Privacy Policy
Note: The Chinese version prevails in case of discrepancy.
Effective Date: {{EFFECTIVE_DATE}}
This Privacy Policy applies to iching123.app and its associated domains (collectively, "the Service"). The Service is operated by {{OPERATOR_LEGAL_NAME}}. For questions, please contact {{CONTACT_EMAIL}}.
1. What Data We Collect
1.1 Email Address
Used for one-time password (OTP) authentication. Your email is processed and stored by third-party service provider Supabase (United States).
1.2 Session Cookies
Required to maintain your login state, server-side entitlement checks, and session security. When you browse while logged out, the Service does not intentionally create application session cookies.
1.3 Anonymized Analytics Data (Cookieless)
We collect anonymized usage statistics via PostHog (hosted in the European Union), including: pages visited, feature usage frequency, and session duration. This analytics setup uses no cookies or local storage, creates no cross-session identifiers, and honors your browser's Do Not Track (DNT) setting. Legal basis: legitimate interest (service improvement). You may object at any time by enabling DNT or contacting us.
1.4 Payment Data
Payment transactions are processed by Stripe (United States). The Service does not store payment card information. We retain only payment status, billing email, and transaction summaries.
1.5 Hosting and Infrastructure Data
The Service is hosted on Vercel (United States), and emails are sent via Resend (United States). Access logs and technical data are retained by these service providers.
2. Legal Basis for Data Collection
Under the General Data Protection Regulation (GDPR) and applicable privacy laws, we collect data based on:
- Contract Performance: Account authentication, payment processing, and service delivery
- Legitimate Interests: Cookieless anonymized analytics (see 1.3, with right to object), security, legal compliance
- Consent: Should we ever introduce processing that requires consent (e.g., non-essential cookies), we will ask for your explicit consent before enabling it
3. Data Processors and International Transfers
Our primary data processors include:
| Processor | Location | Purpose | Protection |
|---|---|---|---|
| Supabase | United States | Account authentication, data storage | Standard Contractual Clauses (SCC) |
| Stripe | United States | Payment processing | Standard Contractual Clauses (SCC) |
| PostHog | European Union (EU region) | Usage analytics (cookieless, anonymized) | Data stored within the EU |
| Vercel | United States | Website hosting | Standard Contractual Clauses (SCC) |
| Resend | United States | Email delivery | Standard Contractual Clauses (SCC) |
All cross-border data transfers comply with EU Standard Contractual Clauses (SCC) or equivalent protection mechanisms.
4. Data Retention
- Account Data: Retained during your account lifetime. After deletion, personal data is removed from all systems within 30 days
- Payment/Billing Records: Retained per financial law requirements for 7 years; access restricted to authorized personnel only
- Analytics Data: Anonymized data auto-deleted after 12 months
- Logs: Hosting provider access logs typically retained for 30–90 days
5. Your Data Rights
Under GDPR and applicable privacy laws, you have the right to:
- Access: Know what data we hold about you
- Correction: Update inaccurate information
- Deletion: Request deletion of your account and associated data (see self-service option below)
- Data Portability: Receive your data in a transferable format
- Objection: Opt out of certain data processing (e.g., analytics)
- Withdraw Consent: Revoke permission for non-essential data collection at any time
6. How to Delete Your Account
6.1 Self-Service Deletion
Log in, go to the "/account" page, select the confirmation checkbox in the "Delete Account" area, then click "Permanently Delete My Account." After confirmation, your Supabase Auth account is deleted immediately and the profiles row is removed by database foreign-key cascade; residual personal data in backups or logs is removed within 30 days.
6.2 Email Deletion
If you cannot access your account, email {{CONTACT_EMAIL}} with the subject "Request to Delete My Account" and provide your registered email. We will complete deletion within 14 days.
7. Cookie Policy
7.1 Essential Cookies
Required for service operation; enabled by default without consent:
- Supabase authentication session cookies (created only after login to maintain login state)
- `openzhouyi-access-token` server-side entitlement cookie (created only after login to read the current free/paid entitlement on the server; HttpOnly; SameSite=Lax)
The Service currently sets no language preference, advertising, marketing, or cross-site tracking cookies.
7.2 Analytics Cookies: Not Used
Our analytics is cookieless and anonymized (see 1.3). We set no analytics or tracking cookies and use no local storage for tracking. For this reason, this site does not need — and does not display — a cookie consent banner. Should we ever introduce cookies requiring consent, we will update this policy and show a consent prompt first.
8. What We Don't Do
- Don't sell user data to advertisers or third parties
- Don't create automated personal profiles or precise targeting
- Don't target users under 16 (if you are under 16, please stop using this Service immediately)
- Don't use data for automated decision-making or algorithmic judgment
9. Security Measures
We employ the following safeguards:
- Transport-layer encryption (HTTPS/TLS)
- Passwordless architecture: login uses one-time codes/OAuth; we never store passwords
- Database row-level security (RLS) isolating user data
- Data minimization and strict access controls
10. Policy Changes
We may update this policy. For significant changes, we will notify you by:
- Updating the "Effective Date" at the top of this page
- Sending an email notification to your registered address
- Displaying an update notice on the website
Continued use of the Service implies acceptance of the updated policy.
11. Contact Us
For privacy questions or rights requests, contact:
{{OPERATOR_LEGAL_NAME}}
Email: {{CONTACT_EMAIL}}
Governing Law: {{JURISDICTION}}
Under GDPR, you also have the right to file a complaint with your local data protection authority.