4.2 Mi Account
4.2.1 Introduction
Mi Account is a general authentication and authorization service provided by Xiaomi.
With Mi Account, you can log in and access Xiaomi's products and services, such as the MIUI system on your smartphone, Mi Store, Mi Home, Xiaomi Cloud, Mi Pay, etc. Once you log in to a Xiaomi mobile phone with your Mi Account, the device will be associated with your account to provide you with better service and support. Mi Account also supports the OAuth 2.0 protocol, which allows you to use other companies' apps that are integrated with Xiaomi's ecosystem, e.g. Mi Band and Yeelight devices.
Mi Account is designed to protect your privacy and security. We are diligent in collecting only the data that is necessary to provide you with the best possible experience. We also adopt standard industry practices to protect the security of your account, such as two-factor authentication.
Mi Account is available in all markets.
4.2.2 Data Inventory
Category | Type | Identification Qualifier | Purpose | Data Encryption In-transit | Data Encryption At-rest | Data Retention |
---|---|---|---|---|---|---|
Identifiers | Mi Account ID | Identified | App Functionality | HTTPS | Plain | Per user's request |
Identifiers | Android ID | Identified | App Functionality | HTTPS | SHA-1 | Per user's request |
Contact Info | Email Address | Identified | App Functionality | HTTPS | AES-128 | Per user's request |
Contact Info | Phone Number | Identified | App Functionality | HTTPS | AES-128 | Per user's request |
Contact Info | Country | Identified | App Functionality | HTTPS | Plain | Per user's request |
Usage Data | Product Interaction | Pseudonymized¹ | App Functionality | HTTPS | Not stored | N/A |
Other Data | Profile Data (nickname, profile photo, gender) | Identified | App Functionality | HTTPS | Plain | Per user's request |
Other Data | Device Model | Identified | App Functionality | HTTPS | Plain | Per user's request |
Other Data | Accelerometer Data and Network Information | Pseudonymized | App Functionality | HTTPS | Not stored | N/A |
Other Data | Account Passwords | Identified | App Functionality | HTTPS | Compound encryption with secret password and salt per account | Per user's request |
Note 1: Pseudonymized means that the data is not linked with users. If data is linked with an app-instance-level identifier or a random identifier, such as a Firebase Instance ID or a random ID, it will be classified as pseudonymized. We follow the Best practices for unique identifiers to create and use unique identifiers.
4.2.3 Data Collection and Usage
1) Account Registration and Login
Mi Account can be accessed in two ways:
- System settings in the smartphone: go to Settings > Mi Account
- Mi Account website: go to https://account.xiaomi.com
To create a Mi Account, we require you to provide your phone number or email address and a password, and may also request that you select your country or region, which determines where your data is stored in Mi Account. After you create a Mi Account, you are assigned a unique Mi Account ID, and the data is encrypted on our server.
When you log in to a Xiaomi smartphone with your Mi Account, that device will be directly linked to it. You can view and manage the smartphones that are linked to your account on the "Manage devices" tab.
2) Account Profile
In addition to basic account information, such as your phone number or email address and password, you have the option to add more personal details to your account profile. This includes a nickname, profile photo, and gender. For security purposes, we may also require you to set up a recovery phone number or email, in case you forget your password.
3) Security Status Check
We have implemented standard industry practices to help enhance the security level of your account.
Login Environment Check
When you log in to MIUI using your Mi Account, we collect the hashed Android ID, IP address, and device model to ensure that you are accessing your account in a secure environment. This is particularly important when you log in from a new device or location, which may pose a higher risk. In such cases, we will send a verification code to your phone or email to confirm your identity. If you have enabled 2-step verification, we will push a confirmation dialogue to your other devices instead of sending a verification code.
Human-Machine Check
To verify whether a login request is from a human or a robot, we collect accelerometer data and network environment data in your vicinity. This information is not associated with your identity and is deleted after the verification process is completed. If the results are inconclusive, we may use Google reCAPTCHA for additional verification. reCAPTCHA is subject to the Google Privacy Policy and Terms of Use.
4) OAuth 2.0 Authorization
Mi Account supports the OAuth 2.0 protocol, allowing you to log in to third-party products or services using a generated UnionID to represent you. This UnionID is a unique string of numbers, letters, and symbols. When you use this method to log in, we only share your UnionID, profile photo, and nickname with the service provider. Each service provider receives a different UnionID, ensuring your privacy and preventing tracking. You can manage authorizations in the "Accounts & Permissions" tab.
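The per-provider identifier described above can be illustrated with a keyed derivation. This is an added example, not Xiaomi's implementation: the page does not state how a UnionID is generated, so the HMAC-SHA256 construction, the key, the field names and the sample account are all assumptions.

```python
import base64
import hashlib
import hmac

# Assumption: a provider-side secret that relying parties never see.
# Constructed value for the example; a real service keeps it in a KMS/HSM.
PAIRWISE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Constructed sample account; field names are hypothetical.
SAMPLE_ACCOUNT = {
    "account_id": "1000001",
    "email": "user@example.com",
    "phone": "+10000000000",
    "nickname": "sample-user",
    "profile_photo": "https://example.com/p/1000001.png",
}


def pairwise_id(account_id: str, client_id: str, key: bytes = PAIRWISE_KEY) -> str:
    """Derive a stable identifier for one account as seen by one client.

    Each field is length-prefixed so that ("12", "3abc") and ("123", "abc")
    cannot produce the same HMAC input.
    """
    parts = (client_id.encode(), account_id.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def can_link(id_a: str, id_b: str) -> bool:
    """What two service providers can do together: compare the IDs they hold."""
    return hmac.compare_digest(id_a, id_b)


def userinfo_response(account: dict, client_id: str) -> dict:
    """Release only the three fields the page says are shared."""
    return {
        "union_id": pairwise_id(account["account_id"], client_id),
        "nickname": account["nickname"],
        "profile_photo": account["profile_photo"],
    }
```

The identifier stays stable for a given provider across logins, while two providers comparing notes find no common value to join on. A shared nickname or profile photo can still correlate users, which is why those fields are worth reviewing separately.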
To learn more about how Mi Account collects and processes your personal information, see Mi Account Privacy Policy.
4.2.4 Manage Your Privacy
1) Access and Correct Your Data in Mi Account
Mi Account gives you an easy way to access and correct the data you have provided to Xiaomi:
- You can edit your profile data on the Personal Info tab.
- The Mi Account Help Center lets you: (i) reset your passwords; (ii) change your recovery phone number; (iii) freeze or unfreeze an account; or (iv) block or unblock an account.
- If you want to change the country of your account, you can submit your request in Privacy Support.
2) Delete Your Account
Your Mi Account can be deleted via the Privacy tab.
Once an account is deleted, all the data linked to the account will be deleted or anonymized. In most cases, the data will be deleted. If we choose to anonymize the data, the processed data cannot be re-linked to you, nor will we try to do so.
4.2.5 Conclusion
Privacy and security protections continue to be the primary goals of product design at Xiaomi. The following privacy principles are deeply integrated into Mi Account:
- Provide transparency and control over Mi Account data.
- Consider security when designing Mi Account.
- Minimize the amount of data collected by Mi Account.