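Last updated: June 9, 2026
This document constitutes a legally binding agreement for the SPCY App ecosystem (hereinafter the "Service", "we") and consists of three parts: (i) Terms of Service, (ii) Privacy Policy, and (iii) Sensitive Data Protection Mechanisms. It applies to all services in the ecosystem, including but not limited to AI Studio, Drink Record (milk tea record, MT), SmartSpend AI (smart bookkeeping, Expense), Score Editor (music score editor), Mindmap PPT / AI Slides (mind-map presentations), Credits & Billing (credits and payments), and the shared sign-in service (Auth). By accessing or using any of the services, you confirm that you have read, understood and accepted all terms of this document. If you do not agree, stop using the Service immediately and close your account.
Eligibility:
- You must be capable of entering into a legally binding agreement in order to use the Service.
- The Service is not designed for children under 13, and we do not knowingly collect their personal data. If you are under 18, please use the Service with the consent and in the company of a parent or legal guardian.
- Financial features such as payments, credit purchases and subscription plans are limited to users aged 18 or over (or the legal age of majority in your region).
- You warrant that all registration data you provide (including data transmitted through Google Sign-In) is true, accurate and your own.
Governing law: This document is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region. If you use the Service in the European Economic Area, the United Kingdom, Switzerland, mainland China or another region, local law may grant you further rights; see Section 17 "International & Cross-Border" for details.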
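1. Acceptance of Terms
By accessing or using any service within this system, you indicate that you have read, understood and agree to be bound by all terms of this document. The ecosystem uses a unified authentication mechanism, and your account information is shared across applications to provide a seamless experience. We may update this document from time to time (see Section 14); your continued use means you accept the updated version. Unless stated otherwise, new features are also subject to this document.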
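2. Service Content and Description
AI Studio
Experimental AI chat platform supporting text, multimodal analysis, Deep Research, image generation (Imagen), video generation (Veo), speech synthesis (Lyria) and function calling. Connectors for Google Workspace (Gmail, Drive, Calendar) and Microsoft 365 (Outlook) can optionally be linked.
Drink Record (MT)
Drink tracking tool. Upload drink photos from the device camera or photo album; AI identifies nutritional information such as drink type, sugar, calories and volume, and builds a history. Categories and units can be customised.
SmartSpend AI (Expense)
Smart expense tracking tool. Upload receipt or invoice photos; AI automatically recognises the merchant, items, amount, currency, date and category. Supports budget management, multi-currency conversion and statistical analysis.
Score Editor (music score editor)
In-browser tool for creating, editing and playing music scores (ABC notation). You can write a score from scratch, have AI compose from a text description, or upload a photo or recording for AI to recognise as a score automatically.
Mindmap PPT / AI Slides
AI-driven animated mind-map presentation tool that turns documents or ideas into structured, playable interactive mind-maps and can generate formal slides in one click. Generation directly from AI Studio is supported.
Credits & Billing (credits and payments)
Credits and subscription system. AI features consume credits according to the model and the amount of processing; you can buy credits or subscription plans through our payment partner Stripe. See Section 5 for details.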
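3. Accounts and Rules of Use
You are responsible for all activity under your account and must keep your login details safe. Each account is for one person only and may not be shared, resold or otherwise provided to third parties. When using the Service, you agree not to:
- upload, generate or distribute any unlawful, infringing, defamatory, hateful, harassing, pornographic, harmful, discriminatory or violence-promoting content;
- create sexualised content involving children, non-consensual deepfakes or intimate imagery of real people, or any other type of CSAM content;
- infringe the intellectual property, privacy, portrait, personality or other legal rights of others;
- use the Service to generate, publish or promote misleading information, scams, phishing, spam or unauthorised commercial communications;
- attempt to intrude into, interfere with or scrape the Service, automate bulk requests, carry out denial-of-service or injection attacks, or bypass credits, quotas, rate limits or security mechanisms in any way;
- reverse engineer, decompile, disassemble, copy or resell the Service or any part of it (except as expressly permitted by applicable law);
- attempt to access, infer or steal other users' data;
- use the Service to spread malware (including viruses, worms, trojans, ransomware and the like), or do anything that endangers the system, other users or third parties;
- upload content containing malicious code, hyperlink tracking traps, false meta tags or anything else intended to deceive the AI or the Service;
- violate any applicable law, including but not limited to the export-control, sanctions, anti-money-laundering and counter-terrorist-financing laws and regulations of the United States, the United Kingdom, the European Union, the United Nations, mainland China or Hong Kong.
If you breach these rules, we may suspend or terminate your account immediately (see Section 12) and may report unlawful conduct to law enforcement.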
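4. Intellectual Property and Licensing
- Your content: To the extent permitted by law, you retain ownership of the content you create or upload. You are responsible for ensuring that you have the legal right to upload any material (including photos, audio, documents and scores) and bear the legal liability arising from any infringement.
- Limited licence to us: To operate the Service (including storage, processing, model inference, synchronisation and displaying content back to you), you grant us a limited, non-exclusive, non-transferable, revocable licence to use your content. This licence is limited to what is necessary to provide the Service and does not include using your content to train any AI model, reselling it or using it for other commercial purposes.
- AI-generated content: Rights in AI-generated content are determined by applicable law (including the copyright law of the place where the content is generated) and the terms of the relevant AI provider. You must judge for yourself the legality and appropriateness of AI output. You agree not to use the Service to create deepfakes or harmful, infringing, obscene or discriminatory content.
- Our property: The ecosystem's interface design, trademarks, brand names, source code, AI model selection logic, pricing algorithms and accumulated knowledge are protected by copyright, trademark and trade-secret law and may not be copied, modified, distributed or used without our prior written permission.
- Feedback: If you give us comments or suggestions about the Service, you agree that we may use that feedback free of charge, permanently and irrevocably to improve the Service (but we will not publicly identify you as the source).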
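5. Credits, Payments and Billing (Credits & Billing)
- What credits are: Credits are a prepaid balance used to access the AI features. Credits are only a usage allowance within the system; they are not currency, a deposit, property, a financial instrument or a security, have no cash value, and are not protected by any deposit insurance scheme.
- Free credits: New users receive a batch of free credits on first sign-in (currently 1,000 credits). Promotional or gifted credits may carry conditions or an expiry date. We reserve the right to adjust, withdraw or change the terms of free or promotional credits at any time.
- Purchases and payment: Purchases of credits or subscription plans are processed by our third-party payment partner Stripe, Inc. (hereinafter "Stripe"). We do not see, store, process or transmit your full credit card number, CVV or expiry date. All payment-card data is handled by Stripe in its PCI-DSS Level 1 certified environment and is subject to Stripe's terms of service and Stripe's privacy policy.
- Credit consumption and pricing: Each AI operation consumes credits according to factors such as the model used (Gemini, Imagen, Veo, Lyria, Grok, DeepSeek, Qwen, Anthropic Claude and others), the number of input and output tokens, image resolution, video duration and audio length. Prices and consumption rates may change from time to time; the balance shown on screen is an estimate, and the server record is authoritative for actual settlement.
- All purchases are final once completed: Except where applicable law requires otherwise, credits that have been added are generally non-refundable, and partially used credits cannot be refunded. If a technical error causes a double charge, we will refund it proactively.
- Subscriptions: Subscription plans renew automatically until you cancel. You can cancel at any time through the Stripe Customer Portal; the service continues until the end of the current period, and no pro-rata refund is given within that period.
- Non-transferable: Credits belong to you personally and cannot be transferred, cashed out, gifted or merged across accounts.
- Expiry and lapse: Credits may expire after a long period without use; subscription credits reset to zero at the end of the current period. If an account is closed or terminated for a violation, the remaining credits are voided without refund.
- Chargebacks and fraud: Raising a chargeback against a legitimate charge, or any fraudulent conduct, will result in immediate suspension of the account and loss of all credits; we also reserve the right to pursue legal liability.
- Taxes and pricing errors: Listed prices may not include applicable taxes, which are your responsibility; Stripe collects them and remits them on our behalf. Where there is an obvious pricing error, we may cancel or correct the affected order.
- Changes or discontinuation: We may change or discontinue the credit system on reasonable notice; if we do, we will make reasonable efforts to deal with the balance you have already purchased.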
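6a. Data Collection & Privacy
We attach the greatest importance to your personal privacy and commit to the following:
- Authentication (Google Sign-In): We sign users in with Google Identity Services (GIS). At sign-in, Google sends us your User Unique Identification Code (immutable, provided by Google), verified email, name and avatar URL. We store this data only to create and maintain your account.
- Cookies and local storage:
  - Necessary cookies: a non-HttpOnly login-identifier cookie (so the front-end UI can recognise the user's state), an HttpOnly device-fingerprint verification cookie (used for session verification and to prevent cookie forgery), and an admin-only admin-identifier cookie.
  - LocalStorage: user preferences (including language and theme settings), login token, user-profile cache, last-active time. This data is stored only in your browser; our servers do not receive it.
  - SessionStorage: post-login redirect target (expires automatically after 10 minutes).
  - We use no tracking or advertising cookies and have not integrated Google Analytics, Meta Pixel or similar third-party tracking tools.
- Cloud data storage and retention: Your conversation records, scores, bookkeeping data, uploaded files and photos are stored securely on infrastructure with strict access control:
  - Google Cloud Storage (GCS), protected by the infrastructure Google provides. Under the default setting, temporary attachments (such as conversation attachments) are deleted automatically 7 days after upload. Users can choose to store them in Google Drive instead (no automatic deletion).
  - Encrypted application databases, hosted by us. Each application's data is stored with logical isolation, and strict access control ensures that users can read only their own data.
- Payment data: Payments are handled entirely by Stripe. We keep only transaction records (amount, time, plan purchased, Stripe customer ID and payment intent ID) and do not store, and cannot read, your full credit or debit card details.
- AI processing: To generate responses, your prompts and uploaded content are sent to the relevant AI providers for processing. The AI providers handle this data under their own terms and privacy policies; see Section 6c. We do not use your private content to train our own models, and we do not sell it.
- Sliding sessions: As long as you keep using the Service, the session lifetime is extended automatically (sliding session) and you do not need to sign in again. The session expires automatically after at most 7 days of inactivity.
- Your choices and rights: You can at any time delete conversations, delete individual items of data, revoke a connector's authorisation (through the settings page or the Google Account permissions page), or request deletion of your whole account by email. See Section 17 for the detailed procedure.
- No resale: We never sell, rent, trade or otherwise transfer your personal data or conversation content to any third party. Data is used only to provide the Service and to meet legal obligations.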
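6b. Per-OAuth-Scope Sensitive Data Protection
This section lists, item by item, the categories of sensitive data the Service obtains from third-party providers, the protection mechanisms used and the handling principles, to help you understand how your data is protected.
Universal security measures (apply to all data categories):
- Encryption in transit: All requests are encrypted with TLS 1.2+.
- Encryption at rest:
  - Files uploaded to GCS: Google encrypts data at rest with AES-256 by default.
  - OAuth access tokens and refresh tokens: symmetrically encrypted with libsodium crypto_secretbox (XSalsa20-Poly1305) before being stored in the database; the key is managed through server environment variables and is never written to source code or logs.
  - Application databases: hosted on controlled cloud servers, with disk-level encryption at rest provided by the cloud vendor. The application layer additionally encrypts fields that need protection (for example third-party access tokens).
- Access control (RBAC + least privilege): All user-data queries use parameterised queries and strict user-identity filtering, which forces each user to access only their own data. The admin console works on a whitelist basis; an administrator's "view as another user" (view-as) actions are recorded in the audit log and are rate-limited.
- Logical data isolation: Each user's data is logically isolated at the application layer by a unique user identifier; cross-user data access is not allowed.
- Rate limiting: A fixed-time-window rate limiter, configured per app + action; for example, AI chat at 20 requests per minute and score recognition at 10 per minute. Sensitive actions such as payment checkout actively return an error when the system fails (fail-closed), so that retries cannot cause a double charge.
- Browser fingerprint verification: Each login session is bound to an encrypted fingerprint cookie based on browser characteristics (for example language, screen, time zone, platform), to prevent a stolen cookie from being misused.
- reCAPTCHA anti-abuse: Login and key APIs use Google reCAPTCHA Enterprise, which judges suspicious traffic by risk score. In production, if no reCAPTCHA key is configured, all requests are rejected automatically (fail-closed).
- Regular security review: Source code is reviewed regularly and assessed against known vulnerabilities.
- Security incident response: If a data breach affecting user data occurs, we will notify affected users and the relevant regulators (including the Office of the Privacy Commissioner for Personal Data, Hong Kong, PCPD) within 72 hours in accordance with applicable regulations.
- Data retention and deletion: User data (conversation records, files, scores, expense records) is kept until the account is deleted; conversation attachments are deleted automatically after 7 days by default. For immediate deletion, email spcyapp@gmail.com.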
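Per-OAuth-scope protection details
The table below lists each restricted scope we request from Google / Microsoft and the specific protection mechanisms applied to that scope's data.
| Data Access Type | Sensitive data accessible | Safeguards |
| --- | --- | --- |
| Google Sign-In profile | User Unique Identification Code, name, email, avatar URL, language preference | Used only to create the account and display the UI; email is used only for account identification and not for marketing; the avatar URL is shown only in the UI; no sharing with third parties. |
| Gmail access | Email metadata from the user's Gmail inbox (sender, subject, date, message ID) and content (when the user explicitly asks for it to be read) | Processed only by the single designated AI Service Provider; other AI providers do not receive this scope's data. Used only for the operation the user is requesting at that moment (e.g. "find emails about…"). Email content is never stored on our servers. Not used to train AI models; not shared with third parties. Users can revoke authorisation at any time under "Google Account permissions" or press "Disconnect" in the app. |
| Gmail draft creation | Create Gmail drafts as the user (never sent automatically) | After the AI writes a draft, the user must check it manually in Gmail and press "Send"; we do not send email on the user's behalf. The draft itself lives in the user's Gmail account and is not relayed through our servers. AI processing only generates the draft content; it is not stored, trained on or shared. |
| Google Drive read access | The user's Google Drive files (read-only, limited to files the user selects) | Processed only by the single designated AI Service Provider; other AI providers do not receive this scope's data. Used only for operations the user explicitly requests (e.g. "summarise this document"). Users can choose to save temporary copies to GCS (deleted automatically after 7 days by default, protected by Google AES-256) or to their own Drive (no automatic deletion, managed by the user). Not used to train AI models; not shared with third parties. Users can revoke the scope or delete individual files at any time. |
| Google Drive create/edit (files created by this app) | Create and edit Google Drive files created by this app (Docs, Sheets, Slides) | Limited to creating and editing files created by this app (a restriction built into the design of the drive.file scope). Users can view, share and delete these files in their own Drive. AI processing does not read the user's other Drive files. |
| Google Calendar access | The user's Google Calendar events (read and create) | Processed only by the single designated AI Service Provider; other AI providers do not receive this scope's data. Used only for operations the user requests (reading or creating events). Events are never stored on our servers. Events are created using RFC 3339 with the Asia/Hong_Kong (+08:00) time zone to ensure the time zone is correct. Not used for training or sharing. |
| Microsoft Sign-In profile | Basic profile of the user's Microsoft account | Same handling principles as Google's openid/profile; used only for account identification and UI display. |
| Outlook mail access | Emails in the user's Outlook inbox (read) | Same handling principles as gmail.readonly; processed only by the single designated AI Service Provider; not stored, trained on or shared. |
| Microsoft offline access (token refresh) | Authorises us to refresh access tokens while the user is offline | Refresh tokens are stored after libsodium encryption; the user can revoke at any time. |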
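Google API Services User Data Policy (Limited Use) commitment
We comply with the Google API Services User Data Policy, including its Limited Use requirements. Specifically, we commit to:
- reading, writing or modifying the user's Google Workspace data only within the scope the user explicitly requests;
- not using the user's Google Workspace data to train any general-purpose AI or machine-learning model;
- not selling, renting, trading or otherwise transferring the user's Google Workspace data to third parties;
- not using the user's Google Workspace data for advertising, cross-app behavioural tracking or building advertising profiles;
- sending data only to third parties needed to provide substantive service functionality (that is, our designated AI Service Provider);
- using a secure server-to-server OAuth 2.0 flow with a state nonce to prevent CSRF;
- providing a clear, prominent consent screen, a revocation path and a link to this privacy policy;
- if the user requests account deletion, permanently deleting the relevant Google data from our systems within 30 days (and no later than 60 days).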
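Google Generative AI Prohibited Use Policy commitment
We comply with the Google Generative AI Prohibited Use Policy and prohibit users from using the Service for the following purposes:
- generating sexualised content involving children or any CSAM;
- generating, promoting or assisting content about violence, terrorism, genocide, self-harm, illegal weapons and the like;
- generating content that harasses, expresses hatred toward, defames or bullies real persons or persons legally regarded as real;
- generating content used for fraud, phishing, impersonation or social engineering;
- generating content used as unauthorised medical, legal or financial professional advice;
- generating content at scale for political propaganda or disinformation;
- content that infringes the intellectual property, privacy or portrait rights of others;
- any illegal activity, or assisting others in illegal activity.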
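SynthID and labelling of generated content
Images or videos generated through Google services such as Imagen / Veo contain a Google SynthID watermark by default (an invisible digital watermark that does not degrade the visual result). Users must not attempt to remove, forge or conceal these watermarks. We also encourage users to label AI-generated content as AI-generated on their own initiative when sharing it publicly.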
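6c. Third-Party Services & Provider Terms
The Service sends necessary data to the following third-party service providers. By using the corresponding feature, you agree to be bound by their respective terms and privacy policies.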
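7. Specific Data Handling per Application
Drink Record (MT)
Collected: drink photos (uploaded by the user), and the AI-recognised drink name, type, sugar, calories, volume, date of consumption, and user-defined categories and units. Optional: upload to GCS or to the user's Google Drive. The AI model provider may change as the Service develops. Retention: until the user deletes the record or the account.
SmartSpend AI (Expense)
Collected: receipt or invoice photos (uploaded by the user), and the AI-recognised merchant name, items, amount, currency, date, category, and user-defined budgets and categories. Optional: GCS/Drive storage. The AI model provider may change as the Service develops. Retention: until the user deletes the record or the account.
Score Editor
Collected: scores the user creates or edits (ABC notation), photos or audio files the user uploads (for AI recognition), and AI recognition results. The AI model provider may change as the Service develops. Score files are stored by default in our encrypted application database; audio and photo attachments are stored by default in Google Drive (attachments are deleted automatically after 7 days).
AI Studio / Mindmap PPT / AI Slides
Collected: the user's prompts, conversation history, uploaded attachments, and data from connectors the user has linked (see 6b). The AI model provider can be chosen by the user in settings and may change as the Service develops; connector data is processed only by the single designated provider. Conversation retention: until the user deletes it or the account is deleted.
Auth (sign-in service)
Collected: User Unique Identification Code, name, email, avatar URL, IP address, User-Agent, login time, browser fingerprint hash, login logs. The User Unique Identification Code is an immutable identifier and does not change even if you change your Google account name or email.
Credits & Billing
Collected: credit balance, credit transaction records, subscription status, Stripe customer reference number and transaction reference number, billing name and email (sent to Stripe). We do not collect or store any full credit or debit card details.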
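8. AI Use and Disclaimer
Important notice
- Accuracy limits: AI may generate information that is wrong, incomplete, outdated or misleading, including so-called "hallucination". Generated content should not be treated as a substitute for medical, legal, financial, engineering, academic or any other professional advice.
- Diet and spending data: Nutritional estimates (for example sugar and calories) and spending analysis are for reference only and cannot be treated as the advice of a professional dietitian, certified public accountant or financial adviser; if you have health or financial needs, consult a qualified professional.
- Score recognition: Scores the AI recognises from photos or recordings may contain errors; check and correct them yourself before use.
- Digital watermarks: Images and videos generated by Imagen, Veo and similar models may contain an invisible SynthID watermark. Users must not attempt to remove, forge or conceal these watermarks.
- Deep Research: Deep Research mode uses external search engines to obtain up-to-date information, and its accuracy depends on the external sources; we are not responsible for the content of external sources.
- Automated decision-making: The Service does not carry out purely automated processing to make decisions with legal effect concerning you; all AI output is for your reference only and the final decision is yours.
- Your responsibility: You are fully responsible for how you use AI-generated content, including verifying its legality and accuracy yourself before publishing it, relying on it or using it commercially.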
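9. Usage Limits and Fair Use
To ensure system stability and fair allocation of resources:
- Free allowance: Free use is subject to a sliding window and a daily limit, so that every user gets fair access to AI resources; once the free allowance is exceeded, some features consume credits instead.
- Daily reset: The daily free quota resets at midnight Hong Kong time (UTC+8).
- Rate limiting: Every API action has a rate limit bucketed per user (see 6b).
- Handling of abuse: If we detect malicious farming, automated requests, credential stuffing, token replay or violations of the usage policy, we reserve the right to throttle, suspend or terminate the account, or to block the IP proactively.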
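10. Nature of the Service and Disclaimer (provided as is)
The Service is experimental and is provided on an "as is" and "as available" basis, without any express or implied warranty, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy or reliability. We do not warrant that the Service will always be available, uninterrupted, absolutely accurate or error-free; the Service may have downtime, maintenance or feature changes. We may add, modify or remove any feature at any time. To the maximum extent permitted by applicable law, we accept no liability for the effects of interruptions to third-party services (for example AI providers or payment partners).
11. Limitation of Liability
To the maximum extent permitted by applicable law, we and our affiliates, suppliers, licensors, directors, employees and agents are not liable for any indirect, incidental, special, consequential or punitive loss (including but not limited to loss of data, loss of profit, business interruption, loss of goodwill and the cost of substitute services), even if we have been advised of the possibility of such damage. In all cases, our total liability in respect of the Service is capped at the amount you actually paid us for the relevant service in the twelve (12) months before the event (or HKD 100 if no payment was made). Some regions (including but not limited to EU member states, the United Kingdom and the US state of New Jersey) may not allow certain limitations of liability; in those cases this clause applies only to the extent permitted by law.
12. Indemnity
You agree to defend us against, and to compensate us for reasonable costs of, third-party claims, losses or damage that result directly from your material breach of the terms of this document. This clause does not apply to claims arising from your uploading lawful content or using the Service normally.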
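13. Suspension and Termination
If you breach any term of this document, or applicable law requires us to do so (including on receipt of a valid order from law enforcement), we may suspend or permanently terminate your account without prior notice. You may also stop using the Service at any time. After termination you may lose the right to access your content, and remaining credits are voided (see Section 5). We will, within reasonable limits, provide an account-data export period of at least 30 days (by contacting us by email); after the export period the data may be permanently deleted. Terms that by their nature should continue after termination (including but not limited to Sections 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17 and 18) remain in force.
14. Amendments to the Terms
We may update this document from time to time. A revised version takes effect as soon as it is published on this page, and the "Last updated" date is updated accordingly. For material changes (including material changes to the scope of data collection, purposes, sharing recipients, retention periods or security mechanisms), we will give you advance notice by reasonable means such as email, in-app notification or a banner at sign-in; in regions that require a longer notice period, such as the EU and the United Kingdom, we will give at least 30 days' notice. Your continued use of the Service after the effective date of an update means you accept the new version of the terms. If you do not agree, stop using the Service and request deletion of your account.
15. Governing Law and Dispute Resolution
This document is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region. For any dispute arising out of or relating to the Service, the parties agree first to try to resolve it amicably by contacting spcyapp@gmail.com by email; if it is not resolved within 30 days, the parties agree to submit it to the Hong Kong International Arbitration Centre (HKIAC) for arbitration under the HKIAC arbitration rules in force at the time of submission; the seat of arbitration is Hong Kong; the language of arbitration is Chinese (Traditional) or English. The arbitral award is final and binding on both parties. This arbitration clause does not affect the non-litigation dispute resolution rights you have as a consumer in Hong Kong or your place of residence (including the right to complain to the Office of the Privacy Commissioner for Personal Data, Hong Kong).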
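16. Severability, Assignment, Third-Party Beneficiaries, Force Majeure
- Severability: If any part of this document is held invalid or unenforceable, the remainder stays fully in effect.
- Entire agreement: This document, together with any applicable additional terms, is the entire agreement between you and us regarding the Service and replaces any earlier agreement. Our not exercising a right does not mean we waive it.
- Assignment: You may not assign your rights or obligations under this document to a third party. We may assign our rights or obligations under this document to our affiliates, acquirers or successors.
- Third-party beneficiaries: Except as expressly provided in this document, it is not intended to and does not give any third party who is not a party to it any enforceable right.
- Force majeure: We are not liable for delay or failure to perform caused by events beyond our reasonable control (including but not limited to natural disasters, war, terrorism, epidemics, government action, cyber attacks, large-scale power outages and third-party service interruptions).
- Export control: You undertake not to use the Service in countries or regions sanctioned by the United States, the European Union, the United Nations or Hong Kong, and not to use the Service for entities or individuals on sanctions lists.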
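17. Data Subject Rights and Cross-Border Transfers
17.1 Your rights
Wherever you are located, we respect your data subject rights in accordance with applicable law. In general, you have the following rights (the exact scope depends on applicable law):
- Right of access: to ask us for a copy of your personal data.
- Right to rectification: to ask for inaccurate or incomplete data to be corrected.
- Right to erasure: to ask for your personal data to be deleted (except records that the law requires to be kept).
- Right to restrict processing: to ask for processing of your data to be paused.
- Right to object: to object to processing based on legitimate interests or for direct marketing.
- Data portability: to obtain the data you provided to us in a structured, machine-readable format.
- Right to withdraw consent: to withdraw any consent you previously gave us.
- Right to complain: to complain to the data protection regulator in your region.
How to exercise them: Email your request to spcyapp@gmail.com with information sufficient to verify your identity. We will reply within the period required by applicable law. To protect you, we may require identity verification before carrying out your request. If a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee.
17.2 Cross-border data transfers
The Service's main servers are located in Hong Kong, and some processing (including AI model inference) sends necessary data to providers in the following regions:
- United States: Google (Gemini, GCS, reCAPTCHA, Maps), Stripe, xAI, Anthropic.
- Singapore, Japan: Google Cloud regional nodes.
- Mainland China: Alibaba Cloud Tongyi Qianwen (Qwen) and ByteDance Volcano Engine (BytePlus); data is sent only when the user explicitly selects the relevant model (and only the prompt is sent, not Google Workspace data).
All cross-border transfers take place over encrypted channels and are limited to what is necessary to provide the service you request. We rely on the EU Standard Contractual Clauses (SCCs) and similar mechanisms as the legal basis for transferring data from the European Economic Area and the United Kingdom to third countries.
17.3 Statutory retention obligations
Even if you request deletion of your account, we will keep the relevant records only for the period required by applicable law (including records needed for payments, tax, anti-money-laundering and reasonable requests from law enforcement).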
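18. Copyright, Infringement Notices and Cooperation with Law Enforcement
18.1 Copyright
If you believe that content appearing on the Service infringes your copyright, submit a DMCA-style infringement notice to the "copyright agent" listed below, providing: (i) identification of the copyrighted work claimed to be infringed, (ii) the location of the allegedly infringing content on the Service (URL or ID), (iii) your contact details, (iv) a statement that you believe in good faith that the use is not authorised, and (v) your electronic or physical signature. We will act on a valid notice within 10 working days of receiving it.
18.2 Law-enforcement requests
For lawful requests (including search warrants, subpoenas and court orders) from law enforcement in Hong Kong, mainland China, the United States, the European Union or other jurisdictions with valid legal process, we will cooperate in accordance with applicable law after verification. If you object to a law-enforcement request, contact us to ask about its status.
18.3 Anti-abuse
If you find that the Service is being used for illegal activity (including but not limited to CSAM, terrorism or serious harm to children), notify us by email immediately; we will take action within 24 hours of receiving the report (including reporting to relevant bodies such as NCMEC and IWF).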
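19. Accessibility
We are committed to complying with the Web Content Accessibility Guidelines (WCAG) 2.2 at level AA. If you encounter any accessibility barrier while using the Service, email spcyapp@gmail.com and we will do our best to help.
If you have any questions, contact the development team at spcyapp@gmail.com.
Continued use means you also accept the terms of all third-party providers listed in this document (see 6c).
© 2026 SPCY App Ecosystem. This document is protected by copyright.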
Last Updated: June 9, 2026
This document is a legally binding agreement between you and the SPCY App Ecosystem ("we", "us", "our") and consists of three parts: (i) Terms of Service, (ii) Privacy Policy, and (iii) Sensitive Data Protection Mechanisms. It applies to all services in the ecosystem, including but not limited to AI Studio, Drink Record (Milk Tea Tracker), SmartSpend AI (Expense Tracker), Score Editor, Mindmap PPT / AI Slides, Credits & Billing, and the shared sign-in service (Auth). By accessing or using any service, you confirm that you have read, understood, and accepted every term in this document. If you do not agree, stop using the service immediately and close your account.
Eligibility:
- You must be able to form a legally binding agreement to use the service.
- This service is not directed to children under 13, and we do not knowingly collect their personal data. If you are under 18, please use the service only with the consent and supervision of a parent or legal guardian.
- Any payment, credit-purchase, or subscription features are limited to users aged 18 or older (or the age of majority in your jurisdiction).
- You represent that all registration data you provide (including data transmitted via Google Sign-In) is true, accurate, and belongs to you.
Governing law: This document is governed by the laws of the Hong Kong Special Administrative Region. If you access the service from the European Economic Area, the United Kingdom, Switzerland, mainland China, or another jurisdiction, local law may grant you additional rights — see Section 17 "International & Cross-Border".
1. Acceptance of Terms
By accessing or using any service within this ecosystem, you signify that you have read, understood, and agree to be bound by every term of this document. This ecosystem uses a unified authentication mechanism; your account information is shared across applications to provide a seamless experience. We may update this document from time to time (see Section 14); your continued use means you accept the updated version. Unless stated otherwise, new features are also subject to this document.
2. Service Description
AI Studio
Experimental AI chat platform supporting text, multimodal analysis, Deep Research, image generation (Imagen), video generation (Veo), speech synthesis (Lyria), and function calling. Optionally connects to Google Workspace (Gmail, Drive, Calendar) and Microsoft 365 (Outlook) connectors.
Drink Record (MT)
Drink tracking tool. Upload drink photos from the device camera/gallery; AI identifies drink type, sugar, calories, and volume, then logs the record. Custom categories and units are supported.
SmartSpend AI (Expense)
AI-powered expense tracking tool. Upload receipt/invoice photos; AI extracts merchant, items, amounts, currency, date, and category. Supports budgets, multi-currency conversion, and analytics.
Score Editor
Browser-based music score editor (ABC notation). Write scores from scratch, let AI compose from text, or upload photos or audio for AI to transcribe into notation.
Mindmap PPT / AI Slides
AI-driven animated mind-map presentation tool. Transforms documents or ideas into structured, playable interactive mind-maps, and one-click exports to formal slides. Can be generated directly from AI Studio.
Credits & Billing
Credits and subscription system. AI features consume credits per model and per work-unit. Buy credits or subscribe via our payment partner Stripe. See Section 5.
3. Accounts & Acceptable Use
You are responsible for all activity under your account and for keeping your login details secure. Each account is for a single person and may not be shared, resold, or otherwise provided to third parties. When using the service, you agree not to:
- upload, generate, or distribute any unlawful, infringing, defamatory, hateful, harassing, pornographic, harmful, discriminatory, or violence-inciting content;
- create sexualized content involving minors, non-consensual deepfakes or intimate imagery of real people, or any form of CSAM;
- infringe the intellectual property, privacy, publicity, personality, or other legal rights of others;
- generate, publish, or promote misleading information, scams, phishing, spam, or unauthorized commercial communications;
- attempt to hack, disrupt, scrape, send automated bulk requests, perform DoS attacks, perform injection attacks, or bypass credits, quotas, rate-limits, or security in any way;
- reverse engineer, decompile, disassemble, copy, or resell any part of the service (except as expressly permitted by applicable law);
- attempt to access, infer, or steal other users' data;
- use the service to spread malware (viruses, worms, trojans, ransomware, etc.) or to harm the system, other users, or third parties;
- upload content containing malicious code, hyperlink tracking traps, deceptive meta tags, or any other content designed to deceive the AI or the service;
- violate any applicable law, including but not limited to export control, sanctions, anti-money-laundering, and counter-terrorist financing laws of the US, UK, EU, UN, mainland China, or Hong Kong.
If you breach these rules, we may immediately suspend or terminate your account (see Section 13) and may report illegal activity to law enforcement.
4. Intellectual Property
- Your content: To the extent permitted by law, you retain ownership of the content you create or upload. You must have the right to use any material you upload (including photos, audio, documents, scores) and bear all liability for infringement.
- Limited license to us: To operate the service (store, process, model inference, sync, and display it back to you), you grant us a limited, non-exclusive, non-transferable, revocable license to use your content. This license is limited to what is necessary to provide the service, and does not include using your content to train any AI model, resell it, or use it for other commercial purposes.
- AI-generated content: Rights to AI-generated content are subject to applicable law (including copyright law in the jurisdiction where the content is generated) and the relevant AI provider's terms. You must independently judge the legality and appropriateness of AI output. You agree not to use the service to create deepfakes, harmful, infringing, obscene, or discriminatory content.
- Our property: The ecosystem's interface design, trademarks, brand names, source code, AI model selection logic, pricing algorithms, and accumulated know-how are protected by copyright, trademark, and trade-secret law, and may not be copied, modified, distributed, or used without our prior written permission.
- Feedback: If you provide us with feedback or suggestions about the service, you agree that we may use such feedback free of charge, in perpetuity, and irrevocably to improve the service (but we will not publicly identify you as the source).
5. Credits, Payments & Billing
- What credits are: Credits are a prepaid balance used to access AI features. They are an in-service allowance only — they are not money, a deposit, property, financial instrument, or security, have no cash value, and are not covered by deposit insurance.
- Free credits: New users receive a batch of free credits on first sign-in (currently 1,000). Promotional or gifted credits may carry conditions or expiry dates. We reserve the right to adjust, withdraw, or change free/promotional credit terms at any time.
- Purchases & payment: Buying credits or subscriptions is handled by our third-party payment partner Stripe, Inc. We do not see, store, process, or transmit your full card number, CVV, or expiry date. All payment-card data is handled by Stripe in its PCI-DSS Level 1 certified environment and is subject to the Stripe Services Agreement and Stripe Privacy Policy.
- Consumption & pricing: Each AI action consumes credits based on the model (Gemini, Imagen, Veo, Lyria, Grok, DeepSeek, Qwen, Anthropic Claude, etc.), input/output token count, image resolution, video duration, audio length, etc. Prices and consumption rates may change from time to time; the balance shown on screen is an estimate, with the server record being authoritative.
- All purchases are final: Except where required by applicable law, credits, once added, are generally non-refundable, and partially used credits cannot be refunded. If a technical error causes double-charge, we will proactively refund.
- Cooling-off: Where required by applicable law, you may have a right to cancel subscriptions within a statutory period.
- Subscriptions: Subscription plans auto-renew until cancelled. You can cancel anytime via the Stripe Customer Portal; service continues until the end of the current period, with no pro-rata refund for that period.
- Non-transferable: Credits are personal to you and cannot be transferred, cashed out, gifted, or combined across accounts.
- Expiry & forfeiture: Credits may expire after a long period of inactivity; subscription credits reset at the end of each period. If an account is closed or terminated for a violation, remaining credits are forfeited and not refunded.
- Chargebacks & fraud: Disputing a legitimate charge (chargeback) or any fraudulent activity will result in immediate suspension and loss of all credits; we also reserve the right to pursue legal remedies.
- Taxes & pricing errors: Listed prices may exclude applicable taxes, which are your responsibility; Stripe collects and remits taxes on our behalf. We may cancel or correct any order affected by an obvious pricing error.
- Changes or discontinuation: We may change or discontinue the credit system with reasonable notice; if we do, we will make reasonable efforts to honor balances you have already purchased.
6a. Data Collection & Privacy
We prioritize your privacy and commit to the following:
- Authentication (Google Sign-In): We use Google Identity Services (GIS). On sign-in, Google transmits to us your User Unique Identification Code (immutable, provided by Google), verified email, name, and avatar URL. We store this data only to create and maintain your account.
- Cookies and local storage:
  - Strictly necessary cookies: a non-HttpOnly login-identifier cookie (so the frontend can read login state), an HttpOnly device-fingerprint verification cookie (to prevent cookie spoofing), and an admin-only admin-identifier cookie.
  - LocalStorage: user preferences (including language / theme settings), sign-in token, user-profile cache, last-active timestamp. This data is stored only in your browser and is never sent to our servers.
  - SessionStorage: post-login destination (auto-expires after 10 minutes).
  - We use no tracking or advertising cookies, and we have not integrated Google Analytics, Meta Pixel, or similar third-party tracking tools.
- Cloud data storage and retention: Your chat history, scores, expense records, uploaded files, and photos are securely stored in infrastructure with strict access control:
  - Google Cloud Storage (GCS), protected by Google's infrastructure. By default, temporary attachments (e.g. chat uploads) are auto-deleted 7 days after upload. Users can choose Google Drive storage (no auto-deletion) instead.
  - Encrypted application databases, self-hosted. Each application's data is stored with logical isolation and strict access control to ensure users can only read their own data.
- Payment data: Payments are processed entirely by Stripe. We only retain transaction records (amount, time, plan purchased, Stripe customer reference and transaction reference numbers) and do not store, and cannot read, your full card details.
- AI processing: To generate responses, your prompts and uploaded content are sent to the relevant AI providers. AI providers process this data under their own terms and privacy policies (see Section 6c). We do not use your private content to train our own models, and we do not sell it.
- Sliding sessions: As long as you keep using the service, your session is automatically extended (sliding session) — no need to re-authenticate. The maximum idle period before expiry is 7 days.
- Your choices and rights: You can delete chats or data at any time, revoke connector authorizations (via the settings page or your Google Account permissions), or request account deletion by email. See Section 17.
- No resale: We never sell, rent, trade, or otherwise transfer your personal data or conversation content to third parties. Data is used solely to provide the service and comply with legal obligations.
6b. Per-OAuth-Scope Sensitive Data Protection
This section explicitly enumerates the categories of sensitive data the service accesses from third-party providers, the protection mechanisms in place, and the processing principles — so you can understand exactly how your data is protected.
Universal safeguards (apply to all data categories):
- Encryption in transit: All requests use TLS 1.2+ encryption.
- Encryption at rest:
  - Files in GCS: Google encrypts data at rest with AES-256 by default.
  - OAuth access/refresh tokens: Symmetrically encrypted with libsodium crypto_secretbox (XSalsa20-Poly1305) before storage. Keys are managed via server environment variables and are never written to source code or logs.
  - Application databases: Hosted on managed cloud servers; disk-level encryption is provided by the cloud vendor. The application layer additionally encrypts sensitive fields (e.g. third-party access tokens) before storage.
- Access control (RBAC + least privilege): All user-data queries use parameterised queries and strict per-user identity filtering, enforcing per-user data isolation. Admin access is controlled by a whitelist; admin "view-as" actions are audit-logged and rate-limited.
- Logical data isolation: Each user's data is isolated at the application layer by their unique user identifier; cross-user access is not permitted.
- Rate limiting: A fixed-window rate limiter, configured per app + action (e.g. AI chat 20/min, score recognition 10/min). Sensitive actions like checkout are fail-closed on system error (HTTP 503) to prevent double-grant on retry.
- Browser fingerprint: Each session is bound to an encrypted fingerprint cookie derived from browser characteristics (e.g. language, screen, timezone, platform), preventing stolen-cookie impersonation.
- reCAPTCHA anti-abuse: Login and key API endpoints use Google reCAPTCHA Enterprise with a risk-score-based assessment. In production, a missing reCAPTCHA secret fails closed (rejects all requests).
- Periodic security review: Source code is reviewed regularly and known vulnerabilities are evaluated.
- Incident response: In the event of a data breach affecting user data, we will notify affected users and the relevant regulators (including HK PCPD) within 72 hours per applicable regulations.
- Data retention and deletion: User data (chat history, files, scores, expense records) is retained until account deletion. Chat attachments default to auto-deletion after 7 days. For immediate deletion, email spcyapp@gmail.com.
Per-OAuth-scope safeguards
The table below enumerates each restricted scope we request from Google / Microsoft, the sensitive data it grants access to, and the specific safeguards applied.
| Data Access Type | Sensitive data accessed | Safeguards |
| --- | --- | --- |
| Google Sign-In profile | User Unique Identification Code, name, email, avatar URL, locale | Used only to create the account and render the UI; email is used for identification only — never for marketing; avatar URL is rendered in the UI; never shared with third parties. |
| Gmail access | User Gmail inbox email metadata (sender, subject, date, message ID) and content (when explicitly requested by the user) | Processed only by the designated AI Service Provider; other AI providers never receive this scope's data. Used only for the user's immediate request (e.g. "find emails about…"). Email content is never stored on our servers. Never used to train AI; never shared with third parties. Users can revoke at any time via the Google Account permissions page or by clicking "Disconnect" in the app. |
| Gmail draft creation | Create Gmail drafts on the user's behalf (never auto-sent) | Drafts are created by AI; the user must manually review and press "Send" in Gmail. We never send on the user's behalf. Drafts live in the user's Gmail account, not on our servers. AI processes only the draft content; never stored, trained on, or shared. |
| Google Drive read access | User's Google Drive files (read-only, only files the user selects) | Processed only by the designated AI Service Provider; other AI providers never receive this scope's data. Used only for the user's explicit request (e.g. "summarize this document"). Users can choose to save temporary copies to GCS (auto-deleted after 7 days, protected by Google AES-256) or to the user's own Drive (no auto-deletion, user-managed). Never used to train AI; never shared with third parties. Users can revoke the scope or delete individual files at any time. |
| Google Drive create/edit (app-created files) | Create / edit Google Drive files (Docs, Sheets, Slides) created by this app | Limited to creating and editing files created by this app (a built-in restriction of the drive.file scope). Users can view, share, and delete these files in their own Drive. AI does not read the user's other Drive files when processing this scope. |
| Google Calendar access | User's Google Calendar events (read & create) | Processed only by the designated AI Service Provider; other AI providers never receive this scope's data. Used only for the user's request (read / create events). Events are never stored on our servers. Event creation uses RFC 3339 + Asia/Hong_Kong (+08:00) time-zone to ensure correctness. Never used for training or sharing. |
| Microsoft Sign-In profile | User Microsoft account basic profile | Same handling as Google openid/profile; account identification and UI only. |
| Outlook mail access | User Outlook inbox (read) | Same as gmail.readonly; designated AI Service Provider only, never stored, trained on, or shared. |
| Microsoft offline access (token refresh) | Authorize us to refresh access tokens while the user is offline | Refresh tokens are libsodium-encrypted at rest; user can revoke at any time. |
Google API Services User Data Policy (Limited Use) commitment
We comply with the Google API Services User Data Policy, including its Limited Use requirements. Specifically, we commit to:
- Reading, writing, or modifying user Google Workspace data only within the scope the user explicitly requests;
- Never using user Google Workspace data to train any general AI / ML model;
- Never selling, renting, trading, or otherwise transferring user Google Workspace data to any third party;
- Never using user Google Workspace data for advertising, cross-app behavioural tracking, or building advertising profiles;
- Transferring data only to third parties that provide substantive service functionality (i.e. our designated AI Service Provider);
- Using secure server-to-server OAuth 2.0 flows with a state nonce to prevent CSRF;
- Providing clear, prominent consent screens, revocation paths, and a link to this privacy policy;
- Permanently deleting the relevant Google user data from our systems within 30 days (and no later than 60 days) of an account-deletion request.
Google Generative AI Prohibited Use Policy commitment
We comply with the Google Generative AI Prohibited Use Policy and prohibit users from using the service for:
- Generating sexualized content involving minors or any CSAM;
- Generating, promoting, or facilitating violence, terrorism, genocide, self-harm, or illegal weapons;
- Generating content that harasses, hates, defames, or bullies real or legally identifiable persons;
- Generating content for fraud, phishing, impersonation, or social engineering;
- Generating content that provides unauthorized medical, legal, or financial professional advice;
- Mass-generating content for political propaganda or disinformation;
- Infringing the intellectual property, privacy, or publicity rights of others;
- Any illegal activity, or assisting others in illegal activity.
SynthID and content provenance
Images and videos generated via Google Imagen / Veo are watermarked with Google SynthID (an imperceptible digital watermark) by default. Users must not attempt to remove, forge, or conceal such watermarks. We also encourage users to voluntarily label AI-generated content as such when sharing it publicly.
6c. Third-Party Services & Provider Terms
The service transmits necessary data to the following third-party providers. By using the corresponding features, you agree to be bound by each provider's own terms and privacy policy.
| Provider | Data received | Purpose | Terms link |
| Google Gemini API (incl. Imagen, Veo, Lyria, Gemma) | Prompts, uploaded files (image, audio, document, video), function-call results | AI text/multimodal responses, image/video/audio generation | Gemini API Terms · Google Privacy |
| Google Cloud Storage | User-uploaded files | Cloud file storage (AES-256 at rest) | GCP ToS |
| Google Sign-In (GIS) / reCAPTCHA | Sign-in credential, reCAPTCHA token | Authentication, abuse prevention | Google ToS · Privacy |
| Google Maps | Location / address lookups | Map display and geocoding (only when the user actively uses it) | Maps ToS |
| Microsoft Graph (Outlook) | User Microsoft account profile, Outlook email, calendar events | Connector features (after user connects) | Microsoft Services Agreement · Microsoft Privacy |
| Notion API | User-authorized Notion content (read/write) | Connector features (after user connects) | Notion ToS |
| xAI (Grok) | Prompts only (no Google Workspace data) | Optional AI backend | xAI ToS · xAI Privacy |
| DeepSeek | Prompts only (no Google Workspace data) | Optional AI backend | DeepSeek ToS |
| Alibaba Qwen | Prompts only (no Google Workspace data) | Optional AI backend | Qwen ToS |
| Anthropic Claude | Prompts only (no Google Workspace data) | Optional AI backend | Anthropic ToS · Privacy |
| BytePlus (Volcano Engine video) | Prompts, text descriptions | Optional video generation backend | BytePlus ToS |
| Stripe | Billing name, email, payment method | Payment processing, subscription management, fraud prevention | Stripe Consumer ToS · Stripe Privacy |
| Adobe PDF Embed API | User-selected PDF files | In-browser PDF preview | Adobe ToS · Privacy |
7. Per-App Data Handling
Drink Record (MT)
Collects: drink photos (actively uploaded by user), AI-extracted drink name, type, sugar, calories, volume, drink date, user-defined categories and units. Optional: GCS or Google Drive. AI model providers may change as the service evolves. Retention: until record deletion or account deletion.
SmartSpend AI (Expense)
Collects: receipt/invoice photos (actively uploaded by user), AI-extracted merchant, items, amounts, currency, date, category, user-defined budgets and categories. Optional: GCS/Drive. AI model providers may change as the service evolves. Retention: until record deletion or account deletion.
Score Editor
Collects: user-created/edited scores (ABC notation), user-uploaded photos or audio files (for AI recognition), AI recognition results. AI model providers may change as the service evolves. Scores are stored in our encrypted application database; audio/photo attachments default to Google Cloud Storage (7-day auto-deletion).
AI Studio / Mindmap PPT / AI Slides
Collects: user prompts, conversation history, uploaded attachments, user-connected connector data (see 6b). AI model providers are user-selectable in settings and may change as the service evolves; connector data is processed only by a designated single provider. Retention: until user or account deletion.
Auth (sign-in service)
Collects: User Unique Identification Code, name, email, avatar URL, IP address, User-Agent, sign-in timestamp, browser fingerprint hash, sign-in audit log. The User Unique Identification Code is an immutable identifier — it does not change even if you rename or change email on your Google account.
Credits & Billing
Collects: credit balance, transaction history, subscription status, Stripe customer reference and transaction reference numbers, billing name and email (sent to Stripe). We do not collect or store any full card details.
8. AI Use & Disclaimer
Important notice
- Accuracy limits: AI may produce incorrect, incomplete, out-of-date, or misleading information, including the so-called "hallucination" phenomenon. Generated content must not be used as a substitute for medical, legal, financial, engineering, academic, or any other professional advice.
- Diet and expense data: Nutritional estimates (sugar, calories) and spending analysis are for reference only and do not constitute professional dietitian, accounting, or financial advice; consult a qualified professional for health or financial decisions.
- Score recognition: AI-transcribed scores from photos or audio may contain errors — review and edit them yourself before use.
- Digital watermarks: Images/videos generated by Imagen / Veo may include the SynthID imperceptible watermark. Users must not attempt to remove, forge, or conceal such watermarks.
- Deep Research: Deep Research uses external search engines; accuracy depends on those external sources, and we are not responsible for their content.
- Automated decision-making: The service does not make legally binding decisions about you on a fully automated basis; all AI output is for your reference and the final decision is yours.
- Your responsibility: You bear full responsibility for how you use AI-generated content, including verifying its legality and accuracy before publishing, relying on, or commercially using it.
9. Usage Limits & Fair Use
To ensure system stability and fair resource allocation:
- Free allowance: Free usage is subject to a sliding window and a daily quota to ensure fair access for everyone; beyond the free allowance, some features switch to consuming credits.
- Daily reset: Daily free quota resets at midnight Hong Kong time (UTC+8).
- Rate limits: Every API action has a per-user rate limit (see 6b).
- Abuse handling: If we detect malicious farming, automated requests, credential stuffing, token replay, or other policy violations, we reserve the right to rate-limit, suspend, or terminate accounts, or to block IP addresses.
10. Service Nature & Disclaimer ("As Is")
The service is experimental and is provided on an "as is" and "as available" basis, without warranties of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, or reliability. We do not guarantee that the service will be available, uninterrupted, perfectly accurate, or error-free; downtime, maintenance, and feature changes may occur. We may add, modify, or remove any feature at any time. To the maximum extent permitted by applicable law, we are not responsible for effects caused by interruptions of third-party services (e.g. AI providers or our payment partner).
11. Limitation of Liability
To the maximum extent permitted by applicable law, we, our affiliates, suppliers, licensors, directors, employees, and agents are not liable for any indirect, incidental, special, consequential, or punitive damages (including but not limited to loss of data, loss of profits, business interruption, loss of goodwill, or cost of substitute services), even if we have been advised of the possibility of such damages. In any case, our total liability for the service is capped at the amount you actually paid us for the relevant service in the twelve (12) months before the event (or HK$100 if you have made no payment). Some jurisdictions (including but not limited to EU member states, the UK, and the US state of New Jersey) may not allow certain limitations of liability; in those cases, this section applies only to the extent permitted by law.
12. Indemnification
You agree to defend and indemnify us for third-party claims, losses, or damages directly arising from your material breach of this document, to the extent reasonable. This section does not apply to claims arising from your lawful uploads or normal use of the service.
13. Suspension & Termination
If you breach any term of this document, or if applicable law requires us to do so (including receipt of a valid order from a law enforcement authority), we may suspend or permanently terminate your account without prior notice. You may also stop using the service at any time. After termination, you may lose access to your content, and any remaining credits are forfeited (see Section 5). We will, to a reasonable extent, provide an account data export window of at least 30 days (via email); after the export window, data may be permanently deleted. Provisions that by their nature should survive termination (including but not limited to Sections 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18) will continue to apply.
14. Changes to Terms
We may update this document from time to time. The revised version takes effect once posted on this page, and the "Last Updated" date is updated accordingly. For material changes (including material changes to data-collection scope, purpose, sharing parties, retention period, or security mechanisms), we will notify you in advance by reasonable means (email, in-app notification, sign-in banner). In regions with longer notice requirements (EU, UK), we will notify at least 30 days in advance. Your continued use after the effective date means you accept the new terms. If you do not agree, please stop using the service and request account deletion.
15. Governing Law & Disputes
This document is governed by the laws of the Hong Kong Special Administrative Region. For any dispute arising out of or relating to the service, both parties agree to first attempt amicable resolution by emailing spcyapp@gmail.com; if not resolved within 30 days, the dispute shall be submitted to the Hong Kong International Arbitration Centre (HKIAC) under its rules in force at the time of submission. The seat of arbitration is Hong Kong; the language of arbitration is Traditional Chinese or English. The award is final and binding on both parties. This arbitration clause does not affect your non-judicial dispute-resolution rights as a consumer in Hong Kong or your place of residence (including the right to file a complaint with the HK PCPD).
16. Severability, Assignment, Third-Party Beneficiaries, Force Majeure
- Severability: If any part of this document is held invalid or unenforceable, the remaining parts remain in full effect.
- Entire agreement: This document, together with any applicable additional terms, constitutes the entire agreement between you and us regarding the service, replacing any prior agreement. Our failure to exercise a right does not waive that right.
- Assignment: You may not assign your rights or obligations under this document to any third party. We may assign our rights or obligations to an affiliate, acquirer, or successor.
- Third-party beneficiaries: Except as expressly provided in this document, this document is not intended to and does not grant any enforceable right to any non-party third party.
- Force majeure: We are not responsible for delays or failures caused by events beyond our reasonable control (including but not limited to natural disasters, war, terrorism, pandemic, government action, cyberattacks, mass power outages, third-party service outages).
- Export control: You agree not to use the service in any country or region subject to US, EU, UN, or HK sanctions, and not to use it for any entity or individual on a sanctions list.
17. Data Subject Rights & Cross-Border Transfers
17.1 Your rights
Regardless of where you are located, we will honour your data-subject rights under applicable law. In general, you have the following rights (the exact scope is governed by applicable law):
- Right of access to a copy of your personal data.
- Right of rectification of inaccurate or incomplete data.
- Right of erasure, subject to records we are legally required to retain.
- Right to restriction of processing.
- Right to object to processing based on legitimate interests or direct marketing.
- Data portability in a structured, commonly used, machine-readable format.
- Right to withdraw consent at any time.
- Right to lodge a complaint with your local data-protection regulator.
How to exercise: Email spcyapp@gmail.com with information sufficient to verify your identity. We will respond within the period required by applicable law. To protect you, we may require identity verification before acting on your request. If a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee.
17.2 Cross-border data transfers
The service's primary servers are located in Hong Kong; some processing (including AI model inference) transfers necessary data to providers in:
- United States: Google (Gemini, GCS, reCAPTCHA, Maps), Stripe, xAI, Anthropic.
- Singapore / Japan: Google Cloud regional nodes.
- Mainland China: Alibaba Qwen and BytePlus Volcano Engine — only when the user explicitly selects those models (and only prompts, never Google Workspace data).
All cross-border transfers are made through encrypted channels and are limited to what is necessary to provide the service you request. We rely on EU Standard Contractual Clauses (SCCs) and similar mechanisms as the legal basis for transferring data from the EEA and UK to third countries.
17.3 Statutory retention obligations
Even after you request account deletion, we will retain records only as required by applicable law, including records needed for payment, tax, anti-money-laundering, and reasonable law-enforcement requests.
18. Copyright, Takedown & Law-Enforcement Cooperation
18.1 Copyright
If you believe content on the service infringes your copyright, please submit a DMCA-style takedown notice to our designated agent with: (i) identification of the copyrighted work claimed to be infringed; (ii) the location of the allegedly infringing content on our service (URL or ID); (iii) your contact details; (iv) a statement that you have a good-faith belief the use is unauthorized; and (v) your electronic or physical signature. We will process valid notices within 10 business days.
18.2 Law-enforcement requests
For valid legal process (search warrants, subpoenas, court orders) from law enforcement in Hong Kong, mainland China, the United States, the EU, or any other jurisdiction with valid legal process, we will comply after verification, in accordance with applicable law. If you wish to challenge a law-enforcement request, please contact us.
18.3 Anti-abuse
If you discover the service being used for illegal activity (including but not limited to CSAM, terrorism, or serious child harm), please immediately notify us by email. We will take action within 24 hours of receiving the report (including reporting to NCMEC, IWF, and other relevant authorities).
19. Accessibility
We strive to comply with Web Content Accessibility Guidelines (WCAG) 2.2 Level AA. If you encounter any accessibility barrier while using the service, please email spcyapp@gmail.com and we will do our best to assist.
For any questions, contact the development team at spcyapp@gmail.com.
By using the service, you also accept the terms of all third-party providers listed in section 6c.
© 2026 SPCY App Ecosystem. This document is protected by copyright.