Privacy Policy

Last updated: January 2025

1. Introduction

ScaleTapp DOOEL ("we," "our," or "us") operates the xExo Chrome extension and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using xExo, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account through OAuth authentication, we collect:

  • Your Twitter/X username and profile information
  • Your Google account email address (if using Google OAuth)
  • Unique user identifier from the OAuth provider

2.2 Voice Profile Data

To personalize AI-generated content, we collect and store:

  • Energy level preferences (0-100 slider value)
  • Signature phrases (up to 5 user-defined phrases)
  • Vocabulary preferences: blacklisted words, writing influences, abbreviations, custom spellings
  • Communication archetype usage patterns
  • User feedback on generated content (explicit ratings and edit history)

2.3 Tweet Content Analysis

When you use the reply generation feature, we temporarily process:

  • The text of tweets you choose to reply to
  • Full conversation thread context for context-aware responses
  • Tweet author information
  • Your generated reply variations

Note: We do NOT store the original tweet content after generating your reply. Tweet data is only used transiently for AI generation.

2.4 Usage Data

We collect information about how you interact with the Service:

  • Number of replies generated per session
  • AI token usage for quota management
  • Subscription tier and payment status
  • Feature usage statistics (archetypes, personas, expression styles)
  • Error logs and performance metrics

2.5 Technical Data

We automatically collect the following when you use the extension:

  • Browser type and version
  • Extension version
  • API request timestamps
  • IP address (for authentication and fraud prevention)

3. How We Use Your Information

We use the collected information for the following purposes:

  • AI Content Generation: Voice profile and preferences power personalized reply generation
  • Service Improvement: Feedback and edit patterns refine AI output quality
  • Quota Management: Usage tracking enforces subscription limits (Starter: 100, Pro: 1000, Unlimited)
  • Billing: Payment processing through Lemon Squeezy
  • Authentication: JWT tokens secure API access
  • Support: Troubleshooting and responding to user inquiries
  • Legal Compliance: Preventing fraud, abuse, and ToS violations

4. Data Storage and Security

4.1 Storage Locations

  • Chrome Sync Storage: Authentication tokens (synced across your devices)
  • Chrome Local Storage: Voice profile data (device-specific for privacy)
  • Backend Database (PostgreSQL): Account data, subscription info, usage logs
  • Third-Party Services: OpenAI API (transient processing), Lemon Squeezy (payment data)

4.2 Security Measures

We implement industry-standard security practices:

  • HTTPS encryption for all data transmission
  • JWT token-based authentication with expiration
  • API keys stored securely on the backend (never exposed in the extension)
  • Database encryption at rest
  • Regular security audits and updates

Note: No security system is impenetrable. While we use reasonable measures to protect your data, we cannot guarantee absolute security.

5. Third-Party Services

xExo integrates with the following third-party services that may collect and process your data:

5.1 OpenAI API

We use OpenAI's API (GPT-3.5/4) to generate AI replies. Your voice profile and tweet context are sent to OpenAI for processing. OpenAI's data usage is governed by their Privacy Policy.

5.2 Lemon Squeezy

Payment processing and subscription management are handled by Lemon Squeezy. They collect payment information, billing address, and transaction history. Review their Privacy Policy.

5.3 OAuth Providers

Twitter/X and Google OAuth are used for authentication. We only receive the minimal information necessary (username, email, user ID) as permitted by your OAuth consent.

6. Data Retention and Deletion

6.1 Retention Period

We retain your data for as long as your account is active and for the following periods after account deletion:

  • Voice Profile Data: Deleted immediately upon account deletion request
  • Account Information: Deleted within 48 hours of account termination
  • Usage Logs: Deleted within 48 hours (except as required for legal/billing compliance)
  • Billing Records: Retained for 7 years as required by tax regulations

6.2 How to Delete Your Account

To request account deletion, email us at f.gajtanovski@gmail.com with the subject "Account Deletion Request".

We will confirm deletion within 48 hours and remove all personal data from our systems (except billing records).

7. Your Rights (GDPR & Data Protection)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Revoke consent for data processing at any time

To exercise any of these rights, contact us at f.gajtanovski@gmail.com. We will respond within 30 days.

8. Cookies and Tracking

xExo does NOT use cookies or third-party tracking scripts on the website. The Chrome extension uses local storage (Chrome Storage API) to store authentication tokens and voice profiles locally on your device.

Twitter/X may use cookies on their platform independently of xExo. We do not control Twitter's cookies.

9. Children's Privacy

xExo is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, contact us immediately at f.gajtanovski@gmail.com.

10. International Data Transfers

ScaleTapp DOOEL operates from Macedonia. Your data may be transferred to and processed in countries outside your jurisdiction, including the United States (where OpenAI servers are located).

We ensure appropriate safeguards are in place for international data transfers, including standard contractual clauses and compliance with GDPR requirements.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Updating the "Last updated" date at the top of this page
  • Posting a notice in the extension (for significant changes)
  • Sending an email notification (for material changes affecting your rights)

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

ScaleTapp DOOEL

Email: f.gajtanovski@gmail.com

Response Time: Within 48 hours

13. Data Controller

For the purposes of GDPR and other data protection laws, the data controller is:

ScaleTapp DOOEL

Registered in Macedonia

Contact: f.gajtanovski@gmail.com

This Privacy Policy is governed by the laws of Macedonia. Any disputes arising from this policy will be subject to the exclusive jurisdiction of Macedonian courts.