Legal

Privacy Policy

Last updated:

This Privacy Policy explains how xilistudios OÜ, the Estonian company behind xili, collects, uses, shares, and protects information when you use the xili mobile app, website, and related services.

1. Who we are and when this policy applies

xili is a mobile-first social app built around random gallery posting. The app asks you to publish a randomly selected photo before you can fully see what your friends posted. xili is provided by xilistudios OÜ, an Estonian company.

This policy applies to the xili app, xili-web pages, support communications, and related features such as profiles, friend requests, posts, comments, ratings, notifications, rewards, rerolls, gems, and purchases.

For personal information covered by this policy, xilistudios OÜ acts as the controller/operator for xili unless a different role is explicitly stated.

For privacy questions, data requests, or company/controller details, contact us at contact@xiliapp.com.

2. Information you give us or create in xili

We collect information you provide directly and information created through your use of the app.

  • Account information, such as your Firebase user ID, email address, display name, username, profile photo, biography, language preference, sign-in provider, and account settings.
  • Profile content, such as avatar images you choose, resized avatar versions, profile edits, and public or friend-visible profile details.
  • Social content, such as posts, captions, comments, ratings, friend requests, friend relationships, notification records, profile share links, unlock status, and feed entries.
  • Support information, such as messages you send to contact@xiliapp.com or through official xili channels.

3. Photos, gallery access, and random posting

xili requests access to your photo library so the app can count eligible images, pick a random gallery asset, show it to you in the posting flow, and let you publish it if you continue.

The app does not upload your entire gallery. A photo is uploaded to xili only when you publish it as a post or choose it as a profile image. Local drafts, selected image references, and lightweight caches may be stored on your device so the posting flow can recover if the app is interrupted.

When you publish, xili may resize, compress, and store the image in Firebase Storage. We also store related post data, such as your user ID, post time, caption text, image type, ratings, and the number of rerolls before publishing.

4. Device, app, purchases, ads, and security information

We collect technical information needed to run and protect xili.

  • Device and app information, such as operating system, app version, locale, notification permission state, Expo push token, and basic diagnostics.
  • Security and integrity information, including Firebase App Check, App Attest, Play Integrity, or debug integrity tokens used to help protect our backend from abuse.
  • Purchase and reward information, including RevenueCat customer identifiers, product IDs, app-store transaction information, purchase or restore status, gem balances, hashed transaction records, reroll counts, reward eligibility, streaks, and ad-watch counters.
  • Advertising information related to rewarded ads, such as ad availability, reward events, ad unit configuration, frequency limits, and information processed by Google Mobile Ads according to its own policies.

5. How we use information

We use information to provide, maintain, secure, and improve xili.

  • Authenticate users and maintain sessions.
  • Create and update profiles, usernames, avatars, friend graphs, feeds, posts, comments, ratings, notifications, unlocks, and rewards.
  • Operate the random posting mechanic, including rerolls, posting verification, feed locking, and feed unlocking.
  • Send push notifications, daily reminders, friend request alerts, comment alerts, rating alerts, and service messages when enabled.
  • Process purchases, restore purchases, credit gems, prevent duplicate transaction credit, and support refunds or account issues.
  • Show rewarded ads, enforce ad limits, and grant eligible in-app rewards.
  • Prevent fraud, spam, abuse, unauthorized access, and violations of our Terms.
  • Respond to support requests, debug issues, analyze reliability, and comply with legal obligations.

6. Legal bases for EEA and UK users

Where European or UK data protection law applies, we rely on the following legal bases depending on the context.

  • Contract, when processing is needed to provide the xili service you request, such as account access, posting, friend features, purchases, and support.
  • Consent, when you grant optional permissions such as photo library access or push notifications, or where consent is required for certain advertising or tracking activity.
  • Legitimate interests, when we secure the service, prevent abuse, improve reliability, maintain app integrity, or communicate about service-related matters in a way that does not override your rights.
  • Legal obligation, when we must keep records, respond to lawful requests, enforce legal rights, or comply with consumer, tax, accounting, safety, or platform rules.

7. How information is shared

xili is social, so some information is shared with other users as part of the product. We also use trusted service providers to operate the app.

  • Other users may see your profile details, posts, comments, ratings, friend-related activity, and related feed or notification details depending on the feature, your friend graph, and the app's unlock rules.
  • Firebase and Google Cloud help us provide authentication, database, storage, cloud functions, security, and hosting infrastructure.
  • Apple and Google may process sign-in, app-store, purchase, platform, and device-integrity information when you use their services.
  • Expo may process push notification tokens and delivery information so notifications can reach your device.
  • RevenueCat helps us manage in-app purchase products, customer identifiers, purchase events, restore flows, and purchase-related support information.
  • Google Mobile Ads may process advertising and rewarded-ad information when ads are requested, loaded, viewed, or rewarded.
  • We may share information when required by law, to protect users or the service, to enforce our Terms, or as part of a merger, financing, acquisition, reorganization, or similar business transaction.

We do not sell personal information for money. Some advertising SDK activity may be considered targeted advertising, sharing, or sale under certain US state privacy laws. Where required, we will provide applicable opt-out controls or honor platform and device-level choices.

8. Website, cookies, and local storage

The xili website uses limited storage needed for basic site behavior, such as remembering language and light or dark theme preferences. Standard server logs may include information such as IP address, browser type, requested page, referrer, and timestamp.

The mobile app may use on-device storage such as MMKV or platform storage to keep authentication sessions, drafts, lightweight caches, and app preferences. Removing the app or clearing app data may remove some local data from your device, but it does not automatically delete server-side account data.

9. Retention

We keep information for as long as reasonably necessary to provide xili, maintain account history, operate social features, prevent abuse, comply with law, resolve disputes, and enforce our agreements.

Posts, comments, ratings, profile information, friends, requests, purchases, rewards, and account records may remain while your account is active unless deleted through available app features or by request. Some feed and notification records include expiry or cleanup fields, and backups or logs may remain for a limited period after deletion.

Purchase, transaction, security, and anti-fraud records may be kept longer where required for accounting, tax, refund, platform compliance, dispute resolution, or abuse prevention.

10. Your choices and privacy rights

You can update certain profile information in the app, manage notification permissions through your device settings, revoke photo library access through your device settings, delete some posts or comments through app features, and contact us for account or data requests.

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information. You may also have rights to withdraw consent, appeal a privacy decision, or complain to a data protection authority.

California and other US state residents may have rights to know, access, correct, delete, opt out of certain sharing or targeted advertising, and limit the use of sensitive personal information where applicable. To exercise rights, email contact@xiliapp.com. We may need to verify your request before acting on it.

11. Children

xili is not intended for children under 13. If you are under the age required to use online services in your country, you may use xili only with permission from a parent or legal guardian where permitted by law.

If we learn that we collected personal information from a child in a way that violates applicable law, we will take reasonable steps to delete it.

12. International transfers

xili is operated by xilistudios OÜ, an Estonian company. We and our service providers may process information in Estonia, the EEA, the United States, or other countries where we or our service providers operate. Those countries may have privacy laws that differ from yours.

Where required, we use appropriate safeguards for international transfers, such as contractual protections, platform safeguards, or other lawful transfer mechanisms.

13. Security

We use technical and organizational measures designed to protect xili, including Firebase security rules, authentication controls, storage restrictions, App Check, server-side purchase verification, and access controls.

No online service can guarantee perfect security. You are responsible for keeping your device, app-store account, sign-in credentials, and xili account access secure.

14. Changes to this policy

We may update this Privacy Policy as xili changes. If changes are material, we will take reasonable steps to notify users, such as updating the date above, posting the new policy, or providing an in-app notice where appropriate.

Your continued use of xili after an updated policy becomes effective means the updated policy applies to your use of the service.

15. Contact

For privacy questions, data requests, account requests, or concerns about this policy, contact xilistudios OÜ at contact@xiliapp.com.

Privacy Policy | xili