Xiippy Privacy Policy

Effective as of Jan 10, 2019

Xiippy is the world's first and only 1-step checkout platform that includes privacy-preserving end-to-end encrypted smart receipts and reward points.

Design Philosophy & Zero Knowledge

Xiippy is committed to client service and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information or your business' data.

Xiippy sits between retailers, consumers, POS developers and banks and delivers value to all these parties in unique ways. The most fundamental difference we make is that we make it possible for the real owners of information to benefit from that information without having to share it with us or with 3rd parties, and that is what forms the core philosophy behind privacy-by-design and regulatory frameworks like GDPR and CCPA.

We have designed and built the Xiippy platform to materialize what these regulatory frameworks intend to achieve in a zero-trust setting. This means we have designed the platform in such a way that you, as our users, clients or customers, do not need to trust us with access to your personal or protected information, and yet our platform remains capable of adding value to all owners of information. This, however, has not been easy at all. We have had to invent new concepts along the way and work through complex cryptography to reach this goal, adopting edge computing and client-side encryption and decryption of data to deprive ourselves, and hence the entire universe, of access to your personal information or your business' private data.

For consumers, Xiippy only maintains purchase history and receipts on users' private devices, with encryption-at-rest applied to the local databases of all our apps. No consumer purchase history is EVER saved on our servers and infrastructure in a plain format readable to us. If the user chooses to, for the purpose of portability and multi-device access, a copy of the receipts is first encrypted with keys known only to the user and unknown to us and then uploaded to our infrastructure, from which it can be downloaded by our apps on other devices and decrypted with keys that are only accessible to the real owner of the data.

For business owners, Xiippy only maintains an encrypted version of the seller's copy of the receipts on its servers to make them available in our Business Owner's dashboard. The keys used for this encryption process are unknown to us too. These keys are generated by the POS stations and derived from private keys only known to the business owners. All processing and presentation of data is done on the client side through our web-based Business Owner's dashboard, without us maintaining any plain-format data on our servers.

These aspects are the unique characteristics of our platform; a zero-knowledge fashion of providing service to data owners without having access to the data ourselves. In this sense, this policy mostly outlines what happens with the information we DO maintain from you, not the information we maintain zero knowledge of.

Information We Collect

There are three basic ways we collect information:

Information You Choose to Give Us

When you interact with our services, we collect the information that you choose to share with us. For example, most of our services require you to set up a basic Xiippy account, so we may optionally need to collect a few important details about you, such as: a unique user name you’d like to go by, a password, an email address, a phone number, and your date of birth. Xiippy also allows you to start using our apps by choosing to sign up anonymously, which in turn creates an account using random identifiers and keeps the registration details on your private devices. If you choose to start using our apps anonymously, you bear the risk of being dependent on your current device to maintain registration, and should you change your device, we may not be able to identify you again unless you go through a proper process to get an account based on your real personal details like email address or phone numbers.

To make it easier for others to identify you anonymously, e.g. for a retailer to become aware that you are a returning customer or for an existing loyalty card to be linked to you, we may calculate anonymised transaction or user identifiers that can remain the same in future interactions between you and the same entities but remain almost impossible to link back to your real identity. This means that if you choose not to use our payment option and only use Xiippy to receive your receipts and rewards points, it will remain nearly impossible even for Xiippy to identify who the real owner of such anonymised identifiers is. The fundamental method used by Xiippy is to make such identifiers dependent upon private cryptographic keys that it securely saves in the Key Chain storage of your private device, without having access to them on our infrastructure. This in turn protects your privacy even in unlikely data breach incidents. One important aspect of our innovation and patents relates to these calculations.

At the moment, the Xiippy payment platform does not receive your personal credit card or bank card numbers directly from you; instead, it receives a card token from ApplePay or GooglePay on your personal device, should you choose to use our payment platform. These tokens are random-looking strings that are meaningless and are not your real credit card numbers. In most cases they are temporary and once-off, which means they won't be usable for more than one transaction, namely the transaction at hand, the one for which such tokens are generated. Tokens make it possible to avoid handling real credit card and financial information, and our payment platform uses them to protect your information and to avoid handling financial details in the first place.

It probably goes without saying, but we’ll say it anyway: When you contact Xiippy Support or communicate with us in any other way, we’ll collect whatever information you volunteer. 

Information We Get When You Use Our Services

When you use our services, we collect information about which of those services you’ve used and how you’ve used them. We might know, for instance, that you saw a specific ad for a certain period of time. Here’s a fuller explanation of the types of information we collect when you use our services (to learn about how you can control some of this information, be sure to read the aptly titled Control over Your Information section below):

Usage Information.

We collect information about your activity through our services. For example, we may collect information about:

Content Information. 

We collect information about the content you provide us, such as the feedback you may provide a retailer as a result of having a transaction with them.

Device Information. 

We collect device-specific information, such as the hardware model, operating system version, advertising identifiers, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information (including the mobile phone number should you choose to provide it to us).

Location Information.

When you use our services we may collect information about your location. With your consent, we may also collect information about your precise location using methods that include GPS, wireless networks, cell towers, Wi-Fi access points, and other sensors, such as gyroscopes, accelerometers, and compasses. This information may be used to generate personalized relevant content (e.g. applicable offers you may be eligible for) and reminders (e.g. warranty reminders if you are close to a certain retail outlet).

In almost all cases, we do not maintain such information on our infrastructure (having used edge computing on your phone to drive personalization, i.e. your phone only receiving content from our infrastructure), but if such information is saved on our infrastructure, we inform you and get your consent before we do so.


Information Collected by Cookies and Other Technologies. 

Like most online services and mobile applications, we may use cookies and other technologies, such as web beacons, web storage, and unique advertising identifiers, to collect information about your activity, browser, and device with the purpose of providing personalized experiences for you. We may also use these technologies to collect information when you interact with services we offer through one of our partners, such as commerce partners. Most web browsers are set to accept cookies by default. If you prefer, you can usually remove or reject browser cookies through the settings on your browser or device. Keep in mind, though, that removing or rejecting cookies could affect the availability and functionality of our services.

Log Information. 

We also collect log information when you use our website. That information includes, among other things:

Information We Collect from Third Parties

We may collect information that other users provide about you or your business when they use our services. We may also obtain information from other companies that are owned or operated by us, or any other third-party sources, and combine that with the information we collect through our services.

How We Use Information

The data we collect is used to provide you with an amazing set of products and services that we are always trying to improve. But we do a lot more as well, such as:

We also store some information locally on your device, for example private cryptographic keys, which are under NO CIRCUMSTANCES sent to our infrastructure in any form or shape readable and accessible to us.

How We Share Information

We may share information about you in the following ways:

With all Xiippy users and the general public.

We may share the following information with all Xiippy users as well as the general public:

With our affiliates. 

We may share information with entities within the Xiippy family of companies.

With third parties.

We may share your information with the following third parties:

With third parties as part of a merger or acquisition.

If Xiippy gets involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of our business to another company, we may share your information with that company before and after the transaction closes.

In the aggregate or after de-identification.

We may also share with third parties, such as advertisers, aggregated or de-identified information that cannot reasonably be used to identify you.

Control over Your Information

We want you to be in control of your information, so we provide you with the following tools.

Access and Updates.

We strive to let you access and update most of the personal information that we have about you. There are limits though to the requests we’ll accommodate. We may reject a request for a number of reasons, including, for example, that the request risks the privacy of other users, requires technical efforts that are disproportionate to the request, is repetitive, or is unlawful. You can access and update most of your basic account information right in the apps or dashboards by visiting the app’s or dashboard's Settings pages. If you need to access, update, or delete any other personal information that we may have, you can put in a request when contacting us. Because your privacy is important to us, we may ask you to verify your identity or provide additional information before we let you access or update your personal information. We will try to update and access your information for free, but if it would require a disproportionate effort on our part, we may charge a fee. We will of course disclose the fee before we comply with your request.

Revoking Permissions. 

If you change your mind about our ongoing ability to collect information from certain sources that you have already consented to, such as your location services, you can simply revoke your consent by changing the settings on your device if your device offers those options. Of course, if you do that, certain services may lose full functionality.

Account Deletion.

While we hope you’ll remain a lifelong Xiippy user, if for some reason you ever want to delete your account, contact us and inform us of your intention. During this period of time, your account will not be visible to other parties.

Analytics and Advertising Services Provided by Others

We may let other companies use cookies, web beacons, and similar tracking technologies on the services. These companies may collect information about how you use the services and other websites and online services over time and across different services. This information may be used to, among other things, analyze and track data, determine the popularity of certain content, and better understand your online activity.

Additionally, some companies may use the information they collect on our services to deliver targeted advertisements on behalf of us or other companies, including on third-party websites and apps. Xiippy does not currently respond to do-not-track signals that may be sent from your device. If we do so in the future, we will provide information about that practice in an updated version of this privacy policy.

Locality

Although we welcome Xiippy users from all over the world, keep in mind that no matter where you live or where you happen to use our services, we operate our services from Australia. This means that we may collect your personal information from, transfer it to, and store and process it in Australia and/or other countries whose local data-protection and privacy laws may offer fewer protections than those in your country of residence or from any country where you use or access the services.

Children

Our services are not intended for—and we don’t direct them to—anyone under 13. And that’s why we do not knowingly collect personal information from anyone under 13.

Revisions to the Privacy Policy

We may change this privacy policy from time to time and the latest effective date of any new version of the policy is always visible on this page.