The minimum data we need, for the minimum time.

OffX is a non-profit service that posts tweets on your X account when you send an SMS to our Twilio number. This policy explains what we collect, why, where it lives, and how to erase it.

What we store

• Your X user ID and handle. Received from X OAuth. Used to post on your behalf and show you your account in the dashboard.
• Your X access + refresh token. Encrypted at rest. Used only to POST tweets you requested over SMS.
• Your phone number (E.164). The lookup key when Twilio delivers us an inbound SMS. Never shared.
• A log of your SMS-tweets. We keep the posted body, the tweet ID, and the status (posted, failed, rate-limited). Used for abuse prevention and user support. Retained for 30 days then hashed.

What we do not store

• Your X password. Ever. OAuth only.
• Your location, contacts, or device identifiers.
• Analytics about who reads your tweets.
• Unverified phone numbers after 24 hours.

Where it lives

Data is stored in a Supabase (Postgres) instance in the EU region, encrypted at rest, behind row-level security. Secrets are kept in Vercel's environment variables. SMS transits Twilio under their standard encryption.

Your rights

You can revoke OffX at any time from /dashboard. That deletes your row and revokes the X OAuth grant. You can also revoke directly from X under Settings → Apps & sessions. If you prefer to email us, write to privacy@offlinex.org; we answer within 72 hours and delete within 7 days.

Changes to this policy

We will announce any material change in a tweet from @OffXorg, with a 14-day notice before it takes effect. If you disagree, revoke before the deadline.