
Privacy Policy

Last updated: April 28, 2026 · Effective date: April 28, 2026

This Privacy Policy explains how Xitik ("we", "us", "our") collects, uses, shares and protects personal data when you use the Xitik desktop application, the website at xitik.com and related services (collectively, the "Service"). It applies to visitors, registered users and paying subscribers worldwide and is designed to satisfy the EU GDPR, UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and other applicable data-protection laws.

1. Data Controller

The data controller responsible for personal data processed in connection with the Service is:

Xitik
Email: [email protected]
A postal address is available on written request to the email above.

For paid subscriptions, Whop Inc. acts as the Merchant of Record (MoR) and is the joint data processor / sub-controller for billing, payment, tax and chargeback information. Whop's privacy policy can be reviewed at whop.com/privacy.

For data-protection requests please email the address above with the subject line "Privacy Request".

2. What We Collect

| Category | Examples | Source |
| --- | --- | --- |
| Account data | Email address, hashed password, account creation date, language preference, plan tier (free / pro / vip), subscription status. | You provide directly when registering. |
| Authentication & security data | Login timestamps, IP address, current-session token, device session metadata, email verification codes (one-time, short-lived). | Generated by your use of the Service. |
| Subscription & billing metadata | Plan, subscription start/end, last paid plan, referral code, Whop user/membership IDs, partial card data and country (returned by Whop checkout). | Whop, our payment provider. |
| Service-usage data | Daily watch-time seconds (how long the live-translation window is open), host you viewed, error logs, app version, anonymous performance metrics. | Generated by your use of the Service. |
| Audio & subtitle data | Short audio chunks (≤30 s) captured from your computer's playback for transcription; transcribed text and machine-translated subtitle text. | Captured by the desktop app on your device, sent transiently to our processors (Groq, OpenAI) for inference, then discarded. |
| Communications | Emails you send to support, content of welcome/verification emails sent through Resend. | You provide directly / generated by the Service. |

What we do not collect or sell. We do not record your screen, do not store the underlying livestream video, do not retain audio chunks beyond the few seconds needed for inference, do not perform behavioural advertising profiling, and do not sell or rent your personal data to anyone.

3. How We Use Your Data

  • Provide the Service: authenticate you, run AI ASR and translation, deliver subtitles, enforce daily quotas and single-device login, sync your subscription state.
  • Billing: verify subscription status returned by Whop webhooks, apply referral rewards, prevent fraud and chargeback abuse.
  • Communicate with you: send transactional emails (verification codes, billing receipts, important service notices). We do not send marketing email without your prior consent.
  • Improve the Service: aggregate, anonymised statistics about usage, errors and latency. We do not use the content of your subtitles to train models.
  • Security and compliance: rate-limiting, abuse detection, audit logs, complying with legal obligations.

4. Legal Bases (GDPR / UK GDPR)

  • Contract: processing necessary to provide the Service you signed up for (Art. 6(1)(b)).
  • Legitimate interests: fraud prevention, security, service improvement, low-volume transactional logging (Art. 6(1)(f)).
  • Legal obligation: tax, accounting, responding to lawful requests (Art. 6(1)(c)).
  • Consent: marketing email or non-essential cookies, where applicable (Art. 6(1)(a)). You can withdraw consent at any time.

5. Audio Processing — Important Detail

The Xitik desktop application captures audio output of livestreams that you choose to play on your own computer using the Windows audio loopback API. Audio is split into chunks of up to 30 seconds and sent over an encrypted (HTTPS) connection to our AI processors for speech-recognition (Groq) and translation (OpenAI). Once a transcription/translation has been returned, the audio chunk is not persisted on our servers. We do not retain raw audio outside of the few seconds required for inference. Audio of private conversations is not the intended use of the Service and you must not capture audio you are not authorised to capture.

6. Sharing & Sub-Processors

We share personal data only with vetted sub-processors that support the Service:

| Sub-processor | Purpose | Data shared | Region |
| --- | --- | --- | --- |
| Whop Inc. | Payment provider: hosted checkout, payments, billing, refunds, chargeback handling. | Email, billing address (collected by Whop), userId reference. | USA / global |
| Groq Inc. | AI speech-recognition (ASR) inference on transient audio chunks. | Audio chunks (≤30 s). | USA |
| OpenAI, L.L.C. | AI translation of recognised text. | Recognised text strings. | USA |
| Resend (Mailrise Inc.) | Transactional email delivery (verification, welcome). | Email address, message content. | USA |
| Cloud infrastructure provider | Hosting of the API and database. | All Service data, encrypted at rest and in transit. | Asia-Pacific |

We may also disclose personal data to law enforcement or other authorities when required by valid legal process and within applicable legal protections.

7. International Data Transfers

Some of our sub-processors are located outside the country where you reside (e.g. the United States). Where required, transfers of personal data outside the EEA, the UK, or other restricted regions are protected by Standard Contractual Clauses or equivalent safeguards entered into with each sub-processor. By using the Service you acknowledge that your data may be processed in those locations.

8. Cookies & Local Storage

The Xitik website uses a small number of strictly necessary cookies and browser localStorage entries to remember your sign-in token, language preference and last-selected plan. We do not set advertising cookies or third-party analytics cookies that would track you across other websites without your consent. The desktop application does not use browser cookies.

9. Data Retention

  • Account data: kept while your account exists, plus up to 12 months after deletion for fraud-prevention and tax records.
  • Audio chunks: retained only for the few seconds necessary for AI inference, then discarded.
  • Subtitle text: not stored server-side beyond the live subtitle pipeline; transient logs are pruned within 30 days.
  • Billing records: retained for 7 years where required by tax law.
  • Email verification codes: single-use, expire within 10 minutes.

10. Your Rights

Subject to applicable law you have the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate data;
  • Request deletion of your data ("right to be forgotten");
  • Restrict or object to certain processing;
  • Receive a copy of your data in a portable format;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with your local data-protection authority.

For California residents: you also have the right to know, delete, correct and limit the use of sensitive personal information, and the right to opt out of "sale" or "sharing" of personal data. We do not sell or share your personal data as those terms are defined under the CCPA/CPRA.

To exercise any of these rights, email [email protected]. We will respond within 30 days. We will not discriminate against you for exercising any of these rights.

11. Security

We implement industry-standard technical and organisational measures including TLS in transit, Argon2 password hashing, JWT-based session tokens with single-device enforcement, scoped API keys, rate-limiting, restricted server access, and audit logging. No system is perfectly secure: if you believe your account has been compromised, contact us immediately at [email protected].

12. Children

The Service is not intended for individuals under 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, please contact us and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice with reasonable advance notice. The "Last updated" date above always reflects the current version.

14. Contact

Questions about this Policy or your personal data:
Xitik
Email: [email protected] · Telegram: @Hermesboss

© 2026 Xitik · Sold by Whop Inc. (Merchant of Record)