
Third-Party Login & OAuth Authorization Agreement

This agreement explains what information we collect when you sign in to Acosmi via phone verification code, email, or a third-party identity provider — and how you can manage, limit, or revoke that access.

Applicable region: International (users outside mainland China). Users in mainland China should switch to the Simplified Chinese (中国区) edition.

Effective: June 3, 2026 | Last updated: June 3, 2026

1. Scope and relationship to other agreements

This Third-Party Login & OAuth Authorization Agreement ("Agreement") is a supplemental agreement to the Terms of Service. It governs how we handle identity information collected when you register or sign in using phone verification codes, email addresses, or third-party identity providers. Together with the Terms of Service, this Agreement forms the complete contract between you and the Xiezhua group ("we", "us", "Acosmi"). Where this Agreement conflicts with the Terms of Service on login and authorization matters, this Agreement prevails; on all other matters the Terms of Service govern.

Who we are. Acosmi is provided jointly by two affiliated companies operating as a single platform under the "Acosmi" brand:

Entity | Role
Xiezhua (Beijing) Intelligent Technology Co., Ltd. | Platform operator — unified account system, Acosmi, Crab Code, open platform, payments
Hongshen (Beijing) Legal Consulting Co., Ltd. | Legal services — Bench (众律宝), Trusted Timestamp (可信时间章)

One Acosmi account grants access to all products from both entities. References to "we", "us", or "the platform" mean the applicable entity or both, depending on the service you use.

Consent. By clicking "Sign in", "Register", or "Continue with [provider]", you confirm that you have read, understood, and agreed to this Agreement. If you do not agree, please stop using these sign-in methods. You may contact us to delete any information already collected.

This Agreement is prepared in compliance with applicable laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data-protection laws in jurisdictions where we operate internationally. Processing of personal data described in this Agreement is based on one or more of the following legal bases under GDPR Article 6:

  • Performance of a contract (Article 6(1)(b)) — processing your identifier and contact details is necessary to create and maintain your account and provide the service you requested;
  • Legitimate interests (Article 6(1)(f)) — security logging, fraud prevention, and session management;
  • Consent (Article 6(1)(a)) — where specifically indicated, such as for optional avatar synchronization.

2. Supported sign-in methods

The table below lists all currently supported sign-in methods and their regional availability:

Method | China region | International region | Notes
Phone number + SMS code | Available | | Mainland China numbers only; real-name registration required
Email + password | Available | Available | All regions
WeChat (scan / mini program) | Available | | Requires a real-name WeChat account
Google | | Available | Generally unreachable from mainland China networks
GitHub | Available (when reachable) | Available | Common for developers
Apple (Sign in with Apple) | Planned | Planned | Not yet available

Availability notice. The above reflects the current technical and compliance status. We may add or remove sign-in methods at any time in response to regulatory requirements, third-party platform policy changes, or product updates. Material changes will be communicated to you in accordance with Section 11.

Note on email verification codes. Email verification codes are currently used for account registration, linking a new sign-in method, and password reset — they are not a standalone passwordless login method.

Enterprise SSO. Single sign-on for enterprise customers is available via custom integration; it is not currently based on standard SAML 2.0 or OpenID Connect. Organizations interested in enterprise SSO should contact us at fuwu@acosmi.com.


3. What information we receive from third-party providers

3.1 Minimum-necessary principle

We apply the principle of data minimisation as required under GDPR Article 5(1)(c): we request only the minimum scope of authorization necessary to authenticate you and initialize your account. We do not request permissions to access data unrelated to sign-in.

3.2 Information received per provider

Provider | Information we request | Information we never receive
Google | Unique account identifier (sub), email address, display name, profile picture URL | Google Drive contents, Calendar, Contacts, any data beyond the openid/email/profile scopes, your Google password
GitHub | Numeric user ID, username (login), publicly visible email address (if set), avatar URL | Private repositories, SSH keys, secrets, tokens, your GitHub password
WeChat | WeChat OpenID (app-scoped), UnionID (where applicable across the Xiezhua group's WeChat presence), nickname, public avatar URL | Friend list, contacts, WeChat Pay information, Moments content, your WeChat password
Phone / email | Phone number or email address (for code delivery and account binding) | No third-party account data

We never obtain your password on any third-party platform. All third-party authentication occurs entirely on the provider's servers. We receive a short-lived authorization credential (OAuth 2.0 Access Token or OpenID Connect ID Token) over an encrypted channel, which we exchange for the minimum profile data listed above.

3.3 How we use the information

We use the information received solely for:

  1. Account identification. The unique identifier (sub, GitHub ID, Apple user identifier, phone number, or email) lets us determine whether you already have an Acosmi account, so we can sign you in rather than create a duplicate.
  2. Account initialization. Your display name and avatar URL (if provided) populate your initial Acosmi profile. You can update these at any time in Settings → Profile.
  3. Communication. Your email address or phone number is used to send verification codes and security alerts (such as sign-in from a new device or location).
  4. Cross-product identity. Where you have granted access across multiple Acosmi products (Acosmi, Crab Code, Bench, Trusted Timestamp), the same account identifier ensures a single unified account.

4. First-time login: automatic account creation

If you sign in for the first time using a method not yet linked to an existing Acosmi account, we automatically create a new Acosmi account for you.

What this means in practice:

  • Single account, all products. Your new account immediately grants access to all products and services provided by both Xiezhua (Beijing) and Hongshen (Beijing) under the Acosmi brand.
  • Pre-populated profile. If the provider supplied a display name and avatar, these are used as your initial Acosmi display name and avatar. You may change them at any time.
  • Instant and seamless. Account creation and sign-in happen in a single request; no additional confirmation step is required.

4.1 Handling potential account conflicts

If you previously registered an Acosmi account with an email address that matches the email returned by a third-party provider, the system may detect this overlap and prompt you to link the two. Any account-merge flow will clearly describe the data scope and irreversibility before asking for your confirmation.


5. Linking and unlinking sign-in methods

5.1 Linking multiple sign-in methods

You can link multiple sign-in methods to a single Acosmi account in Settings → Account Center → Sign-in methods. For example, you may link your email address, GitHub account, and Google account simultaneously — any one of them can be used to sign in.

Why this matters. If one provider experiences an outage, or you lose access to one linked account, you can still sign in using another method and recover your Acosmi account.

5.2 Unlinking a sign-in method

You can unlink any sign-in method at any time from Settings → Account Center → Sign-in methods. No customer support request is needed. The change takes effect immediately.

Minimum requirement. To protect you from accidental lockout, you must keep at least one usable sign-in method linked to your account (phone number, email, or a third-party account — at least one). If you try to unlink your only remaining method, the platform will ask you to add another one first.

5.3 Effects of unlinking

What you unlink | Effect
A third-party account (e.g. Google, GitHub) | That provider account can no longer be used to sign in to Acosmi. Your Acosmi data, subscriptions, and history are unaffected.
A phone number | That phone number can no longer receive verification codes for this account. Other sign-in methods continue to work normally.
An email address | That email can no longer be used to sign in or receive notifications. If another email is linked, notifications are routed there instead.

Unlinking a sign-in method does not delete your Acosmi account. For full account deletion, see Section 10 below.


6. Withdrawing OAuth authorization

6.1 Revoking at the provider

You can revoke Acosmi's access to your third-party account at any time directly on the provider's platform:

  • Google: Google Account → Security → Third-party apps with account access → Find Acosmi → Remove access.
  • GitHub: GitHub → Settings → Applications → Authorized OAuth Apps → Find Acosmi → Revoke.
  • WeChat: WeChat → Me → Settings → Privacy → Authorized Services → Find Acosmi → Cancel.

After revoking at the provider, that third-party account can no longer be used to sign in to Acosmi. However, this action does not automatically delete your Acosmi account or the information we already legitimately obtained. To delete your account and its data, follow Section 10.

6.2 Revoking within Acosmi

Unlinking a third-party sign-in method within Acosmi (Section 5.2) is equivalent to revoking our application's connection to that provider. Any Access Token we hold for that connection will be invalidated within 24 hours. After that, we will not initiate any API requests to that provider on your behalf.

6.3 Data handling after revocation

Following revocation:

  1. We will stop using the revoked authorization to fetch any new data from the third-party provider.
  2. Basic profile information already stored (such as a display name synced from GitHub at first login) remains part of your Acosmi account unless you separately request deletion via Settings or a deletion request to us.
  3. We retain or delete data in accordance with the retention schedule in the Privacy Policy.

Under GDPR Article 7(3), withdrawing consent (where consent was the legal basis) does not affect the lawfulness of processing carried out before withdrawal.


7. Account security

7.1 Our security measures

  • Tokens are not stored in plaintext. Third-party OAuth Access Tokens are used only to fetch the minimum profile at the moment of authorization and are not stored long-term in plaintext. Where a long-lived token is genuinely necessary for a specific feature (e.g., continued access to your data on a third-party platform), we will seek separate, explicit consent and disclose this clearly.
  • TLS-encrypted communications. All login and authorization flows use HTTPS/TLS to prevent eavesdropping and man-in-the-middle attacks.
  • Anomalous sign-in alerts. If we detect a sign-in from a new device or an unusual geographic location, we will notify you by email or SMS (if you have a phone number on file).
  • Session management. You can view active sessions and sign out devices from your account settings (this feature is being rolled out); to sign out a device immediately, contact support.

7.2 Your responsibilities

  • Secure your devices and credentials. You are responsible for keeping the devices on which you are signed in to Acosmi secure, including the passwords and two-factor authentication methods for any linked third-party accounts.
  • Do not share credentials. Do not share your Acosmi session tokens, cookies, or third-party account credentials with anyone, including services claiming to act on your behalf.
  • Sign out on shared devices. Always sign out of Acosmi and clear browser sessions when you finish using a shared or public device.

7.3 If a linked account is compromised

If you believe a third-party account linked to Acosmi has been taken over, immediately:

  1. Go to the third-party platform, change the password, and enable two-factor authentication.
  2. Revoke Acosmi's authorization at the provider (Section 6.1).
  3. If you can still sign in to Acosmi, sign out all other sessions from your account settings (if available) or contact support for help.
  4. If you cannot sign in to Acosmi, contact us immediately to freeze your account:
    • Email: fuwu@acosmi.com
    • Phone: 4000269678
    Provide a description of the incident and any available identity verification.

8. How we process your personal data from this flow

Personal information obtained through the sign-in flows described in this Agreement is processed as part of your Acosmi account data and is subject to our Privacy Policy in full, including:

  • Purposes and legal bases for processing (GDPR Article 6; contract performance and, where applicable, consent);
  • Retention periods and deletion rules;
  • Your rights as a data subject — including the right to access, rectification, erasure ("right to be forgotten"), data portability, restriction of processing, and objection;
  • International transfers (including appropriate safeguards such as Standard Contractual Clauses where data is transferred outside the EEA or UK);
  • How to exercise your rights and how to lodge a complaint with a supervisory authority.

Note on profile pictures. Avatar URLs from third-party providers point to the provider's servers. We generally store only the URL, not the image itself. If the provider later changes or expires that URL, your avatar may no longer display correctly. To use a persistent avatar, upload one directly in Settings → Profile.


9. Acosmi as an OAuth authorization server (for developers)

When Acosmi acts as an OAuth authorization server — allowing applications to request "Sign in with Acosmi" — different rules apply. This capability currently serves first-party products and approved partner clients. Self-service OAuth client registration for third-party developers is being rolled out; until then, developers wishing to integrate should contact us (see Developer Terms). Developers who integrate with the Acosmi Open Platform OAuth service must comply with the Developer Terms, including restrictions on authorization scope, data usage, security requirements, and user notification obligations.

As an end user, you have the right to:

  • View and revoke which third-party applications have been granted access to your Acosmi account (self-service management is being rolled out; you may also contact support to query and revoke);
  • Revoke authorization for any third-party application at any time;
  • Report any unauthorized application authorizations to us immediately at fuwu@acosmi.com.

10. Account deletion

10.1 How to delete your account

At this time, account deletion is handled through our customer support team. To request deletion, please contact us via one of the channels below — we will verify your identity and then process the request:

An in-product self-service deletion flow is forthcoming and will be announced when available.

After your deletion request is accepted, a cooling-off period of approximately 7 days begins. During this period you may cancel the request and restore your account. Once the cooling-off period expires, deletion is permanent and irreversible.

10.2 What deletion means

Deleting your account has the following irreversible effects:

  • All sign-in methods are unlinked simultaneously. Your phone number, email, WeChat, GitHub, Google, and any other linked sign-in method will all be disassociated. After deletion, none of these can be used to sign in to Acosmi.
  • Account data is permanently deleted. This includes your conversation history, agent configurations, Bench case data, Trusted Timestamp records, subscriptions, and credit/token balances.
  • Unused entitlements are forfeited. Prepaid subscription time, token balances, and add-on packages that remain at the time of deletion are non-refundable. Please ensure you have addressed any such entitlements before initiating deletion.
  • Third-party application authorizations are terminated. Any application you authorized through Acosmi's Open Platform OAuth will immediately lose access.
  • Developer API keys are revoked. If you have issued Open Platform API keys, they will be immediately deactivated.

10.3 Data retained after deletion

Following account deletion, we will retain certain information for the minimum periods required or permitted by applicable law (for example, transaction logs for accounting or fraud-prevention purposes) and will then delete it. See the Privacy Policy and Account Deletion guide for the full retention schedule.

Under GDPR Article 17, you also have the right to request erasure of your personal data independently of account deletion. Contact us at fuwu@acosmi.com to exercise this right.

10.4 Assisted deletion

If you are unable to complete the self-service deletion flow, or have special circumstances requiring assistance:


11. Changes to this Agreement

We may update this Agreement from time to time to reflect changes in applicable law, third-party platform policies, or product functionality.

  • Material changes (for example, adding a new sign-in method, expanding the scope of information requested, or introducing a new processing purpose) will be communicated to you at least 15 calendar days in advance via in-app notification, dashboard message, or email. Before the change takes effect, you may decline and request account deletion.
  • Non-material changes (for example, clarifying language, correcting links, or administrative updates) will be reflected in an updated version of this page with a revised "Last updated" date. Continued use of sign-in functions after any change constitutes acceptance of the revised Agreement.
  • Version history. Prior versions are archived and available upon request via fuwu@acosmi.com.

12. Contact us

If you have questions or concerns about this Agreement, wish to exercise your data-subject rights, or need to report a security incident, please reach out to us:

  • Support email: fuwu@acosmi.com
  • Phone: 4000269678 (business hours, Beijing time)
  • Postal address: Available upon request via the support email above

Related agreements: Terms of Service | Privacy Policy | Account Deletion | Developer Terms