Privacy Policy
At Xgrowkit, your privacy is important to us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal information.
1. Who We Are
Xgrowkit operates the website at https://xgrowkit.com and the application at https://app.xgrowkit.com. We are the data controller for the personal information collected through our Service. If you have any questions about this policy, contact us at hello@xgrowkit.com.
2. Information We Collect
We collect the following categories of information:
2.1 Information you provide directly
- Email address — when you join the waitlist or create an account
- Account credentials — managed securely via our authentication provider
- Billing information — collected and processed by our payment provider (Polar.sh). We do not store credit card numbers on our servers.
2.2 Information from X (Twitter)
When you connect your X account via OAuth 2.0, we access:
- Your X user ID and display name
- Your recent public posts (for voice profile generation)
- Basic analytics data for posts published through our Service
- Your X OAuth access and refresh tokens (encrypted at rest)
We do not access your direct messages, contacts, follower/following lists, or any data beyond what is necessary for the Service.
2.3 Usage and technical data
- Pages visited and features used within the app
- Device type, browser, and operating system
- IP address and approximate location (country/region level)
- Referral source (how you found Xgrowkit)
- Error logs and crash reports
2.4 Content you create
- Posts and drafts you create or approve within Xgrowkit
- Your voice profile data (derived from your X post history)
- Scheduling preferences and posting slots
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service
- Generate AI content drafts based on your personal voice profile
- Publish posts to your X account as scheduled by you
- Send you your waitlist confirmation and launch notification email
- Process payments and manage your subscription
- Provide customer support and respond to your enquiries
- Monitor and analyze usage to improve the Service
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not use your data to train general AI models. Your post history is used solely to generate content suggestions for your own account within the Service.
We do not sell your personal data to third parties. We do not use your data for advertising purposes.
4. Data Security and Encryption
Security is a core part of how Xgrowkit is built. We implement the following measures to protect your data:
- AES-256-GCM encryption at rest — all sensitive fields, including OAuth tokens and credentials, are encrypted using AES-256-GCM before being stored in our database. This is the same standard used by financial institutions and government systems.
- TLS encryption in transit — all data transferred between your browser and our servers is encrypted via HTTPS/TLS.
- Minimum data collection — we collect only what is needed to provide the Service. We do not collect or store your X password.
- OAuth 2.0 authentication — X account access is handled via OAuth 2.0, meaning we never see or store your X login credentials.
- Access controls — internal access to production data is restricted, logged, and audited.
Despite these measures, no system is perfectly secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable data protection laws.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data — retained until you delete your account
- Waitlist data — retained until you unsubscribe or request deletion
- X OAuth tokens — deleted within 24 hours of revoking access or deleting your account
- Post content and drafts — retained until you delete them or your account
- Analytics data — retained for up to 24 months for trend analysis, then aggregated or deleted
- Billing records — retained for 7 years as required by financial regulations
6. Sharing Your Information
We do not sell, trade, or rent your personal data. We share data only with the following third-party service providers, strictly to operate the Service:
- Supabase — database and authentication infrastructure
- Polar.sh — payment processing and subscription management
- Resend — transactional email delivery (waitlist confirmation, launch notifications)
- Vercel — hosting and infrastructure
- X (Twitter) — the platform we publish your content to on your behalf
Each provider processes data only as necessary to provide their service to us and is bound by their own privacy and security obligations.
We may also disclose your information if required to do so by law, court order, or to protect the rights and safety of Xgrowkit, our users, or the public.
7. Cookies and Tracking
We use minimal cookies necessary for the Service to function:
- Session cookies — to keep you logged in during a session
- Authentication cookies — to maintain your login state securely
- Analytics — we use privacy-friendly analytics (Google Analytics 4 and Umami) to understand aggregate usage patterns. This data is anonymized and not linked to individual users.
We do not use advertising cookies, tracking pixels, or third-party remarketing cookies.
8. Your Rights
You have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data ("right to be forgotten")
- Portability — request your data in a structured, machine-readable format
- Objection — object to processing of your data in certain circumstances
- Withdrawal of consent — withdraw consent where processing is based on consent
To exercise any of these rights, email us at hello@xgrowkit.com. We will respond within 30 days. We may need to verify your identity before processing your request.
9. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected such data, please contact us at hello@xgrowkit.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
We encourage you to review this policy periodically to stay informed about how we protect your information.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Xgrowkit
Email: hello@xgrowkit.com
Website: https://xgrowkit.com
We aim to respond to all privacy-related enquiries within 5 business days.