Privacy Policy
Last updated: March 1, 2026
- We collect only what's needed to provide the service
- We never sell your personal data
- We only process public Twitter/X data — no DMs or private accounts
- You can delete your data anytime
- We use strong encryption and security practices
1. Information We Collect
We collect information in the following categories:
Account Information: Name, email address, company name, and billing details when you create an account.
Usage Data: API call logs, endpoints accessed, request timestamps, IP addresses, and error rates. This helps us improve performance and detect abuse.
Device & Browser Data: Browser type, operating system, device identifiers, and referring URLs collected automatically through standard web technologies.
Payment Information: Credit card details are processed by our payment provider (Stripe) and are never stored on our servers.
2. How We Use Your Information
We use collected information to:
- •Provide, maintain, and improve the Services
- •Process payments and manage subscriptions
- •Monitor API usage and enforce rate limits
- •Send transactional emails (billing, security alerts, service updates)
- •Detect and prevent fraud, abuse, and security threats
- •Generate anonymized, aggregated analytics
- •Comply with legal obligations
We do NOT use your data to:
- •Sell personal information to third parties
- •Create advertising profiles
- •Train AI models on individual user data
3. Data We Process from Twitter/X
XCROP processes publicly available data from Twitter/X, including:
- •Public tweets, retweets, and quote tweets
- •Public user profiles and follower counts
- •Engagement metrics (likes, replies, retweets)
- •Trending topics and hashtags
We do NOT access:
- •Private messages or DMs
- •Protected/private accounts
- •Deleted content (removed from our systems within 24 hours)
- •Non-public user information
4. Data Sharing & Third Parties
We share data only in these limited circumstances:
- •Service Providers: Stripe (payment processing), Resend (transactional email), Vercel (hosting), and PostgreSQL database providers — all bound by data processing agreements
- •Legal Requirements: When required by law, subpoena, or court order
- •Business Transfers: In the event of merger, acquisition, or asset sale
- •With Your Consent: When you explicitly authorize sharing
We never sell your personal data to advertisers, data brokers, or other third parties.
5. Data Security
We implement industry-standard security measures:
- •TLS 1.3 encryption for all data in transit
- •AES-256-GCM encryption for sensitive data at rest (credentials, tokens)
- •API keys stored as salted bcrypt hashes
- •Database access restricted by role-based permissions and network firewalls
- •Regular security audits, dependency scanning, and vulnerability assessments
- •Automated monitoring, alerting, and incident response procedures
No system is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. Report security vulnerabilities to [email protected].
6. Data Retention
We retain data according to these policies:
- •Account data: Retained while your account is active + 30 days after deletion
- •API logs: Retained for 90 days, then anonymized
- •Billing records: Retained for 7 years per legal requirements
- •Aggregated analytics: Retained indefinitely (non-personal)
You can request data deletion at any time through your dashboard or by contacting support.
7. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you have the right to:
- •Access: Request a copy of your personal data
- •Rectification: Correct inaccurate or incomplete data
- •Deletion: Request deletion of your personal data ("right to be forgotten")
- •Portability: Receive your data in a machine-readable format
- •Restriction: Limit how we process your data
- •Objection: Object to certain types of processing
- •Opt-out: Opt out of non-essential communications
To exercise these rights, email [email protected] or use the settings in your dashboard. We respond within 30 days.
8. Cookies & Tracking
We use minimal cookies:
- •Essential cookies: Session management, authentication (required)
- •Analytics cookies: Anonymous usage patterns via privacy-respecting analytics (optional)
We do NOT use:
- •Third-party advertising cookies
- •Cross-site tracking pixels
- •Browser fingerprinting
You can manage cookie preferences through your browser settings.
9. International Data Transfers
XCROP is based in the United States. If you access our Services from outside the US, your data may be transferred to and processed in the US.
For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection for international transfers.
10. Children's Privacy
The Services are not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without verified parental consent, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via:
- •Email notification to registered users
- •Dashboard banner notification
- •Updated "Last updated" date on this page
Continued use of the Services after changes constitutes acceptance.
12. Contact Us
For privacy-related inquiries:
- •Email: [email protected]
- •Data Protection Officer: [email protected]
- •Address: XCROP Inc., Wilmington, Delaware, USA
For EU users, you also have the right to lodge a complaint with your local Data Protection Authority.