5.4 Mi Push

MiPush provides developers with message-pushing services to client applications in real time by establishing a long, stable and reliable connection between the cloud server and the client.

MiPush supports notification bar messages and pass-through messages and also provides two message delivery channels: API and the Push Operation Platform. MiPushSDK supports Android, iOS clients*, and mainstream server languages, which can help developers better meet complex business needs according to their business logic.

*Note: No longer supports new application access, only supports existing applications

5.4.1 Developer Privacy Compliance Requirements

Mi protects the personal information of end users by regulating developers through the MiPush Technology Terms of Service and MiPush Technology Service Data Protection Appendix:

• Developers must agree to MiPush collecting, storing, using, disclosing and protecting personal information in accordance with Xiaomi Privacy Policy when using MiPush services.

• Developers must develop and publish their privacy policies and obtain the consent of end users. Moreover, the standards under such policies must be no lower than the privacy protection standards of MiPush.

• Xiaomi strongly recommends that developers include the key provisions from Xiaomi Privacy Policy in their product privacy policies for end users to ensure that end users agree to MiPush services collecting and using their data. Developers must not use MiPush services without end-user consent.

• Xiaomi requires developers to comply with all laws, regulations, policies and industry standards applicable to MiPush services and which concern end users' personal information.

5.4.2 Device Identification Method

MiPush does not use the device identifier (e.g., IMEI) directly to identify the device, but processes the user's personal information through technical methods such as de-identification. MiPush hashes the three device identification parameters (device identifier, serial number and Android ID) on the device and uploads the generated string to the server. The server maps the to a randomly generated ID which is returned to the client. MiPush uses this random ID as the unique identifier of the device.

MiPush also collects country codes to detect whether a device is located in a different area. The combination of the field and the device identifier is only used to determine the database cluster to which the device should be connected.

5.4.3 Data Minimization

MiPush is only used as a message channel and does not extract or use the contents of the message, user behaviour or preferences. MiPush's original data, intermediate data and statistical results is not be provided to Xiaomi's partners, nor will such partners be allowed to access the data in any form. MiPush only provides developers with background statistics including time and message dimensions, excluding any personal user information.

5.4.4 Data Transmission Security

When the mobile App initiates a registration request to the MiPush server for the first time, the device's information (the device identification field is irreversibly hashed) will be sent to the server, and the server will then return the random ID and message content key. HTTPS is used to encrypt the data in transit during this process.

MiPush services require developers to use the encrypted HTTPS channel to send the message content to the server. Communication between various server modules is encrypted using the AES-128 algorithm. After the message is encrypted by a symmetric encryption algorithm, the ciphertext is pushed to the device through AES-128 encrypted channel established between the server and the device, to achieve double encryption.

5.4.5 Data Deletion

Once the message is successfully delivered, the message content will be deleted from the server. If the message is not delivered due to abnormal circumstances, the server will keep the message content for seven days. MiPush services provide developers with a user data deletion interface that can be invoked to delete the MiPush registration information of the App. If the device is not connected to the network within 90 days, the message content related to the device will also be deleted from the server. If the developer stops accessing MiPush services or requests to stop the push services, Xiaomi will delete all relevant App information according to the developer's instructions.