1.1 Collection methods

We start collecting and using personal information only after you read and agree to this privacy policy. Collection methods include:

• Information you provide, such as account registration and feedback.
• Information collected after your authorization, such as device and log information.
• Information collected by third-party SDKs after authorization, such as device identifiers and network information.

1.2 Types and purposes

To keep app functions running properly, we may collect the following information after authorization, each for a clear purpose:

• Network access permission for server connection, content loading, login, and resource access.
• Device information such as model, system version, and resolution for adaptation and performance optimization.
• Installed app list to check compatibility and support app calls or jumps. We do not collect unrelated app information.
• Media or storage permission for importing sheet files, images, and music resources. We do not read unrelated file content.
• Floating window permission for playback controls and teaching overlays. You may refuse it, but some features may be affected.
• Foreground service permission for stable background music playback and other core features.
• Screen capture or recording permission for key-position recognition after user consent.
• Install package permission for app installation or updates, always requiring user confirmation.
• Sensor information may be accessed by third-party webpages opened in WebView after browser authorization. Such data is handled by the third party and is not actively collected, stored, or uploaded by us.

2.1 Purposes

We value privacy protection and mainly collect and use personal information to:

• Provide, maintain, and improve services, including development, quality control, and troubleshooting.
• Provide personalized services, including recommendations and settings.
• Communicate service notices, account security reminders, updates, and marketing messages where permitted.
• Perform data analysis and research to improve products and services.
• Prevent fraud, abuse, security risks, and illegal activities.
• Comply with laws and cooperate with regulators.

2.2 Use methods

We may use personal information in the following ways:

• Provide personalized recommendations and service experiences based on usage habits and preferences.
• Analyze user behavior to optimize product functions and service quality.
• Share necessary information with third-party service providers to provide complete services.
• Use information for security, anti-fraud, anti-cheating, and risk control.
• Use information for other purposes permitted by law.

2.3 De-identification

For analysis and research, we de-identify collected information so it cannot identify a specific person. De-identified information may be used to improve products and services and may be shared for lawful purposes.

3.1 Retention period

We retain personal information for the shortest period necessary to achieve the purposes described in this policy, unless law requires otherwise or you consent.

3.2 Storage method

We use physical, technical, and organizational measures to protect personal information from unauthorized access, use, modification, or disclosure.

4.1 Sharing

We may share personal information with third parties in the following cases:

• Sharing with your explicit consent.
• Sharing required by laws, litigation, dispute resolution, or lawful requests from authorities.
• Sharing with authorized partners only to achieve purposes stated in this policy and provide better service.
• Sharing with affiliates to provide consistent services under a unified account system.

4.2 Transfer

We do not transfer personal information to companies, organizations, or individuals except:

• Transfer with your explicit consent.
• Transfer during merger, acquisition, or bankruptcy liquidation, while requiring the new holder to remain bound by this policy or obtain your consent again.

4.3 Public disclosure

We publicly disclose personal information only:

• After your explicit consent.
• When required by law, legal procedures, litigation, or competent government authorities.

4.4 Exceptions to prior consent

Under applicable laws, consent may not be required for sharing, transfer, or disclosure in cases directly related to:

• National security or national defense.
• Public safety, public health, or major public interests.
• Criminal investigation, prosecution, trial, or judgment enforcement.
• Protecting major lawful interests such as life or property when consent is difficult to obtain.
• Information you publicly disclosed yourself.
• Information collected from lawful public disclosures such as news reports or government information.

10.1 Identity verification and registration retention

This product is a piano practice and teaching tool. It currently does not provide phone registration or real-name verification. Registration and login use account password, email, and third-party login such as QQ. We retain necessary account identifiers, registration time, recent login time, device information, app version, and login IP where available for account security and risk control, generally for at least 12 months before cleanup or archiving.

10.2 Account, log, and published information retention

We keep account and operation logs, including user ID, operation time, operation type, request interface or page, result status, client IP, User-Agent, device model, system version, and app version. Logs are centrally stored with access control, audit, desensitization, HTTPS transmission, encryption, and permission management. Logs are retained for at least 12 months.

10.3 Prevention and handling of illegal or harmful information

This product does not provide public content distribution features such as public squares, reposting, comments, or groups. Editable display fields such as nicknames, avatars, and bios may be filtered and risk-controlled. If illegal content is found, we may prompt modification, restrict changes, restrict login, or ban accounts and retain handling records for at least 12 months.

10.4 Protection and risk control measures

We follow data minimization, provide notices and obtain authorization, use HTTPS, apply permission controls, audits, desensitization, and encrypted storage, and regularly perform security hardening and fixes. Public dissemination risk is low, and editable fields are subject to filtering, account risk controls, manual checks, and reporting channels.

10.5 Complaints and reports

We maintain complaint and report mechanisms. In-app path: Settings / Help and Feedback / Complaint and Report. Support email: email@fishceo.com. Other channel: WeChat public account “Finelo”. We will receive, verify, handle, and retain related records.

10.6 Regulatory and law-enforcement assistance

We maintain procedures to assist regulators and law enforcement according to law. Upon receiving valid legal documents, authorized staff will review requests and provide necessary registration information, login and operation logs, or handling records under minimization principles, with encrypted transfer and approval records. User reports about account issues, profile violations, or infringement will be handled and retained for at least 12 months.