Privacy Policy
How XinoAPI collects, uses, and protects your data — written in plain English.
- Overview and Plain-English Summary
- Data We Collect
- How We Use Data
- API Request and Response Content
- Third-Party Sharing
- International Data Transfers
- Data Retention
- Data Security
- Your Rights (GDPR, CCPA, and Others)
- Cookies and Tracking
- Regional Access Restriction
- Children's Privacy
- Changes to This Policy
- Contact and Data Protection Officer
1. Overview and Plain-English Summary
XinoAPI ("we", "us") provides a unified API gateway that routes requests to large language models operated by third parties. We take your privacy seriously and have designed our service to minimize data collection.
We collect what we need to run a paid service: your email, payment info (via Stripe), and metered usage (token counts, model used, timestamps). We do not store the plaintext of your prompts or the model's responses beyond the time it takes to answer your request. Where audit controls are enabled, we may keep non-reversible cryptographic hashes or metadata for integrity checks. We do not train AI models on your data. We do not sell your data. When you call a model, your prompt necessarily reaches the upstream provider that operates that model — and some of those providers are based in mainland China.
This policy explains the details. If anything is unclear, email privacy@xinoapi.com.
XinoAPI's paid API service is intended for users and businesses outside mainland China. We may use IP geolocation, payment country, account metadata, and abuse signals to block registration, payments, dashboard access, or API calls that appear to originate from mainland China, except for approved administrator access.
2. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email, hashed password, display name, account creation date | You (or GitHub/Google OAuth) |
| OAuth identity | GitHub username, Google email, profile photo URL | GitHub or Google when you log in |
| Payment data | Last 4 digits of card, billing country, transaction history | Stripe (we never see full card numbers) |
| Usage data | Token counts per request, model used, timestamps, latency, error codes | Generated by our gateway |
| API request hashes | SHA-256 hashes of request and response bodies (audit only) | Generated by our gateway |
| Technical data | IP address, user agent, request headers | Your browser or HTTP client |
| Communication | Support emails, feedback messages | You |
| Analytics | Aggregate page views, button clicks (no PII) | Google Analytics 4 |
What we do NOT collect:
- Plaintext prompts or model responses (only hashes are retained)
- Full credit card numbers (handled by Stripe)
- Biometric or genetic data
- Browsing history outside our website
- Data about you from data brokers
3. How We Use Data
We use the data we collect to:
- Provide the Service: route API requests, authenticate accounts, deduct credits, generate dashboards
- Bill you: process payments via Stripe, calculate usage, send invoices
- Secure the Service: detect abuse, fraud, and unauthorized access; maintain audit logs (using hashes, not content)
- Comply with the law: respond to legal requests, enforce our Terms, prevent illegal activity
- Communicate with you: send service emails (account verification, billing, security alerts) and, with your consent, product updates
- Improve the Service: aggregate, anonymized analytics (e.g., "DeepSeek V4 has higher error rates than Qwen 3.6 in region X")
We do NOT:
- Use your prompts or responses to train AI models
- Sell, rent, or trade your personal data
- Use your data for advertising on third-party platforms (we do not run retargeting campaigns)
- Profile you for purposes unrelated to providing the Service
4. API Request and Response Content
This section is the most important. Read it carefully.
What happens when you call our API
When you make an API request to api.xinoapi.com/v1/..., the following happens:
- Your request enters our gateway servers in Singapore (AWS) or Frankfurt (Cloudflare edge)
- Our gateway computes a SHA-256 hash of your request body and forwards the request to the appropriate Upstream Provider
- The Upstream Provider's servers (which may be in mainland China, Singapore, or the United States) generate a response
- Our gateway receives the response, optionally signs it with HMAC-SHA256, scans it for malicious content, and forwards it to you
- The audit log records the timestamp, request hash, response hash, model used, token counts, and latency. The plaintext content is NOT logged.
What we store after the response is sent
After the API response is delivered to you:
- The plaintext of your prompt and the response is discarded from our servers
- We retain only the SHA-256 hashes (64 hexadecimal characters each) for audit purposes
- We retain metadata: timestamp, model, token counts, your account ID, the API key used (hashed)
What Upstream Providers do with your prompts
When you call a model, the prompt necessarily reaches the Upstream Provider that operates that model. We have no control over what the Upstream Provider does with the prompt after it reaches them. We attempt to opt out of training data usage where possible, but we cannot guarantee that no provider will use your prompts to improve their models, comply with their local laws, or share data with their own service providers.
For each major Upstream Provider, here is the current state of their data practices (as of April 2026):
| Provider | Data Region | Training Opt-Out |
|---|---|---|
| DeepSeek | Mainland China | API requests opted out by default |
| Alibaba (Qwen) | Singapore (international tier) | Available; we apply opt-out by default |
| Zhipu (GLM) | Mainland China | Enterprise tier only; standard tier may be used |
| Moonshot (Kimi) | Mainland China | API requests opted out by default |
| MiniMax | Mainland China + Singapore | Available; we apply opt-out by default |
If you need stricter data handling guarantees, we strongly recommend using our XinoAPI Privacy SDK, which performs client-side PII redaction before the prompt leaves your environment. The SDK is open-source and free.
5. Third-Party Sharing
We share data with the following categories of third parties only as described:
| Recipient | What We Share | Purpose |
|---|---|---|
| Upstream Providers (DeepSeek, Alibaba, Zhipu, Moonshot, MiniMax) | Your prompt content, our forwarding API key, request metadata | To generate the model response you requested |
| Stripe, Inc. | Email, billing address, payment method details | Process payments |
| Amazon Web Services | Encrypted account data, request logs (no plaintext content) | Hosting and infrastructure |
| Cloudflare, Inc. | HTTP traffic metadata, cached static assets | Edge caching, DDoS protection, DNS |
| Google (Analytics) | Anonymized page views, click events | Website analytics (you can opt out via your browser) |
| Google / GitHub (OAuth) | OAuth handshake data only when you choose to log in | Authentication |
| Email service (Resend or similar) | Your email address, message content | Send transactional emails (verification, billing receipts) |
| Legal authorities | Only data legally required (account info, subpoenaed records) | Comply with binding legal requests; we challenge overbroad requests |
We do NOT share or sell data to advertising networks, data brokers, or marketing services.
6. International Data Transfers
XinoAPI operates from Singapore. Your data may be transferred to, processed in, or stored in:
- Singapore: primary servers (AWS ap-southeast-1)
- United States: Stripe, Cloudflare, AWS regions, Google Analytics
- European Union: Cloudflare edge nodes, EU customer routing
- Mainland China: when your prompt is routed to DeepSeek, Zhipu, Moonshot, or MiniMax
For EU/EEA users (GDPR)
We rely on the following legal bases for transfers outside the EU/EEA:
- Adequacy decisions where applicable (e.g., transfers to UK, Switzerland, Canada commercial)
- Standard Contractual Clauses (SCCs) with non-adequate jurisdictions, where the recipient processes data on our behalf
- Performance of contract when the transfer is necessary to deliver the Service you requested (e.g., when you specifically choose a model hosted in mainland China)
For transfers to mainland China specifically, please be aware that Chinese law (including the Data Security Law and Personal Information Protection Law) may grant Chinese authorities access to data processed there. If this is unacceptable for your use case, we recommend either using only Upstream Providers based outside China (e.g., self-hosted models) or applying client-side PII redaction via our Privacy SDK.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, OAuth identity) | While account is active + 30 days after closure |
| Payment records | 7 years (legal accounting requirement) |
| API request hashes and metadata | 13 months |
| API key (hashed) | Until revoked + 30 days |
| Plaintext prompts and responses | Not retained (discarded after response delivery) |
| Server logs (IP, user agent) | 30 days |
| Email correspondence | 3 years |
| Backups | Encrypted, retained 90 days, then automatically deleted |
8. Data Security
We protect your data with industry-standard practices:
- Encryption in transit: TLS 1.3 for all API and dashboard connections
- Encryption at rest: AES-256 for stored data and backups
- API key hashing: stored using salted SHA-256 hashes; we cannot recover lost keys
- Network isolation: production databases not exposed to the public internet
- Access controls: role-based access, multi-factor authentication for our team
- Audit logging: optional hash-chained audit logs for API calls where enterprise audit controls are enabled
- Vendor reviews: we review the security posture of Stripe, AWS, Cloudflare, and our Upstream Providers
- Regular updates: dependencies are updated regularly to patch known vulnerabilities
No security system is perfect. If you suspect a security incident, please email security@xinoapi.com immediately. We have a responsible disclosure policy and welcome reports from researchers.
9. Your Rights
Universal rights (regardless of jurisdiction)
You can:
- Access your data: download a copy of your account data, usage history, and audit logs
- Correct your data: update your email, name, or other profile information from the dashboard
- Delete your account: close your account and request deletion of personal data (subject to legal retention requirements like accounting records)
- Revoke API keys: terminate any API key from the dashboard at any time
- Export your data: receive your data in a structured, machine-readable format (JSON)
If you are in the EU/EEA, UK, or Switzerland (GDPR)
You additionally have the right to:
- Restrict or object to processing
- Data portability
- Withdraw consent (where consent is the legal basis)
- Lodge a complaint with your local data protection authority. For EU users, we are subject to the EDPB; you can find your local DPA at edpb.europa.eu
If you are in California (CCPA/CPRA)
You have the right to:
- Know what personal information we collect, use, and share
- Delete personal information we hold about you
- Correct inaccurate personal information
- Opt out of "sales" or "sharing" of personal information (we do not sell or share, but you can confirm this)
- Limit use of "sensitive personal information" (we do not collect special categories)
- Non-discrimination for exercising these rights
To exercise any right, email privacy@xinoapi.com. We will respond within 30 days (45 days for complex requests). We may need to verify your identity before processing the request.
10. Cookies and Tracking
We use a minimal set of cookies and similar technologies:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Keep you logged in | 30 days |
| csrf_token | Prevent cross-site request forgery | Session |
| _ga, _gid (Google Analytics) | Anonymized site analytics | Up to 2 years (you can opt out) |
| theme | Remember your dark/light mode preference | 1 year |
We do NOT use:
- Advertising cookies or pixels (no Meta Pixel, no Google Ads conversion, no LinkedIn Insight Tag)
- Cross-site tracking
- Session replay tools (no FullStory, no Hotjar)
You can disable cookies in your browser settings. The Service will continue to function, but you may need to log in more frequently. To opt out of Google Analytics specifically, install the Google Analytics Opt-out Browser Add-on.
11. Regional Access Restriction
To maintain a clear cross-border compliance boundary, XinoAPI does not permit users located in mainland China to register for, purchase, access, or use the paid API service. We may process technical data such as IP address, country/region inference, user agent, request path, timestamp, payment country, and account status to enforce this restriction, prevent circumvention, and protect the Service.
Approved XinoAPI administrators may connect from controlled networks or fixed IP addresses for operational maintenance. Those accesses are logged as security metadata.
12. Children's Privacy
The Service is not intended for individuals under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@xinoapi.com and we will delete the information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send you an email at least 30 days before the changes take effect (for material changes)
- Post a prominent notice on our website
For non-material changes (clarifications, additional details), the updated policy becomes effective immediately. Your continued use of the Service after the effective date constitutes acceptance of the changes.
14. Contact and Data Protection Officer
For privacy-related questions or to exercise your rights:
- Email: privacy@xinoapi.com
- Postal address: Available on request via privacy@xinoapi.com
- Response time: Within 30 days (45 days for complex requests)
For other inquiries:
- Security: security@xinoapi.com
- Legal: legal@xinoapi.com
- General support: support@xinoapi.com
If you have unresolved concerns, you have the right to lodge a complaint with your local data protection authority.