Privacy Policy

Zexr (“Zexr”, “we”, “us”) is a social-media growth platform for X (formerly Twitter) and Bluesky. This Privacy Policy explains what information we collect, how we use it, and the rights you have over it. It applies to zexr.app and any related Zexr services.

Information you provide

• Account details: email, display name, profile photo.
• Billing details: name, billing address, last four digits of your card. Full card numbers go directly to Stripe; we never see or store them.
• Content you create in Zexr: drafts, scheduled posts, threads, replies, automation configurations, niche selections, voice training preferences.
• Support correspondence and feedback you send us.

Information from connected accounts

When you connect an X or Bluesky account, Zexr stores OAuth access and refresh tokens, your handle, profile metadata, and a copy of posts, mentions, and direct-message events that we need to power scheduling, analytics, and automation features. Tokens are encrypted at rest. We never request or store your X or Bluesky password.

Information we collect automatically

• Usage analytics: pages viewed, features used, error logs, approximate location derived from IP, device and browser type.
• Cookies and similar technologies. See our Cookie Policy.

• Operate the service: publish your scheduled posts, ingest metrics, deliver mentions and DMs, run automations.
• Generate AI assistance: train your voice profile from posts you authorize, draft replies and content suggestions in your voice.
• Bill subscriptions, prevent fraud, enforce abuse policies, comply with legal obligations.
• Improve the product: analytics, A/B tests, and aggregate statistics. We do not sell your personal data.
• Communicate with you: transactional email (sign-in, billing, automation alerts), and product announcements you can opt out of.

Zexr uses third-party large language models (currently Anthropic Claude and OpenAI embedding models) routed through a managed LiteLLM proxy to power voice training, post generation, reply drafting, and analytics summaries. Inputs and outputs are transmitted securely to those providers solely to deliver the requested feature. We do not authorize providers to train their general models on your content. You retain ownership of all outputs Zexr generates for your account.

We share information only with the following categories:

• Infrastructure: Vercel (web hosting), Supabase (database, auth, file storage), Fly.io and Upstash (background workers, queues).
• Billing: Stripe (subscription processing, payment methods).
• AI: Anthropic, OpenAI (via the LiteLLM proxy at litellm.oppla.dev).
• Connected social platforms: X and Bluesky receive whatever content and actions you direct Zexr to perform on your behalf.
• Email delivery: Resend (transactional and product emails).
• Legal: regulators, law enforcement, or counterparties, only when required by valid legal process or to protect users.

We do not sell your personal data, and we do not authorize advertising profiling.

We retain account data for as long as your account is active. When you disconnect a social account, OAuth tokens are marked as disconnected and revoked at next refresh; ingested content is kept for analytics history unless you request deletion. When you close your Zexr account, we delete personal data within 30 days except where we are legally required to retain billing records.

Depending on where you live, you may have rights to access, port, correct, or delete personal data we hold about you, and to object to or restrict certain processing. EEA, UK, California, and similar residents have rights under GDPR, UK GDPR, and CCPA. To exercise any of these, email privacy@zexr.app. We respond within 30 days.

We use TLS in transit, encrypted column storage for OAuth tokens, scoped row-level security in our database, and least-privilege service-role access for background workers. No system is perfect; you are responsible for keeping your account credentials safe.

Zexr is operated from the United States. By using Zexr you consent to your information being transferred to and processed in the US and any region where our subprocessors operate. We use Standard Contractual Clauses where required for transfers from the EEA, UK, or Switzerland.

Zexr is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from minors.

We may update this policy. Material changes will be announced by email or in-product notice at least 14 days before they take effect.

Questions or requests: privacy@zexr.app.