Privacy Policy

Last updated 2026-05-01

1. Introduction

This Privacy Policy describes how Xi collects, uses, shares, and protects information when you use the service at xiexperiments.com. When this policy says “we,” “us,” or “Xi,” it means the operator of the service. For questions about this policy or about the personal data we hold, contact us at xiexperiments.app@gmail.com.

2. What we collect

Account information

When you sign up, our authentication provider creates an account for you. We receive and store the basics needed to identify you in the service: your email address, a display name, an avatar URL (if your sign-in provider has one), and the identifiers that link your Xi account to that provider.

Workspace and experiment content

We store the experiments, hypotheses, success and kill thresholds, tags, time-box settings, metric definitions, metric values, notes, and learnings you record. We also store workspace settings and the roles of members in each workspace.

You decide what to log. If you choose to track lifestyle or health-related metrics (for example, sleep scores, mood, training load), that content lives inside your workspace under your control. See Sensitive content below for important context.

Notification and push preferences

We store your notification preferences (which alerts you want, when you want them, your do-not-disturb hours) and, if you opt in to browser push notifications, the push subscription endpoint your browser issues. The endpoint is a token used to deliver pushes; it is not your identity.

Connected integrations

If you connect your Google Analytics account so Xi can pull a metric on your behalf, we store the OAuth tokens needed to make those requests (encrypted at rest) and a record of the configuration you chose. We only fetch the metric data you point us at.

Product analytics events

On the production site at xiexperiments.com, we use a product-analytics provider to understand how the service is used so we can improve it. The events we capture today are limited to lifecycle actions: when an experiment is committed, shipped, killed, extended, revisited, or deleted; when a metric log is added; when a learning is recorded; when a Google Analytics connection is added or removed; and when an account or workspace is deleted. These events include the identifier of the user or workspace that performed the action so we can group them per account.

Product analytics is not loaded outside production, so previews and local development do not send these events.

Site analytics on the marketing site

The marketing pages of the site use Google Analytics 4 to record aggregate visit data (pages, referrers, broad geography, device type). We use this only to understand how people find the service.

Server logs

Our hosting provider keeps standard server logs of requests to the service, including IP addresses, user agents, timestamps, and request paths. We use these for security, abuse prevention, debugging, and operations. They are retained on the hosting provider’s standard timelines.

3. How we use information

We use the information described above to:

• Provide the service: store your experiments, run your contracts to verdict, surface your archive.
• Authenticate you and protect your account.
• Send notifications you have asked for (in-app, push, or email).
• Operate the optional Google Analytics connector at your request.
• Detect, prevent, and respond to security or abuse problems.
• Understand how the service is used and improve it.
• Comply with legal obligations and enforce our Terms.

We do not sell personal information, and we do not run targeted advertising on the service.

4. Legal bases

For users in the European Economic Area, the United Kingdom, and other jurisdictions with similar laws, the legal bases on which we process your personal data are:

• Performance of a contract— to deliver the service you signed up for. The content you choose to record in your experiments (titles, hypotheses, metric values, notes, learnings) is processed on this basis: you provide it as the input to the service, and we process it only to operate the service for you.
• Legitimate interests— to keep the service secure, to detect abuse, and to understand and improve how it is used. Where we rely on this basis, we balance our interests against your rights.
• Consent— for things you opt in to, such as push notifications and the Google Analytics connector. You can withdraw consent at any time from your settings.
• Legal obligation— where we have to process data to comply with applicable law.

Where the content you choose to log includes special-category personal data under Article 9 GDPR(or its UK equivalent) — for example, information about health, mental state, sex life, biometrics, or similarly sensitive categories — we process it solely as the data you have made manifestly public to us as part of using the service you requested, and only to the extent needed to deliver that service. See Sensitive content for what this means in practice and where the responsibility sits.

5. Sharing and sub-processors

We share personal data with a small number of service providers who run pieces of the platform on our behalf. They are bound by their own terms and data-protection commitments and process data only as needed to operate the service. Today we use:

• Clerk— authentication and identity (account sign-up, sign-in, OAuth for the MCP endpoint).
• Neon— managed Postgres database that stores your workspace and experiment content.
• Vercel— hosting, request handling, and runtime logs.
• PostHog— product analytics, processed in the United States. Loaded only on the production hostname.
• Google— Google Analytics 4 for marketing-site measurement, and the Google Analytics Data API for the optional metric connector when you turn it on.
• Browser push services— Apple, Google, and Mozilla push services deliver any browser push notifications you opt in to.

We may add or change sub-processors as the product evolves. When we do, we will keep this list up to date. We may also disclose information when we are required to by law, to enforce our Terms, or to protect the rights, property, or safety of users or others.

6. AI agents and MCP

Xi exposes a remote Model Context Protocol (MCP) endpoint. When you connect an AI client (for example, Claude) over OAuth, you authorize that client to read and write inside your workspace within the scope you granted.

Once your data is accessed by an AI client, Xi cannot control how that client uses it.The data the agent reads or writes leaves Xi and enters the AI client’s environment. From that point on, what happens to the data is governed by the policies of the AI client and the model provider behind it — not by this Privacy Policy.

Third-party AI providers may process your data under their own terms.That can include sending it to their own model infrastructure, applying their own retention and abuse-monitoring rules, and, in some configurations, using it to improve their services. Before connecting an AI client to Xi, review the provider’s privacy policy and choose a configuration whose data practices you are comfortable with.

You can revoke an AI client’s access at any time from your settings or your AI client. Revoking access stops further reads and writes through Xi, but it cannot recall data that the client has already received.

7. International transfers

Our sub-processors may store and process data in the United States and in other countries. Where personal data is transferred from the EEA, the UK, or other regulated regions to a country without an adequacy decision, we rely on the safeguards put in place by those sub-processors (such as the EU Standard Contractual Clauses).

8. Retention

We retain account and workspace data while your account is active. When you delete your account from your profile settings, we delete the personal data we hold about you, with brief retention for backups, security investigations, and legal needs. Deleting a workspace removes the experiments, logs, learnings, and other workspace content associated with it.

Server logs and aggregated analytics are kept on the standard timelines of the providers that produce them.

9. Your rights

Depending on where you live, you may have some or all of the following rights over your personal data:

• Access— ask for a copy of the personal data we hold about you.
• Correction— ask us to fix data that is wrong or incomplete.
• Deletion— ask us to delete your data. You can do this yourself by deleting your account in profile settings.
• Portability— ask for a structured copy of the data you provided.
• Restriction or objection— ask us to limit how we process your data, or object to processing based on legitimate interests.
• Withdraw consent— for processing that depends on your consent.
• Lodge a complaint— with your local data protection authority.

California residents have similar rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect about them and the right to deletion. We do not sell personal information and do not share it for cross-context behavioral advertising.

To exercise any of these rights, write to xiexperiments.app@gmail.com. We may need to verify your identity before responding.

10. Cookies and similar technologies

The service uses a small number of cookies and similar technologies:

• Session cookies set by our authentication provider to keep you signed in. These are necessary for the service.
• Analytics cookies and local storage set by Google Analytics on the marketing site, and by our product-analytics provider on the production app, to record the events described in section 2.

You can clear cookies and local storage from your browser at any time. Disabling cookies that are necessary for sign-in will stop the service from working.

11. Children

The service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.

12. Sensitive content and special-category data

Xi is a tool for honest self-experimentation. People often log lifestyle and health-adjacent metrics: sleep, mood, training, food. That content stays inside your workspace, but Xi is not a medical device, an electronic health record, or a clinical-grade store. Do not log information whose disclosure would harm you.

Some of what you may choose to log can amount to special-category personal data under Article 9 of the GDPR (or its UK equivalent), including data revealing:

• health, including physical and mental health;
• psychological or emotional states (such as mood, anxiety, stress);
• behavioral patterns that, in context, reveal any of the above; or
• other categories specifically protected by applicable law.

You decide what to log. Xi does not ask for, infer, or require special-category data. If you enter such data into your workspace, you do so on your own initiative, and you are providing it to us as the input the service needs to operate.

Our processing basis.We process whatever you record only to deliver the service you asked for — storing your experiments, computing verdicts against the contract you wrote, and showing the data back to you. We do not sell special-category data, we do not use it to train third-party models, and we do not analyze it for any purpose other than running the service for you.

Your responsibility.Where applicable law requires a specific lawful basis or additional safeguards for the data you log — for example, where you record information about another person, where you operate in a regulated context, or where Article 9 otherwise applies — you are responsible for ensuring that basis exists (such as obtaining informed consent or meeting another statutory condition) before you input the data into Xi. The acceptable-use rules in our Terms also apply.

13. Security

We use industry-standard practices to protect personal data: TLS in transit, access controls on our infrastructure, encryption at rest for OAuth tokens, and reliance on our authentication provider for credential storage. No system is perfectly secure, and we cannot guarantee absolute security. If we ever become aware of a breach affecting your data, we will notify you in line with applicable law.

14. Changes to this Policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the “Last updated” date at the top of this page and, where appropriate, give notice in the product or by email.

15. Contact

Questions about privacy at Xi? Write to xiexperiments.app@gmail.com.

This Privacy Policy is written as plainly as we can manage. It is not legal advice. If you need formal advice on how it applies to you, consult a qualified attorney in your jurisdiction.