Privacy Policy
Last updated: 2026-01-01.
In plain English: We collect what we need to run the service (your email, X tokens, usage counters). Tokens are AES-256-GCM encrypted. We don't sell data. On the marketing site we use limited third-party analytics (Google Analytics, Ahrefs) to understand traffic. We use one first-party cookie to keep you logged in on the app.
What we collect
- Account info — email, password (hashed with scrypt + per-user salt), display name.
- X account credentials — auth tokens and proxy strings you connect. Stored AES-256-GCM encrypted at rest.
- Usage — per-slot daily counters, module run history, system logs (no message bodies in long-term storage).
- Payments — handled by our payment processor. We retain transaction IDs and amounts; we never see card numbers.
- Server logs — standard request logs (IP, user-agent, path, response code) retained for ≤30 days for abuse detection.
- Marketing analytics — aggregate page views and traffic sources on the public website via Google Analytics 4 and Ahrefs (not applied to encrypted X tokens or private module payloads).
What we don’t collect
- We don't read your X DMs or private content beyond what is needed to execute the modules you've enabled.
- We don't share data with third parties for advertising. Period.
- We don't sell, rent, or trade your data.
How we use it
- To operate the service (run your modules, show your dashboard).
- To bill you and enforce plan limits.
- To detect abuse, prevent attacks, and respond to support requests.
- To send transactional email (account confirmation, password reset, plan expiry).
Sharing
We share data only with the minimum set of vendors needed to run the service:
- Hosting / database provider.
- Email delivery provider (transactional email).
- Payment processor.
- Analytics providers on the public marketing site (Google Analytics, Ahrefs) — page views and aggregate traffic metrics, not your X account tokens or module content.
Your rights (GDPR / CCPA)
You can request:
- A copy of your data (data export).
- Correction of inaccurate data.
- Deletion of your account (we retain billing records as required by law, typically 6 years).
- Withdrawal of consent for non-essential processing.
Email requests to [email protected].
Cookies
On the app (panel) we use a first-party session cookie (HttpOnly, SameSite=Strict) to keep you logged in.
On the public marketing site we also load Google Analytics 4 (G-BMVH69SWC2) and Ahrefs Analytics. These may set or read cookies / local storage identifiers to measure visits, referrers, and page performance. We do not use them to serve ads. You can block them via browser settings or extensions; core product functionality does not depend on them.
Data retention
- Account data — kept while your account is active, deleted on request.
- Usage counters and logs — auto-purged after 30 days.
- Billing records — retained as required by law (typically 6 years).
Security
X auth tokens and proxy credentials are AES-256-GCM encrypted at rest. Passwords are scrypt-hashed with a per-user salt. Session cookies are HttpOnly + SameSite=Strict. We use HTTPS throughout. See Security docs for details.
Contact
Privacy questions: [email protected] or Contact.