CoRaccoon Personal Information Protection Policy

Last Updated: September 25, 2025

Effective Date: September 25, 2025

Dear User:

Thank you for using the CoRaccoon service (hereinafter referred to as "this Service"). CoRaccoon is an intelligent programming assistant and office data analysis application operated by Shanghai Yuhuan Technology Co., Ltd. and its affiliates (hereinafter referred to as "Yuhuan" or "we"), providing users with functions such as code generation, code explanation, code correction, code conversion, unit test generation, comment generation, requirements document generation, technical document generation, intelligent Q&A, data analysis, and chart generation. We are fully aware of the importance of personal information to you and will do our utmost to protect the security of your personal information.

We will protect your personal information in accordance with national laws and regulations, adhering to the principles of consistency of rights and responsibilities, clarity of purpose, consent, minimization, openness and transparency, security, and subject participation.

To help you understand what personal information we collect through CoRaccoon, and how we use, store, share, and transfer this information when you use CoRaccoon, we have formulated this CoRaccoon Personal Information Protection Policy (hereinafter referred to as "this Policy"). Please read this Policy carefully, especially the content shown in bold. If you have any questions, comments, or suggestions, you can contact us through the contact methods in Section XI of this Policy.

This Policy will help you understand the following:

I. Scope of this Policy

II. How We Collect and Use Your Personal Information

III. Exceptions to Authorized Consent

IV. How We Use Cookies and Similar Technologies

V. How We Store Your Personal Information

VI. How We Share, Transfer, and Publicly Disclose Your Personal Information

VII. How We Protect Your Personal Information

VIII. Your Rights

IX. How We Handle Minors' Personal Information

X. Changes and Revisions to this Policy

XI. How to Contact Us

XII. Effectiveness of this Policy

I. Scope of this Policy

This Policy applies to the services we provide to you through CoRaccoon.

It should be noted that this Policy does not apply to services provided to you by other third parties, such as third-party services or websites you link to through CoRaccoon. You understand that these services are provided independently by third parties, and they will be solely responsible for the processing of your personal information in accordance with their own policies or user agreements.

II. How We Collect and Use Your Personal Information

Personal Information: Personal information is any information recorded electronically or otherwise that relates to an identified or identifiable natural person, not including anonymized information. The definition of personal information depends on the jurisdiction in which you are located. Under this Policy, only the definition applicable to your jurisdiction applies to you. In this Policy, this includes user nicknames, mobile phone numbers, mobile verification codes, email addresses, WeChat account information (including WeChat OpenID and UnionID), your uploaded content, device information, log information, IP addresses, etc.

When you use CoRaccoon, we will collect and use the personal information necessary to provide the relevant services as described below. If you do not use a specific function, we will not collect the corresponding information.

1. Ensuring the Normal Provision of Services

   To enhance the security of your use of the services provided by us, our affiliates, and partners; to protect the personal safety, property safety, account security, and transaction security of you, other users, or the public; to better prevent security risks such as phishing websites, fraud, network vulnerabilities, computer viruses, network attacks, network intrusions, and malicious programs; and to more accurately identify violations of laws, regulations, or CoRaccoon-related agreements and rules, we may collect your device information. This includes immutable device identification information (a string of characters programmed into the device by the manufacturer for identification purposes, such as service log information, IP address, device identifiers, and we may use or integrate your device information, service log information, and information shared by our affiliates and partners with your authorization or according to law. Among these, we may collect service log information, IP address, device identifiers, and other device identifiers for risk verification while the application is running in the background), to comprehensively assess your account and transaction risks, conduct identity verification, detect and prevent security incidents, and take necessary recording, auditing, analysis, and disposal measures in accordance with the law.

2. Account Registration/Login

   【Account Registration】When you register for our products and/or services, to help you complete the registration process, you need to provide us with your mobile phone number, SMS verification code, and account password to create an account.

   【Account Login】When you use your registered account to log in to our products and/or services, you need to provide us with your mobile phone number for verification.

   This Service supports registration and login using third-party platform accounts (e.g., WeChat). If you use a third-party account for registration and login, we will, based on your authorization, obtain relevant information from that third-party account, including: your WeChat OpenID and UnionID, mobile phone number, and designated school's .edu email (for Education Edition only), to register and bind with your account, enabling you to log in and use this Service directly.

   This Service supports both individual and team account registration. The team administrator has the right to add and invite team members. When you add or invite team members, you will also need to provide us with their mobile phone numbers. We will send a notification SMS to your team members, and their accounts will only be activated after they click to confirm joining your team and complete the team member account registration process.

   Please ensure that you have fully informed and obtained consent from your team members to process their personal information.

   For the avoidance of doubt, with respect to the personal information of team members, we are the data processor and you are the data controller. You are responsible for informing team members of the purpose, method, and scope of personal information collection and use. If team members have questions about the processing of their personal information or wish to exercise their rights, you are responsible for handling such requests, and we will provide cooperation within a reasonable scope.

   【Account Settings】You can modify your account information in the account settings interface. To enrich your account profile, send you important notices about CoRaccoon services, and facilitate identity verification through various means, we will collect the username and email information that is either automatically generated by the system or modified by you.

   We will use your email information to provide you with consultations, promotions, and marketing information related to CoRaccoon services. We will not use your personal information for marketing purposes unless we have obtained your consent (or non-objection notice).

   You may choose to refuse to provide the aforementioned personal information, but your email information will help us contact you quickly when there are important notices about CoRaccoon services.

3. Intelligent Programming

   When you use CoRaccoon's functions such as code generation, code explanation, code correction, code conversion, unit test generation, comment generation, requirements document generation, technical document generation, intelligent Q&A, data analysis, chart generation, usage dashboard, and knowledge base management, we need to collect your input code, conversational messages, device information, and log information to provide you with a consistent service. The aforementioned device and log information includes: device identifiers, IP address; your operational and behavioral log information, including your browsing records, generation records, sharing records, upload records, download records, and access dates. Notably, unless you check the box to agree to participate in the user improvement program, the conversational messages and code information you upload to us will only be used to provide you with inference content. They will not be stored long-term in any form, nor will they be used for model training.

   If you are using a team member account, your operational and behavioral log information will be synchronized with your team administrator's account for team management purposes.

   To provide you with the aforementioned functions, we must collect the aforementioned personal information. This information is necessary for these functions. If you do not provide this information, you may not be able to use these functions normally.

4. Office Data Analysis

   When you use CoRaccoon's functions for data cleaning, data calculation, trend analysis, predictive analysis, comparative analysis, correlation analysis, data visualization, and usage dashboard, we need to collect your uploaded data documents, conversational messages, device information, and log information to provide the requested features. The aforementioned device and log information includes: IP address; your operational and behavioral log information, including your browsing records, generation records, sharing records, upload records, download records, and access dates. The data you upload is only used to provide you with inference content and to view your historical session records. It will not be stored long-term in any form, nor will it be used for model training.

   To provide you with the aforementioned functions, we must collect the aforementioned personal information. If you do not provide this information, you may not be able to use these functions normally.

5. Knowledge Management

   When you use CoRaccoon's "My Documents" and "Knowledge Base Management" functions, we need to collect your uploaded data documents, conversational messages, device information, and log information to provide the requested features. The aforementioned device and log information includes: IP address; your operational and behavioral log information, including your browsing records, generation records, sharing records, upload records, download records, and access dates. We will also display your knowledge base's storage space, capacity, total file count, and current-level file count. The data you upload is only used to provide you with inference content. We will provide you with personalized planning, analysis, and writing assistance based on your knowledge base and preferences. It will not be stored long-term in any form, nor will it be used for model training.

   To provide you with the aforementioned functions, we must collect the aforementioned personal information. If you do not provide this information, you may not be able to use these functions normally.

6. Placing Orders and Payment

   When you purchase our products and/or services, we need to collect some or all of the following personal information based on the service type: transaction service information, transaction amount, order time, order number, order status, payment method, and payment status. We collect this information to help you complete transactions smoothly, ensure your transaction security, query order information, and provide customer service. This information is necessary for this function. If you do not provide this information, you may not be able to participate in the above activities normally.

7. Device Permission Calls

   During the provision of this Service, we need to request certain system permissions to provide specific functions. We will ask for your authorization when you use these functions and will only access your personal information within the scope of your explicit authorization. If you do not need to use these functions, you can deny authorization. After granting permission, you can withdraw it at any time by going to your device's settings interface (the permission management pages may vary depending on the device model and system version; please refer to the actual page). After you withdraw your authorization, we will stop accessing the corresponding permissions.

   The permissions we request and their corresponding functions include:

   • Folder Access Permission
     • Permission Function: Read folder contents
     • Can it be disabled and the impact: Can be disabled, but the user may not be able to use the corresponding function.

8. Customer Service and Dispute Resolution

   When you contact us or file a dispute resolution request, to protect your account and system security, we need you to provide necessary personal information to verify your member identity.

   To facilitate contact with you, help you resolve issues as quickly as possible, or record the resolution and results of related issues, we may save your communication/call records and related content with us (including account information, other information you provide to prove relevant facts, or your contact information). If you consult, complain, or provide suggestions about a specific order, we will use your account and order information.

   Refusing to provide the foregoing information will not affect your use of CoRaccoon services but may affect our ability to provide customer service or assist you in resolving related issues you encounter.

9. If the information you provide contains the personal information of other users, you must ensure that you have obtained their legal authorization before providing it to us.

10. If we use your information for other purposes not specified in this Policy, or use information collected for a specific purpose for other purposes, we will obtain your prior consent.

11. Third-Party Services

    To implement specific software functions and better provide services to you, we have integrated third-party software development kits (SDKs) and application programming interfaces (APIs) into our software. Please click here to view the directory of third parties integrated into our product Third-Party Information Sharing List to understand the third parties that may obtain your information, the identity of the relevant service providers, the scope of your information they collect or obtain through us, and the purpose of its use. We will conduct technical testing and behavioral audits of such partners or service providers from time to time and require them to comply with cooperation legal agreements to ensure, to the greatest extent possible, that they collect and use data in accordance with laws, regulations, and agreements. Please note that although we will require such third parties to strictly protect your personal information through contractual and technical means, they will be independently responsible for protecting your personal information in accordance with their own privacy policies.

III. Exceptions to Authorized Consent

According to relevant laws and regulations, the collection and use of your personal information in the following situations do not require your authorized consent:

1. Related to our fulfillment of obligations stipulated by laws and regulations;
2. Directly related to national security and defense security;
3. Directly related to public safety, public health, and major public interests;
4. Directly related to criminal investigation, prosecution, trial, and judgment execution;
5. For the purpose of protecting the major legitimate rights and interests, such as life and property, of the personal information subject or other individuals, where it is difficult to obtain your consent in time;
6. The personal information collected is disclosed to the public by yourself;
7. Collecting personal information from legally and publicly disclosed information, such as legal news reports, government information disclosure, and other channels;
8. Necessary for maintaining the safe and stable operation of the products or services provided, such as discovering and handling faults in products or services;
9. Necessary for academic research institutions to conduct statistical or academic research for the public interest, and when providing the results of academic research or descriptions, the personal information contained in the results is de-identified;
10. Other circumstances stipulated by laws, regulations, or national standards.

IV. How We Use Cookies and Similar Technologies

A Cookie is a small piece of data (text file) that we ask your browser to store on your device (e.g., computer or smartphone) to remember information about your login status or your device, so you do not have to log in again on your next visit. "Similar technologies" related to the general term "cookies" also include local objects (sometimes called flash cookies), web beacons, pixel tags, browser fingerprinting technologies, or any technology that stores or accesses information on a user's device. This information usually does not allow us to identify you, but it can provide a better user experience when you visit websites (including our website). We use various cookies on our website for different purposes, including Strictly Necessary Cookies and Functional Cookies.

If you disable cookies, it will not prevent you from browsing this website, but the use of certain services may be restricted, which may affect your browsing experience. You can manage cookies and set your cookie preferences by enabling the cookie function in your browser software or by performing corresponding actions. We will strictly use cookies in accordance with your wishes.

V. How We Store Your Personal Information

Personal information collected and generated by us within the territory of the People's Republic of China will be stored within the territory of the People's Republic of China.

We will only retain your personal information for the period necessary to achieve the purposes described in this Policy, unless there is a mandatory retention requirement by law. We determine the storage period of personal information mainly by reference to the following standards, whichever is longer:

1. To complete the business functions you have agreed to use, including after-sales service;
2. The retention period you have agreed to;
3. Whether there are other special agreements regarding the retention period.

After the retention period expires, we will delete your personal information or anonymize it in accordance with applicable legal requirements.

If we cease to operate CoRaccoon and related services, we will promptly stop collecting your personal information and will issue a notice of cessation of operations in the form of an announcement. At the same time, we will delete or anonymize the personal information we store.

Please note that if you use a team account and provide us with the personal information of team members, and if a team member requests the deletion of their personal information, such a request should be respected, but deleting the team member's personal information may render the corresponding service unavailable.

Note: Anonymization refers to the process of technically processing personal information so that the subject of the personal information cannot be identified or associated, and the processed information cannot be restored. According to relevant laws, regulations, and national standards, anonymized information is not personal information.

VI. How We Share, Transfer, and Publicly Disclose Your Personal Information

(I) Sharing

We will not share your personal information with any company, organization, or individual, except in the following cases:

1. With your explicit consent, we will share your personal information with other parties.
2. We may share your personal information externally in accordance with laws and regulations, the needs of litigation and dispute resolution, or as required by administrative and judicial authorities in accordance with the law.
3. To the extent permitted by law and regulations, it is necessary to share your personal information to protect us, our affiliates or partners, you or other users, or the public interest, property, or safety from harm.
4. Sharing with our affiliates. To facilitate our provision of services to you, we may share your personal information with our affiliates. However, we will only share necessary personal information, and the use of your personal information by our affiliates is bound by this Policy or an affiliate policy that you have authorized and that provides a level of protection for your personal information substantially similar to this Policy. Both we and our affiliates will strictly comply with Shanghai Yuhuan Technology Co., Ltd.'s personal information and data security protection systems and policies.

(II) Transfer

We will not transfer your personal information to any other company, organization, or individual, except in the following situations:

1. After obtaining your explicit consent or authorization in advance;
2. When necessary to provide it in accordance with applicable laws and regulations, legal procedures, or mandatory administrative or judicial requirements;
3. In accordance with relevant agreements signed with you (including electronic agreements signed online and corresponding platform rules) or other legal documents;
4. As our business develops, we and our affiliates may undergo mergers, acquisitions, asset transfers, or other similar transactions. If such transactions involve the transfer of your personal information, we will require the new company, organization, or individual holding your personal information to continue to be bound by this Policy; otherwise, we will require that company, organization, or individual to obtain your authorization and consent again.

(III) Public Disclosure

We will only publicly disclose your personal information in the following circumstances:

1. After obtaining your explicit consent;
2. Disclosure based on law: We may publicly disclose your personal information in cases of mandatory requirements by law, legal procedures, litigation, or government authorities.

VII. How We Protect Your Personal Information

We take the security of your personal information very seriously and have adopted industry-standard security measures to protect the personal information you provide, to prevent data from unauthorized access, public disclosure, use, modification, damage, or loss. We will take all reasonably practicable measures to protect your personal information.

1. Shanghai Yuhuan Technology Co., Ltd. and its affiliates have appointed a dedicated Personal Information Protection Officer responsible for handling all matters related to users' personal information in the products and services of Shanghai Yuhuan Technology Co., Ltd. and its affiliates, as well as for planning and formulating company policies, reviewing user agreements for each product, and supervising the working principles and information processing mechanisms of each product.

2. We have obtained ISO 27001 Information Security Management System certification, ISO 27701 Privacy Information Management System certification, and have completed the graded evaluation of the Cybersecurity Multi-Level Protection Scheme (MLPS) for key products. In accordance with the requirements of the MLPS, we have formulated an overall policy and security strategy for information security work, established a security management system covering hosts, data, applications, and management, established an information security management committee and an information security executive committee, and designated the System Platform Department as the functional department for product security management. We have clarified the responsibilities, division of labor, and skill requirements for various departments and positions within the security management organization, and have formulated clear employee recruitment and departure management standards.

3. We encrypt the transmission and storage of identifiable personal sensitive information, with encryption strength meeting security requirements to ensure data confidentiality. Our application systems provide identity authentication, user ID uniqueness checks, role-based access control, and use the HTTPS security protocol for communication. We have set a maximum number of concurrent session connections and can monitor and alarm when the system service level drops to a pre-specified minimum. We deploy access control mechanisms on the server side, adopt the principle of least privilege for staff who may have access to your personal information, and regularly review the list of access personnel and access records. Our server operating systems and database systems have password complexity requirements, use the SSH security protocol for remote management, strictly restrict the access rights of default accounts, have changed default passwords, and have comprehensive audit records covering all users.

4. The server systems where we store user personal information are all security-hardened operating systems. We conduct account auditing and monitoring of server operations. If a server operating system with a publicly announced security vulnerability is discovered, we will perform a server security upgrade at the earliest opportunity to ensure the security of all server systems and applications.

5. We regularly hold training sessions on personal information protection laws and regulations for our staff to enhance their awareness of user privacy protection.

6. We have formulated a network security incident emergency response plan and allocated sufficient resources to ensure its execution. We conduct training and emergency drills for the emergency plan annually. In the unfortunate event that our physical, technical, or administrative protective measures are compromised, we will promptly activate the emergency plan to prevent the security incident from escalating, report to the competent national authorities as required by laws and regulations, and promptly inform you of the basic situation of the security incident, its possible impact, the measures we have taken or will take, etc., through reasonable and effective means such as push notifications and announcements.

VIII. Your Rights

If you are using a personal account, you can access and manage your personal information in the following ways during your use of CoRaccoon:

(I) Accessing and Correcting Your Personal Information You have the right to query, correct, or supplement your information. If you wish to access and correct other personal information, you can do so by visiting the 【Account Settings】 section on the CoRaccoon website to access and correct your username, email, and password.

(II) Deleting Your Personal Information You can request us to delete your personal information in the following situations:

1. We have collected your personal information illegally without your consent.
2. Our processing of your personal information violates laws and regulations.
3. We have used and processed your personal information in violation of our agreement with you.
4. You no longer use our products or services.
5. We have ceased to provide services to you.

You can request the deletion of your personal information by sending an email to xiaohuanxiong@sensetime.com, and we will respond within 15 working days. To ensure security, you may need to provide a written request or otherwise prove your identity. We may first ask you to verify your identity before processing your request. When we delete your personal information from our servers, we may not immediately delete the corresponding data from our backup systems but will delete it during the next backup update. Please note that if deleting your personal information is technically difficult, we will promptly stop processing your personal information.

(III) Withdrawing Your Consent Each business function requires some basic personal information to be completed. For other personal information you provide voluntarily, you can give or withdraw your consent at any time. Your withdrawal of consent does not affect our previous processing activities based on your consent, but we will not continue to process your personal information. You can contact us to change the scope of your authorized consent by sending an email to xiaohuanxiong@sensetime.com. To ensure security, you may need to provide a written request or otherwise prove your identity. We may first ask you to verify your identity before processing your request.

(IV) Deleting Your Account You can contact us to delete your account at any time by sending an email to xiaohuanxiong@sensetime.com or directly delete your account by visiting 【Account Settings - My Account - Delete Account】 on xiaohuanxiong.com. To ensure security, you may need to provide a written request or otherwise prove your identity. We may first ask you to verify your identity before processing your request.

(V) Unsubscribing from Marketing Messages If you no longer wish for us to use your email to send you promotional offers or other marketing materials, please contact us by sending an email to xiaohuanxiong@sensetime.com. To ensure security, you may need to provide a written request or otherwise prove your identity. We may first ask you to verify your identity before processing your request.

(VI) Obtaining a Copy of Your Personal Information You can contact us to obtain a copy of your personal information by sending an email to xiaohuanxiong@sensetime.com. To ensure security, you may need to provide a written request or otherwise prove your identity. We may first ask you to verify your identity before processing your request.

Where technically feasible, such as if data interfaces are compatible, we can also, at your request, directly transfer a copy of your personal information to a third party designated by you.

A special reminder: if you are using a team account and have questions about the processing of your personal information or wish to exercise your rights, you should contact your team administrator. We will provide cooperation within a reasonable scope.

IX. How We Handle Minors' Personal Information

Our products and services are intended for adults only. Minors under the age of 18 are not permitted to use our products or services.

If we discover that we have collected personal information from a minor, we will try to delete the relevant data as soon as possible.

X. Changes and Revisions to this Policy

Our Privacy Policy may change. We will not restrict your rights under this Policy without your explicit consent.

For material changes to this Policy, we will provide a prominent notice. You can also review the latest policy on the CoRaccoon platform at any time.

Material changes referred to in this Policy include, but are not limited to:

1. Significant changes in our service model, such as the purpose of processing personal information, the types of personal information processed, the way personal information is used, etc.;

2. Significant changes in our control, etc., such as changes in ownership caused by mergers and acquisitions, etc.;

3. Changes in the main recipients of personal information sharing, transfer, or public disclosure;

4. Significant changes in your rights to participate in the processing of personal information and the ways to exercise them;

5. When our responsible department for personal information security, contact methods, and complaint channels change;

6. When the personal information security impact assessment report indicates a high risk.

Your continued use of our products and services after such changes and revisions will be deemed as your agreement to the changes and revisions of this Policy.

XI. How to Contact Us

Shanghai Yuhuan Technology Co., Ltd. is the operating entity of CoRaccoon, with its contact address at 1900 Hongmei Road, Caohejing Emerging Technology Development Zone, Xuhui District, Shanghai. If you have any questions, comments, suggestions, or complaints about our policy and our processing of your personal information, please send an email to xiaohuanxiong@sensetime.com. Under normal circumstances, we will respond to your request within 15 working days.

Please understand that due to material review, business verification, operational procedures, and other reasons, the time to complete the processing of user requests may be longer than the above time limit. If you are not satisfied with our response, especially if our personal information processing has harmed your legitimate rights and interests, you can also file a complaint or report to regulatory authorities such as the Cyberspace Administration, Telecommunications, Public Security, and Administration for Market Regulation in our locality; or file a lawsuit with a court of competent jurisdiction in our locality. We hope that users can engage in friendly negotiations with us before complaining or suing the government or court, and we welcome and appreciate users' supervision and suggestions.

XII. Effectiveness of this Policy

This version of the Policy was updated on September 25, 2025, and will become effective on September 25, 2025.