
privacy and cookie notice

Placeholders are to be filled in by the site owner before going live; the current page is kept as-is so that an agent does not guess the legal entity details.

Privacy Policy

Effective date: {{EFFECTIVE_DATE}}

This Privacy Policy applies to iching123.app and its associated domains (collectively, "the Service"). The Service is operated by {{OPERATOR_LEGAL_NAME}}. If you have questions, please contact {{CONTACT_EMAIL}}.

1. What Data We Collect

1.1 Email Address

Used for one-time verification code (OTP) login authentication. Your email address is processed and stored by the third-party service provider Supabase (United States).

1.2 Essential Session Cookies

Used to maintain your login state, server-side entitlement checks, and session security. When you visit while logged out, this site does not actively write application session cookies.

1.3 Anonymized Analytics Data (Cookieless)

We collect anonymized usage statistics via PostHog (hosted in the EU region), including pages visited, feature usage frequency, and session duration. This analytics uses no cookies or local storage, creates no cross-session identifiers, and honors the browser's Do Not Track (DNT) setting. The legal basis is legitimate interest (service improvement). You may exercise your right to object by enabling DNT in your browser or by contacting us.

1.4 Payment Data

Your paid transactions are processed by the payment processor Stripe (United States). The Service does not store any payment card information. We keep only your paid-entitlement status, billing email, and transaction record summaries.

1.5 Hosting and Infrastructure Data

The Service is hosted on Vercel (United States), and email delivery is handled by Resend (United States). The corresponding access logs and technical data are retained by these service providers.

2. Legal Basis for Data Collection

Under the General Data Protection Regulation (GDPR) and related privacy regulations, we collect data on the following legal bases:

  • Contract performance: necessary for account authentication, payment processing, and service delivery
  • Legitimate interest: cookieless anonymized usage analytics (see 1.3; you have the right to object), security protection, and legal compliance
  • User consent: if we introduce any processing that requires consent in the future (such as non-essential cookies), we will ask for your explicit consent before enabling it

3. Data Processors and International Transfers

Our primary data processors are listed below (processor, location, purpose, protection mechanism):

  • Supabase, United States: account authentication, data storage. Protection: Standard Contractual Clauses (SCC)
  • Stripe, United States: payment processing. Protection: Standard Contractual Clauses (SCC)
  • PostHog, European Union (EU region): usage analytics (cookieless, anonymized). Protection: data stored within the EU
  • Vercel, United States: website hosting. Protection: Standard Contractual Clauses (SCC)
  • Resend, United States: email delivery. Protection: Standard Contractual Clauses (SCC)

All cross-border data transfers comply with the EU Standard Contractual Clauses (SCC) or equivalent protection mechanisms.

4. Data Retention Periods

  • Account data: retained for as long as your account exists. After account deletion, your personal data is deleted from all systems within 30 days
  • Payment/billing records: retained for 7 years as required by financial regulations; access restricted to authorized personnel only
  • Analytics data: anonymized data is automatically deleted after 12 months
  • Logs: hosting provider access logs are typically retained for 30-90 days

5. Your Data Rights

Under GDPR and other privacy regulations, you have the right to:

  • Access: learn what data we hold about you
  • Rectification: update inaccurate information
  • Erasure: request deletion of your account and associated data (see the self-service option below)
  • Data portability: obtain a copy of your data in a transferable format
  • Objection: object to certain data processing (such as marketing analytics)
  • Withdrawal of consent: withdraw consent to non-essential data collection at any time

6. How to Delete Your Account

6.1 Self-Service Deletion

After logging in, go to the "/account" (Account) page, tick the confirmation checkbox in the "Delete Account" area, and click "Permanently Delete My Account". After confirmation, your Supabase Auth account is deleted immediately and the profiles record is removed by database foreign-key cascade; residual personal data in backups or logs is deleted within 30 days.

6.2 Deletion by Email

If you cannot access your account, send an email directly to {{CONTACT_EMAIL}} with the subject line "Request to delete my account" and provide your registered email address. We will complete the deletion within 14 days.

7. Cookie Policy

7.1 Essential Cookies

These cookies are necessary for the Service to operate; they are enabled by default and require no consent:

  • Supabase authentication session cookie (used only after login to maintain login state)
  • `openzhouyi-access-token` server-side entitlement cookie (used only after login to read the current free/paid entitlement on the server; HttpOnly, SameSite=Lax)

This site currently sets no language preference, advertising, marketing, or cross-site tracking cookies.

7.2 Analytics Cookies: Not Used

This site's usage analytics uses cookieless anonymized statistics (see 1.3); it sets no analytics or tracking cookies and does not use local storage for tracking. For this reason, this site does not need, and does not display, a cookie consent banner. If cookies requiring consent are introduced in the future, we will update this policy first and show a consent prompt.

8. What We Do Not Do

  • We do not sell user data to advertisers or third parties
  • We do not perform automated personal profiling or precise targeting
  • We do not provide the Service to children under 16 (if you are under 16, please stop using it immediately)
  • We do not use data for automated decision-making or algorithmic judgments

9. Security Measures

We take the following measures to protect your data:

  • Transport-layer encryption (HTTPS/TLS)
  • Passwordless architecture: login uses one-time verification codes/OAuth, and the Service stores no passwords
  • Database row-level security (RLS) policies isolating user data
  • Data minimization and access controls

10. Policy Changes

We may update this policy from time to time. For significant changes, we will notify you by:

  • Updating the "Effective date" at the top of this page
  • Sending a notification email to your registered email address
  • Displaying an update notice in a prominent place on the website

Your continued use of the Service indicates acceptance of the updated policy.

11. Contact Us

For any privacy questions or rights requests, please contact:

{{OPERATOR_LEGAL_NAME}}
Email: {{CONTACT_EMAIL}}
Governing law: {{JURISDICTION}}

Under GDPR, you also have the right to lodge a complaint with the data protection authority in your location.

English version

Privacy Policy

Note: The Chinese version prevails in case of discrepancy.

Effective Date: {{EFFECTIVE_DATE}}

This Privacy Policy applies to iching123.app and its associated domains (collectively, "the Service"). The Service is operated by {{OPERATOR_LEGAL_NAME}}. For questions, please contact {{CONTACT_EMAIL}}.

1. What Data We Collect

1.1 Email Address

Used for one-time password (OTP) authentication. Your email is processed and stored by third-party service provider Supabase (United States).

1.2 Session Cookies

Required to maintain your login state, server-side entitlement checks, and session security. When you browse while logged out, the Service does not intentionally create application session cookies.

1.3 Anonymized Analytics Data (Cookieless)

We collect anonymized usage statistics via PostHog (hosted in the European Union), including: pages visited, feature usage frequency, and session duration. This analytics setup uses no cookies or local storage, creates no cross-session identifiers, and honors your browser's Do Not Track (DNT) setting. Legal basis: legitimate interest (service improvement). You may object at any time by enabling DNT or contacting us.

1.4 Payment Data

Payment transactions are processed by Stripe (United States). The Service does not store payment card information. We retain only payment status, billing email, and transaction summaries.

1.5 Hosting and Infrastructure Data

The Service is hosted on Vercel (United States), and emails are sent via Resend (United States). Access logs and technical data are retained by these service providers.

2. Legal Basis for Data Collection

Under the General Data Protection Regulation (GDPR) and applicable privacy laws, we collect data based on:

  • Contract Performance: Account authentication, payment processing, and service delivery
  • Legitimate Interests: Cookieless anonymized analytics (see 1.3, with right to object), security, legal compliance
  • Consent: Should we ever introduce processing that requires consent (e.g., non-essential cookies), we will ask for your explicit consent before enabling it

3. Data Processors and International Transfers

Our primary data processors include:

Listed as processor, location, purpose, and protection mechanism:

  • Supabase, United States: account authentication, data storage. Protection: Standard Contractual Clauses (SCC)
  • Stripe, United States: payment processing. Protection: Standard Contractual Clauses (SCC)
  • PostHog, European Union (EU region): usage analytics (cookieless, anonymized). Protection: data stored within the EU
  • Vercel, United States: website hosting. Protection: Standard Contractual Clauses (SCC)
  • Resend, United States: email delivery. Protection: Standard Contractual Clauses (SCC)

All cross-border data transfers comply with EU Standard Contractual Clauses (SCC) or equivalent protection mechanisms.

4. Data Retention

  • Account Data: Retained during your account lifetime. After deletion, personal data is removed from all systems within 30 days
  • Payment/Billing Records: Retained per financial law requirements for 7 years; access restricted to authorized personnel only
  • Analytics Data: Anonymized data auto-deleted after 12 months
  • Logs: Hosting provider access logs typically retained for 30–90 days

5. Your Data Rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access: Know what data we hold about you
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your account and associated data (see self-service option below)
  • Data Portability: Receive your data in transferable format
  • Objection: Opt out of certain data processing (e.g., analytics)
  • Withdraw Consent: Revoke permission for non-essential data collection anytime

6. How to Delete Your Account

6.1 Self-Service Deletion

Log in, go to the "/account" page, select the confirmation checkbox in the "Delete Account" area, then click "Permanently Delete My Account." After confirmation, your Supabase Auth account is deleted immediately and the profiles row is removed by database foreign-key cascade; residual personal data in backups or logs is removed within 30 days.

6.2 Email Deletion

If you cannot access your account, email {{CONTACT_EMAIL}} with the subject "Request to Delete My Account" and provide your registered email. We will complete deletion within 14 days.

7. Cookie Policy

7.1 Essential Cookies

Required for service operation; enabled by default without consent:

  • Supabase authentication session cookies (created only after login to maintain login state)
  • `openzhouyi-access-token` server-side entitlement cookie (created only after login to read the current free/paid entitlement on the server; HttpOnly; SameSite=Lax)

The Service currently sets no language preference, advertising, marketing, or cross-site tracking cookies.

7.2 Analytics Cookies: Not Used

Our analytics is cookieless and anonymized (see 1.3). We set no analytics or tracking cookies and use no local storage for tracking. For this reason, this site does not need — and does not display — a cookie consent banner. Should we ever introduce cookies requiring consent, we will update this policy and show a consent prompt first.

8. What We Don't Do

  • Don't sell user data to advertisers or third parties
  • Don't create automated personal profiles or precise targeting
  • Don't target users under 16 (if you are under 16, please stop using this Service immediately)
  • Don't use data for automated decision-making or algorithmic judgment

9. Security Measures

We employ the following safeguards:

  • Transport-layer encryption (HTTPS/TLS)
  • Passwordless architecture: login uses one-time codes/OAuth; we never store passwords
  • Database row-level security (RLS) isolating user data
  • Data minimization and strict access controls

10. Policy Changes

We may update this policy. For significant changes, we will notify you by:

  • Updating the "Effective Date" at the top of this page
  • Sending an email notification to your registered address
  • Displaying an update notice on the website

Continued use of the Service implies acceptance of the updated policy.

11. Contact Us

For privacy questions or rights requests, contact:

{{OPERATOR_LEGAL_NAME}}
Email: {{CONTACT_EMAIL}}
Governing Law: {{JURISDICTION}}

Under GDPR, you also have the right to file a complaint with your local data protection authority.