Privacy Policy
1. Who we are
Xlift ("we", "us") is operated by [LEGAL ENTITY NAME], registered at [BUSINESS ADDRESS]. You can reach us at [CONTACT EMAIL] for any privacy question.
This policy covers the Xlift Chrome extension, our website at xlift.ai, our backend API, and the dashboard.
2. What we collect
Account information
- Identity: email, name, profile picture (from your Google sign-in or what you provide on signup).
- Connection keys: long-lived API keys the dashboard generates so the extension can talk to our backend on your behalf.
X (Twitter) account data
When you connect an X account, the extension reads from your active X session and we store:
- Your X handle, display name, and avatar URL — so you can pick which account to act as.
- Your X session cookies / auth token, encrypted at rest and only used to perform the actions you ask Xlift to take. We never share these with third parties.
- Conversations, replies, and DMs you draft, send, or schedule through Xlift, plus the contextual messages we read to generate suggestions.
Brand profile
What you teach Xlift about your brand: tagline, description, value proposition, audience, voice/tone preferences, sample posts, topics to engage with or avoid, hard rules, and the offer/link you want us to promote. All editable and deletable from the Brand Profile screen.
Activity and history
Actions performed through Xlift (replies sent, DMs delivered, posts scheduled), timestamps, and outcomes, so you can audit what we did on your behalf and so we can prevent rate-limit accidents.
Payment information
Plan, subscription state, and billing history. We do not store your credit card. Card data is handled directly by Stripe; we only see a payment-method token and the last four digits.
Technical data
Standard logs — IP address, browser/extension version, request timestamps, error traces — kept for security, debugging, and abuse prevention. No tracking cookies, no third-party analytics on the marketing site beyond what is disclosed in Section 7.
3. How we use your data
- Run the product: connect to your X accounts and perform the actions you initiate.
- Generate AI replies and posts matched to your voice and rules (see Section 5).
- Bill you via Stripe, and provide customer support.
- Security and rate-limit safety — we use activity history to keep accounts under safe usage caps and to detect abuse.
- Product improvement — we look at aggregated usage to decide what to build next. Brand profiles, drafts, and message content are not used to train any external model.
4. Legal basis (GDPR)
If you are in the EU/UK, our legal bases are:
- Contract — to provide Xlift to you.
- Legitimate interest — security, fraud prevention, product analytics in aggregate.
- Consent — for anything we ask you to opt in to explicitly.
- Legal obligation — tax, accounting, and law-enforcement requests.
5. AI processing
To generate reply and DM suggestions, your brand profile and the relevant conversation context are sent to Google Gemini (gemini-2.5-flash). Google processes these requests under its own terms and does not use Gemini API inputs to train its models (per Google's API data-use policy as of [DATE]).
You can supply your own Gemini API key in Settings → AI provider. When you do, your requests are billed to your Google account and use your project's privacy posture. We strongly recommend this for any sensitive use.
We never send your X session cookies or auth tokens to any AI provider.
6. Subprocessors
The third parties we share data with, strictly to provide Xlift:
- Google Cloud / Firebase (Firestore, Authentication) — storage and identity. Region: [REGION].
- Google Gemini API — AI generation (see Section 5).
- Stripe — payment processing. Card data never touches our servers.
- Railway — application hosting.
- Apify — public X content scraping (no auth data shared).
We don't sell or rent your data to anyone, ever.
7. Cookies and tracking
The Xlift website (xlift.ai) uses only essential cookies needed for the dashboard session. We do not run third-party advertising, retargeting pixels, or behavioral analytics.
The Chrome extension uses chrome.storage.local on your machine to remember your sign-in, brand profile, settings, and history. This data never leaves your device unless an explicit sync action sends it to our backend.
8. Data retention
- Active accounts: we keep your data as long as your account is active.
- Closed accounts: within 30 days of account deletion we erase your brand profile, X session cookies, activity history, and personal identifiers. We may keep aggregated, anonymized usage data and minimal billing records (legally required) for up to 7 years.
- Logs: 30 days for application logs, 1 year for security and audit logs.
9. Your rights
Regardless of where you live, you can:
- Access the data we hold about you.
- Correct anything inaccurate.
- Export your brand profile and activity history.
- Delete your account and all associated data.
- Object to or restrict certain processing.
- Withdraw consent where we relied on it.
To exercise any of these, email [CONTACT EMAIL]. We respond within 30 days.
EU/UK residents can also lodge a complaint with their data protection authority. California residents have the rights described under the CCPA, including the right to know and the right to delete; we do not "sell" personal information as that term is defined.
10. Security
X session cookies are encrypted at rest using a key held only by our backend. API access requires authenticated keys. Stripe handles all card data on PCI-DSS-compliant infrastructure. Even so, no system is perfectly secure — please use a strong account password and notify us immediately at [CONTACT EMAIL] if you suspect your access has been compromised.
11. International transfers
Our backend runs on Railway in [REGION]; our subprocessors (Google, Stripe) operate globally. If you are in the EEA/UK, transfers outside your region are protected by Standard Contractual Clauses or equivalent mechanisms.
12. Children
Xlift is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we'll delete it.
13. Changes to this policy
We'll post material changes here with a new "Last updated" date and notify active users by email at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance.
14. Contact
Privacy questions: [CONTACT EMAIL]
Postal: [BUSINESS ADDRESS]