Last updated March 2026
Privacy policy
I. General Information
ZeroID Labs Ltd. («we», «us») appreciate you visiting our website kash.bot and its subdomains, and your interest in our organization. Protecting your personal data is very important to us. In this Privacy Notice, we explain how we collect your personal data when you use our websites or any other websites, pages, features, or content we own or operate, obtain services from us, interact with us in relation with a contract, communicate with us, when you use any API that we developed or third-party applications relying on such an API, and related services or otherwise deal with us, what we do with your personal data, for what purposes and on what legal foundation we do so, and what rights you have on that basis. We use the word «data» here interchangeably with «personal data».
«Personal data» means any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; «sensitive personal data» is a subset of personal data and revealing e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a natural person's sex life or sexual orientation. «Processing» means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
If you provide information to us about any person other than yourself, you must ensure that the data is accurate and that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it in accordance with this Privacy Notice.
This Privacy Notice is aligned with the EU General Data Protection Regulation («GDPR»). However, the application of these laws may depend on each individual case.
II. Name and Address of the Responsible Person
Unless we tell you otherwise in an individual case, the responsible person for processing your data under this Privacy Notice («Controller») is:
ZeroID Labs Ltd.
Wareham Road, BH166FA
Poole, Dorset
United Kingdom
III. Categories of Data We Process
1. Overview
The processing of personal data is limited to data that is required to operate a functional website and for the provision of content and services. The processing of personal data of our users is based on the purposes agreed or on a legal basis and in accordance with the applicable terms in the Terms of Use. We only collect personal data that is necessary to implement and process our tasks and services or if you provide data voluntarily. Depending on the reason and purpose of the processing, we process different data about you.
2. Technical Data
When you use our websites, webpages, features, or content or other online offerings we own or operate, we collect the anonymized IP address of your terminal device and other technical data in order to ensure the functionality and security of these offerings. This data includes logs with records of the use of our systems which do not enable assignment to a specific user. We generally keep Technical Data until it is no longer necessary for the purpose for which it was collected.
In order to ensure the functionality of these offerings, we may also assign an individual code to you or your device. Technical data as such does not permit drawing conclusions about your identity. However, technical data may be linked with other categories of data (and potentially with your person) in relation with access controls or the performance of a contract.
Technical data includes
● Anonymized IP address
● Page view information and session information such as date of visit, length of visit, first visit, and user engagement
This may help us provide an appropriate layout of the website or, for example, to display a sub-page for your region. We know through which provider you access our offerings (and therefore also the region) because of the IP address, but usually this does not tell us who you are. However, this changes for example when you create a user account, because personal data can then be linked with technical data (for example, we can know the browser you use to access an account through our websites).
3. Communication Data
When you get in contact with us via a contact form, e-mail, telephone, chat, or by letter or other means of communication, such as answering a survey or applying for community initiatives via Google Forms, we collect the data exchanged between you and us, including your contact details and the metadata of the communication. If we have to confirm your identity, for example in relation to a request for information, a request for press access, etc., we collect data to identify you (for example a copy of an ID document). We generally keep Communication Data until it is no longer necessary for the purpose for which it was collected.
Communication data includes
● Correspondence, such as your queries, feedback, questionnaire and other survey responses, and information you provide to our support teams.
4. Master Data
Master data is the basic data that we need, in addition to contract data (see below), for the performance of our contractual and other business relationships or for marketing and promotional purposes, such as name and contact details, and information about, for example, your role and function, your bank details, your date of birth, user history, powers of attorney, signature authorizations and declarations of consent. We process your master data if you are a user or other business contact or work for one (for example as a contact person of the business partner), or because we wish to address you for our own purposes or for the purposes of a contractual partner (for example as part of marketing and advertising, for invitations to events, for vouchers, newsletters, etc.). We receive master data from you (for example when you buy something on our websites), from parties you work for, or from third parties such as contractual partners, associations, and address brokers, and from public sources such as public registers or the internet (websites, social media, etc.). We generally keep Master Data until it is no longer necessary for the purpose for which it was collected.
Master data is not comprehensively collected for all contacts. Rather, the collection of master data depends on the individual case and purpose of the processing. In general, it may include:
● your full name
● address
● anonymised IP address
● e-mail address
● telephone number and other contact details
● gender
● date of birth
● nationality
● data about related persons
● social media profiles
● photos and videos
● copies of ID cards
● details of your relationship with us (e.g., user, supplier, visitor, service provider or service recipient, etc.)
● details of your status, allocations, classifications, and mailing lists
● blockchain network addresses
● details of interactions with you and your blockchain network addresses
● official documents (e.g., excerpts from the commercial register, permits)
● payment information (e.g., bank details, account number and credit card data) ● declarations of consent and opt-out information.
With regard to users, suppliers and partners, master data also includes information about the role or function in the company, qualifications and information about superiors, co-workers, and information about interactions with these persons.
5. Behavioral and Preference Data
Depending on our relationship with you, we try to get to know you better and to tailor our products, services and offerings to you. For this purpose, we collect and process data about your behavior and preferences. We do so by evaluating information about your behavior and we may also supplement this information with third-party information, including from public sources. Based on this data, we can for example determine the likelihood that you will use certain services or behave in a certain way. The data processed for this purpose is already known to us (for example where and when you use our services), or we collect it by recording your behavior (for example how you navigate our websites). We anonymize or delete this data when it is no longer relevant for the purposes pursued. This period may be longer as for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. We describe how tracking works on our websites in Section XIII.
Behavioral data includes information-tracking technologies. We, and third parties we authorize, may collect information about the use of our services. We may share your information with service providers who help facilitate business and compliance operations such as marketing and technology services. Our contracts require these service providers to only use your information in connection with the services they perform for us and in compliance with applicable laws. This information may include anonymized IP addresses, the accessed websites, the date the websites were accessed, the sub-pages accessed from the accessed websites, the time spent on the websites, and the frequency with which the websites are accessed.
Preference data provides information on your needs, which products or services you might be interested in. We obtain this information by analyzing existing data, such as behavioral data, so that we get to know you better and can better tailor our products, services and offerings to you. Such data also contributes to a general improvement of our products, services and offerings. We combine this data with other data we obtain from third parties, such as address brokers, administrative offices and publicly available sources (e.g., the internet), such as information about your household size, income bracket and purchasing power, shopping behavior, contact data of relatives, and anonymous information from statistical offices.
Behavioral and preference data may be analyzed on a personally-identifiable basis (for example to show you personalized advertising), but also on a non-identifiable basis (for example for market research or product development). Behavioral and preference data may also be combined with other data (for example, motion data may be used for contact tracing as part of a health protection concept).
6. Other Data
We also collect data from you in other situations. For example, data that may relate to you (such as files, evidence, etc.) is processed in connection with administrative or judicial proceedings. We do not access the webcams or microphones of our visitors without explicit consent. However, if you visit us at our premises or participate in any of our events we may obtain or create photos, videos and sound recordings in which you may be identifiable. We may also collect data about who enters certain buildings, and when or who has access rights (including in relation with access controls, based on registration data or lists of visitors, etc.), who participates in events or campaigns (e.g., competitions), and who uses our infrastructure and systems and when. We generally keep such data until it is no longer necessary for the purpose for which it was collected.
Much of the data set out in this Section is provided to us by you, e.g., through forms, in relation with communication with us, in relation with contracts, when you use the website, etc. You are not obliged or required to disclose data to us except in individual cases, for example within the framework of binding health protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our websites, the processing of technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data. However, in the case of behavioral and preference data, you have the option of objecting or not giving consent.
We provide certain services to you only if you provide us with registration data, because we or our contractual partners wish to know who uses our services or has accepted an invitation to an event, because it is a technical requirement or because we wish to communicate with you. If you or the person you represent (for example your employer) wishes to enter into or perform a contract with us, we must collect master data, contract data and communication data from you, and we process technical data if you wish to use our websites or other electronic offerings for this purpose. If you do not provide us with the data necessary for the conclusion and performance of the contract, you should expect that we may refuse to conclude the contract, that you may commit a breach of contract or that we will not perform the contract. Similarly, we can only submit a response to a request from you if we process communication data and – if you communicate with us online – possibly also technical data. Also, the use of our websites is not possible without us receiving technical data.
7. Data From External Sources
We may get information about you from other sources, including public databases, as required or permitted by applicable law. We may combine the information collected from these sources with the
information we get from you and/or from third parties to comply with our legal obligations and limit the use of the Services in connection with fraudulent or other illicit activities.
The categories of personal data that we receive about you from third parties include, in particular, information from public registers, information that we receive in relation with administrative and legal proceedings, information in relation with your professional functions and activities (so that we can, for example, conclude and process transactions with your employer with your assistance), information about you in correspondence and meetings with third parties, credit information (where we conduct business with you in a personal capacity), information about you that persons related to you (family, advisors, legal representatives, etc.) share with us so that we can conclude or perform contracts with you or involving you (for example references, your delivery address, powers of attorney, information about compliance with legal requirements such as those relating to fraud prevention and the combating of money laundering and terrorist financing, export restrictions, information from banks, insurance companies, sales and other contractual partners of us about your use or provision of services (for example payments, purchases, etc.), information from the media and the internet about the use or provision of services by you (for example payments made, purchases made, etc.), information from the media and the internet about you (where appropriate in a specific case, e.g. in the context of an application, marketing/sales, press review, etc.), your address and potentially interests and other socio-demographic data (especially for marketing and research purposes) and data in relation with the use of third-party websites and online offerings where such use can be linked to you).
IV. Purposes of the Processing
We process your data for the purposes explained below. Further information is set out in Sections XIII et seq. for online services. These purposes and their objectives represent interests of us and potentially of third parties. You can find further information on the legal basis of our processing in Section V.
Communication
We process your data for communication purposes, in order to communicate with you, in particular, when you contact us, in order to respond to your queries or when you exercise your rights. For this purpose, we use in particular communication data, master data and registration data to enable us to communicate with you and provide our services or respond to requests. We keep this data to document our communication with you, for training purposes and quality assurance.
Performance of a Contract
We process your data for entering into a contract with you, perform and administer it. In particular, we process communication data, master data, and contract data about you. This might include data about third parties, e.g., if you use our services for the benefit of a third party. This also includes data about potential users, that we receive from communication with you, on a trade fair, conference or any other business event. Regarding the conclusion of a contract, we use this data to assess your creditworthiness and to open up a business relationship with you. Administering and performing the contract with you
might involve third parties, such as logistic companies, advertising service providers, banks, insurance companies or credit information providers in order to provide our services to you.
Safety or Security Reasons
We process your data to protect our IT and other infrastructure (e.g., employees, buildings). For example, we process data for monitoring, analysis and testing of our networks and IT infrastructures, including access controls.
Compliance with Law
We process your data to comply with legal requirements, e.g., health security concepts, money laundering and terrorist financing, tax obligations etc., and we might have to request further information from you to comply with such requirements or as otherwise required by law and legal authorities from time to time.
Risk Management, Corporate Governance and Business Development
We process your data as part of our risk management and corporate governance in order to protect us from criminal or abusive activity. As part of our business development, we might sell businesses, parts of businesses or companies to others or acquire them from others or enter into partnerships or other arrangements and this might result in the exchange and processing of data, if necessary.
V. Legal Basis for Processing your Data
Where we ask for your consent, we process your data based on such consent. You may withdraw your consent at any time with effect for the future by providing us written notice (e-mail sufficient); see our contact details in Section II. If you would like to withdraw your consent for online tracking, please see Section XI. Withdrawal of your consent does not affect the lawfulness of the processing that we have carried out prior to such withdrawal, nor does it affect the processing of your data based on other processing grounds. Where we do not ask for your consent, we process your data on other legal grounds, such as:
● a contractual obligation;
● a legal or regulatory obligation;
● a vital interest of the data subject or of another natural person;
● to perform a public task; and/or
● a legitimate interest, which includes compliance with applicable laws and regulations and the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including its operations, safely and efficiently.
VI. Disclosure of Data to Third Parties and Social Plug-ins
In order to perform our contracts, fulfill our legal, regulatory and contractual obligations, protect our legitimate interests and the other purposes and legal grounds set out above, we may disclose your data to third parties, in particular to the following categories of recipients:
Service Providers
We may share your information with service providers and business partners around the world with whom we collaborate to fulfill the above purposes (e.g. IT providers, shipping companies, advertising service providers, security companies, banks, insurance companies, telecommunication companies, credit information agencies, address verification providers, legal advisers) or who we engage to process personal data for any of the purposes listed above on our behalf and in accordance with our instructions.
Contractual Partners Including Customers
In case required under the respective contract we share your data with other contractual partners. If we sell or buy any business or assets, we may disclose your data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.
Legal Authorities
If legally obliged or entitled to make disclosures or if it appears necessary to protect our interests, we may disclose your data to courts, law enforcement authorities, regulators, government officials or other legal authorities, locally or abroad, including in criminal investigations and legal proceedings (including alternative dispute resolution mechanisms).
Social Plug-ins
Our websites use social plug-ins to social media sites such as Twitter and Discord and integrate them as follows.
When you visit our websites, the social plugins are deactivated, i.e., no data is transmitted to the operators of these networks. If you want to use one of the networks, click on the respective social plug-in to establish a direct connection to the server of the respective network. If you have a user account on the network and are logged in when you activate the social plug-in, the network can associate your visit to our websites with your user account. If you want to avoid this, please log out of the network before activating the social plug-in. A social network cannot associate a visit to our websites until you have activated an existing social plug-in.
When you activate a social plug-in, the network transfers the content that becomes available directly to your browser, which integrates it into our websites. In this situation, data transmissions can also take place that are initiated and controlled by the respective social network. Your connection to a social network, the data transfers taking place between the network and your system, and your interactions on that platform are governed solely by the privacy policies of that network. The social plug-in remains active until you deactivate it.
If you click on the link to or activate a social plug-in, personal data may reach providers in countries outside the European Economic Area that, from the point of view of the European Economic Area (EEA), may not guarantee an adequate level of protection for the processing of personal data in accordance with EU standards. Please remember this fact before clicking on a link or activating a social plug-in and thereby triggering a transfer of your data.
VII. Transfer of Data Abroad
As we have explained in Section VI, we disclose data to other parties, not all of them located in our jurisdiction of incorporation or in the European Economic Area. Your data may be processed in our jurisdiction of incorporation, in the European Economic Area (EEA) and in exceptional circumstances also in countries outside the EEA and around the world, which includes countries that do not provide the same level of data protection as our jurisdiction of incorporation and/or the EEA and are not recognized as providing an adequate level of data protection. We only transfer data to these countries when it is necessary for the performance of a contract or for the exercise or defense of legal claims, or if such transfer is based on your explicit consent or subject to safeguards that assure the protection of your data, such as the European Commission approved standard contractual clauses.
VIII. How Long We Keep your Data
We only process your data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of complying with legal retention requirements and where required to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. Upon expiry of the applicable retention period, we will destroy your data in accordance with applicable laws and regulations.
IX. Security of your Data
We take appropriate organizational and technical security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. However, we and your personal data can still become victims of cyber-attacks, cybercrime, brute force, hacker attacks and further fraudulent and malicious activity of third parties, including but not limited to viruses, forgeries, malfunctions and interruptions, which are out of our control and responsibility.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and/or any applicable regulator of a breach where we are legally required to do so. We further maintain safeguards designed to protect the personal information we maintain against unauthorized access or disclosure. No system can be completely secure. Therefore, although we take steps to secure your information, we cannot guarantee that your information, searches, or other communication will always remain secure.
X. Use of Wallets and Tokens
Users can link their wallets to our websites in order to view on-chain transactions, but there is no registration process. We do not provide custody services for users in regards to $KASH tokens or other blockchain-based tokens (e.g. Stablecoins) and have no access to wallets that you operate with or link to our websites. You are solely responsible for all activity relating to any of your blockchain wallets and network addresses.
XI. Your Rights
You have various rights in relation with our processing of your personal data, depending on the applicable data protection law:
Right of Access
You have the right to request a copy of the personal data that we hold about you. There are exceptions to this right, so that access may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information.
Right to Rectification
We aim to keep your personal data accurate, current, and complete. We encourage you to contact us to let us know if any of your personal data is not accurate or changes, so that we can keep your personal data up to date.
Right to Erasure
You have the right to require us to erase your personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data has been unlawfully processed.
Right to Restriction
You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Right to Data Portability
You have the right to ask that we transfer the personal information you gave us to another controller or to you, in certain circumstances.
Right to Withdraw Consent
Where we process data based on your consent, you have the right to withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your
information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.
Complaints
If you believe that your data protection rights might have been breached, please let us know or contact the applicable supervisory authority.
XII. Right to Object
Under applicable data protection law, you have the right to object at any time to the processing of personal data pertaining to you under certain circumstances, in particular where your data is processed in the public interest, on the basis of a balance of interests or for direct marketing purposes.
If you would like to exercise the above mentioned rights, please contact us at [email protected] or using the contact details provided under Section II, unless otherwise specified or agreed. Please note that we need to identify you to prevent misuse, e.g., by means of a copy of your ID card or passport, unless identification is possible otherwise.
XIII. Tracking Tools
We use tracking tools to ensure a tailored design and the continuous optimization of our websites. We also use the tracking tools to statistically record the use of our websites and evaluate it for the purpose of optimizing the content we show you.
Like many companies online, we use services provided by Google and other companies that use tracking technology. These services rely on tracking technologies and web beacons to collect directly from your device information about your browsing activities, your interactions with websites, and the device you are using to connect to the Internet. There are a number of ways to opt-out of having your online activity and device data collected through these services, which we have summarized below:
● Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
● Using privacy plug-ins or browsers.
XIV. X (Twitter) Platform Data — Collection, Use, and Sharing
1. OVERVIEW AND SCOPE
We integrate with the X platform (formerly known as Twitter, operated by X Corp.) via the X Application Programming Interface (the "X API"). This Section governs how we collect, access, process, store, use, share, and delete data obtained through the X API, including data relating to X users and third-party content available on the X platform ("X Data" or "X Content").
This Section applies to:
Users of our products and services who connect their X accounts to our platform ("Connected Users");
X users whose publicly available content or profile data is accessed through the X API in the course of using our products or services; and
Any other individuals whose personal data we may process in connection with our X API integration.
This Section supplements and forms part of our general Privacy Policy. In the event of any conflict between this Section and our general Privacy Policy with respect to X Data, this Section shall control. Our privacy practices relating to X Data are designed to be, at minimum, as protective as those set forth in X's Privacy Policy, as required by the X Developer Agreement.
2. LEGAL BASIS AND REGULATORY FRAMEWORK
Our collection and processing of X Data is undertaken in compliance with all applicable data protection and privacy laws, including without limitation:
The EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR");
The UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR");
The California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.) ("CCPA/CPRA"); and
The X Developer Agreement and Policy, the X Developer Policy, the X Privacy Policy, the X Terms of Service, and all related X platform guidelines, rules, and display requirements (collectively, the "X Policies"), as each may be amended from time to time.
Where we act as a data controller (or equivalent) with respect to X Data, we process such data on one or more of the following lawful bases (as applicable under the relevant legal framework):
Processing Activity
Lawful Basis
Connecting and authenticating a user's X account
Consent (Art. 6(1)(a) GDPR / equivalent)
Delivering core service features enabled by X integration
Contract performance (Art. 6(1)(b) GDPR / equivalent)
Monitoring and enforcing compliance with platform rules
Legitimate interests (Art. 6(1)(f) GDPR / equivalent)
Analytics and service improvement
Legitimate interests (Art. 6(1)(f) GDPR / equivalent), subject to a balancing test
Compliance with legal obligations
Legal obligation (Art. 6(1)(c) GDPR / equivalent)
Where we process special categories of personal data (as defined under the GDPR or equivalent) derived or obtained from X Data, we shall rely on explicit consent or another applicable derogation under Article 9 GDPR (or its national law equivalent), and such processing shall be strictly limited to the circumstances described in Section 6 below.
3. DATA WE COLLECT VIA THE X API
Depending on the features you use and the permissions you grant, we may collect the following categories of X Data through the X API:
3.1 Account and Profile Data
When you connect your X account to our products or platforms, we may collect:
X user ID and username (handle);
Display name and profile biography;
Profile image URL;
Account verification status;
Account creation date;
Follower and following counts;
X Premium or subscription status (where available via the API);
Linked website URL; and
Language preferences.
3.2 Content Data
Subject to the permissions granted by you and applicable X API access tiers, we may collect:
Posts ("tweets") published by you, including text, media attachments, and associated metadata;
Reposts, quote posts, replies, and likes attributable to your account;
List memberships and direct message metadata (subject to explicit consent and applicable API permissions);
Bookmarks and other engagement data; and
Publicly available content from other X users where relevant to the services we provide to you.
3.3 Interaction and Engagement Data
Impressions, engagement metrics, and reach statistics associated with your posts;
Audience demographic data (where made available through the API on an aggregated, non-identifiable basis); and
Mention and tagging data.
3.4 Location Data
We do not independently collect or store standalone geographic or location data from X Content except as an inseparable component of a post where location was voluntarily and expressly shared by the user at the time of posting, and only to the extent necessary for the delivery of the applicable service feature. We do not aggregate, cache, or otherwise store location data derived from X Content on a standalone basis. Any use of location data in our services complies fully with X's geo guidelines.
3.5 Technical and Authentication Data
OAuth tokens and access credentials used to authenticate API calls (stored in encrypted form);
API request and response logs (retained for a limited period for security and debugging purposes); and
Rate limit and usage metadata.
3.6 Data We Do Not Collect
We do not collect, and our products and services are not designed to access:
X Direct Message content (unless you have explicitly authorized such access and applicable API permissions permit it);
Any data from protected/private X accounts, except where the account holder has expressly authorized our application;
Biometric data via X; or
Non-public personal data from X beyond what you have expressly authorized.
4. HOW WE USE X DATA
We use X Data solely for the following purposes, consistent with the X Policies and applicable law:
4.1 Service Delivery
To provide, operate, and maintain the features and functionality of our services that depend on X integration, including the kash.bot website.
4.2 Authentication
To verify your identity and securely link your X account to our platform using OAuth 2.0 (or OAuth 1.0a where applicable) in accordance with X's authentication guidelines.
4.3 Analytics and Reporting
To generate analytics, performance reports, and insights based on your X account activity for your use within our platform. Where such analytics involve data from other X users, we process only aggregate and de-identified information and do not store individual user identifiers beyond what is technically necessary.
4.4 Product Improvement
To improve our products and services, diagnose technical issues, and develop new features, on the basis of our legitimate interests and, where required, with your consent. We do not use X Data to build or improve any AI or machine learning foundation model or frontier model, in accordance with the X Developer Agreement.
4.5 Legal and Compliance Purposes
To comply with our legal obligations, enforce our Terms of Use, respond to lawful requests from public authorities, and protect the rights, property, or safety of our users, our company, or others.
4.6 Prohibited Uses
We explicitly do not use X Data for any of the following purposes:
Surveillance or intelligence gathering: We do not use X Data to investigate, track, or monitor X users or their content, or to engage in any form of surveillance, including monitoring protests, rallies, community organizing meetings, or other sensitive events;
Sensitive inference: We do not derive, infer, or store inferred information about any individual's health or medical conditions; negative financial status; political affiliation or beliefs; racial or ethnic origin; religious or philosophical beliefs; sex life or sexual orientation; trade union membership; or immigration status, from X Content;
Off-X matching or profiling: We do not associate X usernames, user IDs, or other X identifiers with records held in external databases, customer records, device identifiers, or other off-platform identifiers, except with express user consent for a specific disclosed purpose (such as linking a user's X account to their account on our platform solely for the purpose of service authentication and delivery);
Discriminatory profiling: We do not use X Data for any unlawful or discriminatory purpose or in any manner inconsistent with users' reasonable expectations of privacy;
Benchmarking X: We do not use the X API to measure or analyze the performance, availability, functionality, or usage of X for benchmarking or competitive purposes;
Spam or platform manipulation: We do not use the X API to create spam, engage in automated manipulation, send unsolicited messages, perform bulk follows, or otherwise violate X's Platform Manipulation and Spam Policy or Automation Rules; and
AI training: We do not use X Content to fine-tune, train, or otherwise develop foundation models, frontier AI models, or any other machine learning model for commercial or non-commercial use, consistent with the X Developer Agreement.
5. AUTOMATED DECISION-MAKING AND CONTENT DISPLAY
5.1 Display Requirements
Where we display X Content within our platform, we do so in compliance with X's Display Requirements, which include, among other things:
Displaying the X username, profile picture, and timestamp associated with a post;
Including post engagement metrics (where displayed);
Maintaining the integrity of the content and not misrepresenting its source or context; and
Linking back to the original post on X.
5.2 Automated Actions
If our products or services perform automated actions on X on your behalf (such as scheduled posting, automated replies, or direct messaging), we do so only:
With your prior explicit consent for each category of action;
In compliance with X's Automation Rules; and
In a manner that allows you to revoke such permissions at any time.
We always respect an X user's request to opt out of being contacted by our automated systems and will cease any automated contact upon such request.
5.3 Rights Regarding Automated Processing
Where we engage in automated processing of X Data that produces decisions with significant effects on you, you have the right to: (i) obtain human review of the relevant decision; (ii) express your point of view; and (iii) contest the decision, in each case to the extent required by applicable law.
6. SENSITIVE DATA
We treat the following categories of X Data as sensitive personal data and apply heightened protection standards accordingly:
Any data from which political opinions, religious beliefs, health information, sexual orientation, racial or ethnic origin, or trade union membership may be derived or inferred;
Location data capable of identifying a specific individual's precise or habitual location; and
Data relating to minors.
We do not intentionally collect or process such data via the X API. If we inadvertently receive such data, we will delete it promptly and will not use it for any purpose. We do not and will not derive, infer, or store inferences about sensitive personal data from X Content, regardless of whether such inferences are expressly stated or merely implied by a user's posts or interactions.
7. DATA SHARING
7.1 General Principle
We do not sell, rent, or trade X Data. We share X Data only in the limited circumstances described in this Section.
7.2 Service Providers and Sub-processors
We may share X Data with trusted third-party service providers who process data on our behalf under binding data processing agreements that (i) restrict use to the purposes for which data is shared, (ii) require appropriate technical and organizational security measures, and (iii) prohibit further disclosure without our authorization.
7.3 X's Requirements on Third-Party Sharing
To the extent we share X Content with any third party, such sharing is subject to the following conditions, consistent with the X Developer Policy:
The third party must have agreed to X's Terms of Service, Privacy Policy, Developer Agreement, and Developer Policy before receiving X Content;
X Content shared with third parties remains subject to all applicable X Policies; and
We do not share X Content with any third party for surveillance, sensitive profiling, or AI training purposes.
7.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, X Data may be transferred as part of that transaction. We will provide notice of any such transfer through our website or by direct communication, and the acquiring entity will be required to comply with this Privacy Policy or obtain fresh consent from affected individuals.
7.5 Legal Disclosures
We may disclose X Data to competent public authorities, law enforcement agencies, or courts when required to do so by applicable law, regulation, or valid legal process, or where we reasonably believe such disclosure is necessary to protect the rights or safety of our company, our users, or others.
7.6 Aggregate and De-identified Data
We may share aggregated or de-identified data derived from X Data that does not identify any individual and cannot reasonably be used to re-identify any individual. Any such data does not include personal identifiers such as user IDs, usernames, or other X identifiers, consistent with the X Developer Policy.
8. DATA RETENTION
We retain X Data only for as long as necessary to fulfil the purposes set out in this Section, subject to any longer retention period required by applicable law.
Data Category
Retention Period
OAuth tokens and API credentials
Duration of the user's connected account, plus 90 days following disconnection for de-authorization processing
Post and content data
Until the user disconnects their X account and requests deletion
Analytics and engagement data
5 years in aggregate form; underlying personal data deleted after 1 year
API access logs
90 days for security and debugging purposes
Data held for legal compliance
Duration of the applicable statutory or regulatory obligation
We honor X's deletion and de-authorization signals. When an X user deletes a post or revokes a developer's access, we will delete the corresponding data from our active systems within 30 days and from our backup systems within a reasonable additional period thereafter. We do not store deleted X content.
9. SECURITY
We implement appropriate technical and organizational measures to protect X Data against unauthorized access, disclosure, alteration, or destruction. These measures include, without limitation:
Encryption of OAuth tokens and API credentials at rest and in transit (using TLS 1.2 or higher);
Access controls limiting X Data access to authorized personnel on a need-to-know basis;
Regular security assessments, penetration testing, and vulnerability management;
Incident response procedures consistent with applicable breach notification requirements; and
Vendor security assessments for all sub-processors handling X Data.
In the event of a personal data breach involving X Data, we will notify affected individuals and/or supervisory authorities as required by applicable law (e.g., within 72 hours under the GDPR) and will cooperate with X as required.
10. INTERNATIONAL DATA TRANSFERS
X Data may be transferred to and processed in countries other than your country of residence. Where we transfer personal data internationally, we do so on the basis of:
Adequacy decisions by the European Commission or relevant supervisory authority;
Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by appropriate transfer impact assessments;
Binding Corporate Rules (where applicable);
The UK International Data Transfer Agreement (IDTA) or addendum to SCCs (for UK data transfers); or
Other approved transfer mechanisms under applicable law.
11. YOUR RIGHTS
Subject to applicable law, individuals whose personal data we process as X Data may exercise the following rights by contacting us at [email protected]:
Right
Description
Access
Request a copy of the X Data we hold about you
Rectification
Request correction of inaccurate X Data
Erasure / Deletion
Request deletion of your X Data (subject to legal retention obligations)
Restriction
Request that we restrict processing of your X Data pending resolution of a complaint or accuracy dispute
Portability
Receive X Data you have provided to us in a structured, machine-readable format
Objection
Object to processing based on legitimate interests or for direct marketing purposes
Withdraw Consent
Where processing is based on consent, withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal)
Disconnect X Account
Revoke our API access to your X account at any time via X's application permission settings at [x.com/settings/connected_apps], or directly through our platform settings
Lodge a Complaint
File a complaint with your local data protection authority
Please note that disconnecting your X account through X's native settings will immediately revoke our API access. We also recommend revoking access through our own platform settings to ensure full de-authorization. We will respond to all verified rights requests within the timeframe required by applicable law.
California Residents: In addition to the rights above, California residents have the right to know the categories of personal information sold or disclosed for a business purpose, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising privacy rights. We do not sell X Data as defined under the CCPA/CPRA.
12. RELATIONSHIP WITH X
12.1 Independent Controllers
We are an independent data controller with respect to X Data we process. We are not an agent, employee, or joint venture partner of X Corp. X Corp. is a separate and independent data controller with respect to data on its own platform. This Privacy Policy does not govern X's privacy practices, and we encourage you to review X's Privacy Policy to understand how X processes your data.
12.2 Our Developer Obligations
As a developer authorized to access the X API, we are bound by the X Developer Agreement and Policy. Our privacy practices relating to X Data are designed to be no less protective of individuals than X's own Privacy Policy, as required by the X Developer Agreement.
12.3 Compliance with X Policies
We review the X Policies on a regular basis and will update our practices and this Section promptly in the event of any material change to the X Developer Agreement, Developer Policy, or related guidelines. If we are at any time unable to comply with the X Policies, we will immediately cease access to the X API and the use of all X Content.
13. COOKIES AND TRACKING IN CONNECTION WITH X
If we use X's embedded widgets, social plugins, or tracking pixels on our website or application, these technologies may allow X to collect data about your activity on our platform, subject to X's own Privacy Policy. We do not use X's embedded features on our platform.
14. CHANGES TO THIS SECTION
We may update this Section from time to time to reflect changes in our practices, applicable law, or the X Policies. Your continued use of our services after the effective date of any update constitutes your acknowledgment of the revised Section. Where changes require fresh consent under applicable law, we will seek such consent before processing your data under the updated terms.
15. CONTACT AND DATA PROTECTION OFFICER
For questions, complaints, or requests relating to X Data, please contact [email protected].
XV. Age Limitations
To the extent prohibited by applicable law, we do not allow use of the Services and Sites by anyone younger than 18 years old. If you learn that anyone younger than 18 has unlawfully provided us with personal data, please contact us at [email protected] and we will take steps to delete such information, close any such accounts, and, to the extent possible, prevent the user from continuing to use the Services.
XVI. Updating and changing this Privacy Notice
Due to continuous development of our websites and the content available thereon, changes in law or regulatory requirements, we might need to change this Privacy Notice from time to time. Our current privacy notice can be found at our website and can be saved and printed out by you.