XOMI AI Safety Rating Index

Safety Score 32 / 100
Score last updated: May 5, 2026
Last reviewed: May 5, 2026
v2

Score Breakdown

  • Data Privacy 36/100
  • Emotional Safety 41/100
  • Age Appropriateness 12/100
  • Content Safety 38/100
  • Transparency 36/100
  • User Control 48/100

Key Safety Findings

XOMI AI is an indie story-first companion app built by a single Vietnamese developer (legal entity NGO THANH XUYEN, registered at a residential address in Ho Chi Minh City). It launched quietly in early 2026 across iOS, Google Play, and the xomi.app web surface. Our review pulled from seven evidence sources collected on 2026-05-05: the published privacy policy and terms of service, both store listings with their privacy declarations, the Google Play Data Safety page, the xomi.app marketing site, and a Have I Been Pwned breach lookup. Two automated scans returned no data — Exodus Privacy 404’d because XOMI is too new to be indexed, and Blacklight was skipped because the in-product surface runs at chat.xomi.app rather than the marketing domain.

The single biggest finding is a documented gap between XOMI’s surfaces. The Google Play Data Safety page tells Android users that the app “doesn’t collect or share any user data.” The privacy policy at xomi.app/privacy lists email, hashed password, OAuth tokens, chat messages, device info, push notification tokens, analytics, and six third-party processors (Google Sign-In, Firebase Cloud Messaging, Resend, Amazon S3, Sentry, and the iOS and Play Store payment systems). The iOS App Privacy declaration agrees with the privacy policy: email, tracking identifiers, advertising-purpose Device ID, product interaction, crash data. Both can’t be true. Our read is that the Play Console entry is a developer oversight, not active deception, but the surface most Android users see first is wrong.

Age handling is the second hard gap. The Terms of Service set a 13-and-older floor with a parental-consent requirement for under-18s. The Play Store rates the app Teen (13+); the iOS App Store rates it 16+ for “Frequent Profanity or Crude Humor; Contains Advertising; Contains User-Generated Content.” There is no in-product age check, no parental-consent flow, no parental-control surface, and no documented multilingual moderation despite 10-language support that includes a Vietnamese folklore catalog with mature themes (revenge, affair, simulated-death rebirth narratives).

Counterweights kept the score off the floor. Have I Been Pwned shows zero known breaches for xomi.app. Android permissions are unusually tight (Camera, Microphone, network, Wake-lock — no location, contacts, SMS, or phone state). The privacy policy names no advertising partners or data brokers. There is no regulatory enforcement record at the FTC or in Vietnam. Account deletion permanently erases data, and an export-on-request mechanism is documented. The Terms of Service is in plain language and includes a clean disclosure that AI characters are fictional.

Pricing transparency is messy but not unsafe. The iOS in-app purchase listing prices XOMI Pro at $7.99/mo, while the Play Store and iOS description bodies advertise $4.99/mo. The binding price is whichever number the store’s purchase sheet shows at checkout. Public user reviews are absent from every surface checked — App Store, Play, Reddit, Trustpilot, X, YouTube, Quora, Product Hunt, AlternativeTo — which is why the experience score carries a low-confidence flag. The grade reflects an early-stage app whose paperwork is incomplete and inconsistent, not evidence of active harm.

How We Scored This

We scored XOMI AI using seven evidence sources collected on 2026-05-05:

  • XOMI’s own policy stack. The privacy policy and terms of service published at xomi.app, treated as the binding contractual surfaces.
  • App store declarations. The iOS App Store listing and its App Privacy nutrition label, the Google Play listing, and the Google Play Data Safety page — three independent surfaces that should agree with the privacy policy.
  • Operator records. The Play Store developer profile listing legal entity NGO THANH XUYEN at a residential address in Ho Chi Minh City, plus the published support contact.
  • Automated privacy and breach scans. A Have I Been Pwned domain breach lookup (zero breaches) and an attempted Exodus Privacy tracker scan (404 — app not yet indexed).
  • Public review surfaces. iOS, Google Play, Reddit, X, YouTube, Quora, Trustpilot, Product Hunt, and AlternativeTo. All returned zero XOMI-specific reviews.

The grade reflects floors hit on three sub-dimensions. Age verification and minor safeguards both bottomed out: the Terms allow 13-year-olds subject to parental consent that the app never checks for, and the Play Store’s Teen rating disagrees with the iOS 16+ rating on the same content. Safety transparency reporting also hit the floor — no published transparency report, no community guidelines, no incident disclosure. Data Collection Minimization and Third-Party Sharing scored just above the floor because the privacy policy names six processors and chat data while the Play Store Data Safety page declares “no data collected.” Therapeutic Claim Accuracy was the highest-scoring dimension because the Terms are explicit that AI characters are fictional and not professional advice.

This is version 1 of the XOMI AI safety score, last updated 2026-05-05. For the full methodology, see How We Rate.

Version History

Overall (initial score): 35 (Tier 1 — Direct testing)

Initial scoring from evidence using our standardized AI-assisted methodology. Editorial verification pending.