Privacy Policy
Last updated: February 18, 2026
1. Who we are
XCraft ("we", "us", "our") is operated by George Kal. Our application is available at app.xcraft.app and our marketing site at xcraft.app. For privacy-related questions, contact us at [email protected].
2. What data we collect
When you use XCraft, we collect the following data:
Account and profile data
- Your X (Twitter) username, display name, profile picture, and verified status, obtained through X OAuth 2.0 sign-in
- Your email address (from your X account)
- Profile fields you provide: bio, target audience, topics, and voice description
Content and usage data
- Posts and replies you create, schedule, or draft within XCraft
- Your historical X posts (fetched for voice analysis and performance insights)
- News sources and RSS feeds you follow
- AI generation and posting usage counts
Authentication tokens
- X OAuth 2.0 access and refresh tokens, used to post on your behalf and read your post history. These are stored securely in our database and never exposed to your browser directly
Payment data
- We store your Polar customer ID and subscription ID for billing purposes. Payment card details are processed and stored exclusively by Polar (our payment processor) and never touch our servers
3. How we use your data
- Voice analysis. Your post history and writing style are analyzed to build a voice profile so AI-generated content matches your tone and style
- Content generation. Your voice profile, selected news context, and example posts are sent to AI model providers to generate drafts in your voice
- Posting and scheduling. Your X OAuth tokens are used to publish posts, replies, and scheduled content to X on your behalf
- Performance insights. Your post engagement data is analyzed to provide actionable growth recommendations
- Billing and quotas. Usage counters track AI generations and posts to enforce plan limits
4. Third-party services
We share data with the following third-party services as necessary to operate XCraft:
AI model providers
- OpenRouter (openrouter.ai): Your voice profile, content context, and example posts are sent to generate AI drafts. OpenRouter routes requests to various language model providers (such as MiniMax, OpenAI, Anthropic, Google, and others depending on your model selection). See OpenRouter's privacy policy
- Notion AI (optional): If you configure Notion as your AI provider, prompts are sent through Notion's inference API using your own Notion credentials
X (Twitter) platform
- X API v2: Used to publish posts and replies on your behalf using your OAuth tokens
- twitterapi.io: Used server-side to search public tweets and fetch your post history for analysis. Your X OAuth tokens are never shared with this service
Analytics
- Umami (umami.is): Privacy-focused web analytics for our marketing site. Self-hosted on Hetzner in Frankfurt, Germany. Umami does not use cookies, does not collect IP addresses or personal data, and is fully GDPR-compliant without requiring a cookie consent banner. See Umami's privacy information
Media storage
- Cloudflare R2: When you schedule posts with media attachments, uploaded images are temporarily stored on Cloudflare R2 (EU region) until the post is published to X. Media files are automatically deleted after publishing. See Cloudflare's privacy policy
Payment processing
- Polar (polar.sh): Handles subscription billing as our Merchant of Record. Polar processes payments, manages invoices, and handles refunds. See Polar's privacy policy
5. Where your data is stored
Our application servers and database are hosted in the European Union. Your data is stored and processed within EU infrastructure.
When you use AI generation features, your prompts are transmitted to third-party AI providers whose servers may be located outside the EU. Only the data necessary for generation (voice profile, content context, and example posts) is transmitted.
6. Cookies and local storage
XCraft does not use tracking cookies or advertising pixels. No cookie consent banner is required.
Our marketing site (xcraft.app) uses Umami, a privacy-focused, GDPR-compliant analytics tool. Umami does not use cookies, does not collect personal data, and does not track users across sites. It only records anonymous, aggregated page view and event data. Our Umami instance is self-hosted on Hetzner in Frankfurt, Germany (EU).
We use browser localStorage to store your theme preference (dark/light mode) and a local copy of your settings for faster loading. This data never leaves your browser.
Our marketing site is hosted on Cloudflare Pages, which may set minimal functional cookies as part of its CDN infrastructure.
7. Data retention
We retain your data for as long as your account is active. Cached data (such as fetched tweets and trending results) is periodically refreshed, and older entries are replaced.
If you wish to have your data deleted, contact us at [email protected] and we will remove your account and associated data within 30 days.
8. Your rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Withdraw consent for data processing
To exercise any of these rights, contact us at [email protected].
9. Security
We take reasonable measures to protect your data, including:
- All connections use HTTPS encryption
- OAuth tokens are stored server-side and never exposed to the browser
- API keys for third-party services are kept server-side only
- Database access is enforced with row-level security so users can only access their own data
10. Children
XCraft is not intended for anyone under the age of 16. We do not knowingly collect data from children.
11. Changes to this policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of XCraft after changes constitutes acceptance of the updated policy.
12. Contact
For any questions about this Privacy Policy or your data, contact us at [email protected].