
Privacy Policy

Last Updated: October 12, 2025

At X Commenter AI ("we", "our", or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome extension and website.

By using X Commenter AI, you agree to the collection and use of information in accordance with this policy.

Information We Collect

1. Authentication Information

When you sign in with your X (Twitter) account, we collect:

  • X username and display name
  • Profile picture URL
  • X user ID
  • OAuth access tokens (encrypted and stored securely)

Note: We never see or store your X password. You enter it only on X's own sign-in page; X then returns OAuth 1.0a access tokens to us, and those tokens are what we store and use on your behalf.

2. Tweet Content

When you use our service to generate comments, we temporarily process the tweet text to create AI-powered responses. This content is:

  • Sent to our API for processing
  • Forwarded to OpenAI API for comment generation
  • Not permanently stored on our servers
  • Not used for training AI models

3. Usage Information

We collect usage statistics including:

  • Number of comments generated (for rate limiting)
  • Daily, weekly, and monthly usage counts
  • Timestamp of requests
  • Subscription tier information

This helps us enforce rate limits and prevent abuse.

4. Technical Information

Automatically collected when you use our service:

  • Browser type and version
  • Extension version
  • Error logs and diagnostics
  • IP address (for security and rate limiting)

How We Use Your Information

✨ Provide Our Service

Generate AI-powered comments based on tweet content you select

🔐 Authentication

Verify your identity and maintain your session

📊 Usage Tracking

Monitor usage to enforce rate limits (10/day free, 100/day premium)

🛡️ Security & Fraud Prevention

Detect and prevent abuse, spam, and unauthorized access

💬 Customer Support

Respond to your questions, requests, and feedback

📈 Service Improvement

Analyze usage patterns to improve features and performance

Data Storage & Security

🔒 How We Protect Your Data

  • Encryption: OAuth tokens encrypted with AES-256-GCM
  • Secure Storage: Data stored in PostgreSQL database on Railway with encryption at rest
  • HTTPS: All communication is encrypted in transit with TLS
  • Token Expiration: OAuth tokens expire and rotate automatically
  • Redis Cache: Temporary session data expires after 10 minutes
  • Access Control: Strict access controls and authentication

📍 Where We Store Data

  • Chrome Local Storage: JWT tokens and user preferences (device only)
  • Railway PostgreSQL: User accounts, usage statistics, subscription info
  • Railway Redis: Temporary OAuth tokens used during the sign-in handshake (10-minute TTL)
  • Location: United States (Railway servers)

Third-Party Services

We use the following third-party services:

🤖 OpenAI API

Used to generate AI-powered comments. Tweet content is sent to OpenAI for processing.

Privacy Policy: openai.com/privacy

🐦 X (Twitter) API

Used for OAuth authentication. We never see your X password.

Privacy Policy: twitter.com/privacy

🚂 Railway

Infrastructure provider hosting our database and API.

Privacy Policy: railway.app/legal/privacy

⚠️ Important Note:

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

Data Retention

  • Account Data: Retained while your account is active
  • Usage Statistics: Retained for rate limiting and analytics
  • OAuth Tokens: Stored until you sign out or revoke access
  • Session Data: Automatically deleted after 10 minutes (Redis TTL)
  • Tweet Content: Not permanently stored; processed and discarded

When you delete your account, we will delete or anonymize your personal information within 30 days.

Your Privacy Rights

You have the right to:

Access Your Data: Request a copy of the personal information we hold about you
Correct Your Data: Update or correct inaccurate information
Delete Your Data: Request deletion of your account and personal information
Revoke Access: Disconnect your X account anytime via X's app settings
Export Your Data: Request a machine-readable copy of your data
Object to Processing: Opt-out of certain data processing activities

To exercise any of these rights, contact us at support@xcommenter.com

Cookies & Tracking

Our extension uses Chrome's local storage (not cookies) to store:

  • JWT authentication tokens
  • User preferences (persona selection)
  • Extension settings

This data is stored locally on your device and can be cleared by uninstalling the extension or clearing Chrome's extension data.

Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date at the top
  • Notifying you via the extension (for major changes)

Continued use of our service after changes constitutes acceptance of the updated Privacy Policy.

International Users

Our servers are located in the United States. If you are accessing our service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

By using our service, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Privacy Policy and U.S. law.

GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), you have additional rights under GDPR:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time

Legal Basis for Processing: We process your data based on:

  • Consent: You provide consent when signing in
  • Contract Performance: Processing necessary to provide our service
  • Legitimate Interests: Fraud prevention, security, service improvement

CCPA Compliance (California Users)

If you are a California resident, you have additional rights under CCPA:

  • Right to know what personal information we collect
  • Right to know if we sell or disclose your personal information
  • Right to opt-out of the sale of personal information
  • Right to deletion of personal information
  • Right to non-discrimination for exercising CCPA rights

✓ We Do Not Sell Your Data

We do not sell personal information as defined by CCPA. We do not share personal information with third parties for monetary compensation.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at support@xcommenter.com.

We will respond to your inquiry within 30 days.

Summary

  • ✓ We collect only necessary data to provide our service
  • ✓ We encrypt and protect your OAuth tokens
  • ✓ We do NOT sell your data
  • ✓ You can delete your account anytime
  • ✓ We use OpenAI to generate comments (tweet content is sent to their API)
  • ✓ We comply with GDPR and CCPA regulations

This privacy policy was last updated on October 12, 2025