or any unrelated purposes. This processing is non-essential. If you do not wish your data to be used in this way, please contact us and, once we have verified your request, we will cease such use.

(3) Speakers Tagging.

To streamline transcript readability, you may tag speakers with: [Name, title, company, email, bio]. These tags are securely linked to attendee voice profiles stored on Insta360 Wave devices for automated future tagging. Please make sure that you have obtained consent from attendees before processing their data. Refusal to provide such data disables attendee tagging and directory features.

2.5 Cloud Sharing of Data

You can externally share the data (including audio recording data, transcript and AI summary, hereinafter referred to as "data") stored in Insta360 InSight through links (valid for 7 days). You can view the information links you have shared or cancel the sharing in the Insta360 Wave. To enable cloud sharing of data, we need to collect and use your [User ID, data name, creation timestamp, duration, audio, transcript, speaker names, and AI summary]. If you refuse to provide the aforementioned information, you will be unable to use the sharing service of Insta360 InSight.

Shared link recipients may view shared data via a web interface or save it to their Insta360 accounts for future access. You are solely responsible for vetting the shared content. Insta360 is not responsible for any subsequent actions taken by shared link recipients regarding the shared content.

Additionally, with the aim of preventing the dissemination of illegal content, if Insta360 receives a complaint of illegality or infringement on your shared content, Insta360 may temporarily disable access to the shared content and conduct content moderation(including manual moderation) on data shared by you upon prior notice to you and without violating your privacy. Please understand and agree that during manual moderation, our staff will check the data you share and we will do our best to protect your privacy and security. In regard to the complaint channel and the relevant rules of content safety inspections, please refer to the Insta360 InSight User Service Agreement.

You understand and commit to obtaining authorization from others if the shared data involves their privacy or intellectual property rights before sharing it with data recipients.

2.6 AI Assistant

You may query the AI Assistant about your audio records or transcriptions via Insta360 InSight. Responses are generated by third-party AI models using your audio recording data (audio, transcripts, summaries) and public information. Your audio recording data will be transmitted to third-party AI providers to enable this feature. Opting out disables the AI Assistant. Please rest assured that neither Insta360 nor AI providers use your data for model training or algorithmic refinement.

2.7 Third-Party Service Connections

(1) File Storage. To facilitate the management and storage of your files, you may choose to connect your Google, Notion, or other third-party platform accounts to Insta360 InSight. You may limit the information we receive by adjusting the authorization settings made available by the applicable third-party platform. Subject to your instructions, we may sync and save files that you generate in, or select for storage through, Insta360 InSight to Notion, Google Drive, or other third-party platforms you authorize. You may manage your authorizations through "Account & Settings - Integrations". If you withdraw our access to information from a third-party platform, such withdrawal will not affect information we lawfully obtained from that third party prior to the withdrawal.

If you choose to connect your Google Account and use the relevant export functionality, Insta360 InSight's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

The Google permissions we request（ https://www.googleapis.com/auth/drive.file and https://www.googleapis.com/auth/documents ）solely to create and write formatted meeting‑minute content into Google Docs that our application itself creates in the user's own Google Drive, triggered by the user clicking "Export to Google Drive" on their own meeting in InSight. We do not read, list, or modify any other files in the user's Drive. We do not transfer, sell, or share this data with third parties, do not use it for advertising, and do not use it to train AI/ML models. Users can revoke this authorization at any time from within InSight.

(2) AI Tool Connections. To enable you to manage and use your file content more efficiently through third-party AI tools, you may choose to connect Insta360 InSight with a third-party AI platform of your choice. Based on the scope of authorization you select on the relevant authorization page, we may provide the third-party AI tool with your Insta360 InSight account information and file content so that you can manage and use your file content through that tool. You may manage your authorizations through "Account & Settings - Integrations". If you revoke the relevant authorization, such revocation will not apply to information that was obtained, processed, or used to complete operations requested by you prior to the revocation.

2.9 Ensuring Service Security, Optimization, and Improvement

When you use Insta360 InSight, we collect and use your [User ID, user order information, user transaction information, transaction currency, cloud space usage details, subscription duration, subscription status, subscription region, and the location of storage chosen by you on your first subscription]. This data is utilized for internal purposes only, such as ensuring the normal use of Insta360 InSight services, addressing issues encountered during service usage, improving and optimizing the Insta360 InSight service experience, securing your account, preventing, detecting, and investigating fraud, actions harmful to security, illegal activities, or violations of our agreements, policies, or rules. It aims to protect your, our, or our affiliated companies', partners', and the public's legitimate rights and interests. This data will not be disclosed externally.

2.8 Sending Marketing and Promotional Information

We do not serve third-party advertisements to you while using our Services. However, we may process your personal information, such as email addresses, as well as other data obtained from your interactions with our Services or from third-party sources, to send marketing information to you via email. Before sending such marketing information, we will seek your explicit consent. You can unsubscribe at any time by clicking the unsubscribe link in the email and choosing not to receive our marketing information. Please note that if you choose not to receive marketing information, we may still contact you regarding your use of our Services, including but not limited to responding to your questions or requests.

Please be aware that, according to relevant laws and regulations, anonymized data is not considered personal information, and we do not need your consent for processing such data. In cases involving the training and application of generative artificial intelligence large models, we adhere to transparency requirements by publicly disclosing relevant information.

*Notice Regarding Sensitive Personal Information

DATA UPLOADED BY YOU TO INSTA360 INSIGHT CLOUD SERVICES MAY CONTAIN SENSITIVE PERSONAL INFORMATION, INCLUDING [AUDIO RECORDING DATA, SCREENSHOT INFORMATION, etc. ]. PLEASE EXERCISE CAUTION WHEN UPLOADING CONTENT CONTAINING SENSITIVE PERSONAL INFORMATION, WHETHER PERTAINING TO YOURSELF OR OTHERS. WE DO NOT DIRECTLY PROCESS THE DATA YOU UPLOAD. THROUGH TECHNOLOGICAL MEANS, WE ENSURE THE SECURITY OF DATA UPLOADED TO THE CLOUD SPACE.

3. How We Use Cookies and Similar Technologies

Cookies, device identifiers, and similar technologies are standard tools widely adopted in internet operations. Within the Insta360 InSight website, we exclusively deploy strictly necessary cookies to verify your login status and authentication credentials, solely for ensuring the website's core functionality and security compliance. We expressly confirm that Cookies will not be utilized for any purposes beyond those explicitly defined in this Privacy Policy.

4. How We Share, Transfer, and Disclose Your Personal Information

We fully understand the legal responsibilities we must bear in the event of illegal sharing, transfer, or disclosure of personal information causing harm to users. We are committed to maintaining confidentiality obligations for your personal information. Any sharing, transfer, or disclosure of your personal information will be strictly conducted in accordance with the following terms:

4.1 Sharing

In the following circumstances, we may share your personal information:

a) With Service Providers: To enable core product functionalities and ensure your access to requested services, we may share your personal information with service providers under strict contractual obligations, including:

i. Payment Processors: Transaction details (order information, payment amounts) to facilitate payment services;

ii. Identity Verification Providers: Data required for real-name authentication;

iii. AI Model Vendors: Anonymized audio recording data (transcripts/summaries) for AI-driven services like audio recording summaries and assistants;

iv. Other Providers: Essential vendors supporting service operations (e.g., cloud storage, analytics).

b) With Business Partners: To optimize service stability (e.g., crash diagnostics, network performance), we may share aggregated, non-identifiable usage data (e.g., crash rates, error logs) with partners. Such data cannot be linked to individual users.

c) Necessary Sharing with Affiliates: To ensure seamless service delivery under a unified account system and enhance system/account security, your account identifiers (mobile number/email) may be shared with our affiliates. Such sharing is strictly limited to lawful purposes and technical necessities.

d) With Government Agencies: We may provide personal information to government authorities as required by public authorities, auditors, or agencies authorized to inspect us, in accordance with their legal obligations, which may request information.

e) With Your Consent: With your consent, we may disclose your personal information for any other purpose.

If there is any sharing activity, we will obtain your individual consent in accordance with the provisions of laws and regulations. We will also require affiliated companies, partners, and third parties to provide evidence of data security capabilities and information security qualifications. In the processing of sensitive personal information, we will request third parties to adopt technologies such as de-identification and encryption to better protect the security of personal information. If you have objections to the third-party processing of personal information or identify risks in their personal information processing activities, please contact us using the contact information provided in this Policy.

4.2 Disclosure

We will only disclose your personal information publicly in the following circumstances:

a) After obtaining your explicit consent.

b) Based on legal requirements: In cases where mandatory legal regulations or government and judicial authorities require it, we may publicly disclose your personal information. When we receive requests for the disclosure of personal information, we will require the requesting party to provide corresponding legal documents, such as subpoenas or investigation letters. We firmly believe that, for requests for the disclosure of personal information, transparency should be maintained to the fullest extent possible within the limits allowed by laws and regulations. We will carefully review all requests to ensure that the disclosure of personal information has a legal basis.

c) For the normal management and maintenance of Insta360 InSight orders, we may announce penalties for accounts engaging in violations, fraud, or other severe activities that harm the legitimate rights and interests of Insta360 and other users. The announcement will mainly include user account information and details of the violation.

4.3 Transfer

We will not transfer your personal information to any company, organization, or individual, except in the following cases:

a) With your consent, we may transfer your personal information to other parties.

b) Transfer is required by applicable laws and regulations or mandatory requests from government departments and judicial authorities.

c) In the event of a merger, acquisition, or bankruptcy liquidation that involves the transfer of personal information, we will require the new entity holding your personal information to continue to be bound by this Policy. Otherwise, we will request the new entity to obtain your consent again.

4.4 Exceptions to Obtaining Prior Consent for Sharing, Transfer, and Public Disclosure of Personal Information

In accordance with legal regulations, there are situations where the sharing, transfer, and public disclosure of personal information do not require prior consent from users:

a) Related to our fulfillment of obligations stipulated by laws and regulations.

b) Directly related to national security and defense security.

c) Directly related to public safety, public health, and significant public interests.

d) Directly related to criminal investigations, prosecutions, trials, and judgment executions.

e) Necessary for the protection of your or other individuals' vital legitimate interests but difficult to obtain your personal consent.

f) Personal information voluntarily disclosed by you to the public.

g) Collection of personal information from legally publicized information sources, such as lawful news reports and government information disclosures.

h) According to legal regulations, sharing, transferring, or publicly disclosing de-identified personal information, ensuring that it cannot be restored and re-identified as a specific natural person. Such actions do not constitute the sharing, transfer, and public disclosure of personal information, and no separate notification or consent from users is required for the processing of such data.

5. How We Protect and Store Your Personal Information

5.1 Storage Duration

We only store your personal information for the necessary period as described in this Policy and within the time limits specified by laws, regulations, and regulatory authorities, unless there is a mandatory retention requirement under the law. If we terminate our Services or operations, we will promptly cease the continued collection of your personal information, comply with relevant legal requirements to notify you in advance, and, upon termination of Services or operations, either delete or anonymize your personal information, except as otherwise required by laws, regulations, or regulatory authorities.

5.2 Storage Location

Your data will be stored in Regional Data Centers depending on where your account location is, which is confirmed by you upon first subscription. We have deployed regional data centers for storing global user data in Germany and the USA. This means that your personal information may be transmitted to countries or regions outside your place of residence or accessed by countries or regions outside your place of residence.

Regional data centers and their storage coverage by country/region:

5.3 Storage Security

We have implemented security measures that comply with industry standards to protect your information and prevent unauthorized access, disclosure, use, modification, damage, or loss of personal information. The following measures are taken to ensure the security of your data:

a) We use encryption technology to enhance the security of personal information. Data exchanged between your browser and our servers is encrypted using the SSL protocol, providing a secure browsing experience through the HTTPS protocol.

b) Trusted protection mechanisms are employed to prevent personal information from falling victim to malicious attacks.

c) Access control mechanisms are deployed to ensure that only authorized personnel can access personal information, thus enhancing overall data security.

d) We conduct training courses on security and privacy protection to strengthen employees' understanding of the importance of safeguarding personal information.

e) We have established dedicated data compliance management systems, processes, and organizational structures to ensure information security. For example, access to information is strictly restricted, and individuals are required to adhere to confidentiality obligations. Regular audits are conducted to verify compliance.

We will take all reasonable and feasible measures to ensure that irrelevant personal information is not collected. We only retain your personal information for the shortest period necessary to achieve the purposes described in this Policy, unless otherwise required by local laws and regulations.

The internet environment is not entirely secure. We will make every effort to ensure or guarantee the security of any information you send to us. In the event that our physical, technical, or managerial protective measures are compromised, leading to unauthorized access, public disclosure, alteration, or destruction of information, resulting in harm to your legitimate rights and interests, we will bear corresponding legal responsibilities. In the unfortunate occurrence of a personal information security incident, we will strictly adhere to the requirements of the local laws and regulations in your jurisdiction. We will promptly inform you of the basic details and potential impacts of the security incident, the measures we have taken or will take to address it, suggestions for you to autonomously prevent and mitigate risks, and remedial measures available to you. We will notify you of event-related information via email, letters, phone calls, push notifications, or other effective means. In cases where it is difficult to inform individual data subjects one by one, we will adopt reasonable and effective methods to make public announcements. Additionally, we will proactively report to regulatory authorities the handling of personal information security incidents and fulfill other obligations stipulated by applicable laws and regulations.

6. Safeguarding Your Personal Information

We place great importance on the security of personal information and take all reasonable and feasible measures to protect your personal information:

a) We employ security measures in line with industry standards, including the establishment of reasonable regulations and secure technologies to prevent unauthorized access, use, modification, and to avoid data damage or loss of your personal information.

b) In the event that we cease the operation of Insta360 InSight we will promptly cease the processing of your personal information, notify you of the cessation in an individual or public manner, and delete or anonymize the personal information we hold.

c) We employ physical, technical, and managerial security measures to reduce the risks of personal information loss, misuse, unauthorized access, disclosure, and alteration. This includes but is not limited to data encryption during transmission, firewall and encrypted storage, physical access controls, and data access authorization controls.

d) We conduct regular training on personal information protection to enhance employees' awareness of the importance of protecting personal information.

e) We have developed relevant emergency plans for personal information security incidents, regularly organize internal personnel for emergency response training and drills to ensure that they understand their responsibilities and emergency response strategies and procedures.

f) The internet environment is not completely secure, and while we strive to ensure the security of the personal information we process, we will promptly inform you in accordance with legal requirements in the event of a personal information security incident. This includes informing you of the basic details and potential impacts of the incident, the measures we have taken or will take, suggestions for your autonomous risk prevention and mitigation, and available remedial measures. We will notify you of incident-related information through push notifications, emails, messages, calls, etc. If it is difficult to inform users individually, we will use reasonable and effective methods to make public announcements. Additionally, we will proactively report to regulatory authorities on the handling of personal information security incidents. If your legitimate rights and interests are compromised, we will bear corresponding legal responsibilities.

g) The internet is not an absolutely secure environment, and we strongly recommend that you use secure methods and complex passwords to assist us in ensuring the security of your account. If you discover a leakage of your personal information, especially if your account or password has been compromised, please contact us immediately using the contact information provided in this Policy so that we can take appropriate measures. However, we are not responsible for this until we become aware of the situation and take action within a reasonable time.

7. Your Rights

In accordance with relevant laws, regulations, standards, and prevailing practices in other countries and regions, we ensure your rights to exercise the following rights over your personal information. Please note that if the requested personal information has already exceeded the necessary minimum retention period for achieving the purposes stated in this Policy or has been deleted, we may be unable to respond to your requests regarding personal information rights.

The personal information rights you can exercise include:

7.1 Right to be Informed

You have the right to be informed about how your personal information is processed.

7.2 Right to Access

You have the right, in accordance with relevant laws and regulations, to access your personal information. If you wish to access and edit personal information in your account, you can log in to your account on our website or app and navigate to the relevant pages, such as personal profile, password change, or email change.

7.3 Right to Rectify

If you discover inaccuracies in how we process your personal information, you have the right to request corrections.

7.4 Right to Erasure

You can request the erasure of personal information in the following situations, except as otherwise provided by laws and regulations:

a) The purpose of collecting or otherwise processing personal information no longer requires your information.

b) Our processing is based on your consent, and you withdraw your consent.

c) You object to our processing, and there are no overriding legitimate grounds for processing (including but not limited to completing transactions with you, fulfilling contracts with you, preventing security incidents, fraud, malicious or illegal activities).

d) We unlawfully processed your personal information.

e) Applicable laws require erasure.

The right to request erasure of personal information does not apply in the following cases: where laws and regulations provide otherwise; processing is necessary for the exercise of the right to freedom of speech and information; processing is necessary for compliance with a legal obligation; processing is necessary for archiving purposes in the public interest, scientific research, historical research, or statistical purposes, and erasure is likely to render impossible or seriously impair the achievement of such processing objectives; or processing is necessary for the establishment, exercise, or defense of legal claims.

If we decide to respond to your erasure request, we will also notify entities that have obtained your personal information from us (if any) to promptly erase it unless otherwise required by laws and regulations or these entities have obtained your separate authorization. When you erase information from our Services, we may not immediately erase the corresponding information from the backup system but will do so when the backup is updated.

7.5 Right to Account Deletion

You can deactivate a previously registered account through the methods specified on our platform or by contacting customer service. When you contact our customer service for account deactivation, we will fulfill your request within 15 working days. After deactivating the account, we will cease to provide our Services to you and, as per your request, delete your personal information, except as otherwise provided by laws and regulations. For more details, refer to the Insta360 Account Deletion Notice.

7.6 Right to Data Portability

You have the right to obtain a copy of your personal information. You can contact us at any time, and we will respond to your request within 30 days. If technically feasible, such as through data interface matching, we can also directly transmit a copy of your personal information to a third party specified by you.

It is important to note that the right to data portability may be restricted when our processing of your personal information is necessary for public interests or for the exercise of official authority vested in us. Additionally, exercising the right to data portability should not adversely affect the rights or freedoms of others.

7.7 Restrictions on Automated Decision-Making for Information Systems:

In certain business functions, we may make decisions solely based on non-human automatic decision-making mechanisms, including information systems and algorithms. If these decisions significantly affect your legal rights, you have the right to request an explanation from us, and we will also provide appropriate remedies.

7.8 Limited Processing Right for Personal Information

You can restrict our processing of your personal information in the following circumstances:

a) You question the accuracy of the personal information we collect from you, or we are verifying the accuracy of the personal information.

b) You believe that our processing of your personal information is unlawful.

c) We no longer need your relevant personal information for the processing purposes stated in this Policy, but you need the personal information for legal claims.

d) The legal basis for processing your personal information is for public interest, or our legitimate interests, or those of third parties.

7.9 Right to Object to Personal Information Processing

In the following situations, you have the right to object to our processing of your personal information:

a) You withdraw your consent.

b) The processing of personal information is necessary for the performance of a task carried out in the public interest. However, this does not apply if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

c) The processing of personal information is necessary for the pursuit of legitimate interests.

d) Personal information is processed for direct marketing purposes. You have the right to object to such processing at any time, and once you exercise this right, personal information must not be processed for such purposes.

e) The processing of personal information is for scientific or historical research or statistical purposes. This does not apply if the processing is necessary for the performance of a task carried out for reasons of public interest.

f) Solely relies on automated processing (including user profiling) to make decisions that produce legal effects or similarly significantly affect data subjects.

*Special Note for Singapore: "Do Not Call" Rule

You have the right to apply the "Do Not Call" rule, meaning that if you do not wish to receive telemarketing messages through calls, SMS, or fax, you can register your Singapore telephone number through the following channels: DNC Registry (https://www.donotcall.gov/). You can also remove your phone number from the DNC Registry at any time.

7.10 Response to the Above Requests

If you are unable to exercise the rights mentioned above, or if you believe that we have violated any provisions of laws, regulations, or agreements regarding the processing of your personal information, you can contact us through the channels specified in this Policy. For security reasons, you may need to provide a written request or other proof of your identity. In general, we may request you to verify your identity first and will respond appropriately within [30 days] in accordance with applicable laws. We will retain your requests and our responses (including any supporting documents) as required by applicable laws.

For your reasonable requests, we generally do not charge any fees. However, for repeated or excessive requests beyond reasonable limits, we may charge certain costs. We may refuse requests that are unfounded, repetitive, require excessive technical means (such as developing new systems or fundamentally changing current practices), pose risks to the legitimate rights and interests of others, or are impractical (involving information stored on backup tapes).

In the following situations, we may be unable to respond to your requests according to laws and regulations:

a) Directly related to national security or national defense.

b) Directly related to public safety, public health, or significant public interests.

c) Directly related to criminal investigation, prosecution, trial, and execution of judgments.

d) There is sufficient evidence to prove your subjective malice or abuse of rights.

e) Responding to your request would cause serious harm to your or other individuals' legitimate rights and interests.

f) Involving trade secrets.

If we respond to your erasure request, we will also notify entities that have obtained your personal information from us to promptly delete the corresponding information unless otherwise provided by laws and regulations or unless these entities have obtained your independent authorization.

*Special Note for Hong Kong SAR:

If you are a Hong Kong resident, in principle, we will respond to your request for access within 40 days, unless:

a) The request is neither made in writing in Chinese nor in writing in English;

b) You have not provided us with information that is reasonably necessary to respond to the request, etc.

If you are a Hong Kong resident, in principle we will respond to your request for correction within 40 days of unless:

a) We are unable to determine your identity;

b) The request is neither made in writing in Chinese nor in writing in English;

c) We are unable to determine whether the correction request is accurate/confident that the correction request is inaccurate, etc.

*Special Note for Singapore:

Upon receiving your request to access or correct personal information, we will respond to your application. Generally, we will fulfill our response obligation within 30 days after receiving the request. If a response cannot be provided, we will inform you in writing within 30 days of the anticipated response time. If we refuse to take action on your personal information request, we will provide reasons for the refusal and avenues for appeal within 45 days of receiving the request. Within 60 days of receiving the appeal, we will respond in writing, explaining the decision and providing reasons. If the appeal is denied, we will provide an online mechanism (if available) or other means for you to contact the Attorney General to file a complaint.

8. How Your Personal Information is Transferred Globally

As mentioned in "5. How We Protect and Store Your Personal Information", we utilize AWS to store your personal data. We have deployed regional data centers in Germany and the USA to store audio recording data from users worldwide. This means that your personal information may be transmitted to countries or regions outside your place of residence or accessed by countries or regions outside your place of residence. These countries or regions may have different regulations regarding personal information protection, or they may lack corresponding regulations. In such cases, we will make every effort to ensure that your personal information receives sufficient protection in accordance with this Policy. We will strictly adhere to the laws and regulations of your jurisdiction and the regulations of relevant regulatory authorities. This includes explaining the purpose of personal information cross-border transfers, the types of personal information involved, and ensuring that overseas entities maintain the confidentiality of the obtained personal information through measures such as agreements and on-site inspections.

*Special Note for EU:

Relying on the following bases, mechanisms, and measures, we may transfer your personal information to countries outside the EU:

• Adequacy Decisions. When applicable, we may rely on EU adequacy decisions to transfer your personal information outside the EEA. When the relevant EU authority issues an adequacy decision, that means they have found the third country to offer adequate protection for personal information.

• Derogations. We may transfer your personal information based on a derogation listed in Article 49 of the GDPR. We will only do so if the transfer of personal information meets specific strict conditions according to the GDPR or other applicable laws.

• Standard Contractual Clauses. We have implemented measures to protect your personal information, including by using Standard Contractual Clauses for transfers of personal information between us and our third-party providers. These clauses require all recipients to protect all personal information that they process originating from the EEA in accordance with European data protection laws and regulations. Our Standard Contractual Clauses can be provided upon request. We have implemented similar appropriate safeguards with our third-party service providers and further details can be provided upon request.

• Supplementary Measures. When necessary, in addition to the Standard Contractual Clauses, we may adopt technical, contractual, and organizational supplementary measures to better ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer.

*Special Note for Singapore:

In compliance with specific measures to ensure that overseas recipients have legal obligations or are subject to specific certifications that guarantee the same standard of security protection as in Singapore, and with your consent, we may transfer your personal information to countries or regions outside Singapore. If there are specific legal provisions, contractual obligations, binding corporate data protection policies, or other legally binding documents, the receiving entity may be considered to have a legal obligation to ensure the security protection of personal information. If the overseas recipient is certified under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system and the Asia-Pacific Economic Cooperation Privacy Recognition for Processors (APEC PRP) system, it is deemed to meet Singapore's legal compliance requirements for data transfer recipients, providing a level of personal information protection that is not lower than the standards set by Singapore's relevant laws and regulations. We may transfer personal information to certified recipients.

9. Protection of Children's Personal Information

If according to the jurisdiction of your residence, you are considered a child under the applicable legal age, we will not knowingly collect your personal information. Children are not allowed to register accounts on our platform or provide personal information such as names, addresses, phone numbers, or email addresses to us unless permitted by local laws and with the consent of their legal guardians. For personal information collected with the consent of legal guardians, we will only use or disclose this information in accordance with the law, with the consent of the legal guardians, or as necessary to protect the child.

If we discover that we have collected personal information from a child without obtaining the consent of their legal guardians, we will promptly delete the relevant data once informed. If you believe that we may be in possession of personal information from or about a child inappropriately, please contact us.

10. Notifications and Revisions

In order to provide you with better services and to keep pace with the development of our business, this Policy may be updated. However, without your consent, we will not diminish the rights you are entitled to under this Policy. We will publish updated versions on our website and mobile platforms, and notify you of the relevant updates through appropriate means before they take effect. Please visit our platform to stay informed about the latest privacy policy. For significant changes, we will provide more prominent notifications (such as pop-ups and pushes through the Insta360 Wave) to explain the specific changes to the privacy policy.

Significant changes referred to in this Policy include, but are not limited to:

a) Significant changes in our Services model, such as the purposes of processing personal information, types of personal information processed, and the ways personal information is used.

b) Significant changes in ownership structure, organizational structure, etc., resulting from business adjustments, bankruptcy, mergers, or other events causing changes in ownership.

c) Major changes in the main entities with whom personal information is shared, transferred, or publicly disclosed.

d) Significant changes in your rights to participate in the processing of personal information and how they are exercised.

e) Changes in the department responsible for the security of personal information, contact methods, and complaint channels.

f) When the personal information security impact assessment report indicates a high risk.

We will also archive previous versions of this Policy for your reference.

11. How to Contact Us

If you have any questions, feedback, or complaints regarding this Policy, or if you wish to contact us, please use the following methods:

11.1 For specific issues related to software or personal user accounts (including obtaining your personal information), please email us at service@insta360.com.

11.2 For general inquiries or complaints about privacy issues, or if you need to contact our Data Protection Officer, please email us at DPOcontact@insta360.com, or write to the following address:

a) For European Users: Insta360 GmbH | Gartenfelder straße 29-37 Gebäude 31，13599 Berlin，Germany

b) For users in other countries or regions: INSTA360 S.G. PTE. LTD. | 24 SIN MING LANE, #06-97, MIDVIEW CITY, SINGAPORE 573970

If you are dissatisfied with our response, especially if our handling of personal information has harmed your legitimate rights, you can also file a complaint or report to the regulatory authorities in your jurisdiction.