Contents
  1. Overview and Plain-English Summary
  2. Data We Collect
  3. How We Use Data
  4. API Request and Response Content
  5. Third-Party Sharing
  6. International Data Transfers
  7. Data Retention
  8. Data Security
  9. Your Rights (GDPR, CCPA, and Others)
  10. Cookies and Tracking
  11. Regional Access Restriction
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact and Data Protection Officer

1. Overview and Plain-English Summary

XinoAPI ("we", "us") provides a unified API gateway that routes requests to large language models operated by third parties. We take your privacy seriously and have designed our service to minimize data collection.

Plain English

We collect what we need to run a paid service: your email, payment info (via Stripe), and metered usage (token counts, model used, timestamps). We do not store the plaintext of your prompts or the model's responses beyond the time it takes to answer your request. Where audit controls are enabled, we may keep non-reversible cryptographic hashes or metadata for integrity checks. We do not train AI models on your data. We do not sell your data. When you call a model, your prompt necessarily reaches the upstream provider that operates that model — and some of those providers are based in mainland China.

This policy explains the details. If anything is unclear, email privacy@xinoapi.com.

Regional restriction

XinoAPI's paid API service is intended for users and businesses outside mainland China. We may use IP geolocation, payment country, account metadata, and abuse signals to block registration, payments, dashboard access, or API calls that appear to originate from mainland China, except for approved administrator access.

2. Data We Collect

Category Examples Source
Account data Email, hashed password, display name, account creation date You (or GitHub/Google OAuth)
OAuth identity GitHub username, Google email, profile photo URL GitHub or Google when you log in
Payment data Last 4 digits of card, billing country, transaction history Stripe (we never see full card numbers)
Usage data Token counts per request, model used, timestamps, latency, error codes Generated by our gateway
API request hashes SHA-256 hashes of request and response bodies (audit only) Generated by our gateway
Technical data IP address, user agent, request headers Your browser or HTTP client
Communication Support emails, feedback messages You
Analytics Aggregate page views, button clicks (no PII) Google Analytics 4

What we do NOT collect:

3. How We Use Data

We use the data we collect to:

We do NOT:

4. API Request and Response Content

This section is the most important. Read it carefully.

What happens when you call our API

When you make an API request to api.xinoapi.com/v1/..., the following happens:

  1. Your request enters our gateway servers in Singapore (AWS) or Frankfurt (Cloudflare edge)
  2. Our gateway computes a SHA-256 hash of your request body and forwards the request to the appropriate Upstream Provider
  3. The Upstream Provider's servers (which may be in mainland China, Singapore, or the United States) generate a response
  4. Our gateway receives the response, optionally signs it with HMAC-SHA256, scans it for malicious content, and forwards it to you
  5. The audit log records the timestamp, request hash, response hash, model used, token counts, and latency. The plaintext content is NOT logged.

What we store after the response is sent

After the API response is delivered to you:

What Upstream Providers do with your prompts

Important

When you call a model, the prompt necessarily reaches the Upstream Provider that operates that model. We have no control over what the Upstream Provider does with the prompt after it reaches them. We attempt to opt out of training data usage where possible, but we cannot guarantee that no provider will use your prompts to improve their models, comply with their local laws, or share data with their own service providers.

For each major Upstream Provider, here is the current state of their data practices (as of April 2026):

Provider Data Region Training Opt-Out
DeepSeek Mainland China API requests opted out by default
Alibaba (Qwen) Singapore (international tier) Available; we apply opt-out by default
Zhipu (GLM) Mainland China Enterprise tier only; standard tier may be used
Moonshot (Kimi) Mainland China API requests opted out by default
MiniMax Mainland China + Singapore Available; we apply opt-out by default

If you need stricter data handling guarantees, we strongly recommend using our XinoAPI Privacy SDK, which performs client-side PII redaction before the prompt leaves your environment. The SDK is open-source and free.

5. Third-Party Sharing

We share data with the following categories of third parties only as described:

Recipient What We Share Purpose
Upstream Providers (DeepSeek, Alibaba, Zhipu, Moonshot, MiniMax) Your prompt content, our forwarding API key, request metadata To generate the model response you requested
Stripe, Inc. Email, billing address, payment method details Process payments
Amazon Web Services Encrypted account data, request logs (no plaintext content) Hosting and infrastructure
Cloudflare, Inc. HTTP traffic metadata, cached static assets Edge caching, DDoS protection, DNS
Google (Analytics) Anonymized page views, click events Website analytics (you can opt out via your browser)
Google / GitHub (OAuth) OAuth handshake data only when you choose to log in Authentication
Email service (Resend or similar) Your email address, message content Send transactional emails (verification, billing receipts)
Legal authorities Only data legally required (account info, subpoenaed records) Comply with binding legal requests; we challenge overbroad requests

We do NOT share or sell data to advertising networks, data brokers, or marketing services.

6. International Data Transfers

XinoAPI operates from Singapore. Your data may be transferred to, processed in, or stored in:

For EU/EEA users (GDPR)

We rely on the following legal bases for transfers outside the EU/EEA:

For transfers to mainland China specifically, please be aware that Chinese law (including the Data Security Law and Personal Information Protection Law) may grant Chinese authorities access to data processed there. If this is unacceptable for your use case, we recommend either using only Upstream Providers based outside China (e.g., self-hosted models) or applying client-side PII redaction via our Privacy SDK.

7. Data Retention

Data Type Retention Period
Account data (email, OAuth identity) While account is active + 30 days after closure
Payment records 7 years (legal accounting requirement)
API request hashes and metadata 13 months
API key (hashed) Until revoked + 30 days
Plaintext prompts and responses Not retained (discarded after response delivery)
Server logs (IP, user agent) 30 days
Email correspondence 3 years
Backups Encrypted, retained 90 days, then automatically deleted

8. Data Security

We protect your data with industry-standard practices:

No security system is perfect. If you suspect a security incident, please email security@xinoapi.com immediately. We have a responsible disclosure policy and welcome reports from researchers.

9. Your Rights

Universal rights (regardless of jurisdiction)

You can:

If you are in the EU/EEA, UK, or Switzerland (GDPR)

You additionally have the right to:

If you are in California (CCPA/CPRA)

You have the right to:

To exercise any right, email privacy@xinoapi.com. We will respond within 30 days (45 days for complex requests). We may need to verify your identity before processing the request.

10. Cookies and Tracking

We use a minimal set of cookies and similar technologies:

Cookie Purpose Duration
session Keep you logged in 30 days
csrf_token Prevent cross-site request forgery Session
_ga, _gid (Google Analytics) Anonymized site analytics Up to 2 years (you can opt out)
theme Remember your dark/light mode preference 1 year

We do NOT use:

You can disable cookies in your browser settings. The Service will continue to function, but you may need to log in more frequently. To opt out of Google Analytics specifically, install the Google Analytics Opt-out Browser Add-on.

11. Regional Access Restriction

To maintain a clear cross-border compliance boundary, XinoAPI does not permit users located in mainland China to register for, purchase, access, or use the paid API service. We may process technical data such as IP address, country/region inference, user agent, request path, timestamp, payment country, and account status to enforce this restriction, prevent circumvention, and protect the Service.

Approved XinoAPI administrators may connect from controlled networks or fixed IP addresses for operational maintenance. Those accesses are logged as security metadata.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@xinoapi.com and we will delete the information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

For non-material changes (clarifications, additional details), the updated policy becomes effective immediately. Your continued use of the Service after the effective date constitutes acceptance of the changes.

14. Contact and Data Protection Officer

For privacy-related questions or to exercise your rights:

For other inquiries:

If you have unresolved concerns, you have the right to lodge a complaint with your local data protection authority.