xiboplayerxiboplayer
CA

Privacy policy

Short version. The xiboplayer software itself does not phone home, has no telemetry, and sends no data to us. This page covers the limited data we collect through the project website and our communications channels.

Effective date: 2026-04-15. Last updated: 2026-04-15.

Who we are

The xiboplayer open-source project ("xiboplayer", "we", "us") — AGPL-3.0-or-later licensed, based in Catalonia (European Union).

ContactAddress
General / privacy questionshello@xiboplayer.org
Security disclosuressecurity@xiboplayer.org
Source codegithub.com/xibo-players
Websitexiboplayer.org

PGP keys for both mailboxes are on the Security page.

What this policy covers

This policy applies to:

  • The website at xiboplayer.org and its subdomains (www, dl, images)
  • Direct correspondence with project maintainers (email)
  • Contributions and discussions on our GitHub organisation (github.com/xibo-players)

This policy does not cover:

  • The open-source xiboplayer player software once you've installed it. The player operates entirely between your device and your own digital signage CMS — no traffic flows to us, ever.
  • Third-party Xibo CMS instances (those have their own operators and policies).
  • Third-party services you choose to use alongside xiboplayer (the Xibo CMS, Cloudflare R2 if you self-host, etc).

What we collect, why, and for how long

When you visit the website

We use server logs for security and operational purposes. These are kept for 30 days and contain:

  • IP address (truncated after 24 hours)
  • User-Agent header
  • Requested URL
  • Response status + size
  • HTTP referrer

Logs are stored on our server in the European Union (Frankfurt). They are never sold, shared, or used for tracking across sites.

We do not use:

  • Third-party analytics (no Google Analytics, no Facebook Pixel, no Hotjar)
  • Advertising trackers
  • Marketing cookies
  • Cross-site tracking of any kind

A first-party cookie is set only to remember your light/dark mode preference if you change it. No personal data, no tracking ID.

When you submit the demo form

If you fill in the demo-request form on /demo we collect:

  • Your name
  • Your email address
  • Your company name (optional)
  • Approximate display count (optional)
  • Your free-text message

We use this only to reply to your enquiry. We do not add you to any mailing list, do not share with third parties, and do not retain the data after the conversation has reached a natural end (typically deleted within 12 months of the last reply).

When you email us directly

We retain email correspondence for as long as the project relationship is active. You can request deletion at any time.

When you participate on GitHub

GitHub Issues, Discussions, and Pull Requests on github.com/xibo-players/* are public, and your participation there is governed by GitHub's privacy policy. We do not capture additional data beyond what GitHub displays publicly.

When you download a package

Package downloads from dl.xiboplayer.org produce server log entries (see "When you visit the website" above). The download itself happens over a CDN (Cloudflare R2 — see Cloudflare's data processing addendum).

Vulnerability reports

If you submit a vulnerability report to security@xiboplayer.org, we keep the correspondence indefinitely as part of our security record. You can request that personal identifiers be redacted from public advisories.

Legal basis (GDPR Art. 6)

  • Server logs: legitimate interest in operating and securing the website (Art. 6(1)(f))
  • Demo form: pre-contractual measures at your request (Art. 6(1)(b))
  • Email correspondence: legitimate interest + consent (Art. 6(1)(a)/(f))
  • GitHub interactions: governed by your GitHub account, GitHub is the controller for that platform

Data sharing

We do not sell, rent, or trade your personal data. We share it only with:

  • Our hosting provider — Hetzner (Germany, Frankfurt) for the website + email
  • Cloudflare — CDN for downloads and DNS, processor under our DPA
  • GitHub — when you interact via GitHub (you've already consented to GitHub's terms)

That is the complete list.

International transfers

We host in the European Union by default (Frankfurt primary, Madrid secondary). The CDN (Cloudflare) and GitHub may process data in other jurisdictions including the United States. We rely on EU Standard Contractual Clauses + the EU-US Data Privacy Framework adequacy decision for those transfers.

Your rights under GDPR

You can:

  • Access the data we hold about you
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Port your data to another provider
  • Withdraw consent at any time
  • Complain to a competent data protection authority — for project-related processing in Catalonia, you can address APDCAT for matters within its competence, or AEPD for matters under its competence; or to your own national data protection authority if you reside elsewhere in the EU

To exercise any of these rights, email hello@xiboplayer.org. We will respond within 30 days.

Data we don't have

Because of how the project is built, there are categories of data we structurally cannot collect even if asked:

  • Which CMS your xiboplayer installation talks to
  • What content your displays show
  • How many displays you operate
  • When your displays come online or go offline
  • Anything about end users who watch your displays

The player communicates only with the CMS you configure. We never see that traffic.

Cookies

We set one first-party cookie:

CookiePurposeLifetime
xp-color-modeRemember your light/dark mode choice1 year

That's it. No analytics cookies, no advertising cookies, no third-party cookies set by our site.

Children

The project is not directed at children under 16. We do not knowingly collect personal data from children.

Changes to this policy

If we make material changes, we will update the "Last updated" date at the top of this page and announce significant changes via the project blog and hello@xiboplayer.org. The previous version is preserved in the project's git history for transparency.

Contact

PurposeAddress
Privacy questions / data-subject requestshello@xiboplayer.org
Security disclosuressecurity@xiboplayer.org (see Security page)
General contactGitHub Discussions

PGP keys for both addresses are listed on the Security page.