XC-ESC and its global affiliates value your privacy. This Privacy Policy (the “Policy”) explains how we collect, use, share, and protect your Personal Data when you use our (i) websites (“Sites”), (ii) devices (“Devices”), (iii) mobile or desktop software (“Applications”), or (iv) any other products, programs, or services we provide (together, the “Service”). New or additional features we launch are covered by this Policy unless we provide a separate notice.
We operate globally. Your Personal Data may be processed in the countries/regions where you use the Service and where we, our affiliates, or service providers operate, subject to Applicable Law. References to “xc-esc”, “we”, “us”, or “our” refer to the data controller identified in this Policy, including its affiliates involved in operating the Service. “You” refers to any individual whose Personal Data we process.

1. INTRODUCTION AND SCOPE

This Policy describes: (a) what we collect, (b) how we use it, (c) how we share it, and (d) your rights and choices (including under GDPR and U.S. state privacy laws; see Section 13). It does not cover anonymous, aggregated, or de-identified data unless it is linked back to you.

2. WHO WE ARE & DATA RESPONSIBILITY

We act as the “Controller” of your Personal Data (the entity that decides how and why your data is used). The primary controller responsible depends on the website or service you are using.

3. HOW TO CONTACT US

Your feedback and resolving complaints efficiently are important to us. If you have questions about your data rights:
Email: xcesc@xc-esc.com
Tel:(+86) 0755-22183636

4. PERSONAL DATA WE COLLECT

We collect only what we need to provide and improve the Service. We do not collect Social Security Numbers, biometric identifiers (e.g., fingerprints/facial templates), or health information as part of our standard Services, and we do not collect precise geolocation unless you enable a feature that requires it. If we need sensitive data for a specific feature or to meet legal obligations, we will provide additional notice and, where required, obtain your consent, and use it only for that purpose.

Categories

  • Identity Data: name/preferred name; usernames/display names; user ID; avatar/profile image (if provided); and, where required by law or for certain transactions, government-issued identifiers.
  • Contact Data: mailing address, email, phone, billing address.
  • Credentials & Settings: login credentials/tokens; account preferences and settings. Passwords are stored in hashed form.
  • Financial & Services Data: purchase, payment method type, transaction history, returns, warranty claims. Payments are processed by third-party payment providers (we generally do not store full card numbers).
  • Device & Content Data: device identifiers (e.g., serial number), firmware/app versions, crash/error logs; content you create/upload or that is generated/uploaded from your Device when you use enabled features (e.g., fire-detection photos).
  • Usage Data: pages/features used, time spent, interaction logs, referrers, and (where enabled) usage metadata for features such as chat and local networking (including WiFi).
  • Technical Identifiers: IP address (approximate location), browser/device details, time zone, server/request logs.
  • Profile Data: profile fields you choose to share (e.g., bio/interests).
  • Marketing & Communications Data: marketing preferences and related interactions.
  • Children: not directed to children; we do not knowingly collect children’s data; contact us to delete if collected.
  • Sensitive Data (“*”): processed only with stricter safeguards and, where required, consent.
  • Aggregated/de-identified data: may be used for analytics; treated as Personal Data if re-linked to you.

5. CONSEQUENCES OF NOT PROVIDING DATA

Where we need to process specific data either by law or under the terms of a contract (for example, fulfilling a physical shipping order or activating device software), and you fail to provide required fields, we may be unable to accept the order or fully activate features dependent on specific input (for example, warranty activation or verification of ID/serial-number mismatches). If active Services exist and required data is not provided or maintained, we may need to suspend or cancel affected Services where delivery becomes commercially unviable or impossible. We distinguish required (“Mandatory”) information from strictly voluntary (“Recommended only”) information at the point of collection.

6. METHODOLOGY FOR COLLECTION

We collect Personal Data from multiple sources:

  1. Direct Interactions (Information you give us): you enter data when creating/registering an account, subscribing to newsletters/alerts, requesting support or troubleshooting, providing feedback, signing agreements, or participating in competitions, surveys, or promotions. Such Personal Data may include Identity Data, Contact Data, Financial Data, Services Data, Profile Data, Content Data, Usage Data, Marketing and Communications Data, and/or Technical Data that you provide to us from time to time.
  2. Automated Technologies (Information collected via use): browsing and use of the Service generate technical data (for example through cookies, server logs, web beacons, pixels, embedded scripts, and standard mobile SDKs). We may also engage in behavioral tracking via cookies, web beacons, pixels, server logs, SDKs, and similar technologies. You can opt out of behavioral tracking at any time by enabling the “Do Not Track” (DNT) setting in your browser and/or by refusing cookies in your browser settings. If you disable cookies, certain features of the Services may not function properly.
  3. Data via Third Parties & Public Sources: where permitted by law, we may receive or enrich information from:
  • Linked Sign-on partners and providers: our Services may allow you to log in through a third-party social network or authentication service, such as Youtube, Apple, Google, and Facebook. When you use these single sign-on services, we do not receive your login credentials. Instead, we receive authentication tokens and any Personal Data you choose to share through the relevant third-party service (for example, Identity Data, Contact Data, and Profile Data, depending on your settings with that third party).
  • Analytics partners: such as Google Analytics and similar tools that provide aggregated reporting.

7. HOW WE USE YOUR PERSONAL DATA: PURPOSES & LEGAL BASES

We use Personal Data in accordance with applicable law. For transparency (including GDPR Article 13 / CCPA obligations), below are the main purposes for which we process Personal Data and the lawful basis we rely on:

  1. To Enable Service Functionality & Delivery (Contract Performance): we process Identity Data, Contact Data, Financial Data, and Services Data to fulfill our contract with you, including processing orders, payments, shipments, enabling device usage, and providing core software features. If you do not provide required data here, we may not be able to deliver products or full functionality.
  2. To Manage Relationship, Notifications, and Support (Contract or Legitimate Interests): we process Contact Data and Profile Data to notify you about changes to terms or products (including software updates and bug alerts) and to provide troubleshooting and customer support (including warranty and account issues).
  3. Operations: Security & Business Integrity (Legitimate Interests and sometimes Legal Obligation): we analyze Usage Data and Technical Identifiers to maintain systems, detect and prevent fraud and misuse, investigate violations of terms, and prevent automated traffic that may affect Service performance.
  4. Analysis (Growth) Improvement (Legitimate Interests; with privacy controls): we use analytics (often aggregated) to improve features and user experience, including models guiding Service logic, subject to applicable privacy controls and legal requirements.
  5. Marketing & Advertising Recommendations (Legitimate Interests or Consent): we may send newsletters, offers, or product recommendations. Where required, we rely on consent for certain marketing-related tracking. Where required, we rely on your consent for certain marketing-related tracking, and you can opt out at any time through the unsubscribe link in our promotional emails, via the “Cookie Settings” link, by enabling browser-based controls such as Do Not Track (DNT), or by contacting us. If you wish to completely deactivate or delete your account, please contact us in accordance with Section 3. For a fuller mapping of purposes, data categories, and legal bases, see Annex.

8. WHO WE SHARE WITH

To provide the Service and achieve the purposes described above, we may share Personal Data with authorized parties that need it.

  1. Structured Shared Network (Inter-company group transfers): for efficiency, data may flow among affiliated corporate organizations (“XC-ESC Entities”) worldwide for joint administrative and operational purposes, subject to appropriate confidentiality and safeguards.
  2. External Processors (Vendors): we use vendors under contractual obligations to protect Personal Data. Categories include:
    • Hosted Cloud/IT Platforms: hosting providers and IT tools supporting online store and Service functions.
    • Payment & Anti-fraud Processors: checkout facilitators and payment processors (including Stripe, Affirm, Afterpay, PayPal, and Google Pay) that process payments in accordance with applicable security standards.
    • Supply Chain Logistic Providers: warehouse and courier partners to deliver products, using the minimum contact and address details necessary for delivery.
    • Business Tools / Analytics: tools we use to manage communications and to assist us with user analytics (if you have not opted out) (for example, Google Analytics reporting suites ), subject to applicable law and your settings.
  3. By choosing to participate, you consent to the processing of your Personal Data as described in this Section, and you may withdraw your consent at any time. To deliver the services you request, we may share with the assigned Host the minimum necessary Personal Data (such as your name, contact details, booking information, and a brief description of your device or issue). Hosts are contractually required to process your Personal Data only on our documented instructions and within the agreed scope, to implement appropriate security measures, and to delete or return the data after completing the service or if you withdraw your consent. Hosts may use this data only to (i) contact you; (ii) perform the scheduled service: (iii) provide necessary post-service support; and (iv) limited marketing purposes related only to XC-ESC products or services (for example, relevant offers, recommendations, or purchase guidance). We take reasonable steps to select, contract with, and oversee these Hosts, but we are not liable for any unauthorized processing or breaches caused by a Host’s acts or omissions beyond our reasonable control, except to the extent that applicable data protection laws require us to remain responsible as the controller. Nothing in this paragraph limits any non-excludable rights you may have under such laws. While Hosts operate under our instructions, their local operating environments (for example, their own devices or premises) are not fully within XC-ESC’s direct technical control.
  4. Legal / Safety Imperatives: where required by law or necessary to protect rights, safety, and property, data may be disclosed to regulators, governmental tax authorities, law enforcement (valid court orders/warrants), or parties involved in corporate transactions (such as mergers or asset sales). We may disclose Personal Data to enforce or apply our terms (including for billing and collection purposes). If necessary, we may also disclose or exchange information with other companies and organizations for fraud protection and credit risk reduction, and to protect the rights, property, or safety of us, our customers, or others.
    Categories of Personal Data disclosed. The categories of Personal Data we may disclose include Identity Data, Contact Data, Financial Data, Services Data, Marketing and Communications Data, Profile Data, Usage Data, Technical Identifiers, Device Data, and Content Data, depending on the nature of the Service and the recipients described above.
    International Transfers: we may transfer data across borders, including outside the EEA/UK. Where required, we use safeguards recognized by relevant jurisdictions (such as Standard Contractual Clauses (“SCCs”) or equivalent mechanisms) to help ensure continued protection. You may request further information about the safeguards we use for international transfers by contacting us as set out in Section 3.
    Marketing / Ads Opt-outs: sharing with advertising networks (if applicable) typically depends on your cookie choices. See Section 12 for cookie controls and opt-out options.

9. DATA SECURITY

We use technical and organizational safeguards designed to protect Personal Data, including:

  • Pseudonymisation and encryption: removing direct identifiers from certain internal analysis datasets where appropriate; using encryption and other safeguards to protect Personal Data in transit and at rest.
  • Access controls: limiting access to personnel with a legitimate business need, under role-based controls.
  • Incident response: procedures to assess and notify relevant authorities and affected individuals where required by law.
  • Your responsibility: you are responsible for keeping your account credentials confidential and using strong passwords.

Public areas. If the Services include public or interactive areas (for example, forums or message boards), any information you submit there may be viewed by any user and should be treated as public.
Transmission over the internet. The transmission of information via the internet is not completely secure. While we use reasonable safeguards, we cannot guarantee the security of Personal Data transmitted to or through our Services; any transmission is at your own risk.

10. HOW LONG WE KEEP YOUR DATA

XC-ESC retains Personal Data only for the period necessary to provide you with XC-ESC Products or Services and for achieving XC-ESC’s legitimate and essential business purposes, such as making data-driven business decisions about new features and offerings, complying with our legal obligations, or resolving disputes.      We apply retention periods across the following key categories:

  • Data Retained until Request Us to Remove It. It’s your right to request that we delete certain of your personal information. For example, we will retain your Surveys, Research, and Promotions Data until you withdraw consent or opt-out to honor your preferences and comply with marketing regulations.
  • Legal / Admin / Tax Laws: sales transactional records (for example invoice history) may be retained for the minimum period required by applicable tax and accounting laws.
  • Legal defense windows: we retain necessary records for the duration of applicable statutes of limitations so we can establish, exercise, or defend legal rights if disputes arise.
  • Active utility period: certain technical and transient logs (for example crash logs) may be retained for shorter periods and deleted, anonymized, or otherwise securely destroyed when no longer needed, subject to legal requirements.

We will not keep your Personal Data longer than necessary for the purposes stated in this Policy. When it is no longer needed, we will delete it or irreversibly anonymize it unless a longer retention period is required by law.

11. YOUR RIGHTS & CONTROLS

Depending on your jurisdiction (for example EU/EEA, UK, or certain U.S. states), you may have rights regarding your Personal Data. We honor applicable rights unless an exception applies. You may have the right to request:

  • Access (“Right to Know”): confirmation of whether we process your Personal Data and, if so, a copy together with certain related information.
  • Correction / Rectification: correction of inaccurate or incomplete data.
  • Deletion (“Erasure”): deletion of Personal Data, subject to legal exceptions (for example required tax records or active warranty obligations).
  • Data Portability: where applicable, receive certain Personal Data in a structured, commonly used, machine-readable format and/or request transmission to another controller.
  • Restrict or Object to Processing: restriction of processing in certain circumstances or objection to certain processing, including direct marketing.
  • Withdraw Consent: where we rely on consent (for example optional cookies or certain uploads), you can withdraw consent at any time for future processing.
  • Automated decision-making: you have the right not to be subject to a decision based solely on automated processing (including profiling) where that decision produces legal effects concerning you or similarly significantly affects you, unless permitted under applicable law with appropriate safeguards. We do not rely on solely automated decisions producing such effects without providing a possibility of human review.
  • Lodge a Complaint: if you are in the EEA/UK, you may lodge a complaint with your local data protection supervisory authority

How to exercise your rights: contact us using the details in Section 3, or use self-service tools (such as delete-account functions) where available.

  • No fees usually required: requests are generally free, but we may charge a reasonable fee or refuse requests where permitted by law if they are manifestly unfounded or excessive.
  • Response time: we normally respond within one month (30 days) after verifying your identity. Where legally permitted, we may extend for complex requests (up to 60 days total) and will notify you.

12. COOKIES

We use cookies and similar technologies on our Sites and Applications to (i) operate core functions (such as account login, security, and checkout), (ii) measure performance and improve the Service, and (iii) where permitted by Applicable Law and your choices, support marketing and advertising.
Your choices. You can manage cookie preferences via the “Cookie Settings” link in the footer of our Sites (where available), and you may also use browser/device controls (including “Do Not Track” signals where supported). If you disable certain cookies, parts of the Service may not function properly.
Third-party technologies. Some third parties may place cookies/pixels/SDKs on our Sites or in our Applications to provide content, analytics, or advertising. Their use of these technologies is governed by their own policies. Where required, we provide cookie controls and honor opt-out mechanisms described in our Cookies Policy. “Our cookie list is maintained and published based on periodic scans of our Sites and Applications; please refer to our Cookies Banner for the up-to-date list.

13. ADDITIONAL REGIONAL STATE NOTICES

United States State Privacy Notice.
These disclosures supplement the main body of this Policy for residents of certain U.S. states (this “U.S. State Privacy Notice”). For details on how we collect, use, disclose, and otherwise process Personal Data, please read the main body of this Policy. Capitalized terms not defined here have the meanings given elsewhere in this Policy or under applicable U.S. state privacy laws (“State Privacy Laws”). If there is any conflict between this U.S. State Privacy Notice and the rest of this Policy, this U.S. State Privacy Notice controls only for covered U.S. state residents and their Personal Data.
Covered U.S. States. This U.S. State Privacy Notice applies to residents of the following states (as applicable, now or in the future): California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.
Nevada Residents. Nevada provides a limited right to opt out of certain sales of personal information. Although we do not currently “sell” Personal Data in a manner that triggers Nevada’s opt-out requirements, Nevada residents may submit an opt-out request using the contact details in Section 3.

Personal Data Disclosures, “Sales,” And Targeted Advertising

We disclose the categories of Personal Data we collect to the categories of recipients described in Section 8 (Who We Share With). In particular, we may disclose Identifiers (e.g., name, email address, online identifiers), Commercial/Transaction Information (e.g., purchases), Approximate Geolocation (e.g., derived from IP address), and Internet/Network Activity (e.g., device information, logs, analytics data) to advertising, marketing, and analytics partners (e.g., ad networks, agencies, social media networks) for advertising and measurement purposes, including direct marketing, subject to your choices and Applicable Law.

Under certain State Privacy Laws, these disclosures may be considered the “sale” of Personal Data or the “sharing”/processing of Personal Data for “targeted advertising” (also called cross-context behavioral advertising). You can opt out where required (see Sections 11–12 and “Your Additional U.S. Privacy Rights” below).
We do not sell the Personal Data of individuals we know to be under 16 years of age and we do not share such information for targeted advertising purposes.

Sensitive Personal Data

Certain data elements may be considered “Sensitive Personal Data” under some State Privacy Laws, such as account credentials (email address and password; passwords are stored in hashed form) and, where enabled, precise geolocation. Payment card details are generally collected and processed by our third-party payment providers.
We use or disclose Sensitive Personal Data only as reasonably necessary and proportionate to: provide the products and services you request; verify and improve our services; detect and prevent security incidents, fraud, and unlawful activity; ensure the physical safety of individuals; perform services on behalf of the business; and for short-term, transient use. We do not use Sensitive Personal Data to infer characteristics about you, and we do not sell Sensitive Personal Data or share it for targeted advertising.
Depending on your state of residency and subject to legal limitations, you may be able to limit or control our processing of Sensitive Personal Data.

De-Identified Information

We may create or receive de-identified information that cannot reasonably be linked to an individual or household. Where we maintain de-identified information, we keep it in de-identified form and do not attempt to re-identify it except as permitted or required by law.

Automated Decision-Making And Profiling

We do not conduct automated processing of Personal Data for decisions that produce legal or similarly significant effects. As a result, we do not provide a right to opt out of such decision-making under State Privacy Laws.

Your Additional U.S. Privacy Rights

Depending on your state of residency and subject to legal limitations and exceptions, you may have the right to:

  • Know/Access: confirm whether we process Personal Data about you and access it; in some states, receive additional details about our processing (including categories collected, sources, purposes, disclosures, and whether we “sell”/“share” for targeted advertising).
  • Portability: receive a portable copy of certain Personal Data where required by law.
  • Correction: correct inaccuracies in your Personal Data.
  • Deletion: request deletion of your Personal Data (subject to exceptions such as legal compliance, security, fraud prevention, and completing transactions).
  • Opt-out of targeted advertising: direct us not to use/share Personal Data for targeted advertising, where applicable.
  • Opt-out of “sales”: direct us not to “sell” Personal Data as defined by applicable law.
  • Control of Sensitive Personal Data: in some states, limit certain processing of Sensitive Personal Data.

EEA/UK Privacy Supplement If you are located in the EEA, the UK, or Switzerland, this Section supplements the Policy.

If there is any conflict, this Section prevails for those jurisdictions. Where GDPR/UK GDPR applies, our legal bases include performance of a contract, legal obligation, legitimate interests, and consent (see Section 7 and Annex). Where we rely on legitimate interests, you may object as described in Section 11. International transfers: where we transfer Personal Data outside the EEA/UK, we use lawful transfer mechanisms such as adequacy decisions and Standard Contractual Clauses (or equivalent mechanisms), as applicable. You may also have the right not to receive retaliatory or discriminatory treatment for exercising these rights, subject to Applicable Law.

14. UPDATES & CHANGES

Technologies and laws evolve. If we make material changes that reduce protections or materially affect your rights, we will provide prominent notice where required (for example by email or account notices) before changes take effect. Minor administrative or clarifying changes may be effective upon posting. We encourage you to review this Policy periodically by checking the “Last updated” date above.