AstroBox Privacy Policy
Last Updated: July 1, 2026
AstroBox (hereinafter referred to as the “Software,” “App,” or “we”) is an open-source cross-platform wearable device management toolbox used to connect, manage, and maintain wearable devices owned by or lawfully used by users. This Privacy Policy explains how the Software processes device information, account information, logs, files, network requests, and data related to third-party services.
The source code of this Software is released under the GNU Affero General Public License v3 (AGPL v3), allowing users and the community to inspect its implementation. We do not sell user data, do not serve personalized advertisements, do not use third-party advertising SDKs, and do not use data for cross-app or cross-website tracking.
1. Data We Process
1.1 Device Information
When you voluntarily connect a wearable device via Bluetooth, the Software may read the following information from the device. This data is primarily processed locally to display device status, install resources, check firmware updates, or perform device management operations:
- Device serial number, model, MAC address, hardware version, system version, and firmware version;
- IMEI (if supported and returned by the device protocol);
- Battery level, charging status, and storage usage;
- Information about installed watch faces, applications, music playlists, and other device content.
Such information is processed or stored locally on your device by default and is not automatically uploaded to our servers.
1.2 Account Information (Optional)
The Software supports optional sign-in to Xiaomi accounts, vivo accounts, AstroBox accounts, and BandBBS community accounts. Authentication occurs only when you voluntarily choose to use related features.
Depending on the account type, the Software may store the following data in the local WebView’s localStorage:
- Xiaomi Account: Cookie tokens, ServiceToken, Device ID, cUserId;
- vivo Account: Cookie tokens;
- AstroBox Account: OAuth2 access token and refresh token;
- BandBBS Account: Community cookie tokens;
- Account Metadata: Account ID, nickname, and avatar URL.
Account tokens are used only for operations initiated by you, such as checking firmware updates, downloading community resources, or accessing account-bound resources. We do not sell, rent, or use such data for advertising or tracking purposes.
1.3 Local Logs
The Software generates local runtime logs for diagnostics and troubleshooting. Logs typically include timestamps, log levels, module names, runtime states, and error messages.
- Storage location: OS-managed application log directory;
- File format:
{app_name}_{date}.log; - Retention policy: last 7 days by default;
- Debug console: last 2000 entries stored in memory only and cleared when the app exits.
Logs are never automatically uploaded. If you voluntarily submit logs for support, please ensure they do not contain information you do not wish to share.
1.4 User-Imported Files
The Software supports files selected by users, including:
| File Type | Extension | Purpose |
|---|---|---|
| Mini App | .rpk | Install to supported wearable devices |
| Watch Face | .face | Install to supported wearable devices |
| Binary Resource | .bin | Generic device resource |
These files are processed locally and transferred to devices via Bluetooth. They are not automatically uploaded unless you explicitly choose to upload, share, or download resources.
2. Purpose of Data Processing
- Connect to and identify user-selected wearable devices;
- Display device status, firmware version, battery, storage, and installed content;
- Install, manage, or transfer watch faces, mini apps, music, and resource files;
- Check firmware updates or download community resources when requested;
- Complete authentication and authorization;
- Troubleshoot issues and improve stability and security.
3. Network Communication and Third-Party Services
3.1 Bluetooth Communication
The Software communicates with wearable devices using Bluetooth Classic SPP or BLE. Bluetooth permission is required before use. Data transmitted may include installation packages, watch faces, device configuration commands, music files, and encrypted handshake data.
The web version of AstroBox may request Web Bluetooth API or Web Serial API permissions, limited to devices you explicitly select.
3.2 HTTPS Requests
The Software may perform network requests in the following scenarios:
| Scenario | Service Provider | Possible Data Transmitted | Trigger |
|---|---|---|---|
| Fetch community resource index | GitHub / CDN | Resource index request | User action |
| Download community resources | GitHub / CDN | Download request metadata | User action |
| Xiaomi account login / firmware query | Xiaomi official services | OAuth info, device model, firmware version | User action |
| vivo account login / firmware query | vivo official services | Cookies, device model, firmware version | User action |
| AstroBox account authentication | AstroBox services | OAuth2 tokens and auth data | User action |
| BandBBS login | BandBBS services | Cookie tokens and request metadata | User action |
| DNS over HTTPS | AliDNS / DNSPod / custom DoH | DNS queries | User-enabled |
All remote requests use HTTPS or equivalent secure transport. Third-party services independently process data under their own privacy policies.
4. Data Sharing
We do not sell, rent, or trade your personal data. We only share data under the following circumstances:
- You voluntarily use third-party services such as Xiaomi, vivo, BandBBS, GitHub, or DoH providers;
- You voluntarily submit logs, feedback, or support requests;
- Disclosure is required by law, legal process, or regulatory obligations.
5. Data Storage and Retention
| Data Category | Storage Location | Retention |
|---|---|---|
| Account tokens and metadata | WebView / browser localStorage | Until logout, data clearance, or uninstall |
| Application logs | OS log directory | Last 7 days by default |
| Downloaded resources | Application data directory | Until deleted or app uninstall |
| User-imported files | User-selected location | User-managed |
| Network configuration (e.g. DoH) | localStorage | Until modified or deleted |
6. Security Measures
- Remote requests use HTTPS;
- Bluetooth communication uses device-protocol encryption where available;
- Resource integrity may be verified using SHA-256;
- Account tokens are stored locally and sent only when required by user actions.
No transmission or storage method can guarantee absolute security. Please keep your device and accounts secure.
7. Children’s Privacy
The Software is not intended for children under 13. We do not knowingly collect personal information from children under 13.
8. User Rights, Account Deletion, and Data Removal
- Log out to clear locally stored account tokens;
- AstroBox accounts may be deleted through in-app or website account management;
- Associated data will be deleted or anonymized as required by law after deletion;
- Third-party account deletion must be handled through corresponding providers;
- Uninstall the app to remove local app data;
- Manually delete logs and cached files;
- Clear browser site data for the WebAssembly version;
- Revoke Bluetooth, network, or file permissions at system level.
9. App Store Privacy Disclosure
For the iOS version, App Store privacy labels are declared according to actual data handling. Most data is processed locally. When you use login, firmware queries, community downloads, DNS over HTTPS, or third-party services, necessary requests may be sent to corresponding providers. We do not use data for tracking.
10. Build Information
The Software may display build metadata such as Git commit hashes, build timestamps, and build environment usernames for version tracing and diagnostics only.
11. Open Source and Transparency
AstroBox is free and open-source software licensed under GNU AGPL v3 (with additional terms). Users may inspect source code, audit implementation, report issues, or contribute.
12. Changes to This Policy
We may update this Privacy Policy due to feature changes, legal requirements, or platform rules. Material changes will be announced through release notes, in-app notices, or our official website.
13. Contact
- Application Identifier:
com.astralsight.astrobox - Official Domain:
astrobox.online、abox.run - GitHub: Please submit issues through the project repository
警告This Privacy Policy is written in English for international reference. In case of conflict between different language versions, the Chinese version shall prevail.



