Privacy Policy

Account Information

• • Full name
• • Email address
• • Phone number
• • Date of birth (for age verification and personalized insights)
• • Malaysian Identity Card (IC) number (optional, for identity verification)
• • Password (encrypted and not accessible by Xeep staff)
• • Profile photograph (optional)
• • Gender
• • Height and weight

Payment Information

• • Credit card details (processed securely by HitPay, our payment processor)
• • Billing address
• • Subscription transaction history (including initial hardware delivery and recurring platform access fees)

Communication Data

• • Support inquiries and correspondence
• • Feedback and survey responses
• • Messages to our customer service team

Nine Primary Health Data Streams

Additional Data

• • Device usage patterns and interaction data
• • App navigation and feature usage
• • Notification settings and preferences
• • Dashboard customization preferences
• • Cycle tracking data (for applicable users)
• • Meal and nutrition logs (if you use this feature)
• • Symptom tracking and health notes

Additional Uses

• • To train and improve our artificial intelligence models and algorithms. This involves using your data as part of a larger, collective dataset to enhance the insights provided to all users.
• • Incorporate User-Generated Content, such as meal suggestions, into our central database to enhance the service for all users.

Your Privacy is Protected

While data contribution is mandatory, your privacy remains paramount:

• • All data is irreversibly anonymized using multi-layer protection (k-anonymity ≥20, differential privacy ε≤0.5, HIPAA Safe Harbor)
• • Cannot be traced back to you individually
• • Your identifiable personal data is never sold or shared
• • You retain the right to access, correct, and delete your identifiable data

Alternative Options

If you are uncomfortable with mandatory data contribution for research:

• • Consider standalone fitness trackers (Apple Watch, Garmin) at RM1,500-3,000 upfront
• • These devices don't require data sharing but lack AI insights and cost significantly more
• • You fully own your data but pay premium pricing

This mandatory data license is explicitly stated in our Terms of Service Section 5.4 and is a condition of creating a Xeep account.

Third-Party Service Provider Obligations

All our service providers are contractually obligated to:

• • Use your data only for the specified purposes
• • Implement appropriate security measures
• • Not share your data with others without authorization
• • Comply with PDPA and international data protection standards

What Gets Shared

We create anonymized datasets that CANNOT identify you and share them with:

• • Academic institutions (Malaysian universities) for health research
• • Healthcare providers for wellness program development
• • Government health agencies (Malaysian Ministry of Health) for public health insights
• • Pharmaceutical companies for clinical trial recruitment insights (not medical diagnosis)

How We Protect Your Privacy

1. 1. Remove ALL Identifiers: Name, email, IC number, phone, address, device serial number, Firebase UID
2. 2. Generalize Quasi-Identifiers: Date of birth → Age range (5-year buckets: 25-30, 31-35, etc.), Postcode → State/Region only (Selangor, KL, Penang, etc.), Exact timestamps → Time buckets (Morning, Afternoon, Evening)
3. 3. K-Anonymity (k≥20): Each record is indistinguishable from at least 19 other users
4. 4. Differential Privacy (ε≤0.5): Add calibrated statistical noise to aggregates
5. 5. Annual External Audit: Independent privacy experts test our anonymization quality

Re-identification Risk: Our target is <0.05% (less than 1 in 2,000 chance of re-identifying any individual).

We may disclose your information if required by Malaysian law or in response to:

• • Valid court orders or subpoenas
• • Law enforcement requests with proper legal basis
• • National security or public safety investigations
• • Regulatory inquiries from PDPA Commissioner or other authorities

User Notification: We will notify you within 7 days of any legal disclosure request unless legally prohibited from doing so. We publish the number of legal requests received annually in our Transparency Report.

If Xeep is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred to the acquiring entity. We will:

• • Notify you via email and prominent notice on our website 30 days before transfer
• • Ensure the acquiring entity commits to the same privacy protections
• • Provide you the option to delete your account before the transfer

While your account is active:

• • Personal information (Tier 1): Retained indefinitely
• • Health data (Tier 2): Retained indefinitely for historical analysis and XQ calculation
• • Technical logs: Retained for 1 year

When you delete your account:

Confirmation: You will receive an email confirmation when your account deletion is complete (approximately 60 days after request).

• • Audit Logs: Retained for 1 year for security auditing and fraud prevention
• • Legal Disputes: If you are involved in a legal dispute with Xeep, relevant records retained until dispute resolution plus 7 years
• • Consent Records: Your consent history retained for 7 years to demonstrate PDPA compliance

You can request:

• • A copy of all personal information we hold about you
• • Complete health data history (all 9 data streams)
• • Information about how we use your data
• • Categories of third parties receiving anonymized datasets
• • Access logs (who viewed your data, when)
• • Your consent history

You can request correction of:

• • Inaccurate personal details (name, email, phone, date of birth)
• • Profile information (height, weight, gender)
• • Manual entries (meal logs, symptom notes)

Cannot be Corrected:

• • Sensor-collected data (heart rate, SpO2, sleep) - reflects actual measurements
• • Historical XQ scores - calculated from sensor data
• • Anonymized datasets - already irreversibly de-identified

How to Delete Your Account:

• • In-app: Settings → Account → "Delete My Account"
• • Email: dpo@xeep.io with subject "Account Deletion Request"

Verification Required:

• • Password confirmation
• • Email confirmation link
• • Type "DELETE" to confirm (prevents accidental deletion)

Timeline: 30-day cooling-off period, then permanent deletion within 60 days total.

What Happens:

• • ALL identifiable data deleted (name, email, IC, health data, photos)
• • Transaction records retained 7 years (legal requirement)
• • Anonymized datasets CANNOT be deleted (no longer identifiable)

Export Your Data:

• • Button: Settings → Privacy → "Export My Data"
• • Formats: CSV (Excel-compatible), JSON (developer-friendly), PDF (human-readable)
• • Delivery: Secure download link within 48 hours
• • Contents: All health metrics, XQ scores, AI insights, account information

Transfer to Another Platform:

• • You can download and upload to another wellness platform manually
• • We do NOT provide direct API integration with competitor platforms

You can opt out of:

• • Marketing emails - Settings → Notifications or unsubscribe link
• • AI-powered personalized insights - Settings → Features (note: this may reduce platform functionality)
• • Specific third-party analytics cookies - Settings → Privacy → Cookie Preferences

You CANNOT opt out of:

• • Anonymized data creation and use for research - This is mandatory for all Xeep users
• • Essential services (XQ calculation, data sync, account security)
• • Legal compliance (transaction records, audit logs required by law)
• • Already-created anonymized datasets (anonymization is irreversible)

If you're not satisfied with how we handle your data:

If a Data Breach Occurs:

• • Detection and containment within 2 hours
• • User notification within 72 hours (PDPA best practice)
• • PDPA Commissioner notification (if user rights/freedoms affected)
• • Full incident investigation and remediation
• • Post-incident security improvements

Cyber Insurance: We maintain RM5 million cyber liability insurance coverage.

Responsible Disclosure: If you discover a security vulnerability, please report it to security@xeep.io. We do NOT take legal action against security researchers who report vulnerabilities responsibly.

Your data may be stored and processed outside Malaysia:

When we transfer data internationally, we ensure:

• • Adequacy: Destination country has adequate data protection laws
• • Contractual Protection: Standard Contractual Clauses (SCCs) with service providers
• • Encryption: All data encrypted in transit and at rest
• • User Consent: You consent to international transfers by using our services

If we expand to serve users in other countries (Singapore, EU, US), we will:

• • Update this Privacy Policy with specific provisions for those regions
• • Comply with GDPR (EU), CCPA (California), and other local laws
• • Provide 30 days notice of material changes

We use cookies and similar technologies. Key highlights:

Full Details: See our separate Cookie Policy at https://xeep.io/cookies

Xeep is intended for users aged 18 years and above only.

We do NOT knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at dpo@xeep.io. We will delete such information within 30 days.

Age Verification: We require date of birth during registration and will reject accounts for users under 18.

Our platform may contain links to third-party websites, apps, or services not operated by Xeep:

• • Research publications citing Xeep data
• • Health resources and educational content
• • Payment processor (HitPay) during checkout

We are NOT responsible for:

• • Privacy practices of third-party websites
• • Content or services provided by third parties
• • Data collected by third parties when you leave our platform

Recommendation: Review the privacy policies of any third-party services you access through Xeep.

We may update this Privacy Policy from time to time to reflect:

• • Changes in our data practices
• • New features or services
• • Legal or regulatory requirements
• • User feedback and industry best practices

12.1 How We Notify You

12.2 Version History

We maintain a complete version history of this Privacy Policy:

• • Current version: Always at https://xeep.io/privacy
• • Previous versions: Available at https://xeep.io/privacy/history
• • Change log: Summary of what changed in each version

Your Rights: If you do not agree with updated Privacy Policy, you may delete your account within 30 days of notification.

Security Issues

• • Vulnerability Reports: security@xeep.io
• • Security Incidents: security@xeep.io (monitored 24/7)

By creating a Xeep account or using our services, you acknowledge that you have:

• ✓ Read and understood this Privacy Policy in its entirety
• ✓ Consent to the collection, use, and sharing of your personal information as described
• ✓ Understand that anonymized data may be used for research and commercial purposes
• ✓ Agree to international data transfers to Firebase and other service providers
• ✓ Understand your rights under Malaysia PDPA and how to exercise them
• ✓ Acknowledge that Xeep Device and blood pressure measurements are NOT medical-grade
• ✓ Understand that data contribution for research is MANDATORY with no opt-out option
• ✓ Acknowledge that anonymized datasets become permanent Xeep assets even if you delete your account
• ✓ Understand you can withdraw consent for marketing, non-essential features, but NOT for anonymized research data

Your use of Xeep services constitutes acceptance of this Privacy Policy.

We are committed to radical transparency about data usage: