Privacy Policy

Effective: July 1, 2025 · Last updated: July 1, 2025

At Xgrowkit, your privacy is important to us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal information.

1. Who We Are

Xgrowkit operates the website at https://xgrowkit.com and the application at https://app.xgrowkit.com. We are the data controller for the personal information collected through our Service. If you have any questions about this policy, contact us at hello@xgrowkit.com.

2. Information We Collect

We collect the following categories of information:

2.1 Information you provide directly

  • Email address — when you join the waitlist or create an account
  • Account credentials — managed securely via our authentication provider
  • Billing information — collected and processed by our payment provider (Polar.sh). We do not store credit card numbers on our servers.

2.2 Information from X (Twitter)

When you connect your X account via OAuth 2.0, we access:

  • Your X user ID and display name
  • Your recent public posts (for voice profile generation)
  • Basic analytics data for posts published through our Service
  • Your X OAuth access and refresh tokens (encrypted at rest)

We do not access your direct messages, contacts, follower/following lists, or any data beyond what is necessary for the Service.

2.3 Usage and technical data

  • Pages visited and features used within the app
  • Device type, browser, and operating system
  • IP address and approximate location (country/region level)
  • Referral source (how you found Xgrowkit)
  • Error logs and crash reports

2.4 Content you create

  • Posts and drafts you create or approve within Xgrowkit
  • Your voice profile data (derived from your X post history)
  • Scheduling preferences and posting slots

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service
  • Generate AI content drafts based on your personal voice profile
  • Publish posts to your X account as scheduled by you
  • Send you your waitlist confirmation and launch notification email
  • Process payments and manage your subscription
  • Provide customer support and respond to your enquiries
  • Monitor and analyze usage to improve the Service
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your data to train general AI models. Your post history is used solely to generate content suggestions for your own account within the Service.

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

4. Data Security and Encryption

Security is a core part of how Xgrowkit is built. We implement the following measures to protect your data:

  • AES-256-GCM encryption at rest — all sensitive fields, including OAuth tokens and credentials, are encrypted using AES-256-GCM before being stored in our database. This is the same standard used by financial institutions and government systems.
  • TLS encryption in transit — all data transferred between your browser and our servers is encrypted via HTTPS/TLS.
  • Minimum data collection — we collect only what is needed to provide the Service. We do not collect or store your X password.
  • OAuth 2.0 authentication — X account access is handled via OAuth 2.0, meaning we never see or store your X login credentials.
  • Access controls — internal access to production data is restricted, logged, and audited.

Despite these measures, no system is perfectly secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable data protection laws.

  • AES-256-GCM encryption at rest
  • TLS for all data in transit
  • OAuth 2.0 — no passwords stored
  • Minimum necessary data only
  • Tokens never logged or exposed
  • No third-party data selling

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data — retained until you delete your account
  • Waitlist data — retained until you unsubscribe or request deletion
  • X OAuth tokens — deleted within 24 hours of revoking access or deleting your account
  • Post content and drafts — retained until you delete them or your account
  • Analytics data — retained for up to 24 months for trend analysis, then aggregated or deleted
  • Billing records — retained for 7 years as required by financial regulations

6. Sharing Your Information

We do not sell, trade, or rent your personal data. We share data only with the following third-party service providers, strictly to operate the Service:

  • Supabase — database and authentication infrastructure
  • Polar.sh — payment processing and subscription management
  • Resend — transactional email delivery (waitlist confirmation, launch notifications)
  • Vercel — hosting and infrastructure
  • X (Twitter) — the platform we publish your content to on your behalf

Each provider processes data only as necessary to provide their service to us and is bound by their own privacy and security obligations.

We may also disclose your information if required to do so by law, court order, or to protect the rights and safety of Xgrowkit, our users, or the public.

7. Cookies and Tracking

We use minimal cookies necessary for the Service to function:

  • Session cookies — to keep you logged in during a session
  • Authentication cookies — to maintain your login state securely
  • Analytics — we use privacy-friendly analytics (Google Analytics 4 and Umami) to understand aggregate usage patterns. This data is anonymized and not linked to individual users.

We do not use advertising cookies, tracking pixels, or third-party remarketing cookies.

8. Your Rights

You have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data ("right to be forgotten")
  • Portability — request your data in a structured, machine-readable format
  • Objection — object to processing of your data in certain circumstances
  • Withdrawal of consent — withdraw consent where processing is based on consent

To exercise any of these rights, email us at hello@xgrowkit.com. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected such data, please contact us at hello@xgrowkit.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

We encourage you to review this policy periodically to stay informed about how we protect your information.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Xgrowkit

Email: hello@xgrowkit.com

Website: https://xgrowkit.com

We aim to respond to all privacy-related enquiries within 5 business days.