Xabi

Privacy Policy

Last updated: 2 May 2026 (version 2026-05-02)

Data Controller

Xabi is an open-source project maintained by Zeeshan Ali Khan, who acts as the data controller for personal data processed by the hosted Xabi backend at xabi.fly.dev. To contact the controller about this policy, your data, or to exercise any of the rights described below, open an issue (or a private security advisory for sensitive matters) at github.com/zeenix/xabi-issues.

What We Collect

Xabi records audio from your microphone only when you tap the detect button. This audio is used solely to identify the spoken language.

How We Process Data

  • Audio is processed using the ECAPA-TDNN model for language detection.
  • Detection audio is not stored on our servers after the response is returned.
  • No audio data is sent to third-party services for detection.
  • Detection history is stored locally on your device only.

Feedback Reports

If you choose to report an incorrect detection and tick the consent box in the report dialog:

  • Your voice recording is uploaded and stored on our servers to improve the language detection model.
  • The detected and expected languages, the confidence score, the timestamp of submission, and a one-way HMAC-SHA256 hash of your IP address are stored alongside the recording. The raw IP address is not retained at rest; the hash exists only to enforce the "one report per day" limit.
  • The version identifier of the privacy text shown above is recorded with each submission so we can prove which text you agreed to.
  • You can preview the recording before submitting.
  • Reports are limited to one per day per client.
  • Submitted recordings are used solely for improving language detection and are not shared with third parties.

Important: Recording someone without their consent is illegal in many countries. Only submit recordings of your own voice or recordings made with consent.

Legal Basis

For users in the EEA / UK, the legal basis for processing feedback-report audio and the associated metadata is your explicit consent under Art. 6(1)(a) and Art. 9(2)(a) GDPR, given by ticking the consent box in the report dialog. You may withdraw consent at any time by deleting the submission from the My reports page (or by asking the controller to do so); withdrawal does not affect the lawfulness of processing prior to withdrawal.

The transient audio sent to /api/detect is processed under our legitimate interest in providing the detection service (Art. 6(1)(f)) and is discarded immediately after the response is returned.

Retention

Feedback reports (audio + metadata) are retained for up to 365 days from submission, after which they are deleted automatically by a daily retention sweep. You can delete a report sooner from the My reports page.

Where Your Data Is Stored

The hosted backend runs on Fly.io and stores feedback-report audio in a Tigris S3-compatible bucket. The primary storage region is in the United States. Submitting a report therefore involves a transfer of personal data outside the EEA / UK; the controller relies on your explicit consent (Art. 49(1)(a) GDPR) as the transfer mechanism. Self-hosted deployments may use different infrastructure; if you are using a third-party deployment, that operator is the controller for your submissions.

Data We Don't Collect

  • No user accounts or personal information.
  • No analytics or tracking.
  • No advertising identifiers.

Your Rights (GDPR)

If you are in the EEA or UK, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to lodge a complaint with your local supervisory authority.

Detection audio is not retained, so there is nothing to access or erase from that flow. For feedback reports, you can review and delete each submission at any time from the My reports page; deleting a report there removes it from our servers as well as from your device. If you can no longer access the device that submitted a report, see the note on lost devices below. Local detection history can be cleared by clearing your browser data or uninstalling the app.

To exercise your right of access (Art. 15) and data portability (Art. 20), use the Export (JSON) button on the My reports page. The export contains the full metadata and audio for every report you have submitted from this device, in a structured, machine-readable JSON format. This is the same set of personal data we hold about you in the reports store.

Lost device. Reports are not tied to an account and your IP address is stored only as a one-way hash, so the only identifier linking a report to you is the server-issued report ID held on the device that submitted it. If you no longer have access to that device, we have no way to identify which reports are yours and therefore cannot fulfil an access, portability or erasure request for those reports (GDPR Art. 11(2)). Reports are in any case deleted automatically after the retention period stated above.

← Back to app