Plain-English summary: We are a privacy-first studio. Most of our products are local-only — meaning your data lives on your device, encrypted, and never crosses the network. Where our apps include advertising (clearly disclosed per-app), we use a vetted set of third-party ad networks that comply with all applicable regulations including GDPR, CCPA, COPPA, and App Store Guidelines. We never sell your data, and we never fingerprint your device.
01 · Introduction & Scope
This Privacy Policy ("Policy") describes how wangchenggroup.com ("we," "us," or "our"), a research and development studio headquartered at the Rochester Innovation Center, New York, USA, collects, uses, discloses, and protects information in connection with:
- This website (wangchenggroup.com and all subdomains);
- Our published applications on the Apple App Store, Google Play Store, and any other distribution platform, including but not limited to: ContractCheck, FilmGrade Local, PracticeMeter, SideHustle Ledger, RestRhythm, StudioStock, and any future products we release;
- Our developer services including consultation, design, engineering, and product management services for clients;
- All related communications including email, support tickets, and other interactions with us.
This Policy applies to all users worldwide, with specific regional addenda for users in the European Economic Area (EEA), United Kingdom (UK), Switzerland, United States (with state-specific protections), Canada, Australia, Brazil, China, Japan, South Korea, Singapore, India, and any other jurisdiction where we operate.
By accessing our website, downloading our applications, or engaging our services, you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use immediately.
02 · Definitions
For the purposes of this Policy:
- "Personal Information" or "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or erasure.
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. For this website and our apps, wangchenggroup.com is the Controller.
- "Processor" means an entity that processes Personal Data on behalf of the Controller.
- "User," "you," "your" refers to any individual who accesses our website or uses our applications.
- "Service" or "Services" refers to our website, applications, and related offerings collectively.
- "Device" means any electronic equipment used to access our Services, including smartphones, tablets, computers, and smart devices.
- "Local-First" refers to our design philosophy where data is stored and processed on the user's device by default, with cloud features being optional.
03 · Information We Collect
We are committed to data minimization. The categories of information we may collect are:
3.1 Information You Provide Directly
- Account Information: When you create an account (where applicable), we collect your email address, display name, and a hashed password.
- Profile Information: Optional information such as your name, profile photo, bio, or preferences.
- Communications: When you contact us via email, support forms, or feedback mechanisms, we collect the content of those communications and any metadata.
- User Content: Content you create within our applications (contracts, photos, audio recordings, financial records, inventory items, health data) — this is, by default, stored locally on your device and not transmitted to our servers.
- Payment Information: For in-app purchases or subscriptions, payment processing is handled by Apple App Store, Google Play Store, or other platform providers. We do not directly collect credit card numbers or bank account details.
3.2 Information Collected Automatically
- Device Information: Device model, operating system version, language settings, time zone. We do not collect unique device identifiers for tracking purposes.
- Usage Information: Aggregated, anonymized statistics about how users interact with our applications (e.g., which features are most used). When collected, this is done with explicit opt-in consent and never tied to individual identities.
- Crash Reports: When an app crashes, an anonymized crash report may be generated locally. You can choose whether to share these reports with us; we never share them with third parties.
- Log Information: Server logs (IP address, browser type, referring page, time of request) are retained for a maximum of 90 days for security purposes only.
- Cookies and Similar Technologies: See Section 12 for our complete cookies policy.
3.3 Information from Third Parties
- App Store Platforms: When you download our apps, Apple or Google may share aggregate download statistics with us. We do not receive personally identifiable information from these platforms.
- Advertising Partners: When our apps display advertisements, our advertising partners may collect information as described in Section 9 (Advertising Platforms Disclosure). This collection is governed by those partners' privacy policies in addition to this Policy.
- Analytics Providers: Where used, privacy-respecting analytics providers may collect aggregated, anonymized usage statistics with your explicit consent.
3.4 Information We Do NOT Collect
To be completely transparent, we want to explicitly state that we do not collect:
- Precise geolocation data (we may collect country-level location inferred from IP for security purposes);
- Biometric data (unless explicitly provided by you within a specific app feature, in which case it remains on-device);
- Health data (except what you explicitly choose to track within specific apps, which remains local);
- Financial account information (payment is handled by App Store providers);
- Contact lists, photo libraries, or microphone recordings — unless you explicitly grant in-app permission for a specific feature;
- Cross-app tracking data;
- Device fingerprinting data;
- Data broker profiles.
04 · How We Use Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve our applications and website.
- Personalization: To remember your preferences and settings within our applications.
- Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
- Communications: To send you important notices about service changes, security updates, and policy updates. Marketing communications are sent only with explicit opt-in consent.
- Analytics & Improvement: To understand how our Services are used and to identify opportunities for improvement. Analytics are always aggregated and anonymized.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
- Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
- Advertising: Where applicable, to display advertisements within our free applications. See Section 9 for detailed information.
- Research & Development: To conduct research and develop new products and features. Research data is always aggregated and anonymized.
We do not use your information for:
- Sale to third parties (we never sell Personal Information);
- Behavioral advertising across other apps or websites (unless explicitly enabled);
- Creditworthiness assessment or similar profiling;
- Solicitation of products from third parties.
05 · Legal Basis for Processing (GDPR & UK GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process Personal Data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Consent (Art. 6(1)(a) GDPR): For optional features such as analytics, marketing communications, and personalized advertising. You may withdraw consent at any time.
- Contract Performance (Art. 6(1)(b) GDPR): To provide Services you have requested and fulfill our contractual obligations.
- Legal Obligation (Art. 6(1)(c) GDPR): To comply with applicable laws, court orders, and regulatory requirements.
- Legitimate Interests (Art. 6(1)(f) GDPR): For security, fraud prevention, product improvement, and basic service operations, where our interests are not overridden by your fundamental rights.
- Vital Interests (Art. 6(1)(d) GDPR): To protect your life or safety in emergency situations.
06 · App Store Specific Information
6.1 Apple App Store
Our applications are distributed through the Apple App Store. When you download our apps, the following applies:
- App Store Connect: Apple may share aggregated, non-personally identifiable download and usage statistics with us through App Store Connect.
- Receipts & In-App Purchases: Apple processes all payment transactions. We receive only anonymized transaction identifiers and subscription status; we never have access to your credit card or payment method details.
- Privacy Nutrition Labels: All our apps include accurate Apple Privacy nutrition labels, reviewed and updated before each submission. Labels are available on each app's App Store listing.
- App Tracking Transparency (ATT): For iOS 14.5 and later, our apps that include advertising request permission via the ATT framework before any tracking occurs. We never track users who decline ATT permission.
- Sign in with Apple: Where supported, we offer Sign in with Apple as a privacy-respecting authentication option.
- App Store Review Guidelines: All our apps comply with Apple's App Store Review Guidelines, including Guidelines 5.1.1 (Privacy) and related sub-sections.
6.2 Google Play Store
Where our apps are distributed via Google Play:
- Play Console: Google may share aggregated install and crash statistics.
- Google Play Billing: Payment processing for in-app purchases is handled by Google. We receive transaction confirmations but not your payment details.
- Data Safety Section: All our apps provide accurate Data Safety disclosures on their Play Store listing.
- Google Play Families Policy: Apps designated as family-friendly comply with the Google Play Families Policy.
- Data Deletion: Users can request account and data deletion directly from within applicable apps or via our privacy contact.
6.3 Alternative App Marketplaces
Where we distribute via alternative marketplaces (e.g., Samsung Galaxy Store, Amazon Appstore, regional stores), the same privacy principles apply, supplemented by the marketplace operator's policies.
07 · Country & Regional Policies
7.1 European Economic Area (EEA), United Kingdom, Switzerland — GDPR & UK GDPR
For users in these regions, you have the following rights under the GDPR:
- Right to access your Personal Data;
- Right to rectification of inaccurate Personal Data;
- Right to erasure ("right to be forgotten");
- Right to restrict processing;
- Right to data portability;
- Right to object to processing;
- Right not to be subject to automated decision-making, including profiling;
- Right to lodge a complaint with a supervisory authority.
We comply with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework where applicable. Our lead supervisory authority is the relevant data protection authority in the user's jurisdiction; for cross-border matters, the Irish Data Protection Commission (DPC) acts as our lead authority for EEA users.
7.2 United States — CCPA, CPRA, and State Privacy Laws
For California residents, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide the following rights:
- Right to know what Personal Information is collected, used, shared, or sold;
- Right to delete Personal Information collected;
- Right to correct inaccurate Personal Information;
- Right to opt-out of the sale or sharing of Personal Information (we do not sell Personal Information);
- Right to limit the use and disclosure of sensitive Personal Information;
- Right to non-discrimination for exercising CCPA rights.
Other US state privacy laws with similar provisions apply where residents are located: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Tennessee (TIPA), Iowa (ICDPA), Indiana (INCDPA), New Hampshire (NHPA), New Jersey (NJPA), Kentucky (KRS), Maryland (MODPA), Minnesota (MCDPA), Rhode Island (RIDPA), and others as they take effect.
7.3 Canada — PIPEDA & Quebec Law 25
For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Law 25. You have the right to access, correct, and request deletion of your Personal Information, and to withdraw consent.
7.4 Australia — Privacy Act 1988
For Australian users, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your Personal Information, and to make complaints to the Office of the Australian Information Commissioner (OAIC).
7.5 Brazil — LGPD
For Brazilian users, we comply with the Lei Geral de Proteção de Dados (LGPD). You have rights including confirmation of existence, access, correction, anonymization, portability, deletion, and information about sharing.
7.6 China — PIPL
For users in the People's Republic of China, we comply with the Personal Information Protection Law (PIPL). Cross-border transfers are subject to security assessments, standard contracts, or certification as required.
7.7 Japan — APPI
For Japanese users, we comply with the Act on the Protection of Personal Information (APPI). Users have rights of access, correction, and cessation of use.
7.8 South Korea — PIPA
For South Korean users, we comply with the Personal Information Protection Act (PIPA). Cross-border transfers require consent or are conducted under specific exemptions.
7.9 Singapore — PDPA
For Singaporean users, we comply with the Personal Data Protection Act (PDPA), including the Do Not Call (DNC) Registry provisions.
7.10 India — DPDP Act
For Indian users, we comply with the Digital Personal Data Protection Act, 2023 (DPDP Act). You have rights including access, correction, erasure, and grievance redressal.
08 · Children's Privacy & Age Policies
8.1 General Age Policy
Our Services are not directed at children under the age of 13 (or under 16 in the EEA/UK, where GDPR applies). We do not knowingly collect Personal Information from children below these ages without verifiable parental consent.
8.2 COPPA Compliance (United States)
For users under 13 in the United States, we comply with the Children's Online Privacy Protection Act (COPPA):
- We do not knowingly collect Personal Information from children under 13;
- Where limited collection is necessary (e.g., for an educational app), we obtain verifiable parental consent before collection;
- Parents can review, request deletion of, or refuse further collection of their child's information;
- We do not condition participation in activities on disclosing more information than is reasonably necessary;
- We retain Personal Information collected from children only as long as reasonably necessary to fulfill the purpose for which it was collected, and securely delete it thereafter.
8.3 GDPR-K (EEA/UK)
For users under 16 in the EEA and UK (or under 13 in some member states), we process Personal Data only with verifiable parental consent, in accordance with GDPR Article 8.
8.4 Age Ratings & App Store Compliance
Our applications are assigned age ratings according to:
- Apple App Store: Age rating set per app, ranging from 4+ to 17+ depending on content (advertising, user-generated content, simulated gambling, etc.). The current rating is shown on each app's App Store listing.
- Google Play: IARC age rating, ESRB, PEGI, USK, GRAC, and ClassInd classifications applied as appropriate.
- Other marketplaces: Region-appropriate ratings are applied.
8.5 Apps Designed for Children
Where we publish apps in the "Kids" or "Designed for Families" category on Google Play, or as "Children's" on the App Store, we implement additional safeguards:
- No behavioral advertising;
- No third-party analytics that collect Personal Information;
- No in-app purchases without parental gates;
- Content appropriate for the stated age range;
- Compliance with the Google Play Families Policy and Apple App Review Guidelines for children's apps.
8.6 Parental Controls & Verification
For any feature requiring age verification, we use reasonable methods appropriate to the risk level:
- Self-declaration for low-risk features (with parental confirmation if applicable);
- Knowledge-based authentication;
- Payment card verification (where applicable);
- Government ID verification for high-risk features.
8.7 Parental Rights
Parents or legal guardians may at any time:
- Review the Personal Information collected from their child;
- Request that we delete their child's Personal Information;
- Refuse to permit further collection of their child's information.
To exercise these rights, contact us at the address in Section 21.
09 · Advertising Platforms Disclosure (AdMob & Ad Networks)
This section applies to any of our applications that display third-party advertising. Free applications may display advertisements to support development. We are committed to responsible advertising practices and comply with all applicable advertising regulations, including those from the Interactive Advertising Bureau (IAB), Google, Apple, and regional authorities.
Each application that includes advertising has its ad-supported nature clearly disclosed in:
- The application's App Store or Play Store listing;
- The application's settings or onboarding flow;
- The Apple Privacy Nutrition Label / Google Data Safety section;
- The application description and any in-app disclosures.
9.1 Primary Ad Platform: Google AdMob
Many of our applications use Google AdMob (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as their primary advertising platform. AdMob allows us to display ads from Google and from third-party ad networks integrated with AdMob's mediation layer.
Information collected by Google AdMob includes:
- Device-level information: device type, operating system version, language, screen size;
- App-level information: app version, SDK version, ad request timestamp;
- Ad interaction information: ad impressions, clicks, conversions;
- IP address (used for approximate geographic location and fraud prevention);
- Advertising ID (IDFA on iOS, GAID on Android) — only with explicit user consent via App Tracking Transparency (iOS) or opt-in (Android);
- Cookie or device-based identifiers used for ad personalization;
- Frequency capping data (to limit how often a user sees a specific ad).
How AdMob uses this information:
- To serve relevant advertisements to the user;
- To prevent fraud and invalid traffic;
- To measure ad performance;
- To improve Google's advertising services across its network.
For more information about how Google handles ad data, please review:
9.2 Comprehensive List of Ad Networks & Partners
In addition to AdMob, our applications may integrate with the following advertising platforms through AdMob's mediation, direct SDK integration, or other arrangements. Each platform has its own privacy practices, which are linked below.
Major Mobile Ad Networks
Programmatic & Header Bidding Platforms
Privacy & Consent Management Platforms
Analytics & Attribution Partners
9.3 AdMob SDK Initialization & Personalization
When you launch an app containing AdMob, the AdMob SDK initializes and may:
- Request the user's advertising identifier (IDFA on iOS, GAID on Android) — only after explicit consent;
- Load ad creatives from Google and configured mediation partners;
- Cache ad content for performance optimization;
- Transmit device information necessary for ad serving.
Personalized advertising (where enabled) uses the advertising identifier and on-device signals to serve relevant ads. Non-personalized ads are served based on coarse geographic location (country/state) and contextual information about the app.
9.4 Children's Apps and AdMob
For applications designed for or appealing to children, we configure AdMob using the "Tag For Child-Directed Treatment" (TFCDT) or "Tag For Users Under the Age of Consent in Europe" (TFUE) flags as appropriate. This restricts:
- Interest-based advertising (disabled);
- Remarketing (disabled);
- Behaviorally-targeted ad networks (excluded from mediation).
10 · Types of Ads We Display
Our applications may display the following categories of advertisements, each designed to balance monetization with user experience:
10.1 Banner Ads
Format: Small rectangular ads that appear at the top or bottom of the screen.
Typical location: Top or bottom of main app screens.
Frequency: Persistent during app usage.
User interaction: Optional; user may tap to open the advertised content in an external browser or in-app browser.
Dismissible: Some banners include a close button; others remain until the user navigates away.
10.2 Interstitial Ads
Format: Full-screen ads that appear at natural transition points (e.g., between levels, after completing a task, before opening a new screen).
Typical location: Natural transition points in app navigation.
Frequency: Capped (typically not shown more than once every 2-3 minutes, in compliance with industry best practices and platform policies).
User interaction: Either tap to open advertised content, or close button (with countdown timer where required by platform guidelines).
Dismissible: Yes, after 5 seconds on iOS (Apple requirement), immediately on Android in most cases.
10.3 Rewarded Video Ads
Format: Full-screen video ads that users voluntarily watch in exchange for in-app rewards (e.g., extra lives, premium features, virtual currency, ad-free time).
Typical location: Opt-in reward screens, daily bonus claims, hint unlocks.
Frequency: User-initiated; only shown when the user explicitly opts in.
User interaction: Must watch full video (typically 15-30 seconds) to receive the reward. Skipping early forfeits the reward.
Dismissible: Cannot be skipped; clear disclosure of reward before watching.
Compliance: Always opt-in; reward always granted upon completion; never auto-played.
10.4 Open Screen / App Open Ads
Format: Full-screen ads shown when the user opens or returns to the app.
Typical location: App launch and resume-from-background moments.
Frequency: Capped (typically not shown if the user has recently seen one, to avoid excessive disruption).
User interaction: Close button (with countdown where required).
Dismissible: Yes, after a brief countdown (typically 5 seconds on iOS, immediately on Android).
10.5 Native Ads
Format: Ads designed to match the visual design of the app, integrated into content feeds or content streams.
Typical location: Content lists, recommendation feeds, between content items.
Frequency: Configured per app; clearly labeled as "Sponsored" or "Ad."
User interaction: Tap to engage; visually distinct from organic content via "Ad" disclosure.
Dismissible: User can scroll past; opt-out from personalized native ads available.
10.6 Adherence to Industry Standards
All ad formats we display comply with:
- Apple Human Interface Guidelines for advertising (where applicable);
- Google Play Ad Policy;
- IAB Quality Assurance Guidelines (LEAN);
- IAB Tech Lab Open Measurement Standards;
- Better Ads Standards from the Coalition for Better Ads.
10.7 Frequency Capping & User Experience
To protect user experience, we apply frequency caps:
- Interstitial ads: not more than once per 2-3 minutes;
- Rewarded ads: user-initiated only (no automatic triggering);
- App open ads: not shown if the user closed the app within the last few minutes;
- Banner ads: persistent but unobtrusive.
11 · Third-Party Ad Networks Detailed Disclosure
11.1 How We Choose Ad Partners
We select ad partners based on strict criteria:
- GDPR, CCPA, COPPA, and regional privacy law compliance;
- Support for App Tracking Transparency on iOS;
- Support for Google Play Families Policy;
- Industry certifications (IAB TCF, IAB CCPA Framework);
- Brand safety and ad quality controls;
- Transparent privacy policies and data handling practices;
- Track record of compliance with regulatory enforcement.
11.2 Data Shared with Ad Partners
When you view or interact with an advertisement, the following information may be shared with the ad network providing the ad:
- Advertising identifier (IDFA / GAID) — only with consent;
- IP address (for approximate geographic location and fraud prevention);
- Device type, operating system version, language;
- App identifier and version;
- Ad event data (request, impression, click, completion);
- Frequency capping and session identifiers;
- Information about the context in which the ad is shown (e.g., screen name);
- For rewarded ads: confirmation of completion to grant the reward.
11.3 Opting Out of Personalized Ads
You can opt out of personalized advertising at any time:
11.4 Children's Apps & COPPA Compliance
For applications designed for or known to be used by children under 13:
- We configure AdMob with "Tag For Child-Directed Treatment" (TFCDT) where required;
- We exclude all mediation partners that do not sign the Google Play Families Ads Program agreement;
- We disable interest-based advertising, remarketing, and behavioral targeting;
- We do not transmit persistent identifiers that can be used to track users across apps;
- We comply with all COPPA Safe Harbor Program requirements.
12 · Cookies & Tracking Technologies
12.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. Similar technologies include web storage, pixels, tags, and SDKs.
12.2 Cookies We Use on This Website
wangchenggroup.com uses a minimal cookie set:
Strictly Necessary Cookies
These cookies are essential for the website to function. They cannot be disabled.
- Session cookie: Maintains your session state.
- Security cookie: CSRF protection and authentication.
- Cookie consent cookie: Records your cookie preferences.
Analytics Cookies
These cookies help us understand how visitors use our website. Used only with your consent.
- Privacy-respecting analytics: We may use privacy-respecting analytics (such as Plausible, Fathom, or self-hosted Matomo with IP anonymization) which do not require cookies and do not track individuals.
Functional Cookies
These enable enhanced functionality and personalization.
- Preference cookies: Remember your settings (e.g., theme, language).
Marketing & Advertising Cookies
We do not use marketing or advertising cookies on this website. The marketing efforts for our applications are conducted through the App Store and Google Play storefronts, both governed by their respective privacy policies.
12.3 Your Cookie Choices
You can control cookies through:
- Our cookie consent banner (where applicable);
- Your browser settings (blocking, deleting, or warning about cookies);
- Privacy-focused browser extensions;
- Operating system-level privacy controls.
12.4 Do Not Track (DNT) & Global Privacy Control (GPC)
Our website honors the Global Privacy Control (GPC) signal. Where detected, we treat it as a valid opt-out of sale/sharing for the applicable browser session.
13 · Data Sharing & Disclosure
We do not sell Personal Information. Period. We share information only in the following limited circumstances:
13.1 Service Providers
We share information with vetted service providers who assist us in operating our Services, including:
- Cloud hosting providers (where used);
- Analytics providers (with consent);
- Customer support tools;
- Email delivery services;
- Payment processors (via App Store / Play Store).
Each service provider is bound by confidentiality and data protection obligations.
13.2 Advertising Partners
As detailed in Section 9, advertising partners receive information needed to serve and measure ads, governed by their privacy policies and applicable law.
13.3 Legal Requirements
We may disclose information when we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, court order, or valid legal process;
- Enforce our Terms of Service;
- Protect the rights, property, or safety of wangchenggroup, our users, or others;
- Detect, prevent, or address fraud, security, or technical issues;
- Cooperate with law enforcement investigations of suspected illegal activity.
13.4 Business Transfers
In the event of a merger, acquisition, financing, or sale of assets, Personal Information may be transferred to the acquiring entity. Affected users will be notified in advance where legally required.
13.5 With Your Consent
We may share information for other purposes with your explicit consent.
14 · International Data Transfers
wangchenggroup.com is headquartered in the United States. Personal Information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate.
14.1 Transfer Mechanisms
For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:
- EU-U.S. Data Privacy Framework (DPF) and the UK Extension / Swiss-U.S. DPF, where applicable;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreement (IDTA);
- Swiss Standard Contractual Clauses;
- Your explicit consent, where appropriate.
14.2 Safeguards
For all international transfers, we implement appropriate safeguards including encryption in transit and at rest, access controls, and contractual obligations on recipients.
15 · Data Retention
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
15.1 Retention Periods
- Account data: For the duration of the account plus 30 days after deletion request.
- User content (within apps): Until you delete it, or until account deletion (90-day grace period).
- Support communications: 2 years from last interaction.
- Server logs: 90 days maximum.
- Anonymized analytics: Indefinitely (no longer Personal Information).
- Legal/compliance records: As required by applicable law (typically 7 years).
- Financial transaction records: 7 years for tax and accounting compliance.
15.2 Deletion
After the applicable retention period, we securely delete or anonymize the information so that it can no longer be associated with you.
16 · Security Measures
We implement robust technical and organizational measures to protect Personal Information, including:
- Encryption in Transit: TLS 1.3+ for all network communications.
- Encryption at Rest: AES-256 for stored data; Secure Enclave for cryptographic keys on Apple platforms.
- Local-First Architecture: Most user data never leaves the device.
- Access Controls: Role-based access, multi-factor authentication, principle of least privilege.
- Audit Logging: Security-relevant actions are logged.
- Vulnerability Management: Regular security scans, dependency updates, penetration testing.
- Employee Training: Privacy and security training for all team members.
- Incident Response: Documented incident response procedures, breach notification within 72 hours where required.
- Vendor Management: Security and privacy due diligence on all service providers.
While no system is perfectly secure, we continuously work to maintain and improve our security posture.
17 · Your Privacy Rights
Depending on your jurisdiction, you have various rights regarding your Personal Information:
17.1 Universal Rights
- Right to Access: Request a copy of the Personal Information we hold about you.
- Right to Rectification: Correct inaccurate or incomplete Personal Information.
- Right to Erasure / Deletion: Request deletion of your Personal Information.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
17.2 Additional GDPR Rights (EEA/UK/Switzerland)
- Right to Restriction of Processing: Request that we limit how we process your data.
- Right to Object to Processing: Object to processing based on legitimate interests or for direct marketing.
- Right to Lodge a Complaint: File a complaint with a supervisory authority in your jurisdiction.
- Right Not to Be Subject to Automated Decision-Making: Including profiling.
17.3 Additional US State Rights (CCPA/CPRA and similar)
- Right to Know: What Personal Information is collected, used, shared, or sold.
- Right to Delete: Personal Information collected from you.
- Right to Correct: Inaccurate Personal Information.
- Right to Opt-Out of Sale or Sharing: (We do not sell Personal Information.)
- Right to Limit Use of Sensitive Personal Information: To that which is necessary to provide the Services.
- Right to Non-Discrimination: For exercising your privacy rights.
17.4 Exercising Your Rights
To exercise any of these rights, contact us at the address in Section 21. We will respond within:
- 30 days for GDPR / UK GDPR requests (extendable to 90 days for complex requests, with notice);
- 45 days for CCPA / CPRA requests (extendable to 90 days with notice);
- 30 days for PIPEDA requests;
- A reasonable time for other jurisdictions.
We may need to verify your identity before responding. We will not charge you for responding to legitimate requests, unless they are manifestly unfounded or excessive.
18 · Choice & Control Mechanisms
18.1 In-App Controls
Within our applications, you can typically:
- Manage advertising preferences (personalized vs. non-personalized);
- Opt out of analytics;
- Export your data;
- Delete your data and/or account;
- Manage in-app notifications;
- Configure privacy and security settings.
18.2 Device-Level Controls
- iOS: Settings → Privacy & Security, Settings → Tracking, Settings → Notifications.
- Android: Settings → Privacy, Settings → Apps → Permissions, Settings → Notifications.
- macOS: System Preferences → Security & Privacy.
- Windows: Settings → Privacy.
18.3 Account Deletion
You can request account deletion at any time through:
- In-app account settings;
- The App Store / Play Store (where applicable);
- Email request to our privacy contact (see Section 21).
19 · Do Not Track Signals
We honor the following tracking opt-out signals:
- Global Privacy Control (GPC): Honored on our website.
- Apple App Tracking Transparency (ATT): Honored in our apps.
- Google Play's "Opt out of Ads Personalization": Honored in our apps.
- DNT (legacy): Honored where still transmitted by browsers.
20 · Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements, or for other operational reasons.
When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy;
- For significant changes, notify users via in-app notification or email (where we have your contact information);
- Where required by law, obtain your renewed consent before applying material changes.
We encourage you to review this Policy periodically to stay informed about how we protect your privacy.
For any privacy-related inquiries, requests, or complaints, please reach out to us at:
Privacy Contact: wangchenggroup.com
Address: Rochester Innovation Center, New York, USA
Website: wangchenggroup.com
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- EEA: Your national Data Protection Authority (DPA). A list is available at edpb.europa.eu.
- UK: Information Commissioner's Office (ICO) at ico.org.uk.
- California: California Attorney General at oag.ca.gov/privacy.
- Canada: Office of the Privacy Commissioner of Canada at priv.gc.ca.
- Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
22 · App-Specific Disclosures
The following summarizes app-specific data practices. Each app's full Data Safety section / Privacy Nutrition Label on the App Store provides the most current information.
ContractCheck
Local-only contract verification utility. All processing on-device. No account required. No advertising. No data leaves the device. Free version may be ad-supported in future releases; if so, Section 9 of this Policy applies in full.
FilmGrade Local
Local color grading engine. All photo and video processing on-device. No account required. No advertising. Photo access permission requested only when you choose to import.
PracticeMeter
Practice tracking for musicians. All session data local. Optional iCloud sync (end-to-end encrypted). No advertising in free tier; subscriptions available.
SideHustle Ledger
Financial tracking for side income. All financial data local. Optional encrypted export/import. No advertising.
RestRhythm
Health and rest tracking. All data local. HealthKit integration (where applicable, on-device). No advertising.
StudioStock
Inventory management. All data local. Optional CSV export. No advertising.
For future applications, the same principles apply unless explicitly stated otherwise. Each app's listing provides the specific disclosures for that app.
23 · Jurisdictional Annex
23.1 European Economic Area & United Kingdom
For users in the EEA and UK, our Data Protection Officer can be reached at the contact above. The lawful basis for processing depends on the specific activity and is documented in Section 5. Data Protection Impact Assessments (DPIAs) have been conducted for high-risk processing activities.
23.2 California (United States)
California residents may exercise CCPA/CPRA rights by contacting us at the address above. We do not sell or share Personal Information for cross-context behavioral advertising as defined under California law. We do not use sensitive Personal Information for purposes requiring a "right to limit" beyond what is necessary to provide the Services.
23.3 Virginia, Colorado, Connecticut, Utah, Texas, and Other US States
Residents of US states with comprehensive privacy laws may exercise rights including access, deletion, correction, portability, and opt-out of targeted advertising and profiling. To exercise these rights, contact us.
23.4 Canada
For Canadian users, complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
23.5 United Kingdom
For UK users, complaints may be directed to the Information Commissioner's Office (ICO) at ico.org.uk. Our UK GDPR lead supervisory authority is the ICO.
23.6 Brazil
Brazilian users may exercise LGPD rights by contacting us. The Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority.
23.7 Other Jurisdictions
For jurisdictions not specifically listed, we apply the highest applicable standard of protection.
Final note: This Privacy Policy is written in plain English to be readable by humans. If any provision is unclear or you have questions, please contact us — we'd rather explain than hide behind jargon. Your trust is the foundation of our business.