In a nutshell: We do not track or store personal data and we do not retarget. If you want to know more on how exactly we achieve a personalised discovery experience without collecting data, continue reading:
For us, a privacy app is one that does not send any of the personal data (IP address, search requests, and so forth) from the app elsewhere for storage or processing. “What happens within the app, stays within the app.” We achieve this with decentralized or device-level computing, making it impossible for us to access personal data of our users.
Our News Reader is a search assistant; it finds interesting articles from the internet and curates them for users in a personalised stream while protecting their privacy. To tailor the content stream to user preferences, we built an AI that learns from user interactions (likes, dislikes and time users spend with each document) directly on their device. Thus, all their personal data always stays only on their device and is never sent to us.
On each device, different AI models work together, creating an AI assistant that performs multiple jobs to search the Internet for content most relevant to a specific user:
We forward the user’s search requests which are generated automatically by the Xayn AI for the news feed between their app and our Xayn content index, and vice versa.The index only includes URL and title of the articles which we use for the reranking. Whenever a user clicks on a document, the reader mode is activated and processes locally.
We must do this to provide users with the respective content. This index does neither log, store nor even analyse any of the user´s personal data and acts as a stateless service. The user’s personal data is not used at all once forwarded between their app and the index, and vice versa. In addition, we encrypt the information that travels from the app to the index and back and only those endpoints can decrypt this. If you care to learn more about the legal basis for this data processing, please refer to Art. 6 (1) lit. b) GDPR.
We work with the following service providers who assist us in providing our services:
Cloud-Service: 1&1 Ionos SE, Germany
CDN: KeyCDN / proinity LLC, Switzerland (according to an EU Commission decision, Switzerland, although outside the EU, offers an adequate level of data protection) –
A CDN is a geographically distributed network of proxy servers which we use to provide high availability and performance by distributing the service spatially relative to our users. For example, if you are located in Brazil, your end device might want to connect to a server in Brazil instead of Germany for performance reasons. Your device will establish an internet connection with the CDN proxy servers when you use the App, and solely for this purpose KeyCDN for a few moments processes your IP address and other meta data. However, KeyCDN does not store your IP address or any personal data of you.
Hosting of our Website:
Webflow, Inc., USA
Your device will establish an internet connection with the Webflow servers when you access our website, and solely for this purpose Webflow for a few moments processes your IP address and other meta data. However, Webflow does not store your IP address or any personal data of you. We concluded so-called EU Standard Contractual Clauses with Webflow.
Bug Reporting and Logging:
Instabug, Inc, USA.
We use this service if you share a bug report with us. A bug report includes all information you include (screenshot where you can pixelate certain areas, your description of the bug, your e-mail address). We log certain performance metrics and the last 100 steps you took to allow for better bug reporting. This log data is stored on device and only shared with us when you decide to file a bug report. Any transfer of limited personal data to the US contained in your bug report is subject to contractual guarantees with Instabug (i.e., standard contractual clauses approved by the EU Commission).
Amplitude Inc., USA.
Analytics may sound mystical, but it is an absolute essential part of our growth journey as a company. Only when we understand app usage patterns best can be build the best user experience for you, which helps to spread our cause even further! We therefore engage in product analytics throughout the beta phase. As we later go into production, we pledge to not associate usage data with any personal identifiers and do not use any tracking functionality of these tools. Any transfer of personal data to the US is subject to standard contractual clauses approved by the EU Commission but do not apply hereby, as we keep personal data on the device.
AppsFlyer Inc., USA
Efficient marketing allows us to spread our mission to more people, which is why we're using mobile attribution service Appsflyer. However, in order to protect your privacy throughout that process, we only use cryptographic strings instead of personal user data to match ad campaigns with actual installs and allows us to optimise for success. This is powered by Apple's SKAdNetwork library and a win-win for both users and us.
Although we do not store any of your personal data, we must inform you that you may exercise your right to information, rectification, erasure and, if applicable, restriction of processing and data portability at the address mentioned below. If you as a data subject believe any of your rights have been infringed, you may file an appeal with the competent data protection authority.
Like most other companies, we are dependent on social media profiles in order to distribute and promote our products. We are aware of the critique social media platforms face with regard to data privacy. Therefore, we decided not to access any of the analytics data the platform operators provide to us. For example, we are not interested in knowing any demographic information of the users clicking on twitter links. We know that this might not be clever from a marketing perspective, but our decision has to be seen in the light of our goal to provide privacy preserving technologies.
This being said, we operate the following social media websites:
The operators of the social media platforms (e.g. Twitter) are involved in the operation of the websites just listed. They are also responsible (controllers) within the meaning of data protection law. We cannot influence the data processing carried out by the platform operators and are dependent on the information the respective providers give us. To the extent we can exert influence and have a part in determining data processing, we aim to ensure that the operators of the social media platforms treat the data in a manner appropriate to data protection.
Data processed by us
The data you disclose using our social media pages, such as comments, videos, pictures, likes, public news, and so forth are published by the social media platform. We may comment on or delete content if this is necessary (e.g., in case it violates laws). In some cases, we share your content on our site (e.g., when you compliment us publicly) and communicate with you through the social media platforms (e.g., when you contact us on such platforms). We use the social media platforms for marketing purposes. The legal basis for all those processing activities is our legitimate interest in operating a social media profile and to market our App (Art. 6 (1) lit. f) GDPR). If we process your personal data on the basis of our legitimate interests (Art. 6 (1) lit. f) GDPR), you may object to the processing and use of your data. In this case, we will no longer use your data unless our interests prevail.
Data processed by the operators of social media platforms
Social media platform operators use web tracking methods. Web tracking can be performed regardless of whether you are logged in or registered with the social media platform. We cannot influence the web tracking methods of the social media platform and, for example, cannot switch such tracking off. We cannot rule out that the provider of the social media platform may use data, for example to evaluate habits, personal relationships, preferences, etc. In this area of tracking, we have no influence on the processing of data by the platform operator.
We have entered into an agreement with LinkedIn Ireland Unlimited Company regarding joint responsibility for the processing of data (a Controller Addendum). This agreement determines which data processing activities we are responsible for when you visit our LinkedIn website and which are the responsibility of LinkedIn. You can view the agreement under: https://legal.linkedin.com/pages-joint-controller-addendum
Xayn is growing and we’re looking for you to join our mission. Find out how you can come work for us.