奇画 AI

最近更新 / Last Updated: 2026-05-19

隐私政策 · Privacy Policy

适用框架 / Frameworks: PIPEDA (Canada) + PIPL (PRC extraterritorial)

本页中英双语并列; 中文为约定本, 英文为参考翻译, 二者冲突时以中文为准.
This page is presented bilingually; the Chinese text is authoritative and the English text is a reference translation. In case of inconsistency, the Chinese text prevails.

1. 数据控制者/ 1. Data Controller

本《隐私政策》(以下简称 "本政策") 由 Stellar Byte Tech Team (StellarByte, 加拿大不列颠哥伦比亚省合法注册的法人实体, 法人代表 Harrison Ming, 注册地温哥华, 以下简称 "我们") 制定并发布. 我们是您在使用奇画 AI (qihuaai.com, 以下简称 "本平台") 期间所收集个人信息的数据控制者 (Data Controller).

本政策遵循加拿大《个人信息保护与电子文件法》(Personal Information Protection and Electronic Documents Act, PIPEDA) 与中国《个人信息保护法》(以下简称 "PIPL") 的双重要求. 由于本平台面向中国大陆用户提供服务, 我们承认 PIPL 第 3 条的域外适用并相应履行用户权利保障义务.

This Privacy Policy is published by Stellar Byte Tech Team (StellarByte), a corporation duly incorporated under the laws of the Province of British Columbia, Canada, with registered office in Vancouver and represented by Harrison Ming ("we", "us"). We are the data controller of the personal information collected from your use of qihuaai.com (the "Platform").

This Policy is designed to satisfy both the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the People's Republic of China Personal Information Protection Law ("PIPL"). Because the Platform provides services to data subjects located in mainland China, we acknowledge the extraterritorial application of Article 3 of PIPL and undertake the corresponding obligations to safeguard data subject rights.

2. 我们收集的数据/ 2. Data We Collect

  • 账户数据: 邮箱地址、口令哈希 (我们不存储明文口令)、注册时间、注册 IP、套餐与订阅状态、API Key 元数据 (我们不存储 Key 明文, 仅存哈希 + 前 8 位指纹).
  • 使用数据: 您每次调用模型时输入的 prompt 文本、上传的图像或参考素材、生成的产物 (图像 / 视频 / 音频) 以及 call_id、调用时间戳、模型 ID、上游 provider、token / 帧 / 秒数等计量数据.
  • 计费数据: 每次调用的预扣 (hold) / 实扣 (settle) / 退款 (refund) credits 记录、余额变动流水、充值与订阅交易凭证 (Stripe、NowPayments 等持牌支付方代收, 我们不直接存储信用卡号或加密货币私钥).
  • 技术数据: IP 地址、浏览器 UA、操作系统、设备指纹 (通过 Sentry 收集用于错误归因)、Cookie 标识符、Referer、错误堆栈与会话回放 (默认开启采样, 您可在 Cookie 设置中关闭 session replay).
  • 客服数据: 您通过 abuse@、support@、billing@、legal@、privacy@ 等邮箱与我们交互的内容, 以及您在工单系统提供的截图与上下文.
  • Cookie: Supabase 鉴权 Cookie (必要)、CSRF token (必要)、Sentry 性能采样 (可选).
  • Account data: email address, password hash (no plaintext password storage), registration timestamp and IP, plan and subscription status, API key metadata (we store only a hash and the first 8 characters as a fingerprint; the plaintext key is never stored).
  • Usage data: prompt text you input on each invocation, uploaded images or reference materials, generated outputs (images / videos / audio), and associated call_id, invocation timestamps, model IDs, upstream provider identifiers, and metering data such as tokens, frames or seconds.
  • Billing data: per-invocation hold / settle / refund credits records, balance change ledger, top-up and subscription transaction receipts collected via licensed payment processors such as Stripe and NowPayments. We do not directly store credit-card numbers or crypto private keys.
  • Technical data: IP address, browser user agent, operating system, device fingerprint (collected via Sentry for error attribution), Cookie identifiers, Referer, error stacks and session replay (sampled by default; you may disable session replay in Cookie settings).
  • Customer support data: content of your communications with us through abuse@, support@, billing@, legal@ and privacy@ mailboxes, including screenshots and context you provide in tickets.
  • Cookies: Supabase authentication cookie (necessary), CSRF token (necessary), Sentry performance sampling (optional).

3. 数据使用目的与法律依据/ 3. Purposes and Legal Bases

  • 提供服务: 履行您与我们之间的服务合同, 包括账户注册、模型调用、计费计量、产物分发. 法律依据: PIPEDA 合理目的 / PIPL 第 13 条第 (二) 项 "为订立和履行合同所必需".
  • 计费与审计: 维持准确的财务流水、出具发票、配合税务审计 (加拿大 CRA 要求税务凭证保留 6 年). 法律依据: PIPEDA 法律义务 / PIPL 第 13 条第 (三) 项.
  • 安全与风控: 识别欺诈、阻止恶意请求、维护服务安全、防止 DDoS / 滥用. 法律依据: PIPEDA 合法权益 / PIPL 第 13 条第 (五) 项.
  • 内容审核: 我们使用 OpenAI moderation API 对 prompt 与生成内容进行合规预检, 拦截违反《可接受使用政策》的请求. 法律依据: PIPEDA 合法权益 / PIPL 第 13 条第 (五) 项 "法律法规规定的其他情形" + 加拿大 / 中国内容合规要求.
  • 服务改进: 在去标识化基础上分析请求模式, 优化路由策略、定价模型与产品功能. 我们不会将您的 prompt 或生成产物用于训练第三方模型. 法律依据: PIPEDA 合法权益, 已去标识化情形下 PIPL 不再适用.
  • 营销通知: 向您发送账户、安全、账单、产品更新邮件. 营销邮件 (newsletter、活动) 仅在您明确同意后发送, 每封邮件附取消订阅链接. 法律依据: PIPEDA 同意 / PIPL 第 13 条第 (一) 项.
  • Service provision: to perform the service contract between you and us, including registration, model invocation, billing and output delivery. Legal basis: PIPEDA reasonable-purposes / PIPL Art. 13(2) ("necessary for the conclusion or performance of a contract").
  • Billing and audit: to maintain accurate financial records, issue invoices, and comply with tax audits (the Canada Revenue Agency requires tax records to be retained for 6 years). Legal basis: PIPEDA legal obligation / PIPL Art. 13(3).
  • Security and risk control: to detect fraud, block malicious requests, secure the service and prevent DDoS / abuse. Legal basis: PIPEDA legitimate interest / PIPL Art. 13(5).
  • Content moderation: we use the OpenAI moderation API to pre-check prompts and generated outputs and intercept content that violates the Acceptable Use Policy. Legal basis: PIPEDA legitimate interest / PIPL Art. 13(5) ("other circumstances stipulated by laws") plus Canadian and PRC content compliance requirements.
  • Service improvement: to analyze request patterns on a de-identified basis and improve routing, pricing models and product features. We do not use your prompts or outputs to train third-party models. Legal basis: PIPEDA legitimate interest; PIPL ceases to apply once data is de-identified.
  • Marketing notifications: to send account, security, billing and product-update emails. Marketing communications (newsletter, events) are sent only after explicit consent and include an unsubscribe link in every message. Legal basis: PIPEDA consent / PIPL Art. 13(1).

4. 数据共享与第三方处理者/ 4. Data Sharing and Third-Party Processors

  • OpenAI (gpt-image-2 / Sora 2 / Sora 2 Pro / moderation API): 您调用上述模型时, prompt 文本、上传素材 (图像) 与必要的元数据 (call_id 等) 转发至 OpenAI, 受其《商业级数据使用条款》约束. OpenAI 数据中心位于美国. OpenAI 商业级 API 默认不使用您的数据训练模型.
  • Runway (gen4_turbo / gen4_pro 等视频生成): 您调用视频模型时, prompt、参考图像与必要元数据转发至 Runway, 受其《Dev API 商业级条款》约束. Runway 数据中心位于美国.
  • Cloudflare R2 (生成产物存储): 视频、图像等大文件产物存储于 Cloudflare R2 公网可访问 URL, 默认保留 7 天后自动清理. R2 服务商位于美国.
  • Supabase (鉴权 + Postgres 数据库): 账户、计费、调用元数据存储于 Supabase 美东区域 (East US).
  • Sentry (错误监控): 错误堆栈、性能数据、可选 session replay 发送至 Sentry (totvan 组织), Sentry 数据中心位于美国.
  • Discord webhook (运维告警): 部署通知、容量告警等运维事件通过 Discord webhook 发送, 不包含用户个人数据.
  • Stripe / NowPayments (支付处理): 信用卡与 USDT 支付分别由 Stripe (美国 / 爱尔兰) 与 NowPayments (爱沙尼亚) 处理, 受各自隐私政策约束.
  • 执法与合规: 仅在收到合法、明确的传票、法院命令或紧急安全请求时, 根据所在地法律配合提供必要信息; 除非法律禁止 (例如刑事保密令), 我们将在合理范围内提前通知用户.
  • OpenAI (gpt-image-2 / Sora 2 / Sora 2 Pro / moderation API): prompt text, uploaded image inputs and necessary metadata (call_id etc.) are forwarded to OpenAI, governed by OpenAI's Business Terms. OpenAI's data centers are in the United States. The OpenAI commercial API does not use your data to train models by default.
  • Runway (gen4_turbo / gen4_pro and other video models): prompt text, reference images and necessary metadata are forwarded to Runway under its Dev API commercial terms. Runway's data centers are in the United States.
  • Cloudflare R2 (output storage): video and image outputs are stored on publicly accessible Cloudflare R2 URLs and automatically purged after 7 days. R2 operates from the United States.
  • Supabase (authentication + Postgres database): account, billing and invocation metadata are stored on Supabase's East US region.
  • Sentry (error monitoring): error stacks, performance data and optional session replay are sent to Sentry (totvan organization). Sentry's data centers are in the United States.
  • Discord webhook (operations alerting): deployment notifications and capacity alerts flow through Discord webhooks; no user personal data is included.
  • Stripe / NowPayments (payment processing): credit-card and USDT payments are processed by Stripe (United States / Ireland) and NowPayments (Estonia) respectively, governed by their respective privacy policies.
  • Law enforcement and compliance: we will provide necessary information only upon receipt of a lawful and specific subpoena, court order or emergency safety request, in accordance with applicable law. Unless legally prohibited (e.g. criminal gag orders), we will notify the user in advance to the extent reasonable.

5. 跨境数据传输 (PIPL 关键)/ 5. Cross-Border Data Transfer (PIPL Critical)

本平台运营主体位于加拿大, 主要基础设施位于美国 (Supabase East US, Cloudflare R2, OpenAI, Runway, Sentry). 中国大陆用户的个人信息将不可避免地从中国传输至加拿大主体、美国基础设施与上游 provider 数据中心.

依据 PIPL 第 38 条, 我们采取的合法出境路径为 "取得个人单独同意". 您在注册时与首次启用相关功能时, 将以独立弹窗或勾选框方式获取您的明示同意, 同意书内容包括: 接收方名称与所在国 / 地区、处理目的与方式、个人信息类别、您撤回同意的方式、跨境传输可能存在的风险等.

对于敏感个人信息 (例如未成年人信息、身份证件信息) 的跨境传输, 我们将采取额外的同意与最小化措施. 我们承诺与所有境外接收方签署具有 GDPR / PIPEDA / PIPL 等价保护水平的数据处理协议 (DPA) 或标准合同条款 (SCC).

The Platform's operator is located in Canada and its main infrastructure is in the United States (Supabase East US, Cloudflare R2, OpenAI, Runway, Sentry). Personal information of users in mainland China will inevitably be transferred from China to the Canadian operator, U.S. infrastructure and upstream provider data centers.

Pursuant to Article 38 of PIPL, our chosen legal basis for the export is "separate consent". At registration and on first activation of relevant features, we obtain your explicit consent via a dedicated dialog or checkbox. The consent disclosure includes: name and jurisdiction of recipients, purposes and methods of processing, categories of personal information, your right to withdraw consent, and the risks that may arise from the cross-border transfer.

For cross-border transfer of sensitive personal information (such as information about minors or identity documents), we adopt additional consent and data-minimization measures. We commit to entering into data processing agreements (DPAs) or standard contractual clauses (SCCs) with all overseas recipients that provide a level of protection equivalent to GDPR / PIPEDA / PIPL.

6. 您的权利/ 6. Your Rights

  • PIPEDA 项下: 访问、更正、投诉等权利.
  • PIPL 项下 (第 44-50 条): 知情、决定、查询、复制、更正、补充、删除、转移 (数据可携) 个人信息的权利; 限制 / 拒绝处理的权利; 撤回同意的权利; 要求解释自动化决策的权利.
  • 申请路径: 发送邮件至 privacy@qihuaai.com, 附身份核验材料 (注册邮箱 + 注册时间 + 最近一次充值订单号或类似凭证). 涉及未成年人或敏感请求, 我们将进行额外身份核验.
  • 响应时限: 我们承诺在 30 个自然日内对您的合理请求作出实质性回应; 涉及复杂情形 (例如跨境复核、第三方协调) 可延长 30 天, 但将书面告知延期理由.
  • 投诉与救济: 若您认为我们违反了本政策或适用法律, 您可向: (a) 加拿大隐私专员办公室 (Office of the Privacy Commissioner of Canada, OPC, https://www.priv.gc.ca), 或 (b) 中国国家网信办 / 工信部投诉举报渠道, 或 (c) 您所在司法辖区的数据保护监管机构提起投诉.
  • Under PIPEDA: rights of access, correction and complaint.
  • Under PIPL (Articles 44-50): rights to be informed, decide, query, copy, correct, supplement, delete, and port your personal information; the right to restrict or refuse processing; the right to withdraw consent; and the right to demand explanation of automated decision-making.
  • How to exercise: send an email to privacy@qihuaai.com with identity verification materials (registered email + registration date + most recent top-up order number or equivalent). For requests involving minors or sensitive matters, we will conduct additional identity verification.
  • Response timeline: we will substantively respond to reasonable requests within 30 calendar days. Complex matters (cross-border review, third-party coordination) may be extended by an additional 30 days with written notice of the reason for the extension.
  • Complaints and remedies: if you believe we have violated this Policy or applicable law, you may file a complaint with (a) the Office of the Privacy Commissioner of Canada (OPC, https://www.priv.gc.ca), (b) the Cyberspace Administration of China or the Ministry of Industry and Information Technology, or (c) the data protection authority of your jurisdiction.

7. 数据保留/ 7. Data Retention

  • 账户数据: 账户存续期间持续保留; 您注销账户后, 我们将在 30 个自然日内彻底删除或匿名化处理.
  • 使用数据 (prompt + 生成产物): 生成产物默认在 CDN 上保留 7 天; 您可主动通过下载链接备份. 服务器端的 prompt 与产物元数据 (call_id, model_id, 时间戳) 保留 6 个月用于审计与纠纷处理.
  • 计费数据: 依据加拿大 CRA 与中国税务法规, 计费流水、发票、交易凭证保留 6 年, 但在此期间将进行个人身份脱敏处理.
  • 安全日志: 鉴权日志、错误堆栈、Sentry 事件保留 90 天; 违规违法相关日志可视情况延长至 3 年.
  • 营销数据: 您撤回同意或退订营销邮件后, 我们将在 7 天内停止发送, 并在 30 天内从营销系统中删除您的联系信息 (核心账户数据仍保留).
  • Account data: retained for the duration of the account; after deletion we erase or anonymize the data within 30 calendar days.
  • Usage data (prompts + generated outputs): outputs are retained on the CDN for 7 days by default; you may proactively download backups. Server-side prompt and output metadata (call_id, model_id, timestamps) are retained for 6 months for audit and dispute resolution.
  • Billing data: pursuant to Canada Revenue Agency and PRC tax regulations, billing ledgers, invoices and transaction receipts are retained for 6 years, with personal identifiers pseudonymized during that retention period.
  • Security logs: authentication logs, error stacks and Sentry events are retained for 90 days; logs related to violations or law-enforcement matters may be retained for up to 3 years depending on the situation.
  • Marketing data: once you withdraw consent or unsubscribe, we will stop sending within 7 days and remove your contact information from the marketing system within 30 days (core account data is retained separately).

8. Cookies 与本地存储/ 8. Cookies and Local Storage

必要 Cookies (无法关闭): Supabase 鉴权 Cookie 维持登录会话, CSRF token 防止跨站请求伪造. 关闭后您将无法正常登录或调用控制台功能.

性能 Cookies (可选): Sentry 错误监控与可选的 session replay 帮助我们定位 bug. 您可在 Cookie 设置面板关闭, 关闭后我们的错误追踪能力下降但不影响您的使用.

本地存储 (localStorage): 用于缓存您的 UI 偏好 (主题、语言) 与画布草稿. 数据保留在您本地浏览器, 不上传服务器.

我们不注入任何第三方广告 Cookie, 不进行跨站追踪.

Necessary cookies (cannot be disabled): Supabase authentication cookie maintains your login session and the CSRF token protects against cross-site request forgery. Disabling these prevents you from logging in or using the dashboard.

Performance cookies (optional): Sentry error monitoring and optional session replay help us diagnose bugs. You may disable these in the Cookie settings panel; doing so degrades our error tracking but does not affect your usage.

Local storage (localStorage): used to cache UI preferences (theme, language) and canvas drafts. Data remains in your local browser and is not uploaded to the server.

We do not inject any third-party advertising cookies or perform cross-site tracking.

9. 未成年人保护/ 9. Protection of Minors

本平台不面向 13 周岁以下的未成年人提供服务. 我们不会有意收集 13 周岁以下未成年人的任何个人信息. 如发现, 我们将立即删除并通知监护人.

13-18 周岁未成年人应在监护人同意下使用本平台; 若我们识别出疑似未成年人账户, 可能要求提供监护人同意书. 监护人可通过 privacy@qihuaai.com 申请查询、更正或删除未成年人个人信息.

对于涉及未成年人的内容 (例如生成场景包含未成年人形象), 我们执行更严格的审核标准, 详见可接受使用政策第 2 条.

The Platform is not directed to individuals under the age of 13. We do not knowingly collect personal information from anyone under 13. If we discover such collection, we will delete the information immediately and notify the guardian.

Minors aged 13-18 must use the Platform with their guardian's consent. If we identify an account suspected of being held by a minor, we may require a guardian's consent letter. Guardians may submit requests to query, correct or delete the minor's personal information via privacy@qihuaai.com.

For content involving minors (e.g. generated scenes featuring minors), we apply stricter moderation standards; see Section 2 of the Acceptable Use Policy.

10. 数据安全措施/ 10. Security Measures

  • 传输安全: 全站强制 HTTPS / TLS 1.3, 任何明文 HTTP 请求被自动重定向.
  • 存储安全: 数据库与对象存储均启用静态加密 (AES-256); 口令使用 bcrypt 哈希; API Key 仅存哈希 + 前 8 位指纹.
  • 访问控制: Supabase 启用行级安全 (RLS); 后端按最小权限原则限定数据库角色; 运维操作走 SSH + Tailscale 双因素.
  • 审计日志: 所有敏感操作 (鉴权、计费、API Key 创建 / 销毁、退款) 均产生审计日志, 90 天可追溯.
  • 事件响应: 任何疑似数据泄露事件将在确认后 72 小时内通知加拿大隐私专员办公室、相关监管机构与受影响用户.
  • 员工管理: 仅 Stellar Byte Tech Team 的授权工程师可访问生产环境, 并签署保密协议; 第三方处理者通过 DPA 约束.
  • Transport security: TLS 1.3 is enforced site-wide; any plaintext HTTP request is automatically redirected.
  • Storage security: databases and object storage are encrypted at rest with AES-256; passwords are hashed with bcrypt; API keys are stored only as a hash plus an 8-character fingerprint.
  • Access control: Supabase row-level security (RLS) is enabled; the backend follows least-privilege database roles; operational access uses SSH + Tailscale with two-factor authentication.
  • Audit logging: all sensitive actions (authentication, billing, API key creation/destruction, refunds) generate audit logs traceable for 90 days.
  • Incident response: any suspected data-breach event will be reported to the Office of the Privacy Commissioner of Canada, the relevant regulators and affected users within 72 hours of confirmation.
  • Personnel: only authorized engineers of Stellar Byte Tech Team may access the production environment under NDA; third-party processors are bound by DPAs.

11. 政策修改/ 11. Policy Modifications

我们可能不时修改本政策. 涉及重大变更 (例如数据类别新增、跨境路径变化、保留期延长) 的修订, 我们将通过站内通知与邮件方式提前 30 天告知, 并在下次登录时再次提示同意.

涉及一般性调整、错别字修正、法律法规更新的修订, 我们将在发布即日生效, 并在政策页顶部显示更新日期.

We may modify this Policy from time to time. Material changes (e.g. new data categories, changes to cross-border routing, extended retention periods) will be notified at least 30 days in advance via in-app notification and email, with re-consent requested upon your next login.

Non-material changes (typo corrections, regulatory alignment) will take effect on publication, with the updated date shown at the top of the page.

12. 联系方式/ 12. Contact

数据控制者: Stellar Byte Tech Team (StellarByte), Vancouver, British Columbia, Canada.

隐私事务与数据主体权利申请: privacy@qihuaai.com

我们目前未指定独立的数据保护官 (DPO); 隐私邮箱由 Harrison Ming 直接负责处理.

首次响应时限: 收到您的请求后 7 个工作日内首次回复, 30 天内实质回应.

Data Controller: Stellar Byte Tech Team (StellarByte), Vancouver, British Columbia, Canada.

Privacy enquiries and data subject rights requests: privacy@qihuaai.com

We have not appointed a separate Data Protection Officer (DPO); the privacy mailbox is handled directly by Harrison Ming.

First-response SLA: an initial response within 7 business days of receipt, with substantive resolution within 30 days.