Privacy Policy

Effective date: May 26, 2026

We collect only what is mathematically required to read your chart and clear your mind. We don't ask for an email, a password, or a tracking profile. While your raw birth details stay permanently locked on your device, derived astrological context is safely transmitted to generate your panoramic readings and dialogues.

What we collect & process

No account, no tracking. The app does not ask for your email address, phone number, or password. On first launch, we provision an anonymous account token — an opaque, random identifier unique to your device. This identifier stays within your device's secure storage to maintain your chat history across sessions.

Birth data per profile (device-local). Your birth date, time, time zone, city, longitude, and gender remain strictly local on your device. This data is never sent to our servers, stored in cloud databases, or shared with third parties. If you delete the app, this data vanishes completely.

Profile metadata (device-local). Display names you assign to profiles (e.g., "Me", "Partner") are stored exclusively on-device.

Conversation messages & Oracle readings (server-side). The inquiries you send to the AI, the follow-up dialogues, and the context of drawn Guanyin Lots are securely transmitted and stored in our backend database, keyed solely to your anonymous token.

Derived chart context (server-side, transient). When you request a panoramic analysis, ask a follow-up question, or draw a Guanyin Lot, your device translates your local birth fields into a rendered astrological string (stems, branches, ten gods, luck pillars, and daily elements). We transmit this derived cosmic context, never your raw birth date or precise birthplace, to our backend and third-party AI models to generate tailored, conversational insights.

Subscription and quota state (server-side). Your purchase status (free tier, subscription tier, or top-up queries) and daily usage counters are managed server-side against an anonymous subscriber identifier. All payment processing is handled strictly by Apple via your Apple ID.

Aggregate telemetry (server-side, de-identified). Performance indicators, latency metrics, and error rates are logged for app maintenance. Your anonymous device token is irreversibly salted and SHA-256 hashed before hitting our telemetry databases, making it mathematically impossible to link back to your individual session.

Apple Sign-In identity (optional, opt-in). If you choose to link your history via Apple Sign-In to secure your purchases across device upgrades, Apple shares a unique identifier for this app, a display name (first sign-in only), and an email address (which can be masked using Apple's "Hide My Email" feature). We use this solely to secure your cross-device portability roadmap. We do not send emails, nor do we cross-reference this identity with the AI model or any third-party databases. You can sever this link instantly inside the app.

What we never collect

• Your phone number, contacts, photos, or device hardware location.
• Advertising identifiers (IDFA) or tracking pixels.
• Behavioral or cross-app usage metrics sold by ad networks or third-party data brokers.

How your data is utilized

To draw your chart. All fundamental BaZi mathematics are calculated locally on your silicon chip. No remote server is ever pinged to render your map.

To power the AI readings & Oracle lots. When engaging with a dialogue or ritual, the derived astrological context and text histories are forwarded to an isolated API endpoint of a third-party AI provider to return context-aware interpretations. No personal identifiers, emails, or hardware keys are ever passed along with this request.

To respect structural boundaries. Quota records are strictly verified on our servers to protect system health without examining the underlying spiritual nature of your prompts.

Sensitive-category data handling

Because astrological charts can reveal deeply private philosophical or spiritual leanings (qualifying as special-category personal data under frameworks like GDPR Article 9), we enforce extreme isolation:

• Raw birth timestamps never touch the internet via our app.
• The derived matrix (stems, branches, cycles) cannot be mathematically reverse-engineered to pinpoint your precise original birth entry.
• Server-side chat logs are isolated using row-level security tokens, encrypted at rest, and completely excluded from persistent application diagnostic logs.

Third-party data subprocessors

We partner only with a minimal infrastructure footprint:

• Cloud Infrastructure: Core database and secure hosting providers based entirely in the United States.
• AI Intelligence: Industry-standard AI model APIs that process chat requests dynamically. We ensure your prompts and charts are never used to train public base models.
• Subscription Ledger: An anonymous backend wrapper tracking subscription status, safely decoupled from chart data, backed by Apple App Store systems.

We do not run advertising scripts or third-party behavioral analytics tracker SDKs. For full transparency regarding our subprocessor list, reach out to support.

Data retention & full erasure

Device-Local Storage: Erased instantly if you delete the app or choose "Delete account & charts" in Settings.

Server-Side Storage: Retained anonymized to support your chat continuity. Tapping "Delete account & charts" issues an immediate database wipe that replaces sensitive records with null values to protect against block storage remnants, purging completely within 30 days.

Telemetry: Aggregated system data is kept indefinitely for long-term health monitoring, fully decoupled from any identifiable user identity.

Your rights, regional scope & device portability

You retain absolute rights to access, correct, or erase your records directly inside the app. If you are in the European Economic Area or the United Kingdom, you also retain the right to lodge a complaint with your local supervisory authority. All backend elements operate via US East cloud nodes under Standard Contractual Clauses (SCCs) where international transfers apply. This app does not support or operate within mainland China.

Because our core experience relies entirely on anonymous, hardware-locked tokens, your chat history and query balances exist inside the specific device that generated them — they do not automatically migrate if you switch phones. App Store subscriptions do transfer seamlessly through Apple's native receipt architecture (Settings → Restore Purchases on the new device). Cloud synchronization is planned for our future development roadmap.

Children

This app is not directed at children under 13. We do not knowingly collect data from children under 13. The app is rated 13+ in the App Store. If you believe a minor is using the app, please contact support and we will guide them through the deletion process.

Changes to this policy

If we make a material change — new data collected, new sub-processor, change in retention — we will update the effective date at the top of this page and post a notice in the app for active users. Continuing to use the app after a material change takes effect constitutes acceptance.

Contact

Operated by Boxuan Cui. Direct all inquiries, erasure verification requests, or structural due diligence questions to [email protected].