Privacy Policy
Last Updated: January 30, 2026
XYK LLC ("we," "us," or "our") operates the AncestryScan mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.
Please read this Privacy Policy carefully. By using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.
1. Information We Collect
1.1 Personal Information You Provide
Account Information:
- Email address (if you sign in with Apple or Google)
- Display name (if provided by your sign-in provider)
- Unique user identifier
Facial Images:
- Photographs you upload for ancestry analysis
- We process these images to extract facial features for analysis
Payment Information:
- We do not directly collect or store payment card information
- Payments are processed through Apple's App Store and managed by RevenueCat
- We receive confirmation of purchases and credit balances
1.2 Information Collected Automatically
Device Information:
- Device type and model
- Operating system version
- Unique device identifiers
Usage Information:
- Features used within the App
- Analysis history and results
- Timestamps of activities
- Error logs and diagnostic data
Crash Reporting and Analytics:
- Crash reports and diagnostic data to identify and fix technical issues
- Anonymized usage analytics to understand feature adoption and improve the App
- Performance metrics including app launch times, response times, and error rates
1.3 Biometric and Sensitive Information
Facial Feature Data:
Our App analyzes facial photographs to estimate ancestry composition. This analysis extracts facial characteristics including but not limited to facial structure and proportions, skin tone observations, and eye, nose, and other facial feature characteristics.
Important: We use this information solely to provide our ancestry estimation service. We do not use facial data for identification purposes, and we do not sell or share raw facial images with third parties for their own purposes.
2. How We Use Your Information
We use the information we collect to:
- Provide Our Services: Process your photos and deliver ancestry analysis results
- Manage Your Account: Create and maintain your user account, track credits and purchase history
- Process Transactions: Fulfill purchases and manage your credit balance
- Improve Our Services: Analyze usage patterns to enhance the App's features and accuracy
- Communicate With You: Send service-related notifications and respond to inquiries
- Ensure Security: Detect, prevent, and address technical issues, fraud, or abuse
- Comply With Legal Obligations: Meet applicable legal requirements
3. How We Store and Protect Your Information
3.1 Data Storage
Analysis Results:
- Your ancestry analysis results are stored locally on your device
- Results are not uploaded to or stored on our servers after processing
- You control your local data and can delete it at any time
Account Information:
- Account data is stored securely using Google Firebase infrastructure
- Data is encrypted in transit and at rest
Facial Images:
- Uploaded images are processed in real time for analysis
- Images are transmitted securely using encryption
- We do not permanently store your original photographs on our servers after analysis is complete
- Images may be temporarily cached during processing and are automatically deleted
3.2 Data Security
We implement appropriate technical and organizational security measures to protect your personal information, including:
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Access controls and authentication
- Regular security assessments
- Secure cloud infrastructure (Google Cloud Platform)
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
4. Third-Party Services
We use the following third-party services to operate our App:
4.1 Google Firebase
- Purpose: User authentication, database storage, cloud functions
- Data Shared: Account information, usage data
- Privacy Policy: https://firebase.google.com/support/privacy
4.2 OpenAI
- Purpose: AI-powered facial analysis and ancestry estimation
- Data Shared: Facial images (for processing only)
- Privacy Policy: https://openai.com/privacy
- Note: Images sent to OpenAI are processed according to their API data usage policies and are not used to train their models
4.3 RevenueCat
- Purpose: In-app purchase management and subscription handling
- Data Shared: User identifiers, purchase history
- Privacy Policy: https://www.revenuecat.com/privacy
4.4 Apple Sign-In / Google Sign-In
- Purpose: Account authentication
- Data Shared: Authentication tokens, email (if permitted), name (if permitted)
5. Data Retention
We retain your information for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy:
- Account Information: Retained until you delete your account
- Analysis Results: Stored locally on your device until you delete them or uninstall the App
- Usage Analytics: Retained in anonymized/aggregated form for up to 24 months
- Payment Records: Retained as required by law and for accounting purposes
5.1 Account Deletion
You may delete your account at any time through the App settings. Upon deletion:
- Your account information will be permanently deleted from our servers
- Your locally stored analysis results will remain on your device until you delete them or uninstall the App
- Some information may be retained as required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance)
5.2 Biometric Data Retention Schedule
- Facial Images: Deleted immediately after processing is complete; not stored on our servers
- Derived Biometric Data: Facial geometry measurements used during analysis are not retained beyond the active processing session and are deleted within 24 hours
- Analysis Results (Text/Scores): Stored locally on your device only; never uploaded to or retained on our servers
- Destruction Method: All biometric data destruction is performed through automated secure deletion processes
6. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
6.1 Access and Portability
You have the right to request access to the personal information we hold about you and receive it in a structured, commonly used, machine-readable format (such as JSON or CSV). We will fulfill data portability requests within 30 days of receipt.
6.2 Correction
You have the right to request correction of inaccurate personal information.
6.3 Deletion
You have the right to request deletion of your personal information, subject to certain exceptions.
6.4 Opt-Out
You may opt out of certain data collection by:
- Not uploading photos for analysis
- Using the App as a guest (limited functionality)
- Deleting your account
6.5 Do Not Track
Our App does not currently respond to "Do Not Track" signals.
To exercise these rights, please contact us at contact@xyklabs.com.
7. Children's Privacy
Our App is not intended for children under the age of 17. We do not knowingly collect personal information from children under 17.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@xyklabs.com. If we discover that we have collected personal information from a child under 17, we will delete that information promptly.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that are different from the laws of your country.
We implement appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy, including:
- Standard Contractual Clauses (SCCs): Where required, we rely on European Commission-approved Standard Contractual Clauses to provide adequate protection for data transferred outside the EEA
- Data Processing Agreements: We maintain Data Processing Agreements with our key third-party service providers, including Google Firebase, OpenAI, and RevenueCat, that include appropriate data protection obligations
- Security Measures: All international data transfers are protected by encryption in transit and at rest
By using the App, you consent to the transfer of your information to the United States and other countries where we and our service providers operate, subject to the safeguards described above.
9. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
9.1 Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected about you.
9.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.
9.3 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
9.4 Categories of Information
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (email, device ID, user ID)
- Biometric information (facial characteristics for analysis)
- Commercial information (purchase history)
- Internet/electronic activity (usage data)
9.5 Sale and Sharing of Personal Information
We do not sell or share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA. You have the right to opt out of the sale or sharing of your personal information. You also have the right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Services.
To submit a CCPA request, please contact us at contact@xyklabs.com.
10. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
10.1 Legal Basis for Processing
We process your personal information based on:
- Consent: For processing facial images and providing ancestry analysis
- Contract: To provide our services and manage your account
- Legitimate Interests: For security, fraud prevention, and service improvement
10.2 Additional Rights
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
- Right to restrict processing
- Right to object to processing
10.3 Data Protection Officer
For GDPR-related inquiries, please contact our Data Protection Officer at contact@xyklabs.com.
11. Biometric Data Notice
11.1 Illinois Residents (BIPA)
If you are an Illinois resident, the following applies under the Biometric Information Privacy Act (BIPA):
- Written Policy: This Privacy Policy serves as our written policy regarding the collection, retention, and destruction of biometric data, made publicly available as required by BIPA
- Informed Consent: Before any facial image is processed for ancestry analysis, you must provide affirmative informed consent through the in-app "I Consent" action presented prior to your first scan. No biometric data is collected or processed until this consent is obtained
- Purpose: Biometric data is collected and used solely to provide ancestry estimation services through facial feature analysis
- Retention and Destruction: Facial images are deleted immediately after processing is complete. Derived biometric data (facial geometry measurements) is not stored beyond the active processing session and is deleted within 24 hours. We employ automated secure deletion methods for all biometric data
- Disclosure: We do not sell, lease, trade, or otherwise profit from your biometric information. Biometric data is disclosed only to OpenAI for the purpose of processing your ancestry analysis, pursuant to a contractual agreement prohibiting further disclosure
- Right to Revoke: You may revoke your consent to biometric data collection at any time by ceasing to use the facial analysis feature. Previously collected biometric data will be deleted in accordance with our retention schedule
- No Conditioning: We do not condition the provision of services on your consent to the collection of biometric data beyond what is strictly necessary to provide the ancestry analysis service
11.2 Other State Biometric Laws
We comply with applicable biometric privacy laws in Texas, Washington, and other states that regulate the collection of biometric data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy in the App
- Updating the "Last Updated" date at the top of this policy
- Sending you a notification if the changes are significant
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the App after any modifications indicates your acceptance of the updated Privacy Policy.
13. Data Breach Notification Procedures
In the event of a data breach affecting your personal information:
13.1 Notification Timeline
- We will notify affected users within 72 hours of becoming aware of a breach involving personal data, consistent with GDPR requirements
- For California residents, notification will be made within the timeframe required under the CCPA and California Civil Code § 1798.82
- For Illinois residents, notification regarding biometric data breaches will comply with BIPA requirements
13.2 Notification Contents
Breach notifications will include:
- A description of the nature of the breach
- The categories and approximate number of individuals and data records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate potential adverse effects
- Contact information for obtaining further information
13.3 Notification Channels
We will notify affected users via:
- Email to the address associated with your account
- In-app notification upon next use of the App
- Prominent notice on our website if the breach affects a large number of users
13.4 Regulatory Notification
We will notify applicable regulatory authorities as required by law, including:
- Supervisory authorities under GDPR within 72 hours
- The California Attorney General if a breach affects more than 500 California residents
- Other state attorneys general as required by applicable state breach notification laws
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
XYK LLC
Email: contact@xyklabs.com
We will respond to your inquiry within a reasonable timeframe, typically within 30 days.
15. Additional Disclosures
15.1 Nature of Ancestry Estimates
Our ancestry analysis is based on AI-powered facial feature comparison and should be considered for entertainment and educational purposes only. Results are estimates and should not be relied upon for legal purposes, medical decisions, immigration or citizenship matters, or genealogical research requiring scientific accuracy.
15.2 Accuracy Limitations
Ancestry estimates based on facial features have inherent limitations and may not reflect your actual genetic ancestry. Many factors can influence results, including lighting, photo quality, and the limitations of visual phenotype analysis.
This Privacy Policy is effective as of January 30, 2026.