Privacy Policy
Last updated: May 30, 2026 · Applies to HexAstral, Yuel, Fēng, Cycle, and all satellite apps published by UseONE, LLC
1. Overview
We take your privacy seriously. This Privacy Policy describes how UseONE, LLC ("we", "us") collects, uses, stores, and protects your personal information across the HexAstral universe of apps — currently Yuel and Yuun (and other apps as released).
This Policy complies with applicable data protection laws, including Apple App Store and Google Play privacy requirements and relevant international regulations.
2. Information We Collect
2.1 Information you provide • Birth information: solar date, time index, gender, optional city and coordinates (used for astrology calculations — Ba Zi, Zi Wei, fate timeline, compatibility). In Yuun, birth date is optional and may be kept on-device. • Personal name / nickname (optional). • Display name and optional avatar image (if you upload one). • Apple ID identifier (when signing in with Apple) or Google account identifier (when signing in with Google). • Email address (optional, provided either automatically by Apple/Google on first sign-in or by you via the OTP binding flow). • Recipient email addresses you supply when initiating an invite or compatibility pairing (e.g. inviting a partner to Yuel). • Partner / third-party birth information you submit on behalf of someone else (e.g. compatibility readings in Yuel). • Your local friends / 亲友 list in Yuun (the people you track alongside the daily almanac). • Subscription receipts and entitlement state (via RevenueCat) when you purchase a paid product.
2.2 Automatically collected information • Device identifiers (IDFV only — not IDFA; no advertising tracking). • Device locale and time zone. • App usage logs: anonymous feature usage statistics, daily activity / streak markers, reading view marks. We do not log the textual content of your readings here. • Push notification tokens (when you grant push permission): used to send timeline / almanac / fortune alerts. Push tokens are revoked when you turn off push permission. • Crash reports (via Cloudflare, used for bug fixes). • IP address (for regional detection, abuse prevention, and rate limiting; not stored long-term). • Daily / monthly quota counters keyed off user account (and IP for anonymous use).
2.3 Cross-app identifiers • Apple ID / Google account identifier (shared across the HexAstral universe of apps when you sign in with the same provider account). • Internal user ID (links your account across the HexAstral universe of apps — currently Yuel and Yuun, and other apps as released). • These identifiers enable account recovery and cross-app data continuity (see Sections 13–14).
2.4 What we do NOT collect • We do not request access to your photo library or contacts unless you actively use a feature that needs them, and even then we only process what is needed for that feature. • We do not collect precise GPS location (city-level only for timezone correction). • We do not perform cross-app advertising tracking. We have no advertising business. • We do not sell or rent your personal data.
3. How We Use Your Information
Your birth information and related data are used for:
• Core features: destiny chart readings, fate cycle analysis, compatibility readings, daily almanac • AI reading generation: your birth data is sent to AI model APIs (Cloudflare Workers AI and partner LLM providers) to generate personalized readings • Service improvement: aggregated, anonymized analytics to improve calculation accuracy • Security: necessary verification to prevent abuse
We do not sell, rent, or share your personal birth information with third parties for commercial purposes.
4. AI Models & Third-Party Services
To provide AI-powered readings, your birth information (not identity information) is transmitted to the following third-party AI providers:
• Cloudflare Workers AI (United States) — inference tasks • Anthropic / Google Gemini (depending on feature) — advanced reading generation
These providers process data under their own privacy policies. We have signed Data Processing Agreements (DPAs) prohibiting use of your data for model training or other unauthorized purposes.
Analytics: PostHog (EU data residency configurable), collecting only anonymous behavioral data.
5. Data Storage & Security
• Storage: Cloudflare global edge network (data stored in nearest region, default APAC) • Transmission: all data transmitted via TLS 1.3 encryption • At rest: database-level encryption (AES-256) • Access controls: strict employee permission tiers, principle of least privilege • Retention: account data permanently deleted within 30 days of account deletion; anonymized analytics retained up to 24 months
6. Your Rights
Under applicable law, you have the right to:
• Access: view the personal data we hold about you • Correction: fix inaccurate personal information • Deletion ("right to be forgotten"): request deletion of all account data • Data portability: export your chart data in machine-readable format • Withdraw consent: revoke consent to data processing at any time
To exercise these rights, email: privacy@hexastral.com We will respond within 15 business days.
7. Photo & Image Inputs
Yuel and Yuun do not require you to upload photographs of yourself to generate readings. If a HexAstral universe app later introduces a feature that processes an image you supply (for example, an uploaded photo), we will:
• Transmit the image temporarily to an AI vision model only during analysis • Delete the image from our servers immediately after analysis; we do not retain it • Save only the text description of the result to your history (deletable at any time) • Never use your image for model training
We will obtain any additional consent required by law before enabling such a feature.
8. Email & invite communications
How we obtain your email • Sign in with Apple: Apple may share your email address (real or relay) ONLY on the very first authorization. If we do not capture it then, Apple will not send it again on subsequent sign-ins. We store this email on first capture and never overwrite it on later auths. • Sign in with Google: Google passes your email on every successful sign-in. We store it on first capture and keep it stable until you unbind or change it. • Manual OTP binding: in apps that support invite-based features (e.g. Yuel), you may explicitly bind any email via a 6-digit one-time code we mail to you. Sent only on your action.
How we use email • Account recovery: re-link your account on a new device. • Sign-in verification: the OTP itself (6-digit code, single use, 10-minute expiry). • Invite-by-email feature: when YOU send a friend an invitation (e.g. a Yuel compatibility resonance request), we deliver ONE email to the address you supply. Your friend's address is used only to deliver that invitation and is not retained for any other purpose. If they do not respond, the invitation expires (typically 7 days) and we stop using their address. • Transactional notices: significant account events (e.g. password-recovery flow, account-deletion confirmation).
Frequency commitment We do not send marketing emails. Each email we deliver is triggered by either (a) your direct action (sign-in, invite send, OTP request), or (b) a security/account-management event. We do not maintain mailing lists, and we will not add you to one without explicit, separate opt-in.
Unbinding your email At any time you may remove your bound email without deleting your account (Me → Unbind email in the app, or email privacy@hexastral.com). The server sets `users.email = NULL`; you may rebind a different email later via OTP. This is your right under GDPR Art. 7 (withdraw consent for email processing).
Third-party email delivery Transactional email is sent via Amazon SES (US data residency). SES processes the address solely to deliver the message; we have signed a DPA with AWS prohibiting any other use.
9. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from minors. If you believe a minor has used the Service, contact us and we will immediately delete any related data.
10. Policy Changes
For material changes to this Policy, we will notify you via in-app modal or push notification, and update the "Last updated" date on this page. Continued use of the Service constitutes acceptance of the updated Policy.
11. Contact Us
For privacy-related questions, contact:
Email: privacy@hexastral.com
We are committed to responding to all privacy inquiries within 15 business days.
12. Product family
UseONE, LLC publishes the HexAstral universe of apps under a unified data architecture. The apps currently shipping are:
• Yuel — relationship synastry and compatibility analysis (合盘) • Yuun — daily Chinese almanac (黄历)
Additional apps may be released into the HexAstral universe over time. All universe apps share the same backend infrastructure, user account system, and privacy fundamentals described in this Policy. Each app may surface different inputs (for example, partner birth info in Yuel, or a local friends list in Yuun). Review the in-app disclosures that match the app you installed for concrete collection examples.
13. Cross-app identity linking
All apps in the HexAstral universe share a single user account system. When you sign in with Apple in any of our apps, your Apple ID is used to identify you across all apps from the same developer.
How it works: • On first launch, each app creates an anonymous local account. • When you sign in with Apple in any app, your Apple ID is linked to that account. • If you later install another universe app and sign in with the same Apple ID, we recognize you as the same user and restore your data (readings, bonds, friends) from the original account.
This means: • Your birth information entered in one universe app may be available in another if you sign in with the same Apple ID — for example, birth info you enter in Yuel may be reused in Yuun. • Your friends list (亲友) in Yuun and your bonds in Yuel can carry over between the two apps in both directions, so the people you track stay consistent across the universe. • You can opt out of cross-app data access by using different Apple IDs or remaining anonymous (not signing in with Apple) in separate apps.
14. Cross-app data sharing & portfolio memory
Reading results generated in HexAstral universe apps may be stored in a shared reading history ("portfolio"). When you are signed in, this portfolio is accessible across the universe apps you have to provide a richer, more personalized experience.
Specifically: • Reading results are stored with your user ID and can be recalled across your universe apps to provide contextual advice. • Yuel compatibility readings and Yuun almanac activity may contribute to this shared portfolio, and either app's AI features may reference the other's history (for example, your Yuel bonds informing an Yuun daily note, or vice versa). • AI features may reference past readings from any universe app you use to generate more personalized responses.
You can control this: • Portfolio memory is off by default. You must explicitly opt in via app settings to enable cross-app reading recall. • You can delete individual reading history entries at any time. • Deleting your account removes all portfolio data across all apps within 30 days.
15. Profile visibility
Your profile is private. Yuel and Yuun do not publish a public web profile of your account, and the data you enter (birth information, friends/亲友, bonds, readings) is not exposed to anyone outside the apps without your action.
What we never expose publicly. We never publish your raw birth date / time / city, email address, Apple/Google ID, internal user ID, push tokens, billing receipts, the precise content of private messages, or any data from your contacts.
Sharing you initiate. Some features let YOU share something deliberately — for example, inviting a partner to Yuel by email so you can synthesize a pair reading, or sharing a reading you generated. These shares happen only on your action and only reach the recipients you choose.
If a HexAstral universe app later offers an opt-in public profile, it will be OFF by default, field-granular, and revocable at any time, and we will describe its mechanics here before enabling it.
16. International data transfers
We process data on Cloudflare's global edge network. Depending on your region, your data may be stored or processed in one or more of the following locations: the United States, the European Union (Ireland/Germany), the United Kingdom, Singapore, Japan, or Australia.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the relevant authority, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK Addendum, as applicable. We have signed SCCs with our sub-processors, including:
• Cloudflare, Inc. (United States) — edge compute, storage, and AI inference; • Anthropic and partner LLM providers (United States) — model inference for premium readings; • Google LLC (United States) — Gemini models for reading generation; • Amazon Web Services (United States) — Amazon SES for transactional email delivery; • RevenueCat (United States) — subscription receipt validation and entitlement grants.
Technical and organizational safeguards include TLS 1.3 in transit, AES-256 encryption at rest, strict role-based access controls, and least-privilege defaults. We periodically review our sub-processors and their privacy posture.
A copy of the SCCs we use is available on request to privacy@hexastral.com.
17. Data breach notification
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:
• Notify the appropriate supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (GDPR Art. 33); • Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34), via in-app notification and to your bound email address; • Provide a description of the nature of the breach, the categories and approximate number of affected users, the likely consequences, and the measures we have taken or propose to take to address it.
We maintain incident-response procedures and conduct annual tabletop exercises. We have a documented chain of escalation from the engineer on call → privacy lead → CEO, and we log every confirmed incident in an internal register that is preserved for at least three years.
You may contact us at security@hexastral.com to report a suspected vulnerability or compromise. We acknowledge bona-fide security reports within 48 hours.