Legal
Xinglet-specific terms and privacy. Last updated May 11, 2026.
Xinglet is an Excelano application. Use of xinglet.com is governed by the Excelano Master Terms and Privacy Statement, together with the xinglet-specific provisions below. The xinglet-specific provisions control where they conflict with the master.
Xinglet Terms
1. The service
Xinglet lets registered users create individual web pages ("xinglets"), edit them in a code editor, preview them in a sandboxed frame, share them with other users or invited email addresses, and download the resulting HTML file. Each xinglet is a single HTML document. The service is currently provided free of charge and is in active development.
2. Accounts
To create or edit xinglets, you must register an account. Registration requires a working email address, which is verified by a confirmation link before the account becomes active. You may sign in using a password you set or using your Microsoft account (personal Microsoft accounts and work or school accounts both work). You are responsible for keeping your credentials secure and for activity that occurs under your account. Notify Excelano promptly at the address in the Contact section if you suspect unauthorized access.
3. Your content
You retain all rights in the HTML content you create in your xinglets ("Your Content"). By using the service, you grant Excelano a limited, non-exclusive, royalty-free license to host, store, copy, transmit, and display Your Content solely for the purpose of operating the service, including delivering Your Content to viewers you have authorized through the sharing controls. This license ends when Your Content is removed from the service, except for residual copies that may persist in backups for a reasonable period.
You are responsible for Your Content. Do not include in a xinglet anything you do not have the right to publish, anything that infringes another person's rights, or anything you would not want others (including potential viewers you share to) to see. Do not store passwords, API keys, personal data of third parties, or other secrets in xinglet content. Xinglet content is HTML and runs as code; you are responsible for the consequences of what you choose to include.
4. Acceptable content
You agree not to use a xinglet to publish or transmit content that is illegal, infringing, defamatory, harassing, or invasive of another's privacy; that contains malware, exploits, or code designed to harm users or other systems; that is sexual content involving minors; that is intended to deceive users (phishing, impersonation, fraudulent solicitation); or that is bulk unsolicited content. Excelano may remove content and suspend or terminate accounts that violate this section, with or without notice.
5. How sharing works
Each xinglet has one creator. The creator may share with other users or with email addresses that do not yet have an account, granting one of three roles: creator (the original author; sharing rights), editor (may edit content), or viewer (may view only). When you share a xinglet to an email address, that email is stored as a pending invitation and is revealed to the invitee if they register an account at xinglet.com using that email. Authorized viewers can see Your Content; how they handle what they see is outside Excelano's control. The creator may revoke access at any time.
Shared xinglets are rendered in a sandboxed iframe with a null origin. This is a security measure for the viewer (the content runs without access to xinglet.com cookies or storage); it does not change the fact that you, as the creator, control what the viewer sees.
6. Service availability
Xinglet is provided without any service-level commitment. The service may be temporarily or permanently unavailable, may lose data, or may be discontinued. You should treat your xinglets as ephemeral and keep your own copies of anything you want to preserve. The Download button on the editor produces a standalone HTML file you can save locally.
7. Beta status
Xinglet is early-stage software. Features, data models, and URLs may change without notice. Bugs are expected. Feedback is welcome; see the Contact section.
8. Account termination and deletion
You may stop using xinglet.com at any time. To delete your account and associated data, send a request from the email address on the account to the address in the Contact section; deletion is currently handled manually and will be completed within a reasonable period. Excelano may suspend or terminate accounts that violate these Terms or the Acceptable Content section, or for operational reasons such as wind-down of the service.
9. Incorporation of master terms
The Excelano Master Terms (sections covering acceptable use, intellectual property, disclaimer of warranties, limitation of liability, indemnification, governing law, and miscellaneous provisions) are incorporated by reference and apply to your use of xinglet.com. In particular, the service is provided "as is" without warranty, and Excelano's liability for use of this free service is limited as described in the Master Terms.
Xinglet Privacy
1. Information stored when you register
When you create an account, the service stores: your email address (used as your login identifier and for service email); an optional full name if you provide one or it is supplied by Microsoft sign-in; a randomly generated user UUID; and timestamps for account creation and email verification. If you set a password, only a bcrypt hash of that password is stored, never the password itself. If you sign in with Microsoft, the service stores Microsoft's stable user identifier so that subsequent sign-ins recognize you; the service does not store Microsoft access or refresh tokens after the sign-in flow completes.
2. Information stored as you use the service
Each xinglet you create or edit is stored as an HTML document along with its title, a generated URL identifier, and creation and update timestamps. Sharing actions are stored as permission records linking your account (or an invited email address) to a xinglet with a role of creator, editor, or viewer. Email confirmation and password-reset tokens are stored as SHA-256 hashes, never as raw tokens, with short expirations (24 hours for confirmation, 1 hour for reset) and a consumed-at marker so each token can be used only once.
3. Session cookies
When you sign in, the service sets a session cookie named auth_sid. The cookie is HTTP-only, sent only over HTTPS in production, and used solely to keep you signed in. Signing out removes the session. No advertising, analytics, or tracking cookies are used.
4. Server logs
The web server records standard request data (IP address, timestamp, user-agent, requested URL, response status) for security and operational purposes. Application errors and selected security events are logged with limited context to allow diagnosis. Logs are retained for up to ninety (90) days.
5. Microsoft sign-in
If you choose to sign in with Microsoft, you are redirected to Microsoft to authenticate. Microsoft transmits to Excelano a verified email address, a display name (when available), and a stable user identifier. The flow uses OpenID Connect with PKCE; the ID token is verified using Microsoft's published signing keys. Your use of Microsoft sign-in is also subject to Microsoft's privacy policy at privacy.microsoft.com. Excelano does not request access to your calendar, mailbox, files, or other Microsoft resources.
6. Auto-linking
If you have an existing xinglet account using a password and later sign in with Microsoft using the same verified email, the service links the two so that they refer to the same account. This is the only condition under which sign-in methods are merged.
7. Transactional email
The service sends email for account confirmation, password reset, share notifications, and invitation notifications. Email is delivered via Resend (resend.com). When email is sent on your behalf or about your account, the recipient address and message contents are transmitted to Resend for delivery. Resend's privacy practices are described at resend.com/legal/privacy-policy.
8. What is not collected
Xinglet.com does not use third-party analytics, advertising trackers, social-network pixels, or session-replay services. The service does not sell user data and does not share user data with advertisers.
9. Visibility to other users
Email addresses you invite to a xinglet are visible to the recipient if they register and accept the share. Display names of users you share with may appear in the share-management view of a xinglet you co-own or co-edit. The content of a xinglet is visible to its creator, its editors, and its viewers, on whatever schedule the creator's sharing decisions establish.
10. Data retention and deletion
Account and xinglet records are retained until you delete your account or specifically request deletion. Soft-deleted records (flagged to_be_removed) are removed in a periodic cleanup. Backups may retain copies for a reasonable period after deletion. To delete your account and data, contact Excelano from the account's email address using the Contact section below.
11. Your rights
You may request that Excelano confirm what personal information is stored about you, export your xinglet content (the Download button in the editor exports each xinglet as a standalone HTML file), correct inaccurate information, or delete your account. See the Contact section.
12. Security
Xinglet.com is served over HTTPS. Passwords are stored as bcrypt hashes. Confirmation and reset tokens are stored hashed and expire after a short window. CSRF tokens are required on state-changing requests. User-supplied HTML is rendered exclusively inside a sandboxed iframe with a null origin so that it cannot read xinglet.com cookies, contact xinglet.com APIs from inside the frame, or be navigated by other origins. These measures reduce risk; they do not eliminate it. Do not store secrets or sensitive personal data of others inside a xinglet.
13. Children's privacy
Xinglet.com is not directed to children under the age of 13. Excelano does not knowingly collect personal information from children under 13. If you believe a child has registered an account, contact Excelano and the account will be removed.
14. International users
Excelano is based in the United States and data is processed there. If you access the service from outside the United States, your information is transferred to and processed in the United States.
15. Changes
This page may be updated. The "Last updated" date at the top reflects the current version. Material changes will be announced on the site or by email to registered users.
Contact
For legal, privacy, or account-deletion requests, contact Excelano at hello@excelano.com. See the master Excelano legal contact section for mailing details.