Privacy Policy

Last updated: May 8, 2026

XinYu AI ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, applications, and related services (collectively, the "Service"). Please read this policy carefully. By using the Service, you consent to the practices described herein.

1. Information We Collect

1.1 Information You Provide

Account Information: When you register, we collect your email address, display name (nickname), and password (stored as a cryptographic hash using bcrypt). If you register via Google OAuth, we receive your name, email address, and profile picture from Google.
Payment Information: When you purchase Xin Points or subscribe to a plan, payment is processed by Stripe, Inc. We do not store your full credit card number or bank account details. We receive and store your Stripe customer ID, transaction references, and payment status.
Content You Upload: Reference images, videos, audio files, prompts, and other materials you upload to the Service.
Canvas and Project Data: Your canvas layouts, project configurations, workflow settings, and template data.
Communications: If you contact us for support, we collect the information you provide in your messages.

1.2 Information Collected Automatically

Usage Data: We collect information about how you interact with the Service, including features used, generation tasks submitted, models selected, and settings configured.
Device and Technical Data: Browser type and version, operating system, screen resolution, device identifiers, and referring URLs.
IP Address: We collect your IP address for security purposes, rate limiting, and fraud prevention.
Log Data: Server logs that record requests made to our Service, including timestamps, API endpoints accessed, and response status codes.

1.3 Cookies and Similar Technologies

We use essential cookies to maintain your session and authentication state (JWT session cookies). We do not use third-party advertising or tracking cookies. Your session cookie has a maximum age of 30 days.

2. How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service: To operate, maintain, and deliver the features and functionality of the Service, including processing your AI generation tasks and managing your projects.
Account Management: To create and manage your Account, authenticate your identity, and maintain your preferences.
Payment Processing: To process transactions, manage your Xin Points balance, and fulfill Subscription obligations.
Content Compliance: To verify uploaded assets for compliance with content policies and applicable regulations, including automated face detection and NSFW screening.
Security and Fraud Prevention: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues, including rate limiting by IP address.
Service Improvement: To analyze usage patterns, diagnose technical problems, and improve the quality and performance of the Service.
Communication: To send you service-related notices, including account verification, billing notifications, security alerts, and policy updates.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your personal data include:

Contract Performance: Processing necessary to perform our contract with you (providing the Service, managing your Account, processing payments).
Legitimate Interests: Processing necessary for our legitimate interests, including security, fraud prevention, service improvement, and analytics, where such interests are not overridden by your data protection rights.
Legal Obligation: Processing necessary to comply with legal obligations to which we are subject.
Consent: Where you have given specific consent to the processing of your personal data for one or more specific purposes. You may withdraw consent at any time.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 Third-Party Service Providers

Provider	Purpose	Data Shared
Google	OAuth authentication	Email, name, profile picture (received from Google)
Stripe, Inc.	Payment processing	Email, payment details, transaction data
AI Model Providers	Content generation & compliance verification	Prompts, reference images/videos/audio submitted for generation
Cloud Infrastructure	Hosting & storage	All Service data (encrypted at rest and in transit)

4.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Data Retention

Account Data: Retained for the duration of your Account and for a reasonable period afterward (typically 90 days) to allow for account recovery and comply with legal obligations.
Generated Content & Assets: Retained for the duration of your Account. You may delete individual assets at any time through the Service.
Transaction Records: Retained for a minimum of 7 years to comply with financial and tax regulations.
Server Logs: Retained for up to 90 days for security and debugging purposes.
Audit Logs: Retained for a minimum of 2 years for security and compliance purposes.

Upon Account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Passwords are hashed using bcrypt with a cost factor of 12 and are never stored in plaintext
All data in transit is encrypted using TLS/HTTPS
Database access is restricted and monitored
API rate limiting to prevent brute-force attacks
JWT-based session management with configurable expiration
Idempotency keys on financial transactions to prevent duplicate processing
Comprehensive audit logging for administrative actions

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from the laws of your country. When we transfer personal data internationally, we implement appropriate safeguards, such as standard contractual clauses, to ensure your data is protected in accordance with this Privacy Policy and applicable law.

8. Your Rights

8.1 General Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request that we correct inaccurate or incomplete personal data.
Deletion: Request that we delete your personal data, subject to legal retention requirements.
Portability: Request a copy of your data in a structured, machine-readable format.
Restriction: Request that we restrict the processing of your personal data in certain circumstances.
Objection: Object to the processing of your personal data for certain purposes.
Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time.

8.2 GDPR Rights (EEA/UK)

If you are located in the European Economic Area or the United Kingdom, you have the rights described above under the General Data Protection Regulation (GDPR). You also have the right to lodge a complaint with your local data protection authority.

8.3 CCPA Rights (California)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

8.4 Exercising Your Rights

To exercise any of these rights, please contact us at support@xinyuai.app. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with personal information, please contact us at support@xinyuai.app.

10. Do Not Track Signals

Our Service does not respond to "Do Not Track" signals. However, we do not use third-party advertising or behavioral tracking cookies.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service prior to the changes taking effect. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

XinYu AI

Email: support@xinyuai.app