Privacy Policy

Last Updated: October 7, 2025

This Privacy Policy explains how Leibow Ventures UG (haftungsbeschränkt), Amsterdamer Str. 13, 13347 Berlin, Germany ("we," "our," "us") collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable European data protection laws.

1. Introduction and Scope

This Privacy Policy applies to all users of Xora ("Service", "Platform"), whether you access it through our website, mobile applications, or other interfaces. By using our Service, you consent to the data practices described in this policy.

We are committed to transparency and give you control over your personal data. You have the right to access, correct, delete, or export your data at any time.

2. Data We Collect

2.1 Information You Provide Directly

When you create an account or use our Service, we collect:

Account Information: Email address, password (hashed with bcrypt), username, display name
Profile Information: Profile image (from OAuth providers or auto-generated)
OAuth Data: When you sign in with Google or X, we receive your email, user ID, and profile information from those services
User-Generated Content: Topics you submit for AI generation, tweets you create or customize
Payment Information: Processed by Stripe (we do not store credit card details)
Communication Data: Messages sent to our support team

2.2 Information Collected Automatically

When you use Xora, we automatically collect:

Usage Data: Pages viewed, features used, time spent on platform, interactions with content
Technical Data: IP address, browser type, device information, operating system, referral source
Session Data: Login/logout times, authentication method, session duration
Credit Transactions: Purchase history, credit usage, transaction timestamps

2.3 Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyze platform usage. You can control cookie preferences through our cookie consent modal. We use:

Essential Cookies: Required for authentication, session management, and core functionality
Analytics Cookies: Google Analytics and Amplitude for understanding user behavior (only with consent)
Preference Cookies: Remember your settings and choices

We do not use cookies for advertising or targeted marketing.

3. How We Use Your Data

We process your personal data for the following purposes:

Purpose	Legal Basis (GDPR)
Provide and operate the Service	Contract performance (Art. 6(1)(b) GDPR)
Process payments and manage credits	Contract performance (Art. 6(1)(b) GDPR)
Send transactional emails (verification, password reset)	Contract performance (Art. 6(1)(b) GDPR)
Improve service quality and user experience	Legitimate interest (Art. 6(1)(f) GDPR)
Analytics and usage statistics	Consent (Art. 6(1)(a) GDPR)
Prevent fraud and ensure security	Legitimate interest (Art. 6(1)(f) GDPR)
Comply with legal obligations	Legal obligation (Art. 6(1)(c) GDPR)

4. Third-Party Services and Data Sharing

We integrate with trusted third-party services to provide our platform. These services process your data on our behalf and are bound by strict data protection agreements.

4.1 Authentication Providers

Google OAuth: Receives email, user ID, and profile information when you sign in with Google
X (Twitter) OAuth: Receives X user ID, username, handle, and profile image when you sign in with X

4.2 Payment Processing

Stripe: Processes all payment transactions. We do not store credit card information. View Stripe's Privacy Policy.

4.3 Email Services

Resend: Sends transactional emails (verification, password reset, welcome emails). View Resend's Privacy Policy.

4.4 AI Services

Groq: Processes AI generation requests. Your topics and contexts are sent to Groq's API for content generation. Groq does not store your personal data beyond processing requests.

4.5 Analytics Services (With Your Consent)

Google Analytics: Analyzes website traffic and user behavior. Data is anonymized where possible. View Google's Privacy Policy.
Amplitude: Tracks product usage and user journeys for service improvement. View Amplitude's Privacy Policy.

4.6 Data Hosting

Heroku (Salesforce): Hosts our application and database (PostgreSQL) in secure data centers.

4.7 No Data Selling

We do not sell, rent, or trade your personal data to third parties for marketing purposes. Ever.

5. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Active Accounts: Data retained while your account is active
Deleted Accounts: Personal data deleted within 30 days of account deletion (except as required by law)
Fraud Prevention: When you delete your account, we retain your OAuth provider ID (a random identifier from Google or X) to prevent abuse of free credit offers. This identifier cannot be used to identify you personally and is stored solely for fraud prevention purposes.
Anonymized Data: Generated tweets and credit transactions may be retained in anonymized form for analytics
Legal Retention: Financial records retained for 10 years per German tax law (§147 AO)
Backup Data: Deleted from backups within 90 days

6. Your Rights Under GDPR

As a user in the European Union, you have the following rights:

6.1 Right to Access (Art. 15 GDPR)

You can access all personal data we hold about you through the Settings → Export Data feature. You'll receive a complete JSON export including your profile, tweets, credit history, and account information.

6.2 Right to Rectification (Art. 16 GDPR)

You can update your personal information (email, username, display name, profile image) at any time through the Settings page.

6.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can delete your account and all personal data through Settings → Delete Account. This action is permanent and irreversible. All PII is immediately removed from our systems.

6.4 Right to Data Portability (Art. 20 GDPR)

Export your data in JSON format through Settings → Export Data. This includes all personal data in a structured, machine-readable format.

6.5 Right to Restrict Processing (Art. 18 GDPR)

6.6 Right to Object (Art. 21 GDPR)

You can object to data processing based on legitimate interest. Contact us to exercise this right.

6.7 Right to Withdraw Consent

You can withdraw cookie consent at any time through your browser settings or by clearing cookies. Email notification preferences can be updated in Settings → Notifications.

6.8 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you can lodge a complaint with your local supervisory authority:

Germany: Berlin Commissioner for Data Protection and Freedom of Information (www.datenschutz-berlin.de)
EU: Find your local authority at EDPB Member List

7. Data Security

We implement industry-standard security measures to protect your data:

Encryption: All data transmitted via HTTPS/TLS encryption
Password Security: Passwords hashed with bcrypt (12 rounds, industry standard)
Session Management: HTTP-only, secure cookies with CSRF protection
Access Control: Strict access controls and authentication requirements
Database Security: PostgreSQL with encrypted connections and backups
Rate Limiting: Protection against brute-force attacks and abuse
Regular Updates: Security patches applied promptly

However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States (where our cloud hosting and some third-party services are located).

We ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Third-party services certified under EU-US Data Privacy Framework (where applicable)
GDPR-compliant data processing agreements with all service providers

9. Children's Privacy

Xora is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@xora.wtf, and we will delete it.

10. Email Communications and Notifications

We send the following types of emails:

10.1 Transactional Emails (Cannot be Disabled)

Email Verification: Sent when you sign up with email/password
Password Reset: Sent when you request a password reset
Welcome Email: Sent to Google OAuth users upon first login
Security Alerts: Critical account security notifications

10.2 Optional Emails (Can be Disabled in Settings)

Low Credit Warnings: Notify when credits are running low
Weekly Summary: Weekly digest of your activity and new features
Product Updates: Important product announcements and updates

Manage your email preferences in Settings → Notifications.

11. Cookie Policy

We use cookies to provide essential functionality and improve your experience. Upon your first visit, a cookie consent modal will appear, allowing you to accept or decline non-essential cookies.

11.1 Cookie Categories

Strictly Necessary Cookies: Required for authentication and core functionality (cannot be disabled)
Analytics Cookies: Google Analytics, Amplitude (requires consent)
Preference Cookies: Remember your settings and choices

11.2 Cookie Management

You can change your cookie preferences at any time by:

Clearing your browser cookies and revisiting the site (consent modal will reappear)
Using browser settings to block or delete cookies
Using browser extensions for cookie management

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in:

Our data practices
Legal or regulatory requirements
New features or services
Third-party integrations

Important: When new technologies or tracking tools are introduced, this Privacy Policy will be updated accordingly. If the update materially affects how we process your data, we will notify you via email and/or a prominent notice on our platform.

The "Last Updated" date at the top of this page indicates the most recent revision. We encourage you to review this policy periodically.

13. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at privacy@xora.wtf or visit https://xora.wtf.

Data Protection Representative: Dmytro Boguslavskyy

By using Xora, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein.