X Grower Privacy.

• Email address — when you sign up or sign in. Used to identify your account and enforce per-user quota.
• Authentication session tokens — issued by Supabase Auth, stored locally in chrome.storage.local on your device. Used to authorize API calls to our backend.
• “About Me” text and template settings — what you type in the popup to personalize your replies. Stored in chrome.storage.sync so it follows your Chrome profile across devices, and sent with each generation request so the AI can match your voice.
• Reply usage counters — how many replies you have generated today and this month. Stored server-side so we can enforce free/Pro quota.
• IDs of tweets you have replied to via the extension — stored locally on your device only. Used so the batch mode (Auto Burst) never double-replies to the same tweet.
• Tweet content, transiently — when you click a template button on a tweet, the text of that tweet is sent to our backend so the AI knows the context. We do not persist this text after the response is returned.

• Your direct messages on X.
• Tweets you have not explicitly clicked to reply to.
• Browsing history outside of x.com / twitter.com / growthhunt.ai / our Supabase project.
• Page contents from any other website you visit.
• Payment information (Pro is currently invite-only; no payment is collected).
• Advertising or tracking identifiers.

Your account and usage data lives in Supabase (Postgres + Storage), region ap-southeast-1. Authentication is brokered by Supabase Auth, with optional Google OAuth via chrome.identity. Reply generation runs on our Vercel backend at www.growthhunt.ai/api/xgrower/*, which calls MiniMax as the LLM provider. Tweet text passed to MiniMax is not retained beyond standard transient processing.

X (Twitter) rejects synthetic JavaScript click events (events with isTrusted=false) on its Reply send button as part of its anti-automation defense. To allow you to submit a draft you have reviewed, the extension briefly attaches the Chrome DevTools Protocol to your active x.com tab and dispatches a real input event on the Send button. The attachment is opened on each send, used for a single click sequence, and detached immediately.

chrome.debugger is never used to read page data, intercept network requests, or monitor your activity — only to dispatch a click on a button you have authorized the extension to press.

We do not sell your data. We share with:

• Sub-processors required to run the service: Supabase (database + auth), Vercel (hosting), MiniMax (LLM generation), Google (only if you choose Google Sign-In).
• Law enforcement only when legally required.

• Account data and usage counters: kept until you delete your account.
• Replied-tweet IDs: stored on your device; cleared when you uninstall the extension or clear extension storage.
• Tweet content sent for generation: not retained after the response is returned.

You can sign out from the popup at any time to clear your local session. You can uninstall the extension to remove all on-device storage. To delete your account and all server-side usage data, or to request a data export, email us at the address below — we will action requests within 30 days.

X Grower is not directed to users under 13. We do not knowingly collect data from children.

We may update this policy as the product evolves. Material changes will be announced via the extension popup or by email to registered users. The “last updated” date at the top reflects the most recent revision.

Questions about this policy: hello@growthhunt.ai.