Privacy Policy
Effective date: April 21, 2026 · GDPR · CCPA/CPRA · PIPL compliant
This policy describes how 肖桓颉 (Xiao Huanjie) ("we", "us") collects, uses, stores, shares, and protects your personal information when you use airrapp.com (the "Service").
Core commitments: We do not use your submitted answers or free-form text to train AI models. We do not sell your data. We do not use it for ad targeting.
1. What we collect
1.1 Information you actively provide
- Questionnaire answers: 30 free + 20 paid questions, including free-form text
- Basic info: identity/role, current anxiety source, 3-year vision (3 free-text fields)
- Payment email: collected by Lemon Squeezy at checkout and shared with us for receipt purposes
1.2 Automatically collected
- Technical logs: IP address (retained only at region level after Cloudflare processing), User-Agent, timestamp, access path
- Local storage: draft & report cache (stored in your browser localStorage — not uploaded)
- Cookies: see §5 below
1.3 What we do NOT collect
We do not collect your credit-card number, legal name, ID, location, contacts, face/voice, or any biometric data.
2. Why we collect (legal basis)
| Purpose | Data | GDPR basis |
| --- | --- | --- |
| Generate personalized AI report | Answers + basic info | Contract, Art. 6(1)(b) |
| Send order/receipt/support emails | Email | Contract, Art. 6(1)(b) |
| Security / anti-abuse | IP, UA, logs | Legitimate interest, Art. 6(1)(f) |
| Legal obligation (tax, anti-fraud) | Orders + IP | Legal obligation, Art. 6(1)(c) |
3. Sub-processors
We rely on the following vendors under signed Data Processing Agreements, restricted to processing data only on our instructions:
| Vendor | Purpose | Location |
| --- | --- | --- |
| Cloudflare, Inc. | CDN, DNS, edge compute (Workers/KV), DDoS | US / global edge |
| Lemon Squeezy Inc. | Payments, invoicing, tax (Merchant of Record) | US |
| Apiyi (api.apiyi.com) | AI-model proxy for OpenAI GPT-5.4-mini / Anthropic Claude Opus 4.7 | China |
| OpenAI / Anthropic (via Apiyi) | AI inference | US |
Your questionnaire text is transmitted through Apiyi to OpenAI/Anthropic in request-response form for the current report only. Both OpenAI and Anthropic state that API submissions are not used for model training by default (see their official privacy terms).
4. Retention & deletion
- Answers and report body: automatically purged from our servers within 30 days after generation; the copy in your browser localStorage is under your control.
- Order records (incl. email): retained 7 years for tax/anti-fraud obligations.
- Technical logs: ≤ 30 days at Cloudflare.
Email support@airrapp.com any time to request earlier deletion.
5. Cookies & similar tech
We use no third-party advertising or tracking cookies. Only:
- Strictly necessary localStorage for draft, report cache, language preference, and payment session reference — not cookies under EU law; no banner required.
- Cloudflare __cf_bm cookie: ~30 min, bot-management only.
6. Your rights
Depending on your jurisdiction (EEA/UK/California/others), you have rights to:
- Access a copy of your data
- Rectify inaccuracies
- Erase / be forgotten
- Restrict processing
- Data portability
- Object to automated decisions
- California: opt out of "sale/sharing" (we never sell, but you may confirm explicitly)
To exercise: email support@airrapp.com. We reply within 30 days and will not discriminate against you for exercising a right.
7. Children
The Service is not directed at users under 16. If you believe a minor has submitted data, contact us immediately so we can delete it.
8. International data transfers
Because we rely on Cloudflare's global edge and overseas AI vendors, your data may be processed outside your country. We ensure compliance via:
- EU Standard Contractual Clauses (SCCs) with sub-processors;
- Data minimization (only what is necessary for this report);
- TLS encryption throughout transmission.
9. Security
We use industry-standard security measures: HTTPS everywhere, TLS 1.3, Cloudflare DDoS protection, signed JWT tokens, and Cloudflare Workers Secrets for managing sensitive keys (not visible to developers). Still, no Internet transmission is 100% secure, so please protect your device and payment email.
10. Breach notification
Upon becoming aware of a breach affecting your rights, we will notify you through your registered email and report to regulators within 72 hours.
11. Changes to this policy
We may update this policy occasionally. Material changes will be posted on the homepage and the "Effective date" above will be updated.
12. Contact / DPO
Data-protection matters: support@airrapp.com (also serves as DPO contact).
Postal address: Apt 709, Binbin Apartment, Fenghuang Subdistrict, Tianhe District, Guangzhou, Guangdong 510630, China (广东省广州市天河区凤凰街道宾宾公寓 709)