Privacy Policy

1. Controller

The data controller for personal data processed by XpressPurge is:

Krzysztof Woźniczek - IT services
ul. Graniczna 2ea/19
54-610 Wrocław, Poland
NIP: 6391914982

Email: chris@xpresspurge.com

If you are in the European Economic Area, United Kingdom, or Switzerland, you may contact us at the email above about your data protection rights.

2. Summary

In plain language:

• Core filtering works locally in your browser.
• You can use XpressPurge without creating an account.
• Your rules, presets, local hidden-post log, and local analytics are stored in browser storage by default.
• We do not sell personal data.
• We do not store your full payment card details.
• Paid checkout and invoices are handled by Creem as merchant of record.
• Account login, license activation, backend entitlement checks, and device management use Supabase.
• Diagnostic exports are optional and intended to avoid private post content.
• Optional browser sync may store selected rules, presets, and settings in your browser provider's sync storage.

3. Information Processed Locally in Your Browser

The extension may process the following data locally on your device:

Rules and presets

This includes keywords, phrases, handles, domains, media/post-content selections, engagement thresholds, rule actions, preset names, preset descriptions, enabled/disabled states, and timestamps.

X post information needed for filtering

When you browse X, the content script reads visible post elements in your browser so it can apply your rules. Depending on the page and rule type, this may include post text visible on the page, author handle, link domains in visible posts, whether a visible post contains images, videos, quotes, or external links, visible engagement metrics such as replies, reposts, likes, or views, and a local post fingerprint, usually based on a status URL or a fallback derived from handle and text.

This information is used to decide whether a post should be visible, hidden, dimmed, boosted, or logged locally.

Hidden-post log and analytics

The extension may keep a local hidden-post log and local analytics, including local post fingerprint, matched rule IDs, reason for hiding, timestamp, undo state, author handle if available, short preview text, daily hidden and boosted counts, and counts by rule, rule type, and preset.

These logs and analytics are stored locally in browser storage or IndexedDB unless you export them or enable a feature that intentionally syncs related data.

Settings and extension state

This includes the master Filtering toggle, active presets, theme preference, hide behavior, browser sync preference, privacy flags, Show-only mode, popup layout preferences, entitlement state, license token metadata, and extension version/browser metadata where needed.

4. Information Sent to Our Backend

Core local filtering does not require sending post content, rules, hidden logs, or analytics to our backend.

Information may be sent to our Supabase backend when you use paid/account features, including:

• email address used to claim a purchase or sign in with a magic link;
• checkout request ID, source, selected plan, checkout status, and masked payment-related metadata;
• Creem customer ID, order ID, subscription ID, product ID, and webhook event data;
• license plan, activation status, entitlement status, and expiry status;
• one-time activation code hash;
• hashed device ID;
• browser name and extension version for activated devices;
• refresh token hash and session expiry;
• device activation count and device limit;
• support or diagnostic information you choose to send.

We store hashes of device IDs, activation codes, and refresh tokens where the current implementation requires verification without storing the raw value.

5. Payments and Billing Data

Paid checkout is handled by Creem, operated by Armitage Labs OÜ, as merchant of record.

Creem may collect and process billing information such as name, email address, billing address, payment details, tax location, order details, invoice details, subscription status, refund status, chargeback status, and fraud-prevention data.

We receive limited payment-related information from Creem that is needed to activate and manage your license, such as checkout ID, order ID, subscription ID, customer ID, product ID, plan, status, and customer email.

We do not store your full payment card number.

Creem's processing is also governed by Creem's own terms and privacy notices.

6. Account and Authentication Data

If you use paid features, you may authenticate with a Supabase magic link. Supabase may process your email address, authentication session data, IP address, browser/device metadata, and related security logs as part of authentication and backend operations.

We use account data to:

• verify ownership of a paid checkout;
• issue extension activation codes;
• activate and refresh paid entitlements;
• show plan and device status;
• enforce device limits;
• provide billing portal access;
• prevent fraud and unauthorized sharing.

7. Optional Browser Sync

If you enable browser sync, selected data may be stored through your browser provider's extension sync storage. The current implementation may sync rules, presets, active preset IDs, Filtering enabled/disabled state, hide behavior, Show-only mode, and updated timestamp.

Browser sync is provided by your browser provider, such as Google, Mozilla, Microsoft, or Brave, depending on your browser and account settings. Their privacy policies apply to their sync infrastructure.

Browser sync is optional. You can keep XpressPurge local-only.

Our use of browser sync storage complies with the respective browser store policies, including the Chrome Web Store User Data Policy's Limited Use requirements.

8. Import, Export, and Diagnostics

You can export configuration data to a JSON file. Exports may include settings, rules, presets, and shared packs. Exports are controlled by you and stored wherever you save or share them.

Imports reset paid entitlement and billing fields to default free/local values. A JSON import cannot grant Pro access.

Diagnostic exports are optional. They are designed to include technical information such as generated time, extension version, browser user agent, current host, and selector status. They are intended not to include private post content. However, if you send us screenshots, support messages, or other files, those materials may contain information you choose to provide.

9. Website Data and Cookies

When you visit our website, we may process standard technical information such as IP address, browser type, device type, pages visited, referring URL, timestamps, and security logs.

If the website uses cookies or similar technologies, they may be used for essential site functionality, checkout/account flows, security, analytics, or preferences. Non-essential analytics or marketing cookies should be used only where permitted by applicable law and your consent choices.

If you add website analytics, advertising pixels, live chat, or email marketing tools later, update this Privacy Policy before launch.

10. How We Use Information

We use information to:

• provide local filtering, presets, analytics, logs, and extension features;
• process paid checkout and activate licenses;
• authenticate users and claim purchases;
• refresh entitlements and enforce plan limits;
• prevent fraud, abuse, unauthorized license sharing, and security incidents;
• provide support and respond to user requests;
• debug and improve selector compatibility and extension reliability;
• comply with legal, tax, accounting, consumer protection, and payment obligations;
• maintain backups, logs, and audit records where needed.

11. Legal Bases for Processing

If GDPR or similar law applies, we rely on the following legal bases:

• Contract: to provide the Service, paid plans, authentication, license activation, account features, billing-related access, and support.
• Legitimate interests: to secure the Service, prevent abuse, debug issues, improve reliability, enforce device limits, and operate local-first extension functionality in a privacy-respecting way.
• Consent: where required for optional cookies, marketing communications, or optional features that require consent.
• Legal obligation: to comply with tax, accounting, consumer protection, dispute, fraud, and regulatory requirements.

12. How We Share Information

We may share information with:

• Supabase: backend hosting, database, authentication, edge functions, and operational infrastructure.
• Creem: merchant-of-record checkout, payments, subscriptions, tax, invoicing, refunds, disputes, fraud prevention, and customer portal.
• Browser providers: if you enable browser sync or install through a browser store.
• Service providers: hosting, security, support, email delivery, analytics, or other providers we use to operate the Service.
• Legal and compliance recipients: courts, regulators, law enforcement, tax authorities, payment dispute parties, or professional advisers where required or appropriate.
• Business transfer recipients: if we are involved in a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate protections.

We do not sell personal data.

13. International Transfers

We are based in Poland, and our providers may process data in other countries. If personal data is transferred outside the European Economic Area, we rely on appropriate safeguards where required, such as Standard Contractual Clauses, data processing agreements, adequacy decisions, or other lawful transfer mechanisms.

Supabase and Creem may maintain their own subprocessors and transfer mechanisms. Their terms and privacy documentation apply to their processing.

14. Retention

We keep personal data only as long as reasonably necessary for the purposes described in this Privacy Policy.

Typical retention periods:

• Local extension data: until you delete it, reset the extension, clear browser storage, or uninstall the extension.
• Account/profile data: while your account or paid license remains active, and for a reasonable period afterward.
• Checkout, invoice, tax, refund, chargeback, and payment records: as required for legal, accounting, tax, fraud-prevention, and dispute purposes.
• Extension activation and session records: while needed to operate the license and device-management system, plus a reasonable security/audit period.
• Support messages and diagnostics: as long as needed to resolve the issue and maintain reasonable support records.
• Security logs: for a limited period reasonably necessary to protect the Service.

If you request deletion, we will delete or anonymize personal data unless we must keep it for legal, tax, dispute, fraud-prevention, security, or legitimate business reasons.

15. Your Rights

Depending on your location, you may have rights to:

• access your personal data;
• correct inaccurate data;
• delete data;
• restrict processing;
• object to processing;
• receive a portable copy of data;
• withdraw consent;
• complain to a data protection authority.

If you are in Poland, you may contact the Polish data protection authority, the President of the Personal Data Protection Office (UODO). If you are in another EU/EEA country, you may contact your local supervisory authority.

To exercise rights, contact chris@xpresspurge.com. We may need to verify your identity before responding.

16. California and Other Regional Privacy Rights

We do not sell personal information. We do not knowingly share personal information for cross-context behavioral advertising.

If regional privacy laws such as the California Consumer Privacy Act apply to you, you may have additional rights to know, access, correct, delete, or opt out of certain uses of personal information. Contact us at chris@xpresspurge.com to make a request.

17. Security

We use reasonable technical and organizational measures designed to protect personal data, including:

• local-first processing for core filtering;
• Row Level Security policies in Supabase tables;
• service-role-only writes for webhook-controlled billing tables;
• hashing of activation codes, device IDs, and refresh tokens where used for backend verification;
• signed entitlement tokens;
• HTTPS for backend communication;
• separation of public extension configuration from server secrets;
• not storing full payment card details.

No method of transmission or storage is completely secure. You are responsible for keeping your browser, device, email account, and activation codes secure.

18. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us so we can take appropriate action.

19. X Content and Sensitive Information

XpressPurge may process visible X post content locally in your browser to apply your rules. We do not intentionally collect or send your feed content to our backend for core filtering.

Because your rules may include keywords, handles, domains, or phrases that reveal interests or preferences, you should avoid entering sensitive information into rules unless you are comfortable storing that information in your browser and, if enabled, browser sync.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify users, such as by updating the website, extension, or account page.

The updated Privacy Policy will apply from the "Last updated" date unless a later effective date is stated.

21. Contact

For privacy questions or requests, contact:

Krzysztof Woźniczek - IT services
Email: chris@xpresspurge.com
Address: ul. Graniczna 2ea/19, 54-610 Wrocław, Poland
Website: xpresspurge.com

22. Third-Party References

You can review relevant third-party provider documents here:

• Creem Terms
• Creem Privacy Notice
• Supabase Privacy and Legal Documents