Last updated: March 13, 2026

Privacy Policy

This Privacy Policy explains how X-ROR ("we," "us," or "our"), operated via x-ror.fun, collects, uses, and protects your personal data when you use our website and services. We are committed to protecting your privacy and being transparent about our data practices.

By using X-ROR, you agree to the practices described in this policy. If you do not agree, please do not use our services.

1. Information We Collect

1.1 Information You Provide Directly

• Account information: name, email address, and password when you create an account.
• Profile information: avatar image and Instagram username if you choose to connect your Instagram account.
• Payment information: billing details processed through our payment provider LiqPay. We do not store your full credit card number on our servers.
• Communications: any information you provide when contacting us for support.

1.2 Information Collected Automatically

• Usage data: pages visited, features used, download history, and interaction patterns.
• Device and browser data: IP address, browser type, operating system, device identifiers, and screen resolution.
• Cookies and similar technologies: see our Cookie Policy for details.
• Session data: login timestamps, session duration, and authentication tokens (including passkey/WebAuthn credentials).

1.3 Information from Third Parties

• Instagram: publicly available profile data when you use our download, stories, analyzer, or influencer search features.
• Payment provider (LiqPay): transaction confirmations and billing status.

2. How We Use Your Information

We use your personal data for the following purposes:

• To provide, maintain, and improve our services (downloads, stories, profile analysis, hashtag generation, influencer search).
• To create and manage your account and authenticate your identity.
• To process payments and manage your subscription (Free, Basic, or Pro plans).
• To send you service-related communications (email verification, password resets, security alerts).
• To monitor usage patterns and enforce usage limits based on your plan.
• To detect and prevent fraud, abuse, and security threats.
• To comply with legal obligations.

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on the following legal grounds:

• Performance of a contract: processing necessary to provide you with our services and manage your account.
• Legitimate interests: improving our services, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
• Consent: where you have given explicit consent, such as for non-essential cookies or marketing communications.
• Legal obligation: processing required to comply with applicable laws.

4. Data Sharing and Third-Party Services

We do not sell your personal data. We may share data with the following categories of service providers:

• LiqPay (payment processing) — processes your payment information securely. See LiqPay User Agreement, Personal Data Policy, and Terms of Service.
• Cloudinary (image hosting) — stores user avatar images on our behalf.
• Hosting providers: our servers and infrastructure providers that store and process data on our behalf.
• Email delivery services: for sending transactional emails (verification, password resets).

We may also disclose your information if required by law, court order, or to protect our rights and safety.

5. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection. When we transfer data from the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data remains protected.

6. Data Retention

We retain your personal data for as long as necessary to:

• Provide our services and maintain your account.
• Comply with legal, accounting, or reporting requirements.
• Resolve disputes and enforce our agreements.

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain certain information.

6.1 Specific Retention Periods

• Account data: retained until you delete your account, then removed within 30 days.
• Usage logs (IP addresses, action history): automatically deleted after 90 days.
• Session data (IP address, device info): automatically deleted after 90 days of inactivity.
• Bookmarks: retained until you delete them or your account.
• Payment records: retained for the period required by applicable tax and accounting laws.

7. Your Rights

7.1 Rights for All Users

Regardless of where you are located, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and personal data.
• Object to certain types of processing.

7.2 Additional Rights for EEA Users (GDPR)

If you are in the EEA, you additionally have the right to:

• Data portability: receive your data in a structured, machine-readable format.
• Restrict processing: request that we limit how we use your data.
• Withdraw consent: where processing is based on consent, you can withdraw it at any time.
• Lodge a complaint: with your local data protection authority if you believe your rights have been violated.

7.3 Rights for California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know: what personal information we collect, use, and disclose.
• Right to delete: request deletion of your personal information.
• Right to opt-out: of the sale of personal information. We do not sell your personal information.
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at [PRIVACY_EMAIL]. We will respond within 30 days (or 45 days for CCPA requests, with notice of extension if needed).

8. Children's Privacy

X-ROR is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at [PRIVACY_EMAIL].

9. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS/TLS), hashed passwords, and secure session management (including passkey/WebAuthn support). However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33).
• Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
• Provide details of the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach.
• For California residents, we will notify you in accordance with California Civil Code §1798.82.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification. Your continued use of X-ROR after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

• Email: [PRIVACY_EMAIL]
• Website: x-ror.fun