Privacy Policy

Last updated: May 30, 2026

1. Information We Collect

As an independent developer, we follow a data minimization principle and collect only the information necessary to provide the core features of BitBeads, including the creator marketplace, wallet, and withdrawals:

Data Type	Purpose	Storage Location
Apple ID identifier	Used for unique account identification and login security.	Cloudflare D1
Email sign-in and verification code information	Including the email address you provide, verification code request and verification records, device identifier, device model, App version, IP address, and client language, used for account registration/sign-in, sending verification codes, account security protection, abuse prevention, and troubleshooting abnormal sign-ins.	Cloudflare D1 / Alibaba Cloud DirectMail / Resend
Patterns and finished images	Used for pattern sync, version management, and community sharing.	Cloudflare R2
Basic device information	Including device model and operating system version for compatibility optimization.	Cloudflare D1
Membership entitlement status	Used to determine membership package validity period, expiration status, and whether benefits are available, and stored with strict protection.	Cloudflare D1
AI image generation data	Including reference images you upload, selected styles, generated results, task status, and error information for AI image generation, result lookup, risk control auditing, and service optimization.	Cloudflare R2 / Cloudflare D1
Marketplace orders and virtual property data	Including listing identifiers, prices in virtual currency such as Caidou, order status, and purchase or download authorization checks to complete transactions, prevent duplicate purchases, reconcile records, and handle disputes.	Cloudflare D1
Creator wallet and ledger data	Including creator earnings balances in units such as Jindou, locked or available states, and records of exchanges and withdrawals for settlement, risk control, and finance reconciliation.	Cloudflare D1
Creator listing and moderation metadata	Including work metadata, categories, tags, and cover or preview asset URLs that you submit or that operators review for listing display, moderation queues, and platform enforcement.	Cloudflare D1 / R2
Camera permission and QR scan view	Used only when you actively use Scan or scan a QR code to open pattern details. The camera is used to recognize a pattern sharing QR code and navigate to the corresponding pattern detail page. The scan view is processed instantly on your device and is not used for photo upload, background collection, or any other purpose.	Processed locally in real time; not stored
Sharing commands in the clipboard	When you open the App, return it to the foreground, or actively use sharing command recognition, the App may temporarily check whether the clipboard contains text matching the BitBeads sharing command format. This is used to recognize a share short code and ask whether you want to open the corresponding pattern detail page. We do not continuously monitor the clipboard and do not read, upload, or store clipboard content unrelated to sharing commands.	Temporarily recognized locally; only the share short code is submitted to the server for resolution

Device permission and clipboard notice: Camera permission is used to scan QR codes and open pattern details. It is invoked only after you tap a scan entry and grant system permission, and its scope is limited to local QR code recognition. Clipboard access is used to recognize BitBeads sharing commands that you have copied. It is performed once when the App opens, returns to the foreground, or when you actively trigger recognition, and its scope is limited to formats such as a short code wrapped in "￥" or a BitBeads sharing short link. After a match, we use only the short code in the command to query the corresponding pattern from the server and do not upload the full clipboard content.

Email verification code note: When you use email verification code sign-in or registration, we use email delivery providers such as Alibaba Cloud DirectMail or Resend to send a login verification code to the email address you provide. Verification codes are valid for 10 minutes by default. We do not retain verification codes in plain text; the server stores only necessary records such as the verification code hash, expiration time, attempt count, request IP, and device identifier to complete verification, prevent reuse, limit abusive requests, and troubleshoot abnormal sign-ins.

Payment information note: On iOS, membership subscriptions and consumable in-app purchases such as Caidou are processed through Apple In-App Purchase (IAP). On Android, membership packages and virtual goods such as Caidou are processed through Alipay App Pay. We do not collect, store, or access your bank card number, payment password, or other sensitive financial information. To complete transactions, reconciliation, risk control, and dispute handling, we store necessary transaction records such as order numbers, payment channel, payment status, transaction identifiers, purchased items, and credited entitlements.

Withdrawals and payouts: If you apply for creator withdrawals or cooperate with finance verification, we may collect payout account information (such as account name and number) that you actively provide, only for transfers, tax, and compliance retention as described on the in-App withdrawal screens. We will not ask you to submit such information through unofficial channels.

2. Privacy Notice for AI Image Generation

Purpose of processing: When you use the AI image generation feature, we process the images and related task parameters that you actively submit in order to generate images, return results, display history, and manage daily quotas.
Third-party processing: To provide the AI image generation feature, relevant image URLs and necessary parameters will be sent to integrated third-party AI service providers for processing. Our current integrated third-party AI service provider is Grsai. We share data only to the extent necessary for this feature, which may include the access URL of your uploaded image, selected style or model parameters, task identifier, generation progress, result URL, and necessary error status information.
Result storage: After successful AI generation, the result image will be stored in our object storage so that you can later view, download, and manage it.
Risk control and auditing: We record task status, failure reasons, and necessary logs for quota management, troubleshooting, abuse prevention, and security auditing.
Deletion and account closure: You may request deletion of related data by deleting works, deleting records, or closing your account. After account closure, we will delete AI-related data associated with you in accordance with platform rules, unless laws or regulations require otherwise.
Cross-border and global transfer notice: Because we use Cloudflare's global infrastructure and third-party AI services, related data may be transmitted through or stored on server nodes outside mainland China during transfer, caching, or processing. We will make reasonable efforts to require our partners to protect such data according to standards no lower than those described in this policy.
Retention period: AI task logs are retained for a reasonable period necessary to provide the service, troubleshoot issues, and satisfy required compliance obligations. AI source images you upload and generated result images will be deleted when you delete them, delete related records, close your account, or when they are cleared under server-side cleanup policies. If laws or regulations require a longer retention period, we will delete or anonymize the data after the required period ends.

3. Storage and Security of Information

Global storage: We use Cloudflare's global infrastructure, including D1 databases and R2 storage, to store your data.
Encrypted transmission: All of your data is protected in transit using HTTPS encryption.
Access control: Your personal patterns are protected by authentication such as JWT and are accessible only to you or within the community scope you authorize.
Verification code security: We store verification codes only after hashing and reduce misuse risks through expiration, attempt limits, and request rate limits.

4. Third-Party Services

To provide a complete service experience, we integrate the following third-party services:

Sign in with Apple: Used for user authentication.
Alibaba Cloud DirectMail / Resend: Used to send login/registration verification codes to the email address you provide. To deliver verification emails, we provide email delivery providers with necessary information such as your email address, verification email subject, and email body.
Apple StoreKit API: Used for iOS membership packages, consumable purchases such as Caidou, and purchase restoration. iOS IAP payments are processed through Apple's systems.
Alipay App Pay: Used for Android purchases of membership packages and virtual goods such as Caidou. During payment, Alipay may process necessary payment account, transaction, and risk-control information under its rules.
Cloudflare: Used for API routing, database storage, and static asset hosting.
Grsai (third-party AI service provider): Used to process AI image generation tasks that you actively initiate, and receives only the minimum data necessary to provide this feature. Relevant data types may include image access URLs, model or style parameters, task progress, and result information.
Umeng+ SDK (service provider: Umeng Tongxin (Beijing) Technology Co., Ltd.): Used for app analytics, operational performance analysis, uninstall analysis, anti-fraud, and security risk control.
Types of personal information collected: device identifiers such as Android ID, OAID, IDFA, IDFV, OpenUDID, GUID, and, where permitted by system settings and applicable compliance requirements, IMEI, IMSI, ICCID, and MAC address; basic device information such as device brand, model, operating system version, App version, distribution channel, language, and time zone; network information such as IP address, network type, and carrier information; App usage behavior and event logs; crash or performance information; and, if you authorize it or related features require it, geolocation information.
Privacy policy: https://www.umeng.com/policy

We do not sell your personal data to advertisers or other third-party organizations.

5. Your Rights

You have full control over your own data:

You can view or edit your account profile in the App's personal center.
You can delete specific patterns or works at any time.
Complete account closure: You may request account closure in settings. Once completed, we will permanently delete all personal data associated with you from our database (D1) and storage bucket (R2).

6. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. Any major changes will be communicated through in-app notices or by updating this page: https://pindou.aimagicengine.com/protocol/privacypolicy