Privacy Policy

Legal Disclaimer: This Privacy Policy should be reviewed by a legal professional before production use to ensure compliance with GDPR, CCPA, and other applicable privacy regulations in your jurisdiction.

Last updated: 12/28/2025

1. Introduction

X Trust Radar ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our trust verification service for X (formerly Twitter) accounts.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use our Service, we collect:

  • Email Address: Required for account authentication via magic links. We use Supabase for authentication, which handles email delivery.
  • Account Information: Your user ID, account creation date, and credit balance are stored in our database.
  • Payment Information: Payment card details are processed securely through Stripe. We do not store or have access to your full payment card numbers, CVV codes, or expiration dates. Stripe handles all payment processing in compliance with PCI DSS standards.
  • Communication Data: If you contact us via email or support channels, we collect the content of your communications and contact information.

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

  • IP Addresses: We track IP addresses to enforce free lookup limits (3 per hour per IP). IP addresses are stored in server memory only and are cleared on server restart. They are not persisted to our database long-term.
  • Usage Data: We track which usernames you verify, when verifications occur, and whether cached or fresh data was used. This helps us improve service performance and prevent abuse.
  • Device and Browser Information: We may collect information about your device, browser type, and operating system for security and compatibility purposes.
  • Session Data: We use cookies and session storage to maintain your authentication state and preserve search results during your session.

2.3 Public Data from Third Parties

When you request a verification, we fetch publicly available data about X accounts from twitterapi.io, a third-party data provider. This includes:

  • Account metadata (username, display name, profile picture, bio)
  • Account statistics (follower count, following count, tweet count)
  • Account status (verification status, account type, creation date)
  • Engagement metrics (likes, media posts, favorites)

This data is publicly available on X and is not considered personal information under privacy laws. However, we process it to generate trust reports, which are cached in our database for 24 hours to improve service performance.

2.4 Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service, including account management, credit tracking, and verification processing.
  • Legitimate Interests: Processing for security, fraud prevention, service improvement, and enforcing usage limits (free lookups).
  • Consent: Where you have provided explicit consent, such as for optional marketing communications (if applicable).
  • Legal Obligations: Processing required to comply with legal obligations, such as tax record keeping under German law.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Process verification requests, manage your account, track credits, and deliver trust reports.
  • Process Payments: Handle credit purchases through Stripe, verify transactions, and grant credits upon successful payment.
  • Enforce Usage Limits: Track free lookups by IP address to prevent abuse and ensure fair access to the Service.
  • Improve Service Quality: Analyze usage patterns, optimize caching strategies, and enhance the trust scoring algorithm.
  • Ensure Security: Detect and prevent fraud, unauthorized access, and other security threats.
  • Communicate with You: Send authentication emails, respond to support requests, and notify you of important service updates.
  • Comply with Legal Obligations: Maintain records as required by law, including tax records under German GoBD requirements.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Storage and Security

Your data is stored securely using Supabase, a cloud database platform. We implement appropriate technical and organizational measures to protect your personal information in accordance with GDPR Article 32 (Security of Processing), including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Row-Level Security (RLS) policies to restrict database access
  • Secure authentication using Supabase's built-in auth system
  • Regular security assessments and updates
  • Access controls limiting data access to authorized personnel only

Data Location: Data is stored within the European Economic Area (EEA) where possible. When data is processed outside the EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

5. Data Sharing and Third-Party Services

We share your information with the following third-party service providers:

5.1 Supabase

We use Supabase for authentication and database storage. Supabase processes your email address, user ID, and account data. Supabase's privacy policy: https://supabase.com/privacy

5.2 Stripe

We use Stripe for payment processing. Stripe receives payment card information and transaction details. We only receive confirmation of successful payments and metadata (user ID, credit amount). Stripe's privacy policy: https://stripe.com/privacy

5.3 twitterapi.io

We use twitterapi.io to fetch publicly available X account data. We send the username you request to verify; twitterapi.io returns account metadata. twitterapi.io's privacy policy: https://twitterapi.io/privacy

5.4 Other Disclosures

We may disclose your information in the following circumstances:

  • Legal Requirements: When required by law, court order, or government regulation
  • Protection of Rights: To protect our rights, property, or safety, or that of our users or others
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
  • With Your Consent: When you have provided explicit consent for specific disclosures

6. Your Privacy Rights

Under applicable data protection laws (GDPR, CCPA, and others), you have the following rights:

6.1 Right to Access (GDPR Article 15, CCPA)

You have the right to request a copy of your personal data that we hold. This includes information about what data we have, why we have it, and who we share it with.

6.2 Right to Rectification (GDPR Article 16)

You have the right to request correction of inaccurate or incomplete personal data. You can update your email address and account information through the Service interface or by contacting us.

6.3 Right to Erasure (GDPR Article 17, "Right to be Forgotten")

You have the right to request deletion of your personal data. We will delete your account and associated data within 30 days, subject to legal retention requirements (e.g., tax records must be retained for 10 years under German law).

6.4 Right to Restrict Processing (GDPR Article 18)

You have the right to request that we limit how we use your personal data in certain circumstances, such as when you contest the accuracy of the data.

6.5 Right to Data Portability (GDPR Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another service provider.

6.6 Right to Object (GDPR Article 21)

You have the right to object to processing of your personal data based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

6.7 Right to Withdraw Consent (GDPR Article 7)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.8 CCPA-Specific Rights (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

6.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@xtrustradar.com. We will respond to your request within 30 days (or as required by applicable law).

We may need to verify your identity before processing your request to protect your privacy and security.

7. Data Retention

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained while your account is active. Deleted within 30 days of account deletion request, subject to legal retention requirements.
  • Payment Records: Retained for 10 years as required by German tax law (GoBD - Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff). This includes transaction records, invoices, and payment metadata.
  • IP Addresses (Free Lookups): Stored in server memory only, cleared on server restart. Not persisted to database long-term. Used solely for enforcing usage limits.
  • Verification Results: Public verification data (X account metadata and trust reports) is cached in our database for 24 hours to improve service performance. This data is publicly accessible and not considered personal information.
  • Communication Records: Support emails and communications are retained for up to 3 years for customer service and legal purposes.

After the retention period expires, we will securely delete or anonymize your personal data, except where we are required to retain it for legal compliance.

8. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for authentication and session management. These cookies enable the Service to function and cannot be disabled.
  • Session Storage: Used to preserve search results and user preferences during your session. Cleared when you close your browser.
  • Local Storage: Used to store cookie consent preferences and free lookup counts (held only as a client-side cache; the server's count is authoritative).

We do not use tracking cookies, advertising cookies, or analytics cookies that track you across websites. For more details, see our Cookie Policy.

You can control cookies through your browser settings. However, disabling essential cookies may prevent the Service from functioning properly.

9. Children's Privacy

Our Service is not intended for children under the age of 16 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete that information.

10. Data Breaches

In the event of a data breach that may affect your personal information, we will:

  • Notify the relevant supervisory authority (in Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) within 72 hours as required by GDPR Article 33
  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document all breaches and our response measures
  • Take immediate steps to contain and remediate the breach

We maintain incident response procedures and regularly review our security measures to prevent breaches.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally recognized transfer mechanisms

Our service providers may process data in various locations:

  • Supabase: Data centers in the EEA and United States. See Supabase's data residency information for details.
  • Stripe: Processes payments globally. See Stripe's privacy policy for data location details.
  • twitterapi.io: May process data in various locations. See their privacy policy for details.

We ensure all transfers comply with GDPR and applicable German data protection laws. If you have questions about specific data transfers, please contact us.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Updating the "Last updated" date at the top of this page
  • Posting a notice on our Service
  • Sending an email notification (for significant changes)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and request deletion of your account.

13. Supervisory Authority

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. In Germany, this is:

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: www.bfdi.bund.de

If you are located in another EU member state, you may also lodge a complaint with your local data protection authority.

14. Contact Information

For questions about this Privacy Policy, to exercise your privacy rights, or to report a privacy concern, please contact us at:

Privacy Inquiries: privacy@xtrustradar.com

General Support: support@xtrustradar.com

(Note: Update these email addresses with your actual contact information before production deployment)