Privacy Policy
Effective: May 29, 2026 · Last updated: May 29, 2026
Yi (问易) is a local-first I Ching app. AI interpretation runs entirely on your device; your castings, notes and reflections stay on your phone by default; and optional cross-device sync is end-to-end encrypted, so our servers only ever see ciphertext they cannot read. In short: we cannot read any of your records.
1. How we handle your data
Data that stays on your device (we never receive it)
Your castings and hexagrams, personal notes, reviews and reflections, and the AI interpretations generated on-device are all stored locally on your device (SwiftData) by default. Until you turn on sync, none of this leaves your device or reaches us or any third party.
Account data (only if you use Sign in with Apple)
When you enable cloud sync, we authenticate you via Sign in with Apple and store only:
- the stable user identifier (sub) Apple provides, to identify your account;
- an optional relay email address, kept only if Apple shares one with us, for essential account notices;
- basic timestamps such as account creation and last-active time.
We do not receive your real name, Apple password, contacts, or precise location.
End-to-end encrypted sync data
With sync on, your records are encrypted with AES-256-GCM before they leave your device. Our server stores only: the ciphertext, the encryption nonce, and minimal sync metadata (record type, client timestamps, a monotonic sync cursor, and a deletion flag). The decryption key is never uploaded — it lives only in your iCloud Keychain and syncs between your own devices via Apple's end-to-end encryption. We are therefore technically unable to read synced content.
Technical logs
To keep the service secure and reliable, the server temporarily logs ordinary request information (such as IP address, time, and endpoint). These logs are not used for profiling or advertising and are purged routinely.
2. On-device AI & optional cloud interpretation
By default, interpretations are produced by a model running on your device. Your question text and hexagrams are not sent to our servers or to any cloud LLM in order to generate a reading.
Some devices do not support on-device AI. On those devices, paid members may explicitly opt in to cloud interpretation (under Profile · Cloud AI) for deeper / bilingual readings. Only when you have consented and used that feature does Yi send the minimum information needed to generate the reading: the hexagram number, the changing-line positions, the resulting hexagram's name, and the question text you typed. We do not send your reflections, history, account email, or any encryption key. Cloud interpretation is relayed through our server to a third-party AI model provider; this transfer uses HTTPS but, unlike end-to-end-encrypted sync, is not end-to-end encrypted to the model. We do not retain the prompt or the generated text. You can turn this off at any time.
3. What we do not do
- No advertising, no profiling, no cross-app tracking (we do not use the IDFA);
- No third-party analytics or ad SDKs;
- We do not sell or rent your data, nor share your records with third parties;
- We do not read or analyze the content of your castings, notes, or interpretations.
4. Where data is stored
Account and encrypted sync data are stored on servers located in Japan (Tokyo). Wherever data is stored, synced content always remains end-to-end encrypted ciphertext.
5. Retention, export and deletion
- Export anytime: you can export all your data as plain-text files from within the app, even while signed out or offline.
- Sign out: clears only this device's session credentials, keeping your local data and key.
- Delete everything: "Delete all data" in Settings removes every record on the device, deletes all ciphertext and account information associated with your account on the server, and deletes the on-device end-to-end encryption key. This action is irreversible.
6. Sign in with Apple
We use Apple's Sign in with Apple. You may hide your email and use Apple's private relay address. You can revoke Yi's access anytime via iOS Settings → your Apple Account → Sign in with Apple; after revoking, please also delete your account in the app to purge server-side data.
7. Children
Yi is not directed to children under 13, and we do not knowingly collect personal information from children.
8. Changes to this policy
If we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you in the app.
9. Contact us
For any questions about this policy or your data, contact support@oneyi.net.