TrueUnitX Privacy Policy

Last Updated: May 7, 2026
Effective Date: May 7, 2026

Welcome to TrueUnitX. This application is operated and provided by Lingyu Li (hereinafter referred to as the "App," "we," "us," or "our"). This Privacy Policy (hereinafter referred to as the "Policy") explains how we collect, use, store, share, and protect your personal information, as well as the rights you have regarding your data.

Please read and fully understand this Policy carefully before using the App. By beginning to use the App, you acknowledge that you have read and agree to this Policy.

1. Scope of Application

This Policy applies to your entire process of using the price comparison, AI image recognition, account login, subscription purchases, invitation sharing, and other services provided through the TrueUnitX mobile application (iOS/Android).

2. Information We Collect

Based on functional realization and compliance requirements, we may process the following information:

2.1 Account and Identity Information

• Apple Sign-In identification information: identityToken, userIdentifier.
• Account profile information: Email address, nickname (as provided by Apple).
• Session credential information: Access tokens, refresh tokens (used for maintaining login status and security verification).

2.2 Image and AI Recognition Information

• Product images you actively upload or take (used for AI recognition of product names, prices, specifications, and unit information).
• AI price comparison request metadata (e.g., request ID, image sequence, file name, MIME type).
• AI recognition result data (product fields, unit price calculation results, price comparison suggestions, quota deduction results).

Note: Your images are transmitted securely via encrypted channels to Cloudflare and forwarded through its AI gateway to large language models for processing. Our servers do NOT retain, cache, or store your images after forwarding them and returning the results. AI recognition results and price comparison history are stored locally on your device only. We do not upload this data to our servers or back it up to the cloud. If you uninstall the App, change devices, clear App data, or restore factory settings, the locally stored data will be permanently deleted and cannot be recovered.

2.3 Device and Permission Information

• Camera and Photo Library permissions (used to take photos, select images, and save price comparison results or product images to your photo library).
• Clipboard permission (used for your active copying of invitation codes and other texts; we only use the system's write function and do not read the private contents of your device's clipboard in the background).
• Basic device information and log information (e.g., system version, app version, error logs, request status), used for secure operation and troubleshooting.

2.4 Transaction and Subscription Information

• Subscription status, auto-renewal status, subscription product identifiers, expiration times.
• Consumable purchase status (e.g., quota packs) and quota change information.
• Note: Payments are completed by the Apple App Store. We do not directly process your complete sensitive payment information, such as credit card numbers.

2.5 Invitation and Activity Information

• Share codes, binding relationships, invitation lists, invitation counts, reward claim statuses, etc.

3. How We Use Your Information

We only use your information within the scope necessary to fulfill business functions and legal compliance purposes, including:

• Providing login authentication, account identification, and session management.
• Forwarding your uploaded images via encrypted channels to the Cloudflare AI gateway for product recognition and price calculation, and returning the results to your device. Our servers do not store or cache your image content during this process.
• Displaying and synchronizing membership/subscription status, restoring purchases, and processing payment results (via RevenueCat).
• Providing invitation rewards, operational activities, and customer support.
• Ensuring service security, preventing fraud and abuse, and locating and fixing technical faults.
• Meeting applicable laws, regulations, and regulatory requirements.

4. Legal Basis for Processing Personal Information (For Overseas Users)

For users subject to regions like GDPR/UK GDPR, our legal basis for processing personal information includes:

• Performance of a contract (to provide the services you requested).
• Your consent (e.g., camera/photo library permissions, optional notifications).
• Legal obligations (tax, audit, compliance obligations).
• Legitimate interests (security protection, anti-abuse, service optimization), provided that such processing does not unduly prejudice your rights and freedoms.

5. Information Sharing, Delegated Processing, and Third-Party Services

To implement our functions, we may provide necessary information to delegated processors or third-party service providers. We will sign data processing agreements with them and require them to fulfill security and confidentiality obligations. Typical third-party categories include:

• Apple (login authentication, in-app payment system).
• RevenueCat (subscription and in-app purchase status management).
• Cloudflare (API gateway, network acceleration, AI model forwarding). Your requests and images are forwarded via Cloudflare's global network to AI models for processing; Cloudflare does not store your images or request content.
• AI Service Providers (image recognition and structured result returning via Cloudflare AI gateway).

We will not sell your personal information to unrelated third parties, except in the following circumstances:

• With your explicit authorized consent.
• To fulfill legal obligations or respond to judicial/regulatory requests.
• To protect your or the public's personal and property safety within a reasonably necessary scope.
• In scenarios such as mergers, acquisitions, or restructuring, provided that the receiving party remains bound by this Policy.

6. Cross-Border Data Transfer

The App provides services through Cloudflare's global network. Your requests (including images) will be transmitted via encrypted channels to Cloudflare edge nodes and forwarded by its AI gateway to large models for processing. After returning the results, our servers do not retain your data. Cloudflare's global infrastructure may cause data to pass through multiple jurisdictions during transmission. We take reasonable measures to protect the security of cross-border transfers, including but not limited to:

• All transmissions are encrypted using HTTPS/TLS.
• Only the minimum information necessary to complete the current request is transmitted.
• Signing Standard Contractual Clauses (SCCs, such as EU SCCs and UK IDTA) or adopting other transfer mechanisms that meet local legal requirements when applicable.
• Conducting Transfer Impact Assessments (TIA) for cross-border transfers involving EU/UK personal data, and adopting supplementary technical measures when necessary to meet Schrems II and subsequent regulatory requirements.
• Selecting service providers with an adequate level of data protection.

7. Information Storage and Protection

7.1 Storage Period

• Account and Transaction Information: Subscription status and transaction credentials are managed via RevenueCat and maintained as long as you hold an account. After account deletion, transaction records are retained for no longer than the statutory period (typically 5-10 years, depending on the tax and compliance requirements of the specific jurisdiction), while other personal data is deleted or anonymized within 90 days after deletion.
• AI Recognition Images: Your images are used solely for the current AI processing. They are encrypted, transmitted to Cloudflare, forwarded to the large model, and discarded by the server immediately after processing, without any retention, caching, or use for training.
• AI Recognition Results and Price Comparison History: Stored only locally on your device and managed independently by you. Retained until you actively clear the history or uninstall the App. Data is not synced to any cloud service, nor does it support export backups. Uninstalling the App, changing devices, clearing App data, or restoring factory settings will cause this data to be permanently deleted and irrecoverable.
• Logs and Security Audit Data: Cloudflare's foundational logs are retained for no more than 12 months, after which they are automatically rolled and deleted.
• After you delete your account, we will delete or anonymize your personal information to the extent permitted by law, unless otherwise required by laws and regulations.

7.2 Security Measures

We employ measures including but not limited to the following to protect your information:

• Transmission encryption (HTTPS/TLS);
• Identity authentication and access control;
• Principle of least privilege and log auditing;
• Secure development and vulnerability remediation mechanisms. Please understand that the internet environment is never absolutely secure. We will do our best to ensure information security, but we cannot promise zero risk.

7.3 Data Breach Notification

In the event of a security incident involving the leakage, loss, or unauthorized access of personal information, we will:

• Report to the competent supervisory authority within 72 hours in accordance with applicable laws (including Article 33 of the GDPR).
• If the breach is likely to pose a high risk to your rights and freedoms, we will promptly notify you via email, in-app notifications, or other reasonable means, explaining the nature of the incident, its potential impact, and the response measures we have taken or intend to take.
• Establish and maintain a data breach emergency response and recording mechanism to ensure incidents are traceable and reviewable.

8. Your Rights

Within the scope provided by applicable law, you have the following rights:

• To access, correct, or supplement your personal information.
• To delete your personal information or apply for account cancellation.
• To withdraw authorized consent (without affecting the lawfulness of processing based on consent prior to withdrawal).
• To obtain a copy of your personal information (when technically feasible and legally permissible).
• To object to or restrict certain processing activities (applicable in specific jurisdictions).
• To request an explanation of or object to automated decision-making (if applicable).

8.1 Special Note on Automated Decision-Making

The AI price comparison function of this App may involve the automated processing of images you upload to generate product recognition and price comparison results. Under applicable law requirements (including Article 22 of the GDPR):

• You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
• If automated decision-making is necessary for the performance of a contract, authorized by law, or based on your explicit consent, we will provide mechanisms for human intervention, expressing viewpoints, and raising objections.
• AI price comparison results are for reference in consumption decisions only and do not constitute legally binding decisions. You may ignore them or decide whether to adopt them at your own discretion. You can submit requests via in-app functions or the "Contact Us" channels in this Policy. We generally reply within the timeframe stipulated by law.

9. Protection of Minors

This App is primarily intended for adults and does not actively collect personal information from children. If you are a minor, please use this App with the consent and under the guidance of your guardian. The age threshold for a "child" varies by jurisdiction:

• Mainland China: Under 14 years old
• United States (under COPPA): Under 13 years old
• EU/EEA (under GDPR/AVG): 16 years old (Member states may lower it to 13 years old; subject to the specific regulations of each member state where applicable)
• South Korea: Under 14 years old
• Brazil (under LGPD): 12 to 16 years old depending on circumstances
• Other Jurisdictions: Subject to the definition under applicable local laws If you meet the definition of a child in the corresponding jurisdiction above, your guardian may act as your representative to contact us regarding personal information rights requests. If we discover that a child's personal information was collected without valid parental consent, we will immediately delete the relevant data.

10. Cookies and Similar Technologies

In the mobile app scenario, we primarily use local caching and token mechanisms to maintain login status, ensure security, and optimize the experience. They are not used for illegal tracking. Should new tracking technologies be introduced in the future, we will inform you separately and, when applicable, obtain your consent.

11. Additional Note for California Residents, USA (If Applicable)

If you are a California resident, under the CCPA/CPRA, you may have the following rights:

• Right to know, right to access, right to correct, and right to delete.
• Right to opt out of the "sale/sharing" of personal information (if applicable).
• Right to limit the use of sensitive personal information for specific purposes.
• Right to non-discrimination. Currently, our business model does not involve the "sale of personal information," nor do we "share" personal information for cross-context behavioral advertising purposes. California residents may submit rights requests via "Contact Us." We will respond within 45 days of receiving a verifiable request (which may be extended by an additional 45 days if necessary).

12. Additional Note for Mainland China Users

We comply with the requirements of the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and other relevant laws and regulations, and implement processing principles such as minimum necessity, purpose limitation, openness, transparency, and security assurance.

13. Additional Notes for Users in Other Jurisdictions

13.1 Brazilian Users (LGPD)

If you are located in Brazil, under the Lei Geral de Proteção de Dados (Lei nº 13.709/2018), you have rights regarding confirmation of processing, access, correction, deletion, data portability, information, and objection to automated decision-making. The legal bases we rely on when processing data include performance of a contract, legitimate interests, legal obligations, and your consent.

13.2 Japanese Users (APPI)

If you are located in Japan, under the Act on the Protection of Personal Information, we will adhere to principles such as purpose limitation, proper acquisition, ensuring data accuracy, and security management when collecting, using, and providing personal information. You have the right to request disclosure, correction, suspension of use, or deletion of your retained personal information.

13.3 South Korean Users (PIPA)

If you are located in South Korea, under the Personal Information Protection Act, we adhere to the principles of purpose limitation, minimum collection, and security protection when collecting and using personal information. You may request access to or correction of your personal information, withdraw consent, and request deletion or suspension of processing.

13.4 Canadian Users (PIPEDA)

If you are located in Canada, under the Personal Information Protection and Electronic Documents Act and applicable provincial laws (e.g., Quebec's Law 25), you have the right to access and correct your personal information, withdraw consent, and lodge a complaint regarding how we process your data.

13.5 Australian Users

If you are located in Australia, we process personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your information and to lodge complaints regarding privacy issues.

13.6 Indian Users

If you are located in India, under the Digital Personal Data Protection Act, 2023, we will adhere to principles such as lawful purposes, minimum collection, data quality, and security when processing your personal data. You have the rights of access, correction, erasure, grievance redressal, and nomination.

13.7 Southeast Asian Users

If you are located in Singapore, Thailand, Indonesia, or other Southeast Asian countries, we process personal information in accordance with local applicable laws (e.g., Singapore's PDPA, Thailand's PDPA, Indonesia's PDP Law) and respect the rights you hold under local laws.

14. Policy Updates

We may update this Policy according to business or legal changes. Material changes will be communicated to you via in-app announcements, pop-ups, or other reasonable means. By continuing to use the App after an update, you are deemed to have agreed to the updated Policy.

15. Contact Us

If you have any questions, comments, or complaints regarding this Policy or personal information protection, you may contact us through the following channels:

• Contact Email: privacy@trueunitx.com
• Data Protection Officer (DPO) Contact: dpo@trueunitx.com
• General Support and Feedback: support@trueunitx.com
• In-App Entrance: Settings > Privacy Policy / Account Management If you wish to exercise your right to delete data or cancel your account, please indicate "Personal Information Rights Request" in the email subject line.