Privacy Policy

Effective Date: May 7, 2026
Last Updated: May 30, 2026

Welcome to 轻风像素画 (hereinafter referred to as "this application"). We understand the importance of your personal information and will protect your personal data and privacy in accordance with laws and regulations. Please read and fully understand this Privacy Policy before using this application.

This Privacy Policy applies to 轻风像素画 clients (including iOS, Android, Web, Windows, macOS, Linux platform versions) and related services.

1. How We Collect and Use Your Personal Information

1.1 Registration and Account

When you register an account, we need to collect the following information:

Information Type	Required	Purpose
Username	Yes	Unique account identifier, used for login
Password	Yes	Account security verification, stored using PBKDF2 encryption
Nickname	Yes	Display name in the community
Email	Optional	Account security verification, password reset, account deletion confirmation

1.2 Profile Information

While using this application, you may voluntarily complete the following profile information:

Avatar: Used for personal profile page and community display
Background Image: Used for personal profile page decoration
Gender: Used for personal profile page display (options: Unknown / Male / Female)
Bio: Used for personal profile page display
Title: Virtual titles earned through levels, achievements, events, memberships, etc.

All the above information is provided voluntarily, and you can modify or delete it at any time.

1.3 Device Information

To ensure stable service operation and optimize user experience, we collect the following device information:

Device Identifier: A UUID v4 generated on first app launch, stored locally, used for session tracking and device binding
Operating System Version: e.g., Android 14, iOS 17, etc.
Device Model: e.g., Samsung Galaxy S24, iPhone 15 Pro, etc.
App Version: The currently installed app version
Platform Type: Android / iOS / Web / Windows / macOS / Linux

The above information is reported only when the app starts or returns to the foreground, and is used for:

Counting application usage (session start/end, session duration)
Maintaining session heartbeat (every 30 seconds)
Binding the device to the user account after login

1.4 Usage Records

We record the following usage behavior data:

Session Records: App launch time, usage duration, session ID
Login Records: Last login time
Interaction Data: Follower/following count, creations count, likes count, favorites count
Block Records: Records of users you have blocked (blocked user ID, block time)
Report Records: Records of content reports you have submitted
Notification Records: Read/unread status of system notifications and interaction notifications

1.5 User-Generated Content

When you create and share content within this application, we process the following:

Pixel Art Creations: Canvas data, project files, exported images
Collections: Information about your creation collections
Topics: Topic creation and participation information

The above content is uploaded to the server when you actively publish it. Unpublished works are stored only on your local device.

1.6 Images and Files

We access your images and files in the following scenarios:

Selecting images from the gallery: Used as reference images for creation, avatar upload, background image upload
Taking photos: Used as reference images for creation (requires camera permission)
Saving images to the gallery: Export/save pixel art creations
Selecting files: Desktop versions (Windows/macOS/Linux) for selecting local image files

2. How We Use Permissions

2.1 Android Permissions

Permission	Corresponding API Level	Purpose	Can Be Denied
`READ_MEDIA_IMAGES`	Android 13+	Read gallery images as reference images or upload avatar/background image	Yes; if denied, cannot select images
`READ_EXTERNAL_STORAGE`	Android 12 and below	Read images from external storage	Yes; if denied, cannot select images
Camera permission (runtime)	All	Take photos as reference images	Yes; if denied, cannot take photos

2.2 iOS Permissions

Permission	Purpose	Can Be Denied
`NSPhotoLibraryUsageDescription`	Access the photo library to select reference images; reference images help you as a visual guide while drawing pixel art	Yes; if denied, cannot select images
`NSPhotoLibraryAddUsageDescription`	Save images to the photo library	Yes; if denied, cannot save to photo library
Camera permission (runtime)	Take photos as reference images	Yes; if denied, cannot take photos

2.3 Permission Notes

All permissions require your active consent; we will not access related functions without authorization.
You can revoke granted permissions at any time in the system settings.
Denying a permission does not affect the normal use of other app features; it only affects the specific features that rely on that permission.
Before requesting sensitive permissions (such as camera), we will display a permission purpose description dialog.

3. How We Store and Protect Your Personal Information

3.1 Information Storage Methods

Local Storage

SharedPreferences: Used to store identity authentication tokens (Access Token, Refresh Token) and device identifier
SQLite Database: Used to store local pixel art documents, animation frames, materials, and other creation data

Data stored locally does not leave your device (unless you actively upload and sync).

Server Storage

Cloudflare D1 Database: Stores user account information, profile data, social relationships, work metadata, etc.
Cloudflare R2 Object Storage: Stores user-uploaded image files (avatars, background images, work images, etc.)
Cloudflare KV: Stores Refresh Tokens for server-side token revocation verification

Servers are located on Cloudflare's global edge network, and all data transmission is encrypted via TLS.

3.2 Security Measures

We take the following measures to protect the security of your personal information:

Password Protection: Stored using PBKDF2 algorithm (100,000 iterations) with salted hash; the server does not store plaintext passwords.
Token Security:
- Access Token is valid for 7 days, signed with HS256
- Refresh Token is valid for 30 days, using a token rotation mechanism (old tokens automatically expire after use)
- Upon logout, the server deletes the Refresh Token record from KV, implementing server-side token revocation
- When tokens expire, automatic silent refresh is attempted; requests are queued during the refresh process
Transmission Encryption: All network communications are encrypted using HTTPS (TLS)
Minimal Permissions: API requests carry authentication tokens only when necessary; public interfaces do not require authentication
Account Deletion: Account deletion is supported; upon confirmation, the account and associated data will be permanently deleted immediately

3.3 Data Retention Period

Account Information: Retained as long as you use this application; deleted or anonymized after account deletion
Authentication Tokens: Access Token expires in 7 days; Refresh Token expires in 30 days or is deleted upon logout
Device Identifier: Stored locally; automatically deleted when the app is uninstalled
Session Data: Used for statistical analysis; retained for no more than 180 days
Created Content: Retained until you delete it or your account is deleted
Block Records: Retained for as long as you use this application; after unblocking, records may still be retained for audit or statistical purposes

We do not sell your personal information to any third party. We may share your information in the following circumstances:

Service Providers: We use Cloudflare for server hosting, databases, object storage, and CDN services. Cloudflare processes your data only as necessary to provide these services.
Legal Requirements: We may be required to share your information in compliance with laws, regulations, legal proceedings, or mandatory requests from government authorities.

4.2 Public Disclosure

The following information may be visible to other users:

Public Profile: Nickname, avatar, gender, bio, current title, level, followers/following/creations/likes/favorites count
Public Works: Works you publish as public
Public Collections: Collections you create
Social Relationships: Following list, followers list

You can control whether a work is visible to other users by setting its visibility (Public/Private).

We will not share the following information with third parties:

Your password (stored encrypted; no one can view the plaintext)
Your authentication tokens
Your email address (not displayed to other users)
Your device identifier
Your unpublished works
Your block list (visible only to yourself)
Your report records

5. Your Rights

5.1 Access and Correction

You have the right to access and correct your personal information through the following methods:

Profile: View and modify nickname, avatar, background image, gender, and bio on the "Edit Profile" page
Email: Change the bound email address in account settings (requires verification code confirmation)
Work Management: View, edit, and delete your published works

5.2 Deletion

Work Deletion: You can delete published works and collections
Account Deletion: You can apply to delete your account in account settings
- Upon confirmation, the account and associated data will be permanently deleted immediately; this operation is irreversible

5.3 Permission Withdrawal

You can revoke granted permissions at any time in the device system settings:

Android: Settings → Apps → 轻风像素画 → Permissions
iOS: Settings → Privacy & Security → Corresponding permission

5.4 Data Export

You can export pixel art work files (.pxa format or image format) stored locally, but bulk export of server-side data is not supported at this time.

6. Protection of Minors

We attach great importance to the protection of minors' personal information. If you are under 14 years of age, please use this application under the supervision and guidance of a guardian, and obtain the guardian's consent before registering and providing personal information.

If we discover that we have collected personal information from a minor without the guardian's consent, we will delete the relevant information as soon as possible.

7. Updates to This Privacy Policy

We may revise this Privacy Policy from time to time. The updated Privacy Policy will be announced within the application or notified to you through other appropriate means. For material changes, we will provide more prominent notice.

If you continue to use this application after the Privacy Policy is updated, you are deemed to have agreed to be bound by the revised Privacy Policy.

8. Contact Us

If you have any questions, comments, or suggestions regarding this Privacy Policy, you can contact us through the following methods:

In-App Feedback: Submit feedback via the feedback feature in the application
Email: contact@windpix.com

We will respond to your request within 15 working days.

Appendix: Third-Party SDK List

The third-party SDKs integrated into this application and the information they may collect are as follows:

SDK Name	Purpose	Information That May Be Collected	Privacy Policy
Flutter Framework	Application development framework	Device information, app information	https://flutter.dev/privacy
image_picker	Image selection	Gallery access (requires authorization)	https://pub.dev/packages/image_picker
file_picker	File selection (desktop)	File access (requires user action)	https://pub.dev/packages/file_picker
share_plus	System sharing	No personal information collected	https://pub.dev/packages/share_plus
permission_handler	Permission management	No personal information collected	https://pub.dev/packages/permission_handler
url_launcher	Opening external links	No personal information collected	https://pub.dev/packages/url_launcher
shared_preferences	Local key-value storage	No personal information collected	https://pub.dev/packages/shared_preferences
sqflite	Local database	No personal information collected	https://pub.dev/packages/sqflite
device_info_plus	Device information retrieval	Device model, system version	https://pub.dev/packages/device_info_plus
package_info_plus	App information retrieval	App version number	https://pub.dev/packages/package_info_plus
http	Network requests	No additional information collected	https://pub.dev/packages/http
Cloudflare Workers	Backend API service	Request logs (automatic)	https://www.cloudflare.com/privacypolicy/
Cloudflare R2	File object storage	No additional information collected	https://www.cloudflare.com/privacypolicy/

Privacy Policy ​

1. How We Collect and Use Your Personal Information ​

1.1 Registration and Account ​

1.2 Profile Information ​

1.3 Device Information ​

1.4 Usage Records ​

1.5 User-Generated Content ​

1.6 Images and Files ​

2. How We Use Permissions ​

2.1 Android Permissions ​

2.2 iOS Permissions ​

2.3 Permission Notes ​

3. How We Store and Protect Your Personal Information ​

3.1 Information Storage Methods ​

Local Storage ​

Server Storage ​

3.2 Security Measures ​

3.3 Data Retention Period ​

4. How We Share, Transfer, and Publicly Disclose Your Personal Information ​

4.1 Sharing ​

4.2 Public Disclosure ​

4.3 What We Do Not Share ​

5. Your Rights ​

5.1 Access and Correction ​

5.2 Deletion ​

5.3 Permission Withdrawal ​

5.4 Data Export ​

6. Protection of Minors ​

7. Updates to This Privacy Policy ​

8. Contact Us ​

Appendix: Third-Party SDK List ​