What we collect and why
WUWE Holographic Research Lab ("we", "our", "us") operates the Quantum Flow Bio-Sync OS Chrome extension, the @QuantumFlowOS_bot Telegram Bot, and the website wuweholographic.com (collectively, the "Service"). This policy explains what personal data we collect, how we use it, and your rights over it.
We collect the minimum data necessary to operate the Service. We do not sell your data. We do not display advertisements.
Information collected
| Data | Purpose | Stored | Retention |
|---|---|---|---|
| Email address | License validation and digital delivery | Supabase (PostgreSQL, encrypted at rest) | Duration of account |
| Hardware ID (HWID) | Device binding to prevent license sharing (extension only) | Supabase (PostgreSQL, encrypted at rest) | Duration of license |
| License key | Tier authentication | Supabase (PostgreSQL, encrypted at rest) | Duration of license |
| Referral code | Referral reward tracking | Supabase (PostgreSQL, encrypted at rest) | Duration of account |
| AI Scan request text | Processing personalised wellness requests | Supabase (PostgreSQL, encrypted at rest) | 30 days after delivery |
| Birth data (Master & TG Blueprint buyers) | BaZi PDF Blueprint generation via Dify + PDFMonkey | Transient — passed through Dify pipeline only | Not persisted in our database. Deleted from upstream provider caches per their retention policies. |
| Telegram chat_id & username | Delivering messages, files and reports via Telegram Bot | Supabase (PostgreSQL, encrypted at rest) | Duration of account |
| Payment metadata | Order reconciliation, refund handling, fraud prevention | Supabase (PostgreSQL) + Stripe | 7 years (statutory accounting requirements) |
| Generated PDF reports | Re-delivery of purchased Blueprint within delivery window | PDFMonkey hosted storage (signed URLs) | Up to 90 days after generation |
Birth data handling: Birth date, time, and location submitted for Blueprint generation (Chrome Extension Master tier or Telegram Bot Blueprint purchases) are passed through an encrypted Dify workflow solely to generate your personalised PDF. This data is not written to our primary user database. Only your account identifier (email or Telegram chat_id) and submission timestamp are retained for delivery confirmation and re-delivery support.
Extension data handling
Local storage (on your device only)
The Quantum Flow extension stores the following data locally in chrome.storage.local, on your device only. This data is never transmitted to our servers:
- Your licence key (for authentication)
- Session count and streak data
- Element usage statistics
- User-selected timer preferences
- Blueprint submission status
Host permissions
The extension requests access to all pages (<all_urls>) solely to inject the fullscreen breathing overlay (霸屏) on the active tab when a protocol is triggered. The extension does not read, collect, or transmit any content from the pages you visit.
Data transmitted to our backend
The extension sends only the following to our backend (Supabase via n8n) when you interact with paid features:
- License key + HWID — for verification on each session start
- Email address — at registration and at Master tier purchase
- Birth data — only when you submit the Blueprint form (Master tier)
- Anonymous usage events (e.g.
register,verify,blueprint_submit) — for fraud detection and feature analytics
Telegram Bot data handling
Data we collect when you message the bot
When you interact with @QuantumFlowOS_bot, the Telegram platform forwards the following to our backend:
- Telegram chat_id — required for the bot to reply to you
- Telegram username (if set) — used for support and referral attribution
- Language code — used to localise replies
- Message contents you send to the bot — including birth data you supply for BaZi or AI Scan requests
What the bot does not collect
- Your phone number (Telegram does not share this with bots by default, and we do not request it)
- Messages from groups or channels you are in (the bot only sees messages directly addressed to it)
- Your Telegram contacts
How conversations are processed
Bot interactions flow through our self-hosted n8n automation server, are written to Supabase as session and event records, and are routed to AI providers (Dify) only for the analysis you explicitly request. Birth data submitted through the bot follows the same transient-processing rule described in section 02.
Deleting your bot data
To delete all data associated with your Telegram account, send /delete_me to the bot, or email [email protected] referencing your Telegram username. We will purge your records within 14 days, except where retention is required by law (e.g. payment records).
Sub-processors
We use the following third-party services to operate the Service. Each is bound by its own privacy policy and, where applicable, a data processing agreement with us:
- Stripe — Payment processing. Stripe's privacy policy applies to payment data. We do not store card information.
- Supabase — Primary user database (PostgreSQL). Stores account, license, session and event data. Hosted in EU region with encryption at rest and in transit.
- n8n (self-hosted) — Automation and webhook routing. Runs on infrastructure we control; no data is shared with the n8n vendor.
- Dify — AI workflow engine used exclusively for Blueprint, AI Scan, and TCM analysis generation.
- PDFMonkey — PDF generation and signed-URL hosting for Blueprint and other purchased reports.
- Resend — Transactional email delivery (license keys, PDF delivery, support replies).
- Telegram Messenger LLP — Bot infrastructure. Telegram receives all messages you send to the bot under its own privacy policy.
- Cloudinary — Legacy media hosting for previously generated Blueprint PDFs. Being phased out in favour of PDFMonkey.
GDPR & CCPA rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and associated data.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing where our legal basis is legitimate interest.
- Restriction: Request that we restrict processing of your data.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
California residents (CCPA): We do not sell personal information. You have the right to know what data we collect and to request deletion.
Cookies
The wuweholographic.com website does not use tracking cookies or third-party analytics. The Chrome extension does not use cookies. The Telegram Bot does not use cookies (Telegram handles session state on its own platform). We do not use cross-site tracking technologies.
How we protect your data
All data in transit is encrypted via HTTPS/TLS. Our Supabase PostgreSQL database is access-controlled via service-role keys held only by authorised personnel and is encrypted at rest. Our n8n automation server runs on a dedicated, firewalled instance with key-based SSH access only. Stripe handles all payment data under PCI-DSS Level 1 compliance. We conduct periodic reviews of our data access controls and rotate API credentials on a regular schedule.
Policy updates
We may update this policy periodically. The effective date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy. Material changes will be communicated via email and, for Telegram Bot users, via in-bot notification.