Effective Date: June 04, 2026
Updated Date: June 04, 2026
Sanke Xiaocao (Shenzhen) IoT Technology Co., Ltd. together with its affiliates and subsidiaries (hereinafter collectively referred to as "we", "us" or "our") is committed to protecting your privacy. This Privacy Statement (the "Statement") describes how we process personal data and safeguard information privacy when you use the services, products and related mobile applications collectively referred to as the "Products".
This Statement applies to the Wuya App and complies with applicable laws and regulations including but not limited to the General Data Protection Regulation (EU Regulation 2016/679) ("GDPR"), UK General Data Protection Regulation ("UK GDPR"), California Consumer Privacy Act ("CCPA"), which grant consumers specific rights and data protection safeguards.
For the purposes of this Statement: "Personal Data" means any information that identifies or can be used to identify a natural person either alone or in combination with other information. "Smart Device" means non-standard computing hardware equipped with human-machine interfaces and capable of wireless data transmission, including smart home appliances, wearable electronics, smart cameras, smart digital photo frames and similar equipment. "App" refers to mobile applications developed by Sanke Xiaocao enabling end-users to remotely control smart devices and connect to our IoT cloud platform.
For third-party branded Apps supported by our technical services, the respective brand client determines what personal data is collected via our Products, and we collect information strictly per the agreed service scope with such clients. If you are an end-user of our business partner’s application and no longer wish to be contacted by that partner, please contact the relevant brand operator directly to submit your request.
We collect necessary personal information to deliver requested services. Refusal to provide required information may render us unable to provide corresponding products or functions.
Account Information: Upon account registration, we collect your account name and contact details such as email address, mobile phone number, username and login credentials. During your ongoing product usage, supplementary profile data including nickname, avatar, country code, language preference and time zone may also be collected.
Third-Party Account Login: When you authorize login via third-party platforms, we obtain shared profile data (avatar, nickname, regional information) from relevant third parties to bind with your Wuya account for one-click sign-in. Such data usage complies with relevant legislations and privacy agreements between us and applicable third-party service providers.
User Feedback: When you submit feedback or suggestions via our built-in feedback tool, we collect your email address, phone number and feedback content to resolve product defects and service inquiries efficiently.
We collect additional necessary personal information matching specific products and services to fulfill service obligations as applicable.
Optional Data Collected for Value-Added Features
Supplementary permission-based data collection below is optional; disabling relevant permissions will not affect core App/WeChat Mini Program basic functions but restricts access to corresponding premium features:
(1) Location-Based Services: We gather geographic location data only after you enable location permissions on your device for device network configuration and weather lookup. Precise GPS coordinates are captured exclusively during manual user-initiated pairing or weather checkups without persistent background polling; location collection terminates immediately once device setup completes. You may enable/disable location access via App path: My Page > Privacy & Authorization > Location Permission or system device settings.
(2) Camera Access: Camera activation only occurs when users manually trigger QR code scanning or video recording for device addition; no silent background camera wake-up happens. Toggle permission via My Page > Privacy & Authorization > Camera Permission.
(3) Microphone Permission for Voice Functions: Audio data is captured solely upon user-initiated voice assistant activation or manual video recording. Microphone access can be modified under My Page > Privacy & Authorization > Microphone Permission.
(4) Storage Permission: Storage read/write access is requested to save local app logs, images and crash reports ensuring stable App operation. Permission control path: My Page > Privacy & Authorization > Storage Permission.
(5) Bluetooth Functions: Bluetooth device name and hardware data are collected only on manual device discovery, home page refresh, device pairing and direct connection operations; historical total collection count stands at 4,098 times all triggered by user actions with no background periodic scanning. Bluetooth data collection ceases immediately once system Bluetooth permission is disabled. Manage access via My Page > Privacy & Authorization > Bluetooth Permission.
(6) Push Notification Permission: Enabled to send device alert notifications and service updates; adjust system push settings under My Page > Privacy & Authorization > System Push.
(7) Installed App List Access (QUERY_ALL_PACKAGES_RUNTIME): Installed application inventory is read only for crash troubleshooting and third-party SDK compatibility verification without bulk/frequent scanning; data is exclusively used for bug fixes and never for user profiling or targeted advertising. Collection stops after relevant permissions are revoked.
(8) Fingerprint Permission Update: The App has fully removed android.permission.USE_FINGERPRINT from permission list; no fingerprint biometric data will be requested or collected at present in compliance with Google privacy specifications. Any future biometric feature rollout will trigger an updated privacy policy and separate explicit user consent.
Enabling any listed permission authorizes us to collect corresponding personal data for related features; disabling a permission terminates future relevant data collection without invalidating lawfully collected information obtained under prior consent.
Mobile Device Metadata: To safeguard account security, stabilize service operation and optimize product experience, we automatically collect device model, IMEI, OS type & version, login IP address, Wi-Fi connection parameters, App build version, push token, network information and system runtime logs during product interaction.
Usage Statistics: We record behavioral metrics including page access, clicks, downloads and message sending/receiving to analyze service usage patterns.
System Log Data: App runtime and crash logs contain visitor IP, system language, OS version and access timestamp.
Hardware Address Information: Mobile Wi-Fi MAC & BSSID are collected only during manual smart device Wi-Fi configuration (total historical collection: 33 instances from active user pairing actions), solely for network verification with no persistent storage for alternate usages. IMEI and Wi-Fi SSID are obtained exclusively during device add procedures to complete network setup.
Standalone device/log metadata cannot identify a specific natural person; should such non-personal data be combined with other datasets to enable individual identification, combined information will be anonymized or pseudonymized unless legally permitted or user-approved.
Basic Device Information: Upon your smart device binding to our platform, we store device name, unique ID, online status, activation timestamp, firmware version and upgrade records.
Device Sensor Data: Dependent on connected hardware type, we receive sensor outputs: body scale/health trackers transmit height, weight, body fat percentage (BFM), BMI and skeletal muscle mass (SMM); smart cameras generate captured images/videos. After your explicit consent to link with third-party health platforms (Apple Health, Google Fit, Fitbit etc.), limited health metrics (BMI, height, weight, body fat rate) may be shared solely for health analysis; no further disclosure to unaffiliated third parties is allowed, and users can revoke platform linkage anytime via respective health application settings.
Bugly SDK Data: Crash analysis SDK collects runtime logs, Android ID/IDFV, network details, device OS and country codes for troubleshooting.
We may receive advertising identifiers (IDFA, OAID), device metadata and ad interaction records from advertising and data analytics partners to optimize advertisement delivery and performance measurement.
Service Delivery: Account, device, location and smart device data are processed to fulfill contractual obligations and deliver purchased products/services under your user agreement.
Product Optimization & Security Maintenance: User behavioral and device information is analyzed to upgrade features, prevent fraud and abnormal misuse based on contractual terms of service.
Mandatory Non-Marketing Communications: Critical service notifications, policy amendment alerts and administrative updates are sent as required for contract performance; such messages cannot be unsubscribed.
Marketing Correspondence: Promotional emails are dispatched only with your consent; all marketing mails include an unsubscribe link. Your personal data may also be used for prize draws and promotional activities you voluntarily join based on your approval.
Targeted Advertising: Anonymized device and usage data are shared with advertising partners for relevant ad matching and campaign effectiveness evaluation.
After-Sales Troubleshooting: Crash logs and runtime stack data retrieved via Bugly SDK are used exclusively to diagnose App malfunctions and deploy fixes.
Legal Compliance: We process personal data where necessary to comply with applicable laws, court orders, official government requests, enforce terms of service, protect legal rights/property of us and users, and mitigate potential legal losses.
Sensitive Data Commitment: Precise geolocation, health metrics and hardware unique identifiers (MAC/IMEI) classified as sensitive personal information under CCPA/GDPR are restricted exclusively to permitted use cases: device pairing, equipment control, after-sales maintenance and contractual performance. No sensitive data will be used for unauthorized commercial marketing, cross-domain user profiling or data resale without your separate written consent for future scope expansion.
Automated Decision-Making & User Profiling Rules: (1) Automated processing is limited to abnormal IoT device risk alerting via connectivity data only; no standalone fully-automated rulings imposing legal or substantial adverse impacts on end-users are implemented. (2) Calculation logic relies purely on device connectivity logs and operational status following standard IoT industry threshold rules (e.g., offline device overtime alert); no user portraits are built from health data or precise location information, nor are core App functionalities restricted via algorithmic decisions. (3) Automated outputs only generate private in-app device alerts with zero external data disclosure and no negative user rights restriction. (4) Statutory User Rights under GDPR Article 22: ① You may object to automated data processing anytime by emailing services@xciotapp.com; relevant algorithmic analysis will be suspended upon valid request. ② Manual review of incorrect algorithm alerts is available upon application with resolution completed within 30 calendar working days. ③ Plain-language explanation of automated decision logic can be requested without disclosure of proprietary commercial algorithm secrets.
CCPA Data Sale Declaration: We never sell user personal information for monetary compensation. Limited data sharing only proceeds under conditions specified herein or upon your separate explicit authorization.
Permitted data sharing scenarios:
1. Authorized Service Vendors: We share required personal information with third-party contractors providing hosting, data analytics, payment processing, IT infrastructure, customer support and email delivery services strictly for order fulfillment.
2. Business Partners: Limited data disclosure to hardware manufacturers and distribution partners enabling smart device and network service provision to end-users.
3. Corporate Restructuring: In events of merger, acquisition, divestiture, bankruptcy or asset transfer, personal data may transfer to successor entities; users will receive advance written notification via email or in-app announcement detailing revised data usage rules and opt-out options.
4. Legal Mandate: Information disclosure to domestic or overseas competent authorities is conducted to satisfy legal obligations, judicial proceedings and official regulatory inquiries.
5. Intra-Group Affiliates: Data sharing within our corporate group for regular internal business operations.
6. Advertising Partners: Aggregated device and usage statistics shared with ad networks for campaign optimization; such transmission may qualify as "sharing/sale" under CCPA with applicable user opt-out rights.
Additional third-party disclosure requires your explicit prior consent outside listed exceptions above.
Your personal and smart device information may be stored and processed outside your resident jurisdiction for global business operations where local data protection legislation differs. All cross-border transfers comply with GDPR Article 46 via execution of approved EU Standard Contractual Clauses (SCCs). Contact our official mailbox for further details regarding cross-border data protection safeguards.
All right requests can be submitted via in-app path My > Feedback & Suggestions > Submit Feedback > Account Related or email services@xciotapp.com free of charge; we respond within 30 calendar days after identity verification.
(1) Right of Access: Request full copy of stored personal data including data source, processing purpose and recipient categories via App feedback form or registered email with ID verification; complete data disclosure within 30 days upon validation.
(2) Right to Rectification: Submit correction applications for inaccurate account details, bound device records or health metrics with supporting documents; verified amendments are finished within 30 days with relevant third-party partners notified synchronously. No service downgrade will be enforced due to valid revision applications.
(3) Right to Erasure: California residents under CCPA may delete all personal data via in-app account cancellation (My > Personal Info > Account & Security > Delete Account) or formal email request; full data deletion including third-party replicated records completes within 45 calendar days except mandatory legal retention scenarios with written justification provided. Non-California users exercise GDPR Article17 erasure right with 30-day fulfillment timeline.
(4) Right to Restrict Processing: Disable corresponding permissions in App privacy settings or submit email to suspend targeted personal data processing immediately upon approval.
(5) Data Portability: Request structured machine-readable personal data export delivered to your reserved email address through App feedback or official mail.
(6) Right to Object: Opt out of consent-based or legitimate-interest data processing including automated algorithm analysis via formal email; relevant automated functions cease within 30 working days after approval.
All statutory right applications incur zero administrative fees; identity validation only requires registered account information submission.
Definition of Sensitive Personal Information under CCPA: Includes precise GPS geolocation, biometric data, unique hardware identifiers (IMEI/MAC/BSSID), physical health metrics, private contact credentials (phone/email), camera/microphone recorded audiovisual content.
Sensitive Data Restriction Opt-out: Users may restrict sensitive information collection either by disabling respective permissions under My > Privacy & Authorization inside App or submitting restriction emails to services@xciotapp.com; we stop unauthorized sensitive data usage and external sharing within 45 days after receiving valid opt-out.
Third-Party Data Sharing Opt-out Right: Terminate non-mandatory external data sharing via in-app feedback channel or email application; opt-out becomes effective within 45 calendar days suspending all non-statutory third-party information disclosure.
Authorized Agent Representation for CCPA Claims: California consumers may appoint individual or California-registered business agents to submit all CCPA legal requests via in-app feedback, official email (subject line: CCPA Agent Application + Consumer Full Name) or postal mail. Valid submission requires either consumer manually signed power-of-attorney document or notarized POA under California Probate Code §4000~4465; authorized agents shall only process user data within approved scope and destroy all obtained information after case closure.
We will not intentionally sell or share personal information of users below age 16. Upon verified written guardian email request, all stored minor personal data will be fully erased with all data collection terminated immediately. Any lawful minor data collection requires explicit written guardian consent; children under 13 follow dedicated additional child privacy rules.
Exercising any statutory rights under GDPR/CCPA including data deletion, rectification, sensitive data restriction and sharing opt-out will never result in service price hikes, functional limitation or denial of core product access from our side.
1. Identifiers: account nickname, mobile number, email, IMEI, IDFA/OAID, MAC address, unique device ID
2. Geolocation data: precise GPS coordinates, Wi-Fi SSID/BSSID collected during pairing
3. Device & usage data: hardware model, OS version, runtime/crash logs, Bluetooth device name, installed app inventory
4. Health metrics: weight, body fat rate, BMI and other hardware-generated physiological data
5. Commercial transaction records: order information, after-sales service records, payment related data
6. Audiovisual data: user-initiated camera/ microphone recordings from manual scan or video capture
Users may permanently delete their account via in-app navigation: My > Personal Information > Account & Security > Account Cancellation.
We deploy commercially reasonable physical, administrative and technical protection mechanisms to secure personal data integrity: proprietary access authentication & data isolation algorithms for smart device connection, end-to-end encrypted data transmission with dynamic encryption keys, strict input validation & full data audit trails during processing, and encrypted confidential information storage. Contact services@xciotapp.com promptly if you suspect account or data security compromise.
Personal data is retained for the shortest necessary duration to fulfill specified processing purposes with a minimum baseline retention of 7 working days unless mandatory legal retention rules apply. All data will be securely destroyed upon retention expiry; irreversible anonymization will be applied if full deletion is technically infeasible to block further data exploitation.
Our service targets users aged 18 or above. Minors under 18 must obtain legal guardian consent and supervision prior to App usage. We will not knowingly collect personal identifiable information from children under 13 or higher age threshold required by applicable regional laws.
| SDK Name | Provider | Core Purpose | Privacy Policy URL |
|---|---|---|---|
| Huawei Push | Huawei | Message Push Service | https://developer.huawei.com/consumer/cn/doc/app/20213 |
| Huawei Distribution SDK | Huawei | Message Push Service | https://developer.huawei.com/consumer/cn/doc/app/20213 |
| Tencent Bugly | Tencent | App Crash Diagnostics | https://static.bugly.qq.com/bugly-sdk-privacy-statement.pdf |
| Alipay SDK | Ant Group | Payment Service | https://opendocs.alipay.com/common/02kiq3 |
| Xiaomi Push | Xiaomi | Message Push Service | https://dev.mi.com/console/doc/detail?pId=1339 |
| OPPO Push | OPPO | Message Push Service | https://open.oppomobile.com/new/developmentDoc/info?id=10288 |
| vivo Push | vivo | Message Push Service | https://dev.vivo.com.cn/documentCenter/doc/652 |
| Amap SDK | AutoNavi | Location & Map Service | https://lbs.amap.com/pages/privacy/ |
| Alibaba Cloud One-Click Login | Alibaba Cloud | Third-party Quick Login | https://terms.aliyun.com/legal-agreement/terms/suit_bu1_ali_cloud/suit_bu1_ali_cloud201902141711_54837.html?spm=a2c4g.103075.0.0.58467553vXAT3I |
| Alibaba Cloud Push | Alibaba Cloud | Message Push Service | https://terms.aliyun.com/legal-agreement/terms/suit_bu1_ali_cloud/suit_bu1_ali_cloud202107091605_49213.html?spm=5176.12818093_-1363046575.console-base_help.1.57ea16d0KeYeLt |
| China Mobile Login SDK | China Mobile | Third-party Quick Login | https://dev.10086.cn/account/login/serviceagreement/ |
| WeChat Login SDK | Tencent WeChat | Third-party Quick Login | https://open.weixin.qq.com/cgi-bin/frame?t=news/protocol_developer_tmpl |
For detailed SDK data collection rules, refer to respective provider’s standalone privacy agreements via attached links above.
Unresolved privacy disputes may be escalated to relevant EU data protection supervisory authorities via: https://edpb.europa.eu/about-edpb/board/members_en if our internal customer service cannot deliver satisfactory resolution.
We reserve the right to revise this Statement to reflect updated data processing practices. Material policy amendments will be notified via registered user email or prominent in-app notice prior to effective implementation. Regular periodic review of this document is recommended for latest privacy practice updates. Consent to revised privacy terms is required to complete App login as login process inherently collects basic account and access logs.
This Privacy Statement is governed and construed under the laws of the People’s Republic of China with relevant judicial jurisdiction in mainland China.
Company Name: Sanke Xiaocao (Shenzhen) IoT Technology Co., Ltd.
Postal Address: Bailuwan Science and Technology Ecological Park, Jinjiang District, Chengdu City, Sichuan Province, P.R.China
Official Service Email: services@xciotapp.com
Data Protection Officer Email: yucao@lianlemo.com