Xenopic

Privacy Policy

Last updated: February 10, 2026

1. Introduction

Xenopic ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data when you use our dynamic X (Twitter) banner service.

2. Information We Collect

2.1 Information from X (Twitter) OAuth

When you sign in with your X account, we receive and store:

  • Your X user ID (numeric identifier)
  • Username and display name
  • Email address (if provided by X)
  • Profile image URL
  • OAuth access tokens (stored encrypted)

2.2 Profile Backups

When you create a profile backup, we store a snapshot of your X profile including your name, bio, location, website URL, profile image URL, banner image URL, and follower/following counts. This data is stored until you delete the backup or your account.

2.3 Third-Party Integration Data

When you connect third-party services, we collect data necessary for widget display:

  • GitHub: Public repository activity, contribution data, and OAuth tokens (stored encrypted)
  • Stripe: MRR metrics and API keys (stored encrypted). We do not access your customers' payment information.
  • VeloSano: Fundraising page data and progress

2.4 Usage Data

We collect information about how you use the Service, including widget configurations, banner settings, cron update frequency, and coin transactions. This data is used solely to provide and improve the Service.

3. How We Use Your Information

We use your information for the following purposes:

  • To authenticate you and maintain your session
  • To generate and update your X profile banner
  • To display widget data (follower counts, GitHub activity, Stripe metrics, etc.)
  • To process profile backup and restore operations
  • To manage your subscription and coin balance
  • To process referral bonuses
  • To communicate service updates or issues

4. Data Storage & Security

4.1 Encryption

All OAuth credentials (X, GitHub, Stripe) are encrypted at rest using industry-standard encryption before being stored in our database. Credentials are only decrypted when making authorized API calls on your behalf.

4.2 Session Management

We use JWT (JSON Web Tokens) for authentication. Access tokens are short-lived, and refresh tokens are stored as hashed values. Session cookies are set as httpOnly so that client-side scripts cannot read them.

4.3 Database

Your data is stored in a MongoDB database. We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, or destruction.

5. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • X (Twitter) API: We send banner images and profile updates to X on your behalf using your authorized credentials
  • Stripe: Payment processing for subscriptions is handled by Stripe. We do not store your payment card details.
  • SocialData API: We use SocialData to fetch your public X profile information for backup and comparison features
  • Legal requirements: We may disclose information if required by law or to protect our rights

6. Cookies & Local Storage

We use the following cookies and browser storage:

  • Authentication cookies: httpOnly cookies containing JWT access and refresh tokens for session management
  • Theme preference: Local storage to remember your light/dark mode choice

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

7. Your Rights

You have the following rights regarding your data:

  • Access: View your stored data through the Settings page
  • Correction: Your profile data is updated automatically from X on each login
  • Deletion: Delete your account and all associated data from the Settings page
  • Revocation: Disconnect third-party integrations at any time, or revoke Xenopic's access from your X account settings
  • Export: Your profile backup contains a copy of your X profile data

8. Account Deletion & Data Retention

When you delete your account:

  • Your personal information (name, email, profile image) is immediately anonymized
  • Your OAuth credentials are revoked and deleted
  • Your widgets, banner settings, and external data are cleared
  • Your profile backup is deleted
  • An anonymized account record is retained to prevent referral system abuse
  • Banner updates cease immediately

9. Children's Privacy

The Service is not intended for users under the age of 13 (or the minimum age required by X's Terms of Service in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact

If you have questions or concerns about this Privacy Policy or your data, please reach out through our support channels or contact us on X.