Privacy Policy

Last updated: May 29, 2026

This policy explains what Rotating Posts ("Rotating Posts", "we", "us") collects when you use our website and service, why we collect it, who we share it with, and the choices and rights you have. For a plain-language walkthrough of how we handle your X account specifically, see our Security page.

1. Information we collect

We collect only what the service needs to function:

  • Account details — the email address and password you sign up with. Passwords are stored only as a salted hash (bcrypt); we never store them in plaintext.
  • X (Twitter) connection — when you connect your X account via OAuth 2.0, we store your X username/handle, your numeric account ID, and the access/refresh tokens X issues. Tokens are encrypted at rest. We never receive your X password.
  • Your content — the posts, threads, and images you add to your rotation library, tweets you import from your own history, and any captions or edits you make.
  • Usage & activity — posting logs (what was sent and when), rotation settings, and basic diagnostic events.
  • Payment information — handled by Stripe. We store your subscription tier and status and a Stripe customer reference; we do not store your full card number — Stripe does.
  • Support & affiliate data — messages you send us, bug reports, and, if you join the affiliate program, payout-related details you provide.

2. How we use your information

  • To operate the service — rotating and posting your content to X on the schedule you set.
  • To process payments and manage your subscription (via Stripe).
  • To send transactional email — verification, password reset, receipts, and important service notices.
  • To generate or translate content only when you use an AI feature (see "Service providers").
  • To provide support, investigate abuse, and keep the service secure and reliable.
  • To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not use it for third-party advertising.

3. Service providers we share data with

We share data with the following processors strictly to run the service. Each receives only what it needs:

  • X / Twitter — to publish your posts and read your public tweet history via the official X API.
  • Stripe — payment processing and subscription billing.
  • Cloudflare R2 — storage of images you upload for your posts.
  • xAI (Grok) and our AI content provider — when you use AI generation or translation features, the relevant content you submit is sent to these providers to produce the result. AI features are optional.
  • Email delivery provider — to send the transactional emails described above.
  • MongoDB Atlas — our database host.
  • Railway — application hosting.
  • Sentry — error monitoring and diagnostics.

We may also disclose information if required by law, to protect our rights or users' safety, or as part of a merger or acquisition (with notice where required).

4. Cookies and sessions

We use a first-party session cookie to keep you logged in. We do not use third-party advertising or cross-site tracking cookies.

5. Data retention and deletion

We keep your data for as long as your account is active. When you delete your account, we remove your stored posts, settings, and X access tokens from our database, and revoke our access to your X account. Some records (e.g. payment/tax records held by Stripe, or backups) may persist for a limited period as required by law or our providers' retention schedules. You can disconnect your X account at any time from Settings, or from X's own Connected Apps screen.

6. Your rights

Depending on where you live (e.g. under GDPR, UK GDPR, CCPA/CPRA, or PIPEDA), you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise any of these, contact us at privacy@rotatingposts.online. We will respond within the timeframe required by applicable law.

7. Security

We protect your data with industry-standard measures: OAuth 2.0 with PKCE for X authentication, encryption of access tokens at rest, hashed passwords, and access controls on our systems. No system is perfectly secure, but we work to keep your data safe and to limit what we collect in the first place.

8. International data transfers

Our providers may process and store data in countries other than yours, including the United States. Where required, we rely on appropriate safeguards for such transfers.

9. Children

Rotating Posts is not directed to children and is intended only for users who meet X's minimum age requirement. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be reflected by an updated "Last updated" date and, where appropriate, a notice in the app or by email.

11. Contact us

Questions about privacy or this policy? Email privacy@rotatingposts.online.

See also our Terms of Service and Security page.