Privacy Policy

Last updated: June 2026

www.xicover.com and Xisun Inc. ("we", "our", or "us") respect your privacy. This policy describes how we collect, use, and protect your personal information when you use our website and services.

Information We Collect

We collect information you provide directly, such as name, email, phone number, ZIP code, age, gender, and smoking status when you request a quote or contact us. We also collect usage data and cookies as described in our Cookie Policy.

If you choose to sign in with Google or voluntarily connect YouTube, TikTok, Instagram, or Facebook accounts to publish marketing videos, we receive and store OAuth access tokens (and refresh tokens where applicable) only within the scope you authorize. See "Social Media OAuth Tokens" below.

How We Use Your Information

We use your information to provide insurance quotes, connect you with licensed advisors, improve our services, and comply with legal obligations. We do not sell your personal information to third parties.

Information Sharing

We may share your information with licensed insurance brokers and carriers to fulfill your quote requests. We require these partners to protect your information and use it only for the purposes we specify.

Your Rights

You may request access, correction, or deletion of your personal information. California residents have additional rights under the CCPA. See our Do Not Sell page for opt-out options.

Contact

For privacy questions or requests regarding OAuth token access or deletion, contact cs@xisun.io. We will respond within the timeframes required by applicable law.

Social Media OAuth Tokens

This section describes how we handle OAuth tokens (access credentials and refresh credentials) when you authorize us to publish to third-party social platforms and when you sign in with Google.

1. What we collect and when. (a) Member sign-in: If you use Google OAuth to sign in to www.xicover.com, Google may provide access and refresh tokens (where applicable) to maintain your session, along with identifier information you have made available through your Google account (such as name, email, and profile image). (b) Social publishing authorization: If you voluntarily connect a YouTube, TikTok, Instagram, or Facebook account through the member center or an authorized administrative workflow, we receive access tokens, refresh tokens (if the platform issues them), and platform account identifiers (such as channel or Page IDs) only after you expressly consent on that platform’s OAuth consent screen. We never ask for your social media account password.

2. Purposes (use limitation). We use OAuth tokens solely to provide features you request, including: (i) maintaining or refreshing your sign-in session; (ii) uploading, publishing, or managing marketing videos and related metadata (titles, descriptions, etc.) that you generate through our platform and elect to publish through your connected account; (iii) prompting you to re-authorize when tokens expire; and (iv) security monitoring, troubleshooting, and legal compliance as necessary. We do not sell, rent, or use OAuth tokens for cross-context behavioral advertising or any purpose unrelated to this policy.

3. Storage and security (encryption). Access tokens, refresh tokens, and (where applicable) browser-session credentials used for social publishing are encrypted at the application layer with AES-256-GCM before being written to our database. The encryption key (SOCIAL_TOKEN_ENC_KEY) is stored only in production server environment variables, isolated from application source code and public repositories, and is not exposed in the front end or routine logs. Data in transit is protected with TLS/HTTPS. Tokens associated with Google sign-in are stored in protected database account records consistent with industry authentication practices. Role-based internal access controls limit which systems and personnel can access decrypted tokens.

4. Retention. We retain OAuth tokens only as long as needed for the purposes above, that is, while the connection remains active and the token is valid and has not been revoked by the platform. When you disconnect, delete your account, we reasonably determine that authorization has ended, or law requires deletion, we delete or irreversibly clear the token fields. Historical publishing records (without active tokens) may be retained longer where required for legal or operational needs.

5. Deletion and revocation. You may stop our use of tokens by: (a) using “Disconnect” or equivalent controls in the member center social account settings—we will delete the corresponding database record and encrypted tokens; (b) emailing cs@xisun.io with your registered email and the platform to disconnect—we will verify your identity before fulfilling access/deletion requests; (c) revoking our app in your Google, YouTube, or Meta account security or connected-apps settings—revocation may prevent further publishing on our side, and you should still use (a) or (b) to confirm deletion on our systems. When a member account is closed or deleted, broker-linked social bindings cascade-delete with the user record where applicable.

6. Sharing and third parties. We do not sell or rent OAuth tokens. To perform publishing you request, our servers transmit decrypted tokens to the relevant platform APIs (such as Google/YouTube, TikTok, or Meta) only as needed to execute your instructions; those transfers are governed by each platform’s terms and privacy policies. Infrastructure providers (such as database or storage hosts) process data only under contract and may not use your tokens for their own marketing.

7. Your rights. In addition to the rights described elsewhere in this policy, you may request information about whether we hold your OAuth tokens, request deletion or restriction of processing, and exercise rights under applicable privacy laws (including the CCPA for California residents) by contacting cs@xisun.io.