Privacy Policy

Last updated: May 19, 2026

1. Overview

This Privacy Policy explains how Xholic ("Xholic," "we," "us," or "our") collects, uses, stores, and shares information when you use xholic.ai, the Xholic web application, the Xholic browser extension for Google Chrome, and any related services (collectively, the "Services").

By using our website, browser extension, or any of our Services, you agree to the data practices described in this policy.

2. Information We Collect

We may collect the following categories of information:

  • Account and contact data: such as your email, name, and profile metadata when you sign up.
  • Social platform data: limited data from your 𝕏 account when you connect via OAuth, based on permissions you authorize.
  • Usage data: device, browser, page views, interactions, and service performance data.
  • Billing data: subscription plan, billing status, transaction metadata, and limited payment-related information provided by our payment processors. We do not store full payment card numbers ourselves.
  • Support communications: messages and related metadata when you contact us.
  • Browser extension data: when you use the Xholic browser extension on x.com, we collect data described in Section 3 ("Browser Extension") below.
  • Smart Scheduler data: scheduled post text, drafts, schedule slots, timezone, post status, posted tweet identifiers and URLs, automation rule settings, automation outcomes, failure messages, retry metadata, and related scheduler activity.

3. Browser Extension

The Xholic browser extension operates on x.com (formerly Twitter) to provide AI-powered reply suggestions, content discovery, and collection management. This section describes the extension's data practices in detail.

3.1 Data Collected by the Extension

  • Tweet content and metadata: when you interact with a tweet (e.g., open the reply panel or save a tweet), the extension reads the tweet text, author username, and tweet identifier from the page to provide contextual features.
  • Your 𝕏 username: the extension reads your logged-in 𝕏 username from the page for account verification purposes.
  • Reply text: when you compose or insert a reply using our suggestions, the text of that reply is transmitted to our servers for tracking and analytics.
  • Authentication token: a session token is securely passed from the Xholic web application to the extension and stored locally in Chrome's storage API to authenticate API requests.
  • Extension lifecycle telemetry: the extension creates an installation identifier and sends installation, update, account-linking, and uninstall signals to help us understand extension adoption and reliability. This may include extension version, install/link/uninstall timestamps, and a server-issued uninstall URL token.

3.2 Permissions and Why We Need Them

  • Host permission (x.com): required to inject the content script that reads tweet data and provides in-page reply features. The extension only runs on x.com and does not access any other websites.
  • activeTab: used to interact with the currently active x.com tab when you trigger an action.
  • sidePanel: used to display the Xholic side panel within Chrome for reply suggestions and collection management.
  • storage: used to store your authentication session token locally on your device using Chrome's storage API. No browsing history or unrelated data is stored.

3.3 Cross-Origin Communication

The extension communicates with the Xholic web application (app.xholic.ai) to receive your session token after you sign in. This communication uses Chrome's externally connectable messaging API and is restricted to verified Xholic domains. No third-party websites can send messages to the extension.

3.4 AI and Machine-Learning Processing

Tweet content you interact with through the extension may be sent to our servers and processed by AI and machine-learning models (including third-party large language model providers) to generate personalized reply suggestions, content recommendations, and engagement insights. We do not use your data to train third-party AI models. AI-generated suggestions are provided for your review and are never posted automatically.

3.5 Local Storage and Data Minimization

The extension stores only your session token and a random installation identifier locally using Chrome's storage API. Tweet data and reply suggestions are fetched on demand and are not persisted in the browser. You can remove all locally stored data by uninstalling the extension or clearing extension storage.

4. Smart Scheduler and Posting Automation

Smart Scheduler lets you save drafts, queue posts, choose recurring or custom posting times, publish approved posts, and configure automation rules such as auto-retweet or auto-delete conditions. To provide these features, we process the post text you submit, your selected schedule slots and timezone, post status, posted tweet identifiers and URLs, automation rule configuration, metrics needed to evaluate those rules, retry state, failure logs, and related operational metadata.

When Smart Scheduler publishes a post or runs a configured automation, Xholic sends the necessary request to 𝕏 through the authorized platform integration. We may record whether the action succeeded, failed, was skipped, or requires your attention so the scheduler can show accurate history and reliability alerts.

5. How We Use Information

We use information to:

  • Provide, maintain, and improve Xholic features.
  • Personalize discovery, recommendations, and content suggestions.
  • Generate AI-powered reply suggestions and content insights based on tweet context.
  • Save drafts, schedule approved posts, publish scheduled posts, and run automation rules you configure.
  • Operate signup, trial, and onboarding flows.
  • Measure website usage, diagnose performance, and improve our marketing site and product experience.
  • Process subscriptions, payments, invoices, and account support.
  • Monitor security, detect abuse, and prevent fraud.
  • Comply with legal obligations and enforce our terms.

5.1 Website Analytics and Cookies

On xholic.ai, we use analytics cookies and similar technologies to understand traffic sources, site usage, conversion activity, and performance. This helps us improve the website, marketing pages, and onboarding flow.

For visitors located in the European Economic Area (EEA), the United Kingdom, and Switzerland, we ask for consent before enabling non-essential analytics technologies on the website. For visitors in other regions, analytics may be enabled without a consent banner where permitted by applicable law. You can change your website cookie preference at any time through Cookie Settings.

6. Data Sharing

We do not sell your personal data. We may share data with trusted providers that help us operate the service (such as hosting, analytics, payment processing, AI model providers, and customer support tooling), and when required by law.

Our website analytics stack currently includes Google Tag Manager and Google Analytics 4 for traffic and conversion measurement, Microsoft Clarity for usability and session insights, and PostHog for landing and product analytics. When enabled, these providers may receive device, browser, page, referral, and interaction data and may set or read cookies or similar identifiers on your device.

When you purchase a subscription, payment processing is handled by our third-party payment providers. Their use of your information is governed by their own terms and privacy policies.

When you use Smart Scheduler, relevant post content, scheduling instructions, and automation requests may be sent to 𝕏 or its APIs as needed to publish approved posts, check metrics, or run configured actions. Those interactions remain subject to 𝕏's own terms and privacy practices.

Tweet content processed for AI-generated suggestions may be sent to third-party large language model providers solely for the purpose of generating responses. These providers are contractually prohibited from using your data for any other purpose, including training their models.

7. International Data Transfers

Your data may be transferred to and processed in countries other than the one in which you reside, including the United States and other jurisdictions where our service providers operate. When we transfer data internationally, we rely on appropriate legal mechanisms such as Standard Contractual Clauses (SCCs) or equivalent safeguards to protect your data.

8. Data Retention

We keep data for as long as needed to provide the service, meet legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on data type and operational needs.

We may retain certain billing, transaction, security, and compliance records after account closure where reasonably necessary for legal, tax, audit, fraud prevention, or enforcement purposes.

9. Security

We use reasonable technical and organizational safeguards to protect data, including encrypted connections (TLS) for all data in transit, restricted access controls, and secure token storage. However, no system is 100% secure, and we cannot guarantee absolute security.

10. Your Rights and Choices

Depending on your location, you may have the following rights under applicable data protection laws (including the GDPR, CCPA/CPRA, and similar regulations):

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data, subject to legal retention obligations.
  • Portability: request a machine-readable export of your data.
  • Restriction or objection: request that we limit or stop processing your data in certain circumstances.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Non-discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law.

You can also manage website analytics consent directly on the website.

You may also disconnect linked accounts, unsubscribe from marketing communications, and uninstall the browser extension at any time. Deleting your account or cancelling a subscription does not eliminate records we are required or permitted to retain for billing, compliance, dispute resolution, or security purposes.

11. Lawful Basis for Processing (EEA/UK/Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of a contract: to provide the Services you have requested, including AI-powered features and browser extension functionality, scheduled publishing, and configured automation rules.
  • Legitimate interests: to improve our Services, ensure security, and prevent fraud, where those interests are not overridden by your rights.
  • Consent: where you have given explicit consent, such as allowing analytics cookies on xholic.ai, connecting your 𝕏 account, or installing the browser extension.
  • Legal obligations: to comply with applicable laws, regulations, and lawful requests.

12. Children's Privacy

Xholic is not intended for children under 13 (or the minimum age required by your jurisdiction). We do not knowingly collect data from children. If we learn that we have collected personal data from a child under 13, we will delete it promptly.

13. Policy Changes

We may update this policy over time. We will post updates on this page and revise the "Last updated" date. If we make material changes, we will provide prominent notice through the Services or by email.

14. Contact

For privacy-related questions or to exercise your data rights, contact us at [email protected].

Also see our Terms of Service.