Privacy Policy

Last updated: June 9, 2026 | Effective date: June 9, 2026

Welcome to Niannian Diary (念念日记) ("the App", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data. We primarily serve users in the Asia-Pacific and North America regions, use the Singapore Personal Data Protection Act 2012 (PDPA) as our baseline compliance framework, and also comply with the data protection laws applicable in your jurisdiction (including, without limitation, California's CCPA/CPRA and Canada's PIPEDA).

Summary: We collect the data needed to provide accounts, diary and note features, AI generation, sync, export, feedback, and service security. Your content is protected in transit by encryption. We do not sell your personal data, and we do not use your diary content to train our own AI models. AI features are optional and can be turned off at any time in Settings; basic recording features remain fully available. You can export, edit, or delete your data in the App.

1. Data We Collect

1.1 Data You Provide

Data TypeDetailsPurpose
Account informationApple Sign-In identifier, email address, display name, and avatarAccount creation and management, login verification, and account security
Login and security recordsLogin time, login method, and risk-control / anti-abuse recordsAccount security and prevention of account takeover and abuse
Diary and note contentDiary text, Q&A records, free-form notes, tags, mood, and weatherCore diary and note features: storage, search, statistics, export, and AI generation
Media uploadsPhotos and images you attach to diary entries or notesMedia storage and display
Location informationLocation is an optional feature. Only when you actively tap to locate, the App obtains your device coordinates once in the foreground and uses the iOS system (Apple CoreLocation / CLGeocoder) to reverse-geocode them on the device into city / district / street text. Only that place text is saved to our servers with your diary entry (you can edit or delete it before saving), and our servers do not store raw GPS coordinates; if reverse geocoding cannot produce a place name, the App may fall back to approximate coordinate text. Location text you enter manually is likewise stored with your diary entryTo add location context to diary entries
Profile informationNickname and avatar you set manuallyPersonalisation
FeedbackContent and contact information you submit through in-app feedbackSupport, troubleshooting, and product improvement

1.2 Data Collected Automatically

Data TypeDetailsPurpose
Device and app informationDevice model, OS version, app version, and language settingsCompatibility, troubleshooting, and service optimisation
Usage and log dataFeature usage records, operation logs, error logs, and crash reportsService operation, security audit, troubleshooting, and product improvement
Network informationIP address, network type, and request timeSecurity, abuse prevention, service optimisation, and approximate region detection

1.3 Data We Do Not Collect

2. How We Use Your Data

We do not use your data for personalised advertising.

3. AI Services and Third-Party Data Processing

Important: We do not proactively use your diary content to train our own AI models.

For third-party AI services, we prioritise providers that commit not to use API request content to train models or that provide appropriate data protection commitments. A provider's handling of request data remains subject to its applicable service terms, privacy policy, and data processing commitments.

When you use AI diary generation, AI question recommendation, AI profile summary, or similar AI features, relevant diary entries, notes, tags, mood labels, location text, and other necessary content may be sent to a third-party AI service provider for processing. We minimise the content sent and avoid sending account identifiers, email addresses, or other unnecessary information.

3.1 AI Service Providers

ProviderRolePurposeData Processing Region
Qwen (Alibaba Cloud International)AI providerDiary generation, question recommendation, AI profile summary, and related AI featuresSingapore (Alibaba Cloud International)

When the AI provider has availability issues (e.g., timeouts, quota exhaustion, or network failures), the App automatically falls back to local basic template generation that does not rely on any third-party AI, in order to maintain service continuity; in that case your content is not sent to any other third-party AI provider. We currently do not send your content to AI providers in Mainland China for processing.

3.2 Data Minimisation

4. Data Storage and Security

4.1 Storage Location

We prioritise Singapore and Asia-Pacific cloud infrastructure to provide the service. Depending on the actual deployment of cloud hosting, object storage, content delivery, email, and AI service providers, some data may be processed or transferred outside Singapore. For cross-border transfers, we use reasonable measures such as encrypted transmission, access controls, and contractual safeguards to ensure a standard of protection comparable to that of the PDPA.

4.2 Security Measures

4.3 Encryption Disclosure (Important)

The current version of this App does not provide end-to-end encryption (E2EE).

This means:

End-to-end encryption is on our product roadmap and may be offered in a future version. We will announce it in release notes when available.

While we take reasonable security measures, no method of internet transmission or electronic storage is 100% secure. We recommend that you regularly export and back up your important data.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to any third party. We may share your data only in the following limited circumstances:

ScenarioDetails
AI service processingData transfer necessary for AI features (see Section 3)
Email servicesSending account-related emails, security notices, or support replies
Cloud services and content deliveryServer hosting, databases, image storage, content delivery, logs, and security protection
Payment processingVIP subscriptions are processed through Apple In-App Purchase; we do not directly handle your payment card information
Security and complianceInvestigating fraud, abuse, security incidents, unlawful conduct, or Terms violations
Legal requirementsWhen required by law, regulation, court order, public authority, or regulator
User consentWith your explicit consent
Business transferIn the event of a merger, acquisition, or asset transfer, your data may be transferred; we will notify you in advance

6. Cookies and Tracking Technologies

This App does not use cookies or web tracking technologies (as it is a native mobile application).

We may use the following technologies for service optimisation:

We do not use any third-party advertising tracking SDKs and do not participate in cross-app tracking.

7. Data Retention

Data TypeRetention Period
Account and diary dataRetained for the duration of your account
Deleted diary entriesDeleted from your account-visible data and primary service database after you delete them; residual copies in backups, caches, or logs are cleared according to system cycles, except where retention is needed for legal, compliance, security, or dispute-resolution purposes
Account deletion dataAfter you request account deletion, your account enters an approximately 30-day recovery period. After the recovery period, personal data that is no longer required will be deleted or anonymised through our system process, except where retention is needed for legal, compliance, security, or dispute-resolution purposes
Server logsAutomatically purged after 90 days
Crash reportsAnonymous data retained for up to 180 days
Verification-code and abuse-prevention recordsRetained for a limited period as needed for security, anti-abuse, and audit purposes

We retain personal data only as long as needed for the purposes described in this Policy, to comply with legal obligations, resolve disputes, maintain security, or enforce agreements. When personal data is no longer required, we will delete, anonymise, or otherwise cease retaining it by reasonable means.

8. Your Rights

8.1 Rights Under Singapore PDPA

If the Singapore PDPA applies to you, you may exercise the following rights:

You can also edit your profile and diary content directly in the App, use the export feature to obtain your data, or request account deletion from the Profile page.

8.2 Users in the EU / EEA (GDPR)

If you are a resident of the European Union or the European Economic Area, under the General Data Protection Regulation (GDPR) you additionally have the following rights:

Our legal bases for processing your data are: (a) your consent; (b) performance of our service contract with you; and (c) our legitimate business interests.

8.3 Users in Other Asia-Pacific Jurisdictions

This App is currently available in the following Asia-Pacific countries and regions: Singapore, Japan, South Korea, Hong Kong SAR, Macao SAR, Taiwan, Malaysia, Thailand, the Philippines, Australia, and New Zealand. If any of the following laws or similar local data protection laws apply to you, you may have rights of access, correction, deletion, withdrawal of consent, and the right to lodge a complaint with your local data protection authority:

We will respond to your rights requests in accordance with the law applicable to you, and on a standard no lower than the Singapore PDPA.

8.4 United States Users (California CCPA/CPRA and Other State Privacy Laws)

If you are a resident of California (CCPA/CPRA), Virginia, Colorado, or another U.S. state that has enacted a comprehensive privacy law, you have the following rights. The categories, sources, and purposes of the personal information we collect are described in Section 1, and the disclosure scenarios in Section 5 (which together serve as our "notice at collection").

We do not make solely automated decisions based on sensitive personal information that produce legal or similarly significant effects. You may submit a request via the email below; after verifying your identity, we will respond within the period required by applicable law (generally 45 days in California, extendable where necessary).

8.5 Canada Users (PIPEDA)

If Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) or provincial laws such as Quebec's Law 25 apply to you, you have the right to access and correct your personal information and to complain about how we handle it. We collect and use your personal information on the basis of consent; when personal information is transferred to third-party service providers (including providers located outside Canada, such as in Singapore) for processing, we use contractual and other means to ensure a comparable level of protection and remain accountable for that processing. You may complain to the Office of the Privacy Commissioner of Canada (OPC).

8.6 How to Exercise Your Rights

After verifying your identity, we will handle your request as soon as practicable and respond within the period required by applicable law; if more time is needed, we will try to explain why and provide an estimated timeline.

9. Third-Party Services

This App may integrate or link to the following third-party services:

ServiceProviderPurpose
Apple Sign-InApple Inc.User authentication
Email serviceResend (primary) / SMTP provider (backup)Sending account-related emails, security notices, or support replies
Location and reverse geocodingApple CoreLocation / CLGeocoder (iOS system)Obtaining device coordinates and reverse-geocoding them into city / district / street text
Apple In-App PurchaseApple Inc.VIP subscription payments
AI featuresQwen (Alibaba Cloud International / Singapore)AI diary generation, question recommendation, and AI profile summary
Object storage and content deliveryCloudflare (R2 object storage + CDN)Storage and global accelerated delivery of user-uploaded images

Each third-party service provider has its own privacy policy, and we recommend you review how they process data. We transmit to third parties only the minimum data necessary to provide the service.

10. Children's Privacy

This App is not intended for children under 13 years of age, for minors below a higher minimum age set by applicable local law (some APAC jurisdictions set 14 or 16 as the threshold), or for minors who require parental or guardian consent under applicable local law but have not obtained it.

11. Cross-Border Data Transfers

Your core data is processed primarily through Singapore and Asia-Pacific infrastructure. Cross-border data transfers may occur in the following situations:

We take reasonable steps under the PDPA Transfer Limitation Obligation to ensure that overseas recipients provide a standard of protection comparable to that of the PDPA, unless an applicable legal exception applies.

12. Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals, or that meets a notification threshold under applicable law, we will assess, contain, and remediate the incident, and notify affected users and the relevant supervisory authorities of applicable jurisdictions as required by law (including but not limited to Singapore PDPC, Hong Kong PCPD, New Zealand Privacy Commissioner, Australia OAIC, relevant U.S. state attorneys general, and the Office of the Privacy Commissioner of Canada (OPC)).

13. Changes to This Policy

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or need to make a complaint, please contact us:

Data Protection Officer
📧 Email: support@niannian.app

After verifying your identity, we will review and respond to your request as soon as practicable. If a request is complex or requires more time, we will let you know our estimated processing time. If you are not satisfied with our response, you may also consult or lodge a complaint with the data protection authority in your jurisdiction (such as Singapore PDPC, Hong Kong PCPD, Taiwan's PDPA competent authority, New Zealand Privacy Commissioner, Australia OAIC, relevant U.S. state authorities, or the Canada OPC).