- We don't sell your data. We don't have tracking, ads, or analytics.
- Your X.com login lives in your own Chrome; we never see it.
- Your API key stays in chrome.storage.local on your machine.
- Our server stores public tweets we crawled and the replies we generated for you.
- You can request data export or full deletion any time via Telegram.
1. Who this covers
This Privacy Policy applies to the X Engage Chrome Extension
(Chrome Web Store ID: published version) and the backend service it talks to
at api.xengage.io.vn. The "Service" means both together.
The Service is operated by an independent developer (currently: @ducnv_be) and is not affiliated with, sponsored by, or endorsed by X Corp. or any of its subsidiaries.
2. What the extension stores
The X Engage extension stores the following in chrome.storage.local
on your own device. None of this leaves your machine unless explicitly noted:
| Key | What it is | Sent to server? |
|---|---|---|
| apiUrl | Backend endpoint (constant) | - |
| apiKey | Your personal API key | Only as X-API-Key header on requests |
| botTabId | Chrome tab ID the bot operates on | No |
| runningSince | Timestamp the bot last started | No |
| repliedIds (in-memory) | List of recently-replied items, deduplication only | No |
The extension also injects scripts into x.com and
twitter.com tabs to:
- Read tweet text, author handle and tweet URL from the rendered page.
- Paste reply text into the X compose box and click the Reply button.
- Upload media (image / video) and click Tweet for repost actions.
The extension does not read your X password, your DMs, your private notifications, your bookmarks, your followers list, or any other X data not displayed in the public tweet view.
3. What our server stores
The backend service stores the following per user account:
- Your API key (hashed-equivalent, stored as-is to identify requests).
- Your X handle if you provided one when registering.
- Your Telegram chat ID if you linked Telegram via /start <key>.
- Crawled tweets: public tweet text, author handle, tweet ID, media URL, view count. Only tweets matching the configured trending keywords.
- AI-generated content: rewritten captions and reply text generated by DeepSeek for those tweets.
- Action records: which items the extension marked as replied or posted, and a timestamp.
- Server logs: a 30-day rotating buffer of basic request logs (path, status code, user ID prefix). No request bodies.
The backend service does not store:
- X passwords, OAuth tokens, or session cookies.
- DMs, private notifications, or any non-public X data.
- Browser history outside of the tweets you process.
- Payment information (handled by external billing provider when applicable).
4. What we share with third parties
The service makes outbound calls to three third parties:
- DeepSeek (api.deepseek.com): public tweet text is sent so the AI can rewrite it into a reply. DeepSeek's privacy policy applies to that interaction.
- RapidAPI / twitter241 (twitter241.p.rapidapi.com): used to crawl public trending tweets. No personal data of yours is sent.
- Cloudflare Tunnel: the API runs behind Cloudflare; standard HTTPS proxy logs (IP, request path, response code, kept ~30 days by Cloudflare).
We do not sell, rent or trade your data to anyone. We do not run ad networks or analytics scripts on the extension or the dashboard.
5. Your X (Twitter) account
Your X login lives in your own Chrome browser. The extension uses your already-authenticated session the same way a human clicking the Reply button would. Specifically:
- We never see your password.
- We never send your X cookies to our server.
- X's Terms of Service apply to your account. You are responsible for staying within X's rate limits and automation rules. We provide configurable delays to help; ultimate compliance is yours.
6. Your rights · data export · deletion
You can at any time:
- Export: request a JSON dump of every row associated with your API key. Message our Telegram bot with /export.
- Delete: ask the admin to wipe all your data. Send /delete to the Telegram bot or email the contact below. Deletion is irreversible and completes within 72 hours.
- Disable: stop the bot at any time from the extension popup. No data is sent while stopped.
- Uninstall: removing the extension from Chrome wipes everything stored locally (apiKey, runningSince, etc.).
7. Security
- All traffic between the extension and the server uses HTTPS (TLS 1.3 via Cloudflare).
- API keys are 32-character random hex tokens generated server-side.
- Per-user data is isolated by API key: one user cannot read another user's items.
- The server runs on a single VPS with daily SQLite backups kept for 14 days.
- We patch dependencies regularly. Disclosed vulnerabilities can be reported to the contact email below.
8. Cookies and tracking
The extension itself sets no cookies and uses no analytics. The marketing landing page (the page you're reading) sets no third-party cookies, has no Google Analytics, no Facebook Pixel, no Hotjar, none.
The only "tracking" that exists is on the server side: which items each API key processed. That's necessary for the service to function (sending the right replies back to the right user).
9. Children
The Service is not directed at users under 18. Do not use it if you are under 18. We will delete any account we discover to be operated by a minor.
10. Changes to this policy
We may update this policy. The current version and "Last updated" date are shown at the top. Material changes will be announced via the Telegram bot to all linked users at least 14 days before taking effect.
11. Contact
X Engage is provided "as is" without warranty. We do our best but software has bugs. By using the Service you accept this Privacy Policy.