Privacy.
Written by humans. Meant to be read. The legal version is below — this part is the truth in plain language.
IN SHORT
- Your tasks, memories, and conversations live on your device. We don't see them.
- What syncs across your iPhone and Mac is end-to-end encrypted. We hold the box. You hold the key.
- We don't sell data. We don't train models on your content. We don't run ads.
- If you delete An, your data goes with it. No 90-day backups quietly waiting on a server.
- If we ever break any of these, we will tell you on the home page within 72 hours. That's the deal.
01What we collect
Two buckets, and we keep them strictly separate.
On your device (we don't see this)
Tasks, calendar events you let An read, conversations with the assistant, briefings, the contents of your Memory Center, and the priority signals derived from all of the above. This data never leaves your device unencrypted.
On our servers (we do see this)
| Type | Why |
|---|---|
| Apple ID hash | To know your subscription is valid. We store a one-way hash, not your email. |
| Encrypted sync blobs | Opaque ciphertext we shuttle between your devices. We can't read it. |
| Crash reports | Stack traces only. Stripped of any personal content. Off by default. |
| Anonymous usage counters | "How many people opened a briefing today." Aggregated, not per-user. Off by default. |
02Where it lives
On your device, encrypted with a key generated locally on first launch and held in iCloud Keychain. Sync blobs travel through our own backend servers in mainland China and are routed via TLS 1.3, then stored encrypted at rest. We don't hold the key.
We do not have a database of "what tasks Lin has." We have a database of opaque blobs labeled by device hash.
03Who can see it
Your data: only you. Even if our entire team wanted to read what's in your Memory Center, we couldn't — we don't have your key.
Aggregate metrics (when you opt in): the engineering team, anonymized. "How many briefings were sent yesterday?" — yes. "What did Lin's briefing say?" — never.
Government requests: we publish every one we receive in our Transparency Report. To date: zero.
04Third parties
The shortest list we could write.
| Vendor | What they do | Sees your content? |
|---|---|---|
| Apple | App distribution, payments, Sign in with Apple | No |
| Cloudflare | Edge routing, DDoS | No (encrypted in transit) |
| Our own backend (CN) | Storage of encrypted sync blobs | No (encrypted at rest) |
| iCloud Keychain | Holds your encryption key only | No (Apple-encrypted; we never see it) |
No analytics SDKs. No advertising networks. No "AI partners" we ship your conversations off to.
05Your rights
PIPL (mainland China) and CCPA (California) give you the rights below. We honor the same set globally — your region doesn't change what we do.
- Access — see everything we have about you. (Spoiler: it's your subscription hash and a list of opaque blobs.)
- Export — full backup of your on-device data, in open JSON. Settings → Memory Center → Export.
- Delete — Settings → Account → Delete everything. Server-side blobs are wiped within 24 hours.
- Object & restrict — turn off analytics, sync, or any specific processing in Settings → Privacy.
No forms. No "please allow up to 30 days." The buttons exist, you press them, things happen.
06Children
An is built for adults. We don't knowingly collect data from anyone under 14 (mainland China). If we learn we have, we delete it.
07Changes
When this policy changes meaningfully, we email you 30 days before it takes effect. "Meaningful" means: anything that expands what we collect, store, or share. Typo fixes don't count.
A diff of every revision lives in our public changelog on GitHub. You can always see what changed and when.
08Contact
Privacy questions, data requests, or anything that feels off — write to us. A real person responds within two business days.
Privacy team
Two-business-day response. If we're slower than that, escalate.
privacy@yiyiii.comData Protection Officer · YIYIII (Hangzhou) Technology Co., Ltd.