Anto Privacy Policy

1. Who We Are

This Privacy Policy is published and enforced by:

• Service Provider: Linsen Wang (Australian sole trader)
• Trade Name: Ant and Giant
• App Name: Anto (iOS App)
• ABN: 97 551 780 857
• Registered in: Australia · New South Wales (NSW)
• Domain: antandgiant.com

Contact:

• Privacy: privacy@antandgiant.com
• Support: support@antandgiant.com
• Legal: legal@antandgiant.com

2. Data We Collect

We only collect data necessary to operate the service, organized into the following categories:

3. Purpose & Legal Basis

Each data category corresponds to a specific purpose and a GDPR Article 6 legal basis:

We do NOT use any of the above for: (a) AI foundation model training; (b) cross-app advertising; (c) sale to third parties.

4. Third-Party Services (Sub-processors)

To deliver the service we use the following sub-processors. All transfers are encrypted, governed by their respective privacy policies, and bound by enterprise-grade Data Processing Agreements (DPAs) which contractually prohibit using our transmitted data for AI model training or resale:

On AI model training: Our calls to Anthropic Claude and Google Gemini APIs follow each provider's default data handling policies:

• Anthropic Claude API: Standard API calls are not used for model training by default (see Anthropic Trust Center)
• Google Gemini API: We use Google Cloud paid-tier API keys; paid-tier data is not used to improve Google services (including model training; see Google Gemini API Terms)
• If any provider's policy changes to involve training, we will notify users via in-app notifications and email at least 30 days before the change takes effect

4.1 AI Data Flows in the Anto iOS App

When you use the following features in the Anto iOS app, the corresponding data is relayed by our backend to third-party AI providers (your device never calls the third-party APIs directly):

All calls use HTTPS / TLS 1.2+ encryption. Our backend runs on Vercel's Sydney (syd1) data center. Each AI provider processes data per their respective DPA (see §4 main table above).

On first launch of the Anto iOS app, we present a mandatory onboarding screen disclosing the above data flows and asking for your consent. AI features are only enabled after you accept. You can review your current consent status and revoke it at any time in Profile → Privacy → AI Data; once revoked, all translation / voice / explanation / pronunciation features are immediately disabled, while your locally saved vocabulary remains intact.

5. Data Retention

• Account data: retained while account exists; upon your deletion request, soft-deleted immediately (inaccessible) and permanently erased after 30 days by an automated job (GDPR / CCPA / Apple App Store 5.1.1(v) compliant)
• OTP codes: 10-minute validity; cleaned up within 24 hours after verification
• Audio files: deleted immediately after recognition (≤5 seconds); never persisted
• Crash logs: Sentry default 90 days
• Email logs: Resend default 30 days
• Database backups: may persist up to 90 days post hard-delete (for disaster recovery)

6. International Data Transfers

Our service is operated from Australia, while certain sub-processors are located in the USA / EU / Japan / Global, so your data will be transferred internationally. We protect cross-border transfers as follows:

• All transfers are HTTPS / TLS 1.2+ encrypted
• Standard Contractual Clauses (SCCs) under GDPR are in place with all USA / EU processors
• Core database (Neon), AI inference (Anthropic / Google) data are stored in vendor enterprise-grade compliant regions
• We do NOT transfer personal data to third countries lacking GDPR or equivalent protections

7. Data Security

• All transfers HTTPS encrypted (TLS 1.2+)
• Database encryption at rest (Neon AES-256)
• Passwords stored with bcrypt hashing (irreversible even if database compromised)
• OTP codes bcrypt-hashed; 5-attempt lockout + 15-minute cooldown
• Access restricted to core service personnel; all access audit-logged
• Firebase Authentication supports multi-factor authentication (you can enable in account settings)

8. Your Rights

Under GDPR, CCPA / CPRA, the Australian Privacy Act 1988, and China's Personal Information Protection Law (PIPL), you have the following rights:

8.1 Universal Rights

• Right to access: request a copy of your data
• Right to rectification: correct inaccurate data
• Right to erasure / right to be forgotten: permanent account & data deletion
• Right to restrict processing: pause processing of certain data
• Right to data portability: export your data in machine-readable format (JSON)
• Right to object: object to processing based on legitimate interest
• Right to withdraw consent: revoke previously granted consent at any time. In particular, AI data sharing consent inside the Anto iOS app can be withdrawn anytime in Profile → Privacy → AI Data; once withdrawn, all translation / voice / explanation / pronunciation features stop immediately, while your locally saved vocabulary and settings remain intact
• Right to lodge a complaint: with a supervisory authority (Australian OAIC / EU member state DPAs)

8.2 How to Exercise

• In-app self-service: iOS App → Profile → Permanent account deletion (immediate soft-delete · 30-day hard-delete)
• Email request: send to privacy@antandgiant.com · we respond within 30 days
• Free of charge: all data requests are free; we do not penalize you for exercising your rights

9. Children

This service is intended for users aged 13 and above. We do not knowingly target, collect, or market to children under 13.

If you are between 13 and 16 in a jurisdiction requiring parental / guardian consent (such as GDPR for users under 16), please use this service with the supervision of a parent or guardian.

If we learn we have inadvertently collected personal data of a child under 13, we will delete it immediately. If you believe a minor's data has been collected in error, contact privacy@antandgiant.com.

10. Cookies & Tracking

Website (antandgiant.com)

• Essential cookies: session persistence, CSRF protection (cannot be disabled)
• Performance / error monitoring: Sentry session (anonymized)
• We do NOT use: third-party advertising cookies, cross-site tracking, social media tracking pixels

iOS App (Anto)

• No App Tracking Transparency (ATT) prompt: we do not perform cross-app tracking
• No IDFA or similar advertising identifiers collected
• Local storage used only for session / learning preferences (UserDefaults · declared in PrivacyInfo.xcprivacy)

11. Data Breach Notification

In the unlikely event of a security incident affecting your personal data:

• We will notify the relevant supervisory authority within 72 hours of discovery (GDPR Art. 33 standard)
• If the breach poses high risk to you, we will notify you directly (in-app + email)
• Notification will include: nature of breach, potential consequences, remediation taken, steps you can take to protect yourself

12. Policy Updates

We may update this Privacy Policy from time to time. Any changes:

• Minor changes (wording, formatting): only the "Last updated" date at the top is changed
• Material changes (e.g., new processing categories, new sub-processors): we will notify you via in-app notification + registered email, at least 30 days before effective date
• Continued use constitutes acceptance; if you disagree, please cease use and exercise your deletion rights under §8

Contact Us

For any questions, requests, or complaints regarding this Privacy Policy:

• Privacy / data requests: privacy@antandgiant.com
• User support: support@antandgiant.com
• Legal: legal@antandgiant.com

The Chinese version is the governing version. Please refer to 中文版 in case of conflict.