— Privacy Policy
How we handle your data.
Last updated: May 26, 2026
Your body is private. Your data should be too. This document explains what information TiaoLi collects, how we use it, and the choices you have — written in plain language, not legalese.
01 Information we collect
You give us
- Account information — email address, display name, and (if you choose) a profile photo.
- Wellness profile — your responses to the constitution assessment, including health-related questions about energy, sleep, and digestion.
- Daily check-ins — how you're feeling on any given day, what you ate, which recipes you tried.
- Conversations with the AI — messages you send to TiaoLi's AI companion.
We collect automatically
- Device information — model, OS version, language, and timezone (so we know your local solar term).
- Usage data — which features you use, how often you open the app.
- Approximate location — country and region only, never precise GPS coordinates unless you explicitly enable it.
What we never collect
- Precise GPS location (unless you opt in for a specific feature)
- Your contacts, photos, or microphone
- Information about apps you use outside of TiaoLi
- Sensitive identifiers (Social Security, passport, etc.)
02 How we use it
We use your information to do three things:
- Personalize your recommendations. Your constitution, recent check-ins, and the current solar term all inform what we suggest for meals, teas, and movement.
- Improve TiaoLi. Aggregate, anonymized usage data helps us understand which features work and which don't. We never use your individual data to train AI models for other companies.
- Communicate with you. Important account updates, occasional product news (you can unsubscribe anytime), and your direct conversations with our team.
— A note on AI training
We do not use your personal conversations or wellness data to train large language models for other companies. Your data exists to serve you, not to fuel external AI systems.
03 AI and your data
TiaoLi uses AI (large language models like those from OpenAI and Anthropic) to generate personalized recipes, tea suggestions, and conversation responses.
When you interact with the AI:
- Your message and relevant context (constitution type, season, recent check-ins) are sent to the AI provider for processing.
- We don't include your name, email, or identifying information in these requests.
- AI providers process your message to generate a response and then delete it according to their policies (typically within 30 days).
- We do not allow AI providers to use your data to train their models.
04 Sharing & third parties
We never sell your data. We share information only with these service providers, and only what they need:
- Cloud infrastructure (Cloudflare, AWS) — to host your data securely
- Payment processing (Apple, Google, Stripe) — to handle subscriptions; we never see your card details
- Analytics (privacy-respecting tools only) — for anonymized usage patterns
- AI providers (OpenAI, Anthropic) — to generate AI responses, as described above
- Email delivery (Postmark, SendGrid) — to send you account and product emails
We will only share your data with law enforcement when legally required to do so, and we will challenge requests we believe are overreaching.
05 Data retention
- Active accounts — we keep your data as long as your account is active.
- Deleted accounts — when you delete your account, we remove your personal data within 30 days. Some anonymized records may be retained for legal or analytical purposes.
- Inactive accounts — accounts inactive for 24+ months may be archived; we'll email you before doing this.
- Backups — our backup systems may retain data for up to 90 days after deletion before being fully purged.
06 Security
We protect your data using industry-standard measures:
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- We use strong access controls and audit logs for our internal systems
- Regular security reviews and dependency updates
- Limited employee access on a need-to-know basis
No system is perfect, however. If we ever detect a security incident affecting your data, we will notify you within 72 hours.
07 Your rights
You have control over your data:
- Access — request a copy of all data we have about you
- Correct — fix any incorrect information
- Delete — request full deletion of your account and associated data
- Export — download your data in a portable format (JSON)
- Restrict — limit how we use your data
- Object — opt out of any processing you disagree with
To exercise any of these rights, email us at privacy@tiaoli.app — we'll respond within 30 days.
08 International users
TiaoLi is operated from our home offices, with data stored on Cloudflare's global edge network. If you're in the EU or UK, GDPR applies; if you're in California, CCPA applies; if you're in other jurisdictions, applicable local laws apply.
Specifically:
- EU/UK users (GDPR) — our lawful basis for processing is consent and legitimate interest. You can withdraw consent anytime.
- California users (CCPA) — you have the right to know what's collected, the right to delete, and the right to opt out of any sale (we don't sell data).
- Chinese users — if/when TiaoLi is available in China, we will comply with PIPL and store relevant data within China per applicable regulations.
09 Children's privacy
TiaoLi is not designed for children under 13 (or under 16 in some jurisdictions). We do not knowingly collect data from anyone in that age range. If you believe a child has provided us their information, please contact us and we will delete it immediately.
10 Changes to this policy
We may update this policy as our practices evolve. When we make material changes, we will notify you by email at least 30 days before the changes take effect. The "Last updated" date at the top will always reflect the most recent version.
Questions, concerns, or requests? Reach us at:
We read every email and aim to respond within 3 business days.
— Our promise
Privacy isn't a checkbox for us — it's a value. As TiaoLi grows, we will continue to default to collecting less, not more. If you ever feel uncomfortable with how your data is being used, please tell us. We will listen.