Cookie & Similar Technologies Policy
This policy explains how the Xiezhua group uses cookies, local storage and similar technologies across Acosmi products, and the rights you have to manage or withdraw consent.
Applicable region: International (users outside mainland China). Users in mainland China please switch to the Simplified Chinese (China region) version.
Effective: June 3, 2026 | Last updated: June 3, 2026
1. Data Controllers
The Acosmi services you use are provided jointly under the "Acosmi" brand by two affiliated companies within the Xiezhua group, acting as joint data controllers:
| Entity | Role |
|---|---|
| Xiezhua (Beijing) Intelligent Technology Co., Ltd. | Platform operator: Acosmi, Crab Code, open API platform, payments and subscriptions |
| Hongshen (Beijing) Legal Consulting Co., Ltd. | Legal services entity: 众律宝 (Bench), 可信时间章 (Trusted Timestamp) |
In this policy, "we," "us," and "our" refer to the above entities (individually or jointly, depending on the service involved).
This policy supplements the Privacy Policy and focuses specifically on our use of cookies and similar technologies on our websites, web applications, mobile apps and desktop clients. For the full picture of how we handle your personal data, please read the Privacy Policy alongside this document.
This policy is adopted in compliance with the EU ePrivacy Directive (2002/58/EC as amended), the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data-protection laws. To the extent GDPR applies, the lawful bases for processing through cookies are consent (for non-essential cookies, Article 6(1)(a)) and legitimate interests / contract performance (for strictly necessary cookies, Article 6(1)(b)/(f)).
2. What Are Cookies and Similar Technologies
2.1 Cookies
A cookie is a small text file placed on your device by a web server via the HTTP Set-Cookie response header. When you return to the same domain your browser automatically re-sends that file in the request, allowing the server to recognise your session, authentication state or preferences.
Cookies may be:
- Session cookies — deleted automatically when you close the browser tab or window.
- Persistent cookies — retained on your device until their expiry date or until you delete them.
They may also be:
- First-party cookies — set by the domain you are visiting (e.g., acosmi.com).
- Third-party cookies — set by a domain other than the one you are visiting, typically by an embedded third-party service.
2.2 Local Storage (localStorage / sessionStorage)
localStorage is a key-value storage mechanism provided by the browser. Data persists on your device with no built-in expiry until explicitly cleared by JavaScript code or the user. We use localStorage for interface preferences (language, theme) and authentication-state flags.
sessionStorage behaves identically but is scoped to a single browser tab. Data is erased when the tab is closed. We use sessionStorage for transient per-tab state such as in-flight payment-session context.
2.3 Device Identifiers and Mobile Local Storage
Within the Acosmi mobile apps (iOS, Android, HarmonyOS) and the Crab Code desktop client, we may use:
- Application-level local storage (e.g., NSUserDefaults, SharedPreferences, HarmonyOS Preferences API) to store login tokens, user preferences and push-notification tokens.
- App-generated UUID — a random identifier generated by our servers and assigned at first launch, stored in the app sandbox. It is used for session management and crash diagnostics. We do not read advertising identifiers (IDFA, Google Advertising ID, OAID) for advertising-targeting purposes.
- Network-level signals (IP address, User-Agent string) — collected as part of every request, used strictly for security and anomaly detection.
2.4 SDKs (Software Development Kits)
We integrate a small number of third-party SDKs that may, at a technical level, read or write data to your device through mechanisms similar to cookies. See Section 4 for details.
2.5 Tracking Pixels
We do not currently use third-party advertising-network tracking pixels (1×1 transparent images linked to ad-exchange identifiers) in our international products. Should this change, we will update this policy and seek your prior consent.
3. Categories of Cookies We Use
The table below sets out the categories of cookies and similar technologies we deploy, their purposes, and the legal basis under GDPR / applicable law.
| Category | Purpose | Example identifiers / keys | Storage type | Legal basis (GDPR) | Consent required? |
|---|---|---|---|---|---|
| Strictly necessary | Login sessions, CSRF protection, security tokens, load-balancing, 2FA trusted-device state, payment session continuity | tk_sess, tk_csrf, tk_auth_ticket | Cookie (session / persistent), localStorage, sessionStorage | Contract performance / Legitimate interests | No |
| Functional / preferences | Remembering language (zh/en), UI theme (dark/light), dismissed onboarding prompts, keyboard-shortcut preferences | tk_locale, tk_theme, tk_onboard_done | localStorage | Consent | Yes |
| Analytics / performance | Measuring page-load times, error rates, feature-usage frequency using our own first-party analytics (not shared with third-party ad networks) | Internal analytics UUID, error-tracking session ID | Cookie (persistent), internal SDK | Consent | Yes |
| Marketing | We use minimal marketing cookies internationally: a session-scoped UTM source parameter on the marketing website only; no cross-site behavioural advertising cookies | tk_utm_src (session-scoped) | sessionStorage | Consent | Yes (if any) |
3.1 Strictly Necessary
Strictly necessary technologies are essential for the operation of our services. Without them you cannot log in, maintain a session, complete a payment, or use security features. Under GDPR Recital 25 and the ePrivacy Directive Article 5(3), prior consent is not required where the technical storage or access is strictly necessary to provide a service explicitly requested by the user. We rely on this exemption for the cookies listed in this category.
3.2 Functional and Preferences
Preference cookies allow us to remember your settings and deliver a more personalised experience. This data is stored locally on your device and is not uploaded to our servers or used for any analytics or advertising purpose. You can clear these at any time via browser settings, or by updating your preferences in the product.
3.3 Analytics and Performance
We use a proprietary, first-party analytics system — not a third-party analytics platform — to collect aggregated product-usage data. This data helps us identify performance issues and improve our features. Key safeguards:
- All analytics data is stored on servers within the People's Republic of China and, for international users, subject to our standard data-transfer safeguards (see Privacy Policy).
- IP addresses are pseudonymised at ingestion.
- Data is not cross-referenced with your real-world identity outside of authenticated sessions.
- Analytics data is not sold to or shared with third-party advertising systems.
3.4 Marketing
We do not use third-party behavioural advertising cookies or retargeting pixels. Where we record a UTM source parameter, this is stored in sessionStorage only, is cleared when the tab closes, and is used solely to understand which of our own marketing channels brought you to the site. It is not shared externally.
4. Third-Party SDKs and Processors
The following categories of third-party services are integrated into our products. Each third party acts as a data processor under a written data-processing agreement that restricts their use of data to the described purposes and requires appropriate technical and organisational security measures.
| SDK / Service category | Purpose | Data residency / transfer | Typical data types |
|---|---|---|---|
| Payment channel SDK (licensed payment processors) | Initiating payment requests, verifying results, fraud-risk scoring | Processed by the licensed payment processor in accordance with applicable financial regulations | Device identifier, transaction context (no raw card data transmitted by us) |
| Third-party login SDK (e.g., social / enterprise identity providers) | Obtaining OAuth tokens for fast registration or login via third-party accounts | Handled server-side; we exchange tokens through our back-end, not client-side | OAuth access token, user ID, display name (within authorised scope) |
| Crash and error monitoring SDK | Real-time capture of crash stack traces for bug triage | Stored on servers subject to our sub-processor DPA | Device model, OS version, anonymised crash stack (no personal identity information) |
| CDN / static-asset delivery | Accelerating page and asset load times; edge caching | CDN edge nodes globally; access logs auto-purged per CDN provider's retention policy | Access log (IP address pseudonymised, request path) |
| Push notification service (mobile) | Delivering service notifications (not promotional push advertising) | Processed by the mobile OS push infrastructure (Apple APNs / Google FCM / HMS) | Push token, device type |
| Electronic signature / trusted timestamp SDK (Bench / Trusted Timestamp only) | Lawful electronic authentication under PRC Electronic Signature Law | Processed within mainland China by Hongshen (Beijing) Legal Consulting Co., Ltd. | Signature metadata, timestamp certificate |
We do not integrate:
- Demand-side platform (DSP) or data-management platform (DMP) advertising SDKs;
- Cross-app user-profiling SDKs;
- SDKs that access clipboard, camera, or microphone beyond the scope explicitly authorised by the user.
For a full list of our data processors and sub-processors, or to exercise your rights in relation to third-party processing, please contact us using the details in Section 9.
5. Consent Management
5.1 Managing Cookies
You can manage or delete cookies through your browser settings at any time (see Section 6). An in-site cookie consent management tool is being rolled out progressively. If you wish to object to any non-essential cookie use in the meantime, please contact us at fuwu@acosmi.com.
Strictly necessary cookies are required for the service to operate. Disabling them may prevent you from logging in or using core features.
5.2 Withdrawing Consent
You may withdraw or limit cookie processing at any time through browser settings without affecting the lawfulness of any prior processing.
To manage or restrict cookies:
- Browser settings: See Section 6 for step-by-step instructions for all major browsers.
- Contact us: Email fuwu@acosmi.com with the subject "Cookie Preferences" and we will assist you.
Strictly necessary cookies are not affected by withdrawal — without them you cannot log in, maintain a session, or complete a payment.
5.3 CCPA — Right to Opt Out of Sale/Sharing
Under CCPA/CPRA, California residents have the right to opt out of the "sale" or "sharing" of personal information, including through cookies and similar technologies. We do not sell personal information. We also do not share personal information collected through cookies with third parties for cross-context behavioural advertising. California residents may nonetheless submit an opt-out request via the contact details in Section 9, and we will treat all non-essential cookie processing as subject to that opt-out.
5.4 Mobile App Permissions
On mobile apps, we request OS-level permissions (e.g., push notification authorisation) separately at runtime, in accordance with iOS, Android, and HarmonyOS permission frameworks. You may revoke any such permission at any time in your device's system Settings → App Permissions.
6. Managing Cookies Through Browser Settings
All major browsers provide built-in tools to view, control and delete cookies and local storage. The paths below are indicative; exact locations depend on your browser version.
| Browser | Path |
|---|---|
| Google Chrome | Settings → Privacy and security → Cookies and other site data |
| Safari (macOS) | Preferences → Privacy → Manage Website Data |
| Safari (iOS) | Settings app → Safari → Advanced → Website Data |
| Mozilla Firefox | Settings → Privacy & Security → Cookies and Site Data |
| Microsoft Edge | Settings → Cookies and site permissions → Cookies and site data |
| Brave | Settings → Privacy and security → Cookies and other site data |
6.1 Effect of Disabling Cookies
Disabling all first-party cookies will affect:
- Login sessions — you will be signed out when you close the browser; auto-login will not work.
- Payment flows — payment sessions may be interrupted, preventing transaction completion.
- Preferences — UI language, theme and other personal settings cannot be saved.
- Two-factor authentication (2FA) — trusted-device status cannot be maintained; every sign-in will require a fresh verification step.
Disabling only third-party cookies (the default or near-default in most modern browsers) will have no material effect on our core product functionality, because all strictly necessary cookies we set are first-party.
6.2 Clearing Local Storage via Browser Developer Tools
You can inspect and clear localStorage and sessionStorage for our domains using browser developer tools (typically opened with F12):
- Open DevTools → navigate to the "Application" (Chrome/Edge) or "Storage" (Firefox) panel.
- In the left sidebar, expand "Local Storage" or "Session Storage" and select the acosmi.com origin.
- Click "Clear All" to remove all stored entries.
Clearing localStorage will reset your preferences and sign you out.
7. Do Not Track and Global Privacy Control
7.1 Do Not Track (DNT)
Some browsers transmit a Do Not Track (DNT: 1) header. There is no uniform legal standard requiring us to honour this signal. We currently do not alter our data practices in response to DNT headers alone.
7.2 Global Privacy Control (GPC)
The Global Privacy Control (GPC) signal is a browser-level mechanism that, under CCPA/CPRA and similar laws, communicates a user's opt-out of the sale or sharing of personal data. Where technically feasible and legally required, we treat a valid GPC signal as an opt-out request equivalent to one submitted manually. Our web properties are being updated to detect and honour GPC signals programmatically; until full implementation is confirmed, California users may also submit an explicit opt-out request via fuwu@acosmi.com.
We encourage you to use browser settings (see Section 6) in parallel, as they provide the most direct control over cookie-based tracking regardless of browser signal support.
8. Retention and Expiry of Cookies and Local Storage
| Category | Typical retention | Notes |
|---|---|---|
| Session cookies (strictly necessary) | Deleted on browser/tab close | No persistent storage on device |
| Persistent authentication cookie | 30 days (auto-renewed on activity, maximum 12 months) | Invalidated immediately on explicit sign-out |
| localStorage — preferences | Indefinite until cleared or account deleted | Cleared by client-side code on account deletion |
| localStorage — analytics UUID | Up to 12 months | A new pseudonymous UUID is generated on expiry |
| sessionStorage — transient state | Deleted on tab close | No manual action required |
| Mobile app local storage (login credential) | Until app uninstall or account deletion | Cleared by app code on sign-out or deletion |
9. Account Deletion and Clearing Local Data
9.1 Deleting Your Account
You have the right to delete your Acosmi account at any time. Account deletion is currently handled via our support channel; in-product self-service deletion is being rolled out. To submit a deletion request, contact:
- Support email: fuwu@acosmi.com (subject: "Account Deletion Request"; include your registered email or phone number)
- Phone: 4000269678
After verifying your identity we initiate a cooling-off period of approximately 7 days. You may cancel the deletion request by contacting support during this period. Once the cooling-off period expires, your account and associated personal data are deleted irreversibly. All server-side session tokens and cookie identifiers linked to your account are immediately invalidated.
Full details of what happens to your data after deletion, including any legally required retention periods, are set out in the Account Deletion Guide.
9.2 Clearing Device-Side Data After Sign-Out or Deletion
Server-side invalidation of tokens does not automatically erase data already stored on your device. After signing out or deleting your account, we strongly recommend that you clear residual local data — especially if the device is shared.
In the browser:
- Open browser settings and choose "Clear browsing data."
- Select "Cookies and other site data" and "Site storage data (localStorage, etc.)."
- Ensure the time range covers all stored data and includes our domain (acosmi.com).
In the Acosmi mobile app:
- Signing out will cause the app to automatically erase locally stored authentication tokens and session keys.
- For a complete wipe: on Android/HarmonyOS go to Settings → Apps → Acosmi → Storage → Clear data; on iOS, delete and reinstall the app.
In Crab Code (desktop client):
- Sign-out automatically clears the session token from the local configuration directory (typically ~/.config/crabcode/ on Linux/macOS or %APPDATA%\crabcode\ on Windows).
- To fully remove all local data, delete the configuration directory after signing out.
10. Changes to This Policy
We may revise this policy as our products evolve, as new technologies emerge, or to comply with changes in applicable law. When we make changes:
- The updated policy will be published on this page with a revised "Last updated" date.
- If a change involves adding a new category of non-essential cookies or expanding the purpose of an existing category, we will notify you via an in-product notification (in-app message or email) and will seek fresh consent before the change takes effect.
- Minor editorial clarifications that do not affect your rights will take effect on publication without a separate notification.
Your continued use of our products after a change takes effect constitutes acceptance of the updated policy to the extent that re-consent is not required.
11. Contact Us
If you have any questions about this policy, wish to exercise your rights (including right of access, rectification, erasure, restriction, portability, objection, or right to withdraw consent), or wish to lodge a complaint, please contact us:
| Channel | Details |
|---|---|
| Support email | fuwu@acosmi.com |
| Phone | 4000269678 |
| Response time | We aim to respond within 30 days of receiving a verified request (GDPR Article 12) |
| Postal address | As set out in the Privacy Policy |
If you are located in the European Economic Area and believe we have not adequately resolved your concern, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France, or the relevant authority in your EU member state). If you are in California, you may also contact the California Privacy Protection Agency (CPPA).