Privacy Policy
This policy explains how the Xiezhua group (Acosmi system) collects, uses, shares, and protects your personal information, and your rights under applicable law.
Applicable region: International (users outside mainland China). Users in mainland China should switch to the Chinese (China region) edition.
Effective: June 3, 2026 | Last updated: June 3, 2026
1. Who we are: data controller statement
The Acosmi services you use are provided jointly under the single brand "Acosmi" by two affiliated companies that together form the Xiezhua group (also referred to as the "Acosmi system"). Both companies act as joint data controllers:
| Entity | Role | Personal data processing scope |
|---|---|---|
| Xiezhua (Beijing) Intelligent Technology Co., Ltd. ("Xiezhua Tech") | Platform operator | Account registration/login, Acosmi AI agents, Crab Code, open platform, payments and subscriptions, logs and security |
| Hongshen (Beijing) Legal Consulting Co., Ltd. ("Hongshen Legal") | Affiliated legal-service entity | Bench (Zhonglvbao) legal workbench, Trusted Timestamp e-certification and evidence preservation, identity verification, legal consultation records |
Both entities operate under a unified account system, unified security standards and a unified customer-service channel. You do not need to contact each company separately: any rights request submitted to our unified support channel (see Section 12) will be coordinated internally and handled by the appropriate entity.
Where we refer to "we", "us" or "our" in this policy, we mean the Xiezhua group and, depending on the specific service you are using, the applicable entity or both entities jointly.
The two affiliated entities may share your basic account information (phone number, email address, identity-verified status) between themselves to the minimum extent necessary to provide you with a unified login experience, unified entitlements and unified customer support. This sharing is based on our legitimate interests in providing an integrated service and does not require separate consent for that limited purpose.
This policy is issued under, and complies with, the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data-protection laws. Our representative in the European Economic Area can be reached at fuwu@acosmi.com.
2. Personal data we collect
2.1 Registration and account data
| Data type | Details | Required? |
|---|---|---|
| Phone number | Registration, login, verification, account recovery | Required (or email) |
| Email address | Login, notifications, account recovery | Required (or phone) |
| Third-party login identifiers | WeChat OpenID/UnionID, GitHub ID, Google ID, etc. (only when you choose third-party login) | Optional |
| Display name and avatar | Profile display | Optional |
| Password (salted hash — never stored in plain text) | Account authentication | Required when using password login |
2.2 Identity verification data
When you use Bench (Zhonglvbao), Trusted Timestamp or other compliance-grade legal services, we collect:
- Legal name
- Government-issued ID number (e.g., national ID card, passport)
- Facial biometric data for liveness checks (processed directly by a licensed verification provider; we receive only the pass/fail conclusion)
- Bar licence number and law-firm name (attorneys only)
Identity verification data is stored with the highest level of security and is never used for marketing.
2.3 Device and log data
| Data type | Details |
|---|---|
| Device identifiers | Device model, OS version, unique device identifiers (IDFA/OAID/Android ID, subject to platform and your consent) |
| Network information | IP address, network type (Wi-Fi/4G/5G), approximate geolocation (city/region level, derived from IP) |
| Browser information | Browser type and version, language preference, time zone |
| Application logs | Feature click records, page view records, operation timestamps, error logs and crash reports |
| Cookies and similar technologies | See our Cookie Policy |
2.4 Usage and interaction data
- Conversation inputs and prompts you type into Acosmi or Crab Code
- Workflow and Agent Studio configurations and code snippets you create or edit
- Files, documents, images, audio and video you upload (only when you do so voluntarily)
- Legal queries and case-related text you submit in Bench (Zhonglvbao)
- File hashes or file content submitted for Trusted Timestamp evidence preservation
- Your feedback, ratings and reports
Important notice on AI processing and model training
Content you input into Acosmi, Crab Code or Bench (conversations, files, prompts) is used solely to provide you with the requested service during and after that session. It is not used to train or fine-tune any foundation large-language model (ours or any third party's) without your separate, explicit, written consent. If we ever wish to use your content for model training, we will notify you at least 30 days in advance and give you a clear opt-out that does not affect your continued use of the service.
2.5 Payment and invoicing data
| Data type | Purpose |
|---|---|
| Payment-channel identifiers (e.g., Alipay UID, WeChat Pay OpenID, Stripe customer ID) | Initiating and verifying payments |
| Payment amounts and order records | Subscription management, refund processing, financial reconciliation |
| Billing name, tax ID number, billing email | Issuing electronic invoices or receipts (only when you request them) |
| Last four digits of card (card payments only) | Payment verification |
We do not store full card numbers. Complete payment credentials are held by licensed payment processors under their own security obligations.
2.6 Customer-service records
Communications with us via fuwu@acosmi.com or by phone (400-026-9678): call recordings (where legally permitted and disclosed), email content, ticket records and live-chat transcripts.
3. How we use your personal data
We use your personal data only for the purposes and on the lawful bases described below. We rely on the following GDPR lawful bases:
| Processing purpose | Data types involved | GDPR lawful basis |
|---|---|---|
| Providing core products and services (account management, AI conversation, agent execution, legal workbench) | Account data, usage data, AI inputs | Contract (Art. 6(1)(b)) |
| Identity verification and legal compliance (real-name auth, Trusted Timestamp compliance, anti-fraud) | Identity data, device data | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) |
| Payment processing and subscription management | Payment data | Contract (Art. 6(1)(b)) |
| Security assurance (anomaly detection, risk control, vulnerability remediation) | Device data, log data | Legitimate interests (Art. 6(1)(f) — ensuring security) |
| Customer service and complaints handling | Service records, account data | Contract (Art. 6(1)(b)) |
| Product improvement and bug fixing (aggregate analysis; no individual profiling) | Anonymised / pseudonymised usage data | Legitimate interests (Art. 6(1)(f)) |
| Personalised feature suggestions (based on your own history; no cross-user profiling for ads) | Usage data | Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a), withdrawable) |
| Service notifications (security alerts, subscription renewal reminders) | Phone, email | Contract (Art. 6(1)(b)) |
| Marketing communications | Phone, email | Consent (Art. 6(1)(a)) — you may unsubscribe at any time |
| Issuing invoices and receipts | Invoicing data | Legal obligation (Art. 6(1)(c)) |
| Legal disputes, regulatory obligations, law-enforcement requests | As required | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, you have the right to object. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
4. AI processing and model-training statement
4.1 How AI processing works
Content you input is processed by AI inference services, either developed by Xiezhua Tech or provided by authorised third-party model-compute providers (see Section 5.2). All processing is encrypted in transit. Third-party providers act solely as data processors on our documented instructions and are contractually prohibited from using your data for their own purposes.
4.2 No training without consent
We make an unambiguous commitment: none of your input content will be used to train or fine-tune any foundation large-language model (including our own or any third party's) without your separate, explicit, written consent. If our data practices ever change in a way that involves model training, we will give you at least 30 days' advance notice and a meaningful opt-out option that does not degrade your core service access.
4.3 Conversation history
Your conversation history is stored under your account and is accessible only to you (authorised support staff may access it only to the minimum extent necessary when resolving a complaint). It is never shared with other users. You may delete all or part of your conversation history in-app at any time.
5. Sharing and disclosure of personal data
5.1 Within the Xiezhua group (affiliated entities)
Xiezhua Tech and Hongshen Legal may share basic account information (account identifiers, real-name status, entitlement status) when you use cross-product features (e.g., accessing Bench with your Acosmi account). This sharing is on a need-to-know, minimum-necessary basis for the purpose of delivering the integrated service.
5.2 Data processors (service providers)
We engage third-party service providers who act as data processors. They process your data only on our documented instructions and are bound by data-processing agreements:
| Processor category | Example purpose | Data categories involved |
|---|---|---|
| AI inference and compute providers | Processing conversation inference requests | AI input content (encrypted in transit) |
| Payment processors (e.g., Alipay, WeChat Pay, Stripe) | Initiating payments, handling subscription agreements | Payment identifiers, order amounts |
| Third-party login providers (e.g., WeChat, GitHub, Google) | OAuth login verification | Third-party login identifiers |
| Identity-verification authorities (licensed) | Liveness and document verification | Name, ID number, facial biometrics |
| Cloud storage and CDN providers | Storing user-uploaded files, delivery acceleration | User-uploaded files |
| Analytics providers (pseudonymised data only) | Crash analysis, performance monitoring | De-identified log data |
| Customer-service platforms | Online support ticketing | Support communications |
| E-invoicing service providers | Issuing and delivering VAT e-invoices or receipts | Invoicing data |
An up-to-date list of specific named sub-processors is available on request at fuwu@acosmi.com.
5.3 Legal and regulatory disclosure
We may disclose personal data without prior notice in the following circumstances:
- To comply with applicable law or enforceable governmental / regulatory orders;
- To enforce our terms or protect our legal rights in litigation;
- To protect the vital interests or safety of any person;
- With your consent.
Where permitted by law, we will notify you of such requests before disclosure.
5.4 Business transfers
If we undergo a merger, acquisition, reorganisation or asset sale, your personal data may transfer as a business asset. We will notify you at least 15 days beforehand and ensure the recipient is bound by standards no less protective than this policy. You may close your account and request data deletion before any transfer takes effect.
6. International data transfers
Our primary servers are located in mainland China. Certain operations may involve international data transfers, including:
- International AI model providers (e.g., Anthropic, OpenAI, Google DeepMind): when you use these models, your prompts and conversation content are transmitted to servers in the provider's jurisdiction(s);
- International developers / API users accessing the Acosmi open platform;
- Third-party integrations you choose to connect.
For transfers of personal data from the EEA, UK or Switzerland, we rely on the following transfer mechanisms:
| Transfer mechanism | When used |
|---|---|
| EU Standard Contractual Clauses (SCCs — 2021 edition) + UK International Data Transfer Addendum | Transfers to processors and controllers in non-adequate countries |
| Adequacy decisions | Where the destination country has been deemed adequate by the European Commission or UK ICO |
| Your explicit consent (Art. 49(1)(a) GDPR) | For specific, limited one-off transfers where SCCs are not yet in place |
Copies of the relevant SCCs are available on request at fuwu@acosmi.com.
For transfers involving special-category or biometric data, we apply supplementary technical measures (encryption at rest and in transit, pseudonymisation where possible) in addition to the contractual safeguards above.
7. Retention periods
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law.
| Data type | Retention period | Treatment at end of period |
|---|---|---|
| Account data (phone, email, display name) | Duration of the account; deleted within 15 days of account closure | Secure deletion |
| Conversation records and AI inputs | Until you delete them or 15 days after account closure | Secure deletion |
| Uploaded files | Until you delete them or 15 days after account closure | Secure deletion (expired files purged automatically) |
| Identity verification conclusion (masked ID number) | Duration of service relationship plus minimum period required by law (generally 5 years) | Secure deletion |
| Payment and order records | 5 years from transaction date (e-commerce regulations) | Archived then deleted |
| Invoice / receipt data | 10 years from issue date (tax regulations) | Archived then deleted |
| Security and access logs | Minimum 6 months; generally 12 months | Deleted |
| Customer-service records and call recordings | 3 years after ticket closure | Deleted |
| Consent and marketing-preference records | Minimum 3 years (compliance evidence) | Deleted |
Where retention is required by legal obligation beyond these periods, data is stored securely and access is restricted to compliance purposes only; it is permanently deleted as soon as the legal retention period expires.
8. Security measures
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, unauthorised disclosure or access:
8.1 Technical safeguards
- Encryption in transit: All communications use TLS 1.2 or higher;
- Encryption at rest: Sensitive fields (identity data, payment identifiers) are encrypted in the database;
- Access controls: Least-privilege principle; production database access requires multi-factor authentication and is logged;
- Pseudonymisation: Internal analytics use pseudonymised or anonymised datasets;
- Vulnerability management: Regular security audits, penetration testing and a responsible-disclosure programme (report to fuwu@acosmi.com).
8.2 Organisational safeguards
- A dedicated Data Protection/Privacy Officer oversees compliance;
- Employees are bound by confidentiality obligations and receive regular data-security training;
- Sub-processors are subject to contractual data-security obligations and our right to audit;
- An incident response plan is in place and tested regularly.
8.3 Personal-data breach response
In the event of a breach likely to result in a risk to your rights and freedoms, we will:
- Contain the breach and take remedial action immediately;
- Notify the relevant supervisory authority within 72 hours of becoming aware (where required by GDPR Art. 33);
- Notify affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Art. 34);
- Maintain an internal breach register.
If you discover unauthorised access to your account, please change your password immediately and contact us.
9. Your rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 Rights under GDPR (EEA/UK)
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of the personal data we hold about you | Email fuwu@acosmi.com; in-app self-service is being rolled out |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Some fields editable in-app; others via fuwu@acosmi.com |
| Erasure (Art. 17) | Request deletion of your data (subject to legal retention obligations) | Contact fuwu@acosmi.com or 400-026-9678; in-app self-service forthcoming |
| Restriction (Art. 18) | Restrict our processing of your data in certain circumstances | Submit written request by email |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format | Conversation export is available in-product; for a full personal-data copy, email fuwu@acosmi.com — broader in-app export is being rolled out |
| Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing | In-app privacy preferences or email |
| Withdraw consent | Withdraw consent at any time without affecting prior processing | In-app privacy preferences or email |
| Automated decision-making (Art. 22) | Not to be subject to solely automated decisions with significant legal effects | Contact us |
9.2 Rights under CCPA/CPRA (California residents)
| Right | Details |
|---|---|
| Know | Know the categories and specific pieces of personal information collected, and how it is used and shared |
| Delete | Request deletion of personal information we hold (subject to exceptions) |
| Correct | Request correction of inaccurate personal information |
| Opt out of sale or sharing | We do not sell personal information, nor share it for cross-context behavioural advertising purposes within the meaning of CCPA/CPRA |
| Limit use of sensitive personal information | Restrict use of sensitive personal information to providing the requested service |
| Non-discrimination | You will not receive discriminatory treatment for exercising your CCPA/CPRA rights |
To submit a CCPA/CPRA request, contact us at fuwu@acosmi.com or call 400-026-9678. We will verify your identity before processing the request and respond within 45 calendar days (extendable by a further 45 days with notice).
9.3 How to exercise your rights
- Conversation export: Conversation content can be exported directly in-product. To obtain a full copy of your personal data or to exercise access and correction rights, please contact us by email; broader in-app self-service is being rolled out.
- Email: Send your request to fuwu@acosmi.com with the subject line "Data Rights Request".
- Phone: Call 400-026-9678 (Mon–Fri, 09:00–18:00 CST).
We will respond within 30 days of receiving your request (or within the shorter period required by applicable law). If a request is complex, or if requests are numerous, we may extend this by a further 30 days with notice.
9.4 Right to lodge a complaint with a supervisory authority
If you are in the EEA, you have the right to lodge a complaint with your local data-protection authority. To find your national authority, visit the European Data Protection Board website. In the UK, complaints may be addressed to the Information Commissioner's Office (ico.org.uk). We ask that you contact us first so we can attempt to resolve your concern directly.
10. Children and minors
Our services are not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children below that age. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at fuwu@acosmi.com and we will delete that information promptly.
For more detailed protections applicable to minor users, please read our Minors Protection Policy.
11. Account deletion
You have the right to close and delete your Acosmi account at any time. Deletion permanently erases your data across all products in the Acosmi system — including conversation history, uploaded files, credits balance and subscription entitlements — and cannot be undone.
11.1 How to request deletion
Account deletion is currently handled via our support channel. In-product self-service deletion is being rolled out. To submit a deletion request, please contact us:
- Email: fuwu@acosmi.com (subject: "Account Deletion Request"; include your registered email or phone number)
- Phone: 400-026-9678
After verifying your identity we will initiate the deletion process. A 7-day cooling-off period applies; if you sign in during this period the request is automatically cancelled. Once the cooling-off period expires, your account is permanently closed and your personal data is deleted within 15 calendar days.
11.2 Important notes before deleting
- Deletion is irreversible — download or export any data you wish to keep before proceeding;
- Active subscriptions will terminate at account deletion; prepaid credits and unused subscription periods are forfeited (contact support before deleting if you wish to discuss a refund);
- Any in-progress e-signing, Trusted Timestamp or legal-certification workflows should be completed before you delete your account;
- Accounts under active investigation or subject to a legal hold may have deletion requests deferred pending resolution.
11.3 Deletion contact
To submit or follow up on a deletion request, contact us:
- Email: fuwu@acosmi.com (subject: "Account Deletion Request"; include your registered email or phone number)
- Phone: 400-026-9678
For full details, see the Account Deletion Guide.
12. Changes to this policy
We may update this Privacy Policy from time to time. For material changes — including changes to the categories of personal data collected, purposes of processing, your rights, or the entities that process your data — we will provide at least 30 days' advance notice via an in-app notification or email before the changes take effect.
For non-material changes (such as wording clarifications or contact-detail updates), we will update the "Last updated" date at the top of this page. Your continued use of our services after the effective date of any changes constitutes acceptance of the revised policy.
A history of previous versions of this policy is available on request at fuwu@acosmi.com.
13. Contact us
| Contact | Details |
|---|---|
| Data Protection / Privacy Officer | fuwu@acosmi.com (subject: "Privacy / Data Protection") |
| General support email | fuwu@acosmi.com |
| Service phone | 400-026-9678 (Mon–Fri, 09:00–18:00 CST) |
| Platform operator | Xiezhua (Beijing) Intelligent Technology Co., Ltd. |
| Legal-service entity | Hongshen (Beijing) Legal Consulting Co., Ltd. |
| Related policies | Cookie Policy · Terms of Service · Minors Protection · Account Deletion Guide · Payment and Subscription Agreement · OAuth and Login Agreement · E-Certification Agreement |