OOPLOT

Privacy Policy

Last updated: June 15, 2026

1. Introduction and Scope

OOPLOT (hereinafter referred to as “we,” “us,” or “the Platform”) values your privacy. This Privacy Policy explains how we collect, use, store, share, transfer, and protect your personal information. This Policy applies to the OOPLOT website (ooplot.net and its subdomains), mobile applications, APIs, and related services (collectively, the “Services”). By using our Services, you acknowledge that you have read and agree to this Policy. If you do not agree to any part of this Policy, please stop using the Services. This Policy should be read together with our Terms of Service.

2. Definitions

For the purposes of this Policy:

  • Personal Information means any information relating to an identified or identifiable natural person recorded electronically or otherwise, excluding information that has been anonymized.
  • Sensitive Personal Information means personal information that, if leaked or used unlawfully, may easily cause harm to the dignity of a natural person or endanger personal or property safety, including biometric, religious belief, specific identity, medical and health, financial account, and行踪轨迹 information, as well as personal information of minors under the age of 14.
  • Processing means the collection, storage, use, processing, transmission, provision, disclosure, deletion, and other handling of personal information.
  • Data Controller/Processor: The OOPLOT operating entity acts as the personal data controller that determines the purposes and means of processing personal information.

3. Information We Collect

We collect personal information only to the minimum extent necessary to achieve the purposes described in this Policy, including:

  • Account Information: email address, username, nickname, password hash, role, membership plan, subject area, research topics, etc., that you provide when registering.
  • Usage Data: pages you visit, features you use, clickstream, IP address, browser type and version, operating system, device type, time zone, language preference, referral source, and session identifiers.
  • Uploaded Content: CSV data files, images, PDF files, template code, chart configurations, and project data you choose to save, used for AI template extraction, chart generation, and service improvement.
  • Transaction Information: payment status, transaction ID, order number, subscription plan, amount, currency, and invoicing information returned by payment service providers such as Stripe, PayPal, Alipay, and WeChat Pay. We do not store full bank card numbers or payment passwords.
  • Communications: customer service emails, feedback, survey responses, and contact details you send to us.
  • AI Interaction Data: prompts, code, improvement requests, AI response summaries, token consumption, task types, execution results, and error logs you submit to AI services, used for service provision, billing review, and quality optimization.
  • Cookies and Similar Technologies: identifiers, preference settings, and usage statistics collected through cookies, local storage, session storage, pixel tags, etc.
  • Visitor Identifier: when you use the Services without logging in, we may generate an anonymous visitor identifier to limit free AI extraction attempts, which is typically reset monthly.

4. Legal Basis for Processing

We process your personal information based on the following legal grounds:

  • Performance of a Contract: processing necessary to provide your account, template editing, chart generation, AI assistance, and membership services.
  • Your Consent: we obtain your explicit consent before collecting sensitive personal information, using non-essential cookies, sending marketing communications, or conducting certain cross-border transfers; you may withdraw consent at any time.
  • Legitimate Interests: processing necessary to improve the Services, prevent fraud and abuse, ensure account security, analyze usage, and maintain network security, where such interests do not override your fundamental rights and freedoms.
  • Legal Obligations: processing to comply with tax, financial, anti-fraud, judicial, or regulatory requirements.
  • Material Public Interest: in rare cases, processing necessary to protect national security, public health, or other material public interests.

5. How We Use Your Information

We use the information we collect for the following purposes:

  • To create and maintain your account, verify identity, and provide login and access control;
  • To provide, maintain, optimize, and improve core services such as template browsing, editor, builder, AI assistance, and chart export;
  • To process payments, subscriptions, invoices, refunds, and customer support;
  • To execute AI calls, code improvements, error correction, quota management, and billing review;
  • To analyze platform performance, user behavior, and product usage to optimize user experience;
  • To detect, prevent, and respond to fraud, abuse, security incidents, and violations of the Terms of Service;
  • To send service notifications, security alerts, billing information, and marketing messages (only with consent);
  • To comply with applicable laws, regulations, tax, audit, and regulatory requirements.

6. Cookies and Similar Tracking Technologies

We use cookies, local storage, session storage, and similar technologies to:

  • Essential Cookies (cannot be disabled): maintain login state (ooplot_token), security verification, gate pass, session identifiers, and basic functionality.
  • Analytics Cookies (optional): count page views, feature usage frequency, error rates, etc., to improve the product. You may decline via the cookie banner.
  • Advertising Cookies (optional): partners such as Google AdSense may use cookies to collect non-personally-identifiable interest data to deliver relevant ads. You may still see non-personalized ads after declining.

You can manage your consent preferences through the cookie banner on your first visit, or clear cookies at any time in your browser settings. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

7. Third-Party Services and Data Sharing

We share personal information only with the following categories of third parties to the extent necessary, and require them to comply with this Policy and applicable data protection laws:

  • Cloud Infrastructure and Database: Supabase (database hosting). Data may be stored in the United States or the European Union. We ensure compliance through Supabase's Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC).
  • Payment Processors: Stripe, PayPal, Alipay, WeChat Pay, for processing subscription payments. The scope of sharing is limited to the information necessary to complete the transaction.
  • AI Service Providers: OpenAI, Kimi (Moonshot), DeepSeek, Anthropic, Alibaba Cloud, etc. Your code, data descriptions, and improvement requests are transmitted to these providers for processing.
  • Advertising and Analytics Partners: Google (AdSense, Analytics), etc., with whom we share anonymized or pseudonymized usage data. See Google's Privacy Policy.
  • Email and Communication Services: Resend, SendGrid, or SMTP providers, used to send verification codes, notifications, invoices, and marketing emails.
  • Legal and Regulatory Authorities: we may disclose necessary information to law enforcement agencies, courts, or regulators when required by laws and regulations, to protect our legitimate rights and interests, or to respond to security incidents.

We do not sell your personal information. We also do not share your personal information with third parties for their independent marketing purposes unless we have obtained your explicit consent.

8. International Data Transfers

Because we use global cloud and AI services, your personal information may be transferred to, processed, or stored on servers outside your country or region, including China, the United States, the European Union, Japan, and South Korea. We ensure the legality and security of cross-border transfers through the following mechanisms:

  • For EEA/UK Users: when transferring data outside the EEA/UK, we rely on Standard Contractual Clauses (SCC) under Article 46 of the GDPR, together with appropriate supplementary measures.
  • For Mainland China Users: under the Personal Information Protection Law (PIPL), cross-border transfers of personal information will follow statutory pathways such as security assessment, personal information protection certification, or standard contracts, and we will obtain your separate consent where applicable.
  • For US Users: when transferring personal information outside the United States, we ensure that recipients provide a level of data protection substantially equivalent to that described in this Policy and comply with applicable state privacy laws.
  • For Japan Users: when transferring personal information to a third country, we inform you of the recipient's country/region and the personal information protection system in place, and obtain your consent or take other measures permitted by the APPI.
  • For Korea Users: when transferring personal information overseas, we comply with the notice, consent, and security safeguard requirements of the Personal Information Protection Act (PIPA), and may ensure an adequate level of protection through mechanisms such as DPA/SCC.

Regardless of where data is processed, we will take contractual, technical, and organizational measures to ensure its security.

9. Data Security

We adopt industry-standard security measures to protect your data, including: full-site HTTPS/TLS encrypted transmission; database row-level security (RLS) and access controls; JWT authentication and password hashing; AES encryption for sensitive configuration storage; and regular security reviews and log monitoring. Chart generation and core data processing are performed locally in your browser by default (based on Pyodide WebAssembly), so raw data is not uploaded to our servers. When you choose to use remote rendering services, code and data are transmitted to our VPS servers for processing using TLS encryption, and data is not retained on the servers for an extended period after processing. Although we have taken the above measures, no system is absolutely secure, and we cannot guarantee absolute security of data transmission or storage.

10. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy. After the retention period expires, we will delete or anonymize the information:

  • Account information and profile: retained for 90 days after account deletion (for financial audit, dispute resolution, and compliance), then deleted or anonymized;
  • Payment and tax records: retained for 7 years or longer as required by applicable law;
  • Chart generation and project logs: retained for 12 months;
  • AI call records: retained for 6 months;
  • Cookie consent records: retained for 12 months;
  • Customer service and communication records: retained for 2 years or a reasonable period after the relevant issue is resolved;
  • Visitor extraction records: retained until the end-of-month reset or 30 days, whichever is shorter.

11. Your Rights

Depending on the applicable law in your jurisdiction, you may have the following rights regarding your personal information. We will respond to verifiable requests within 30 days, or up to 60 days for complex cases, with an explanation for the extension.

  • Right to Access: view the data we hold about you in the user center after logging in, or request a copy by email.
  • Right to Rectification: modify inaccurate or incomplete information on your profile page.
  • Right to Erasure (“Right to be Forgotten”): delete your account in account settings, or request deletion by emailing support@ooplot.net. Some information may be retained for a period required by law after deletion.
  • Right to Restrict/Suspend Processing: request that we restrict or suspend processing of your personal information in specific circumstances.
  • Right to Data Portability: request your personal data in a structured, commonly used, machine-readable format (such as JSON) and, where technically feasible, transfer it to another service provider.
  • Right to Object: object to direct marketing, profiling, or certain automated processing based on legitimate interests.
  • Right to Withdraw Consent: for processing based on consent, you may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: if you believe we have infringed your rights, you may file a complaint with the data protection supervisory authority in your location.

To exercise these rights, please contact us using the details at the end of this Policy. We may need to verify your identity.

12. Sensitive Personal Information

We generally do not actively collect sensitive personal information. If images, PDFs, or data you upload contain sensitive content such as biometric information, medical and health information, or financial account information, we will process it only with your explicit consent or other statutory basis, and apply stricter protective measures. For minors under the age of 14, we process their personal information only with the consent of their guardians.

13. Children's Privacy

Our Services are not directed to children under the age of 13 (or the higher minimum age prescribed in your jurisdiction). We do not knowingly collect personal information from children. If you discover that a child has provided personal information to us, please contact us immediately and we will take steps to delete the relevant information. For Mainland China users, we comply with minor online protection regulations and require users under the age of 14 to use the Services under the supervision of a guardian.

14. Automated Decision-Making and Artificial Intelligence

We use AI technologies to assist with code generation, chart improvement, and template extraction. These systems generate outputs based on your inputs and do not constitute automated decision-making that produces legal effects or similarly significant effects on you (unless otherwise defined by applicable law). AI outputs are for reference only, and you are responsible for the final results. We do not make decisions to refuse service, adjust pricing, or take other materially adverse actions solely based on automated decision-making.

15. Policy Updates

We may update this Privacy Policy from time to time. The updated Policy will be posted on this page with a revised “Last updated” date. For material changes, we will notify you through website announcements, email, or a prompt when you next log in. Please review this page periodically. Your continued use of the Services constitutes acceptance of the updated Policy.

16. Contact Us and Data Protection Officer

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us as follows:

  • Email: support@ooplot.net
  • Data Protection Officer (DPO): dpo@ooplot.net (for GDPR, PIPL, and other data protection inquiries)
  • Mailing address: OOPLOT, [Company registered address to be filled in]

We will respond to your request as soon as possible, usually within 30 days. In case of inconsistency between any translated version and the Chinese version, the Chinese version shall prevail.