← Back to Home

Privacy Policy

Effective Date: January 20, 2026

1. Introduction

Xylophone ("Company," "we," "us," or "our") is committed to protecting the privacy and security of personal information. This Privacy Policy ("Policy") describes our practices regarding the collection, use, storage, disclosure, and protection of personal information obtained through: (i) our corporate website located at xylophonexyz.com; and (ii) any software applications, platforms, systems, or digital services developed, operated, or maintained by Xylophone on behalf of third-party clients for which Xylophone provides authentication, identity management, or user account services (collectively, the "Service").

Xylophone operates as a software development agency engaged in the design, development, deployment, and maintenance of software applications and related technical infrastructure on behalf of third-party clients (each, a "Client"). In connection with such engagements, Xylophone may serve as the provider of authentication, identity verification, session management, and user account administration services ("Identity Services") for Client applications. When providing Identity Services, Xylophone processes personal information as a data processor or service provider on behalf of the applicable Client, who serves as the data controller or business with respect to such information.

This Policy applies to all personal information processed by Xylophone in its capacity as a provider of Identity Services, irrespective of the Client application through which such information is collected. By accessing or using the Service, creating an account, or otherwise providing personal information to Xylophone, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with the terms of this Policy, you must discontinue use of the Service immediately.

2. Categories of Personal Information Collected

The Company adheres to data minimization principles and collects only such personal information as is strictly necessary for the provision of Identity Services. The categories of personal information collected are set forth below:

2.1 Authentication Credentials

Upon Account creation or authentication, the Company collects one of the following identifiers:

  • Email Address: Utilized for Account authentication, delivery of one-time passcodes (OTPs), and transmission of security-related communications.
  • Telephone Number: Utilized for Account authentication via SMS, delivery of one-time passcodes (OTPs), and transmission of security-related communications.

The foregoing information is processed through Auth0, Inc. ("Authentication Provider"), pursuant to a data processing agreement, to facilitate secure user authentication and identity verification services.

2.2 Session and Technical Data

The Company deploys session management technologies, including cookies and similar identifiers, to maintain authenticated session state, preserve user preferences, and enable seamless interaction with the Service across multiple requests. Session identifiers are cryptographically generated and do not contain personally identifiable information in cleartext.

2.3 Analytics and Usage Data

The Company may collect anonymized, aggregated analytics data for the purpose of service optimization and improvement. Such data may include, without limitation:

  • Pages accessed and duration of page views;
  • Browser type, version, and configuration;
  • Device type and operating system;
  • Referring URL and navigation paths; and
  • Generalized geographic location (country or regional level only).

Analytics data is collected and processed in aggregate form and is not linked to individual user identities. Such data does not constitute "personal information" under applicable privacy laws to the extent it cannot reasonably be used to identify a specific individual.

3. Categories of Information Not Collected

For purposes of transparency and in furtherance of the Company's commitment to data minimization, the following categories of information are expressly excluded from the Company's data collection practices:

  • Financial Information: The Company does not collect, process, or store payment card data, bank account information, or any other financial account credentials;
  • Government Identifiers: The Company does not collect Social Security numbers, national identification numbers, passport numbers, driver's license numbers, or similar government-issued identifiers;
  • Biometric Data: The Company does not collect fingerprints, facial recognition data, voiceprints, retinal scans, or any other biometric identifiers;
  • Protected Health Information: The Company does not collect health records, medical history, or information subject to the Health Insurance Portability and Accountability Act (HIPAA);
  • Precise Geolocation: The Company does not collect precise geolocation data (i.e., GPS coordinates or location data sufficient to identify a specific address); and
  • Data for Commercial Sale: The Company does not sell, rent, lease, or otherwise commercialize personal information to third parties for marketing, advertising, or any purpose unrelated to the provision of Identity Services.

The Company's data collection is strictly limited to the categories enumerated in Section 2 and is undertaken solely for the purposes described in Section 4.

4. Purposes of Processing; Legal Bases

The Company processes personal information solely for the following specified, explicit, and legitimate purposes:

  • Authentication and Identity Verification: To verify your identity through transmission of one-time passcodes (OTPs) via email or SMS, thereby enabling secure access to Client applications for which the Company provides Identity Services. Legal Basis: Performance of contract; legitimate interests.
  • Account Security and Fraud Prevention: To protect your Account from unauthorized access, detect suspicious activity, and transmit security alerts regarding potential compromise of your credentials. Legal Basis: Legitimate interests; compliance with legal obligations.
  • Session State Management: To maintain authenticated session state across interactions with the Service, enabling seamless user experience without repeated authentication. Legal Basis: Performance of contract; legitimate interests.
  • Service Analytics and Improvement: To analyze aggregated, anonymized usage data for purposes of optimizing Service performance, identifying technical issues, and improving user experience. Legal Basis: Legitimate interests.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests. Legal Basis: Compliance with legal obligations.

The Company does not process personal information for purposes incompatible with the foregoing, nor does the Company engage in automated decision-making or profiling that produces legal or similarly significant effects on data subjects.

5. Electronic Communications

By providing your telephone number or email address in connection with Account registration or authentication, you expressly consent to receive electronic communications from the Company as described herein. The Company is committed to transparency regarding its communication practices.

5.1 Scope and Purpose of Communications

Electronic communications transmitted by the Company are strictly limited to the following categories:

  • One-time passcodes (OTPs) and verification codes necessary to complete authentication and access the Service;
  • Security notifications pertaining to your Account, including alerts regarding unauthorized access attempts, credential changes, or suspicious activity; and
  • Critical service announcements that materially affect the availability or functionality of the Service.

Exclusions: The Company does not transmit marketing communications, promotional materials, advertising content, newsletters, or any communications unrelated to authentication, security, or critical service functionality without separate, affirmative consent.

5.2 Message Frequency and Carrier Charges

The frequency of communications is contingent upon your authentication activity. Messages are transmitted exclusively upon User-initiated login attempts or in response to security events requiring immediate notification. The Company does not engage in recurring automated messaging programs. Standard message and data rates imposed by your wireless carrier or internet service provider may apply; the Company assumes no responsibility for such charges.

5.3 Revocation of Consent; Opt-Out Mechanisms

You may revoke your consent to receive electronic communications at any time through the following mechanisms:

  • SMS Communications: Transmit the keyword "STOP" in reply to any SMS message. A single confirmation message will be sent acknowledging your opt-out request. For assistance, transmit "HELP" or contact the Company at the address provided in Section 13.
  • Email Communications: Utilize the unsubscribe mechanism included in any email communication, or submit a written opt-out request to the Company.
  • Account Settings: Modify your communication preferences through the Account settings interface, where available.

Consequences of Opt-Out: You acknowledge that revocation of consent may materially impair or preclude your ability to access features requiring authentication via SMS or email, including Account login. The Company disclaims liability for any loss of access resulting from your opt-out election.

6. Cookies and Tracking Technologies

The Company employs cookies and similar technologies in connection with the Service. This Section 6 describes the types of cookies used and your choices regarding their deployment.

  • Strictly Necessary Cookies: Session cookies essential for authentication, session management, and security functionality. These cookies are required for the Service to function and cannot be disabled without impairing core functionality.
  • Analytics Cookies: Cookies that collect anonymized, aggregated data regarding usage patterns and Service performance. Such cookies do not identify individual users and are used solely for service optimization.

Exclusions: The Company does not deploy cookies for behavioral advertising, cross-site tracking, retargeting, or any purpose unrelated to the provision of Identity Services and service analytics.

Your Choices: Most web browsers permit you to control cookie deployment through browser settings. You may configure your browser to reject cookies or alert you when cookies are being sent. However, disabling strictly necessary cookies will impair the functionality of the Service and may prevent authentication. The Company disclaims liability for any degradation of functionality resulting from your cookie configuration choices.

7. Third-Party Service Providers; Data Transfers

In connection with the provision of Identity Services, the Company engages certain third-party service providers ("Sub-processors") to perform specific functions on its behalf. The Company maintains written agreements with all Sub-processors that impose data protection obligations substantially similar to those set forth in this Policy.

  • Auth0, Inc. (Okta): Identity and access management platform providing authentication infrastructure. Auth0 processes email addresses and/or telephone numbers to facilitate secure user authentication. Auth0's data processing practices are governed by Auth0's Privacy Policy.
  • Twilio Inc.: Cloud communications platform providing SMS delivery services for transmission of one-time passcodes and security notifications. Twilio's data processing practices are governed by Twilio's Privacy Policy.

Sub-processors are authorized to process personal information solely to the extent necessary to perform the contracted services and are prohibited from using such information for any other purpose.

International Data Transfers: Sub-processors may process personal information in jurisdictions outside your country of residence, including the United States. Where such transfers occur, appropriate safeguards are implemented, including Standard Contractual Clauses approved by applicable data protection authorities, to ensure that personal information receives an adequate level of protection.

8. Data Security

The Company implements and maintains appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Such measures include, without limitation:

  • Encryption of data in transit using Transport Layer Security (TLS) protocols;
  • Encryption of sensitive data at rest;
  • Access controls limiting personnel access to personal information on a need-to-know basis;
  • Regular security assessments and vulnerability testing; and
  • Engagement of third-party authentication providers (Auth0) that maintain SOC 2 Type II certification and employ industry-leading security practices.

Notwithstanding the foregoing, no method of transmission over the Internet or electronic storage is completely secure. While the Company strives to use commercially acceptable means to protect personal information, the Company cannot guarantee absolute security and expressly disclaims any warranty, express or implied, to that effect. You acknowledge that you provide personal information at your own risk.

9. Data Retention

The Company retains personal information only for so long as necessary to fulfill the purposes for which it was collected, as described in this Policy, or as required to comply with applicable legal obligations, resolve disputes, and enforce agreements.

Active Accounts: Personal information associated with your Account is retained for the duration of your Account's existence and for a reasonable period thereafter to facilitate Account recovery, should you choose to reactivate.

Account Deletion: Upon receipt of a valid Account deletion request, the Company shall delete or anonymize your personal information within thirty (30) calendar days, except to the extent retention is required: (a) to comply with applicable laws, regulations, or legal process; (b) to enforce the Company's agreements; (c) to resolve disputes; or (d) for legitimate business purposes such as fraud prevention and security.

Anonymized Data: Aggregated, anonymized data that does not identify individual users may be retained indefinitely for analytics and service improvement purposes.

10. Data Subject Rights

Subject to applicable law and certain limitations, you may exercise the following rights with respect to your personal information:

  • Right of Access: You may request confirmation as to whether the Company processes your personal information, and if so, request access to such information along with supplementary details regarding processing activities.
  • Right to Rectification: You may request correction of inaccurate personal information or completion of incomplete information.
  • Right to Erasure: You may request deletion of your personal information in certain circumstances, including where processing is no longer necessary for the purposes collected.
  • Right to Restriction: You may request restriction of processing in certain circumstances, such as while accuracy of information is being verified.
  • Right to Data Portability: You may request receipt of your personal information in a structured, commonly used, machine-readable format, and request transmission to another controller where technically feasible.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw such consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right to Opt-Out: You may opt out of electronic communications as described in Section 5.3.

Exercising Your Rights: To exercise any of the foregoing rights, please submit a verifiable request to the Company using the contact information provided in Section 13. The Company will respond to verified requests within the timeframes required by applicable law.

Non-Discrimination: The Company will not discriminate against you for exercising any of your privacy rights.

11. Children's Privacy

The Service is not directed to, and the Company does not knowingly collect personal information from, children under the age of thirteen (13) years, or such higher age as may be specified under applicable law (e.g., sixteen (16) years under GDPR for certain processing activities).

If the Company becomes aware that it has collected personal information from a child under the applicable age threshold without verifiable parental consent, the Company will take commercially reasonable steps to delete such information promptly. If you believe that the Company has collected personal information from a child in violation of applicable law, please contact the Company immediately using the information provided in Section 13.

Parents or legal guardians who believe their child has provided personal information to the Company may exercise their rights on behalf of such child by contacting the Company as described herein.

12. Modifications to This Policy

The Company reserves the right to modify, amend, or update this Policy at any time in its sole discretion. In the event of material changes to this Policy, the Company will provide notice by: (a) updating the "Effective Date" at the top of this Policy; (b) posting the revised Policy on the Service; and (c) where required by applicable law, providing additional notice such as email notification or in-app messaging.

Your continued use of the Service following the posting of a revised Policy constitutes your acknowledgment and acceptance of such changes. If you do not agree to the revised Policy, you must discontinue use of the Service.

The Company encourages you to review this Policy periodically to remain informed about our data practices. The Policy version currently in effect shall govern the Company's processing of your personal information.

13. Contact Information; Data Protection Inquiries

For questions, concerns, or complaints regarding this Policy, our data practices, or to exercise your data subject rights, please contact the Company at:

Xylophone

Privacy Inquiries: privacy@xylophonexyz.com

SMS Assistance: Reply HELP to any SMS message

Website: xylophonexyz.com

The Company will endeavor to respond to all legitimate inquiries within a reasonable timeframe and in accordance with applicable law.

Supervisory Authority: If you are located in the European Economic Area or United Kingdom, you have the right to lodge a complaint with your local data protection supervisory authority if you believe that the Company's processing of your personal information violates applicable law.