Privacy Policy

Last updated: February 12, 2026

This Privacy Policy explains how X Engagement ("the Service", "we", "us") collects, stores, uses, and shares your information when you use our website at x-engagement.com and the X Engagement iOS app. By using the Service, you agree to the practices described below.

1. Data we collect

We collect the minimum data necessary to operate the Service. Here is what we collect and why:

X (Twitter) profile information

  • Your X user ID, username, display name, and profile image URL
  • Your profile bio (used for AI niche detection on signup)
  • Account metadata (account creation date, follower count) for quality gating

OAuth tokens

  • OAuth 2.0 access token and refresh token (used to perform actions on X on your behalf)
  • Token expiry timestamps

Your tweets

  • Recent tweets are fetched on signup for niche detection, and periodically (every 15 minutes) to auto-detect new posts to add to the engagement queue
  • We store tweet ID, text, and URL for queued posts only

Comments and engagement data

  • Comments you write through the platform
  • AI quality scores for each comment
  • Engagement history (which posts you engaged with, credits earned/spent, timestamps)

Subscription and billing

  • Subscription tier, status, and billing period dates
  • Stripe customer ID or Apple transaction ID (we do not store credit card numbers or payment details directly)

Technical data

  • Session cookies for authentication
  • iOS push notification device tokens (if you enable notifications)

2. Data we do not collect

  • Your X password (we use OAuth 2.0 with PKCE — we never see it)
  • Direct messages, private lists, or bookmarks
  • Contacts, phone number, or email address
  • Precise location or GPS data
  • Device identifiers, advertising IDs, or tracking cookies

3. How we store your data

  • All data is stored in a PostgreSQL database hosted by a trusted cloud provider with encryption at rest enabled.
  • OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before storage. They are decrypted only when needed to make X API calls on your behalf.
  • All communication between your device, our servers, and third-party APIs is encrypted in transit via HTTPS/TLS.
  • Credit operations use database transactions with row-level locking to prevent inconsistencies.
  • Session cookies are httpOnly, secure, and SameSite-protected.

4. How we use your data

  • Posting engagement: We use your OAuth tokens to post replies (comments) on X on your behalf when you submit an engagement.
  • Niche detection: Your bio and recent tweets are sent to our AI service to classify your content niche for better matching.
  • Post detection: We periodically fetch your recent tweets via the X API to auto-detect new posts for the engagement queue.
  • Quality scoring: Comments are evaluated by an AI quality gate before posting. Only the comment text and the target post context are sent — no personal information.
  • Credit tracking: We track credits earned and spent to operate the reciprocal engagement system.
  • Notifications: If enabled, we use your device token to send push notifications about engagement slots and credit updates.

5. Data sharing and third-party services

We do not sell, rent, or trade your personal data to advertisers, data brokers, or any third parties. We share data only with the following services, strictly as needed to operate the platform:

  • X (Twitter) API: To post replies, fetch your tweets, and read your profile — using the permissions you explicitly granted via OAuth.
  • OpenAI API: To score comment quality and optionally enhance comments. Only comment text and post context are sent — no personal identifiers, tokens, or profile data.
  • Stripe: For web payment processing. Stripe receives your payment details directly — we only store a Stripe customer ID reference.
  • Apple (App Store): For iOS in-app purchase processing. Apple manages payment details; we receive and verify transaction receipts.

6. Data retention

We retain your data for the following periods:

  • Account data (profile, niche, settings): Retained for as long as your account is active. Deleted permanently when you delete your account.
  • OAuth tokens: Retained while your account is active. Revoked and deleted when you log out, disconnect your X account, or delete your account.
  • Engagement history (comments, credits, engagement records): Retained for as long as your account is active. Deleted permanently on account deletion.
  • Queued posts: Posts automatically expire after 24 hours in the engagement queue. Expired post records are retained for analytics but can be purged on account deletion.
  • Subscription and billing records: Retained for as long as your account is active plus up to 12 months after account deletion for legal and accounting obligations.
  • Server logs: Application logs that may contain anonymized request data are retained for up to 30 days for debugging and security purposes. Logs never contain OAuth tokens, passwords, or PII.

7. Your rights

You have the following rights regarding your data:

  • Access: You can view your engagement history, credit balance, and profile data at any time from your dashboard and settings.
  • Correction: You can update your niche and notification preferences from your settings page.
  • Deletion: You can delete your account at any time from your account settings. All your data — including engagement history, credit balances, and stored OAuth tokens — will be permanently removed. See section 10 for details.
  • Revocation: You can revoke X Engagement's access to your X account at any time from your X account settings, independently of deleting your X Engagement account.
  • Data export: You can request a copy of your data by contacting us at support@x-engagement.com.

8. Lawful basis for processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following lawful bases as defined in Article 6 of the General Data Protection Regulation (GDPR):

Contract performance (Article 6(1)(b))

Processing necessary to perform the service you signed up for:

  • Creating and maintaining your account (storing your X profile data, niche classification, and credit balance)
  • Operating the reciprocal engagement system (matching posts, tracking credits earned/spent, delivering engagements)
  • Posting replies on X on your behalf when you submit an engagement through the platform
  • Auto-detecting your new posts via the X API to add them to the engagement queue
  • Managing your subscription (processing payments via Stripe or Apple, tracking subscription tier and billing periods)
  • Scoring comments through the AI quality gate to maintain platform quality standards

Consent (Article 6(1)(a))

Processing based on your explicit, freely given consent, which you may withdraw at any time:

  • Connecting your X account via OAuth 2.0 (you explicitly authorize access during the OAuth consent screen, and can revoke it at any time from your X settings)
  • Push notifications on iOS (you grant permission through the system prompt, and can disable them in device settings)
  • Email notifications (opt-in via your notification settings, and can be disabled at any time)
  • AI comment enhancement (opt-in per comment, with explicit approval before posting)
  • Non-essential cookies (managed through our cookie consent banner)

Legitimate interests (Article 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights and freedoms:

  • Security and fraud prevention: Detecting bot accounts, duplicate accounts, and suspicious engagement patterns to protect platform integrity
  • Account quality gating: Checking account age and follower count on signup to prevent abuse and maintain service quality
  • Abuse detection: Monitoring for spam comments, engagement velocity anomalies, and system gaming to protect all users
  • Service improvement: Aggregated, anonymized analytics (engagement volumes, algorithm effectiveness, supply/demand metrics) to improve matching quality

Legal obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations:

  • Retaining subscription and billing records for up to 12 months after account deletion for tax and accounting compliance
  • Responding to lawful data access requests from regulatory authorities

Withdrawing consent and exercising your rights

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent: revoke OAuth access from your X account settings, disable notifications in your device or app settings, or contact us at support@x-engagement.com. You also have the right to lodge a complaint with your local data protection supervisory authority.

9. California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights regarding your personal information.

We do not sell your personal information

X Engagement does not sell, and has never sold, your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. Because we do not sell or share your data in ways covered by the CCPA, there is no need to opt out — but we provide this disclosure for transparency.

Your rights under CCPA/CPRA

As a California resident, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and any third parties with whom we share it.
  • Delete: Request deletion of your personal information. You can do this directly from your account settings, or by contacting us.
  • Correct: Request correction of inaccurate personal information we hold about you.
  • Non-discrimination: Exercise any of these rights without receiving discriminatory treatment from us.

Categories of personal information collected

In the preceding 12 months, we have collected the following categories of personal information (as defined by the CCPA):

  • Identifiers: X user ID, username, display name (collected from X via OAuth)
  • Internet activity: Engagement history, comments written, posts queued, credit transactions (collected through use of the Service)
  • Commercial information: Subscription tier, billing period, payment provider references (collected from Stripe or Apple)

We do not collect sensitive personal information as defined by the CCPA.

How to exercise your rights

To submit a verifiable consumer request, email support@x-engagement.com with the subject line "CCPA Request". We will verify your identity by confirming ownership of the X account associated with your X Engagement account. We will respond within 45 days as required by law.

10. Account deletion

You can delete your account at any time from your account settings. When you delete your account:

  • Your OAuth tokens are revoked with X and permanently deleted from our database
  • Your profile, niche data, and notification preferences are permanently deleted
  • Your engagement history, credit balances, and credit transactions are permanently deleted
  • Your queued posts are removed from the engagement queue
  • Subscription and billing references may be retained for up to 12 months for legal and accounting purposes, after which they are purged
  • Comments you posted on X through the Service remain on X as they were posted from your own X account — we cannot remove them after posting

11. Children's privacy

The Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Service or by posting a notice on our website. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact

For privacy questions or data requests, email support@x-engagement.com.