Privacy Policy

Effective date: April 13, 2026

Traction Loop (“we”, “us”, or “our”) operates gotractionloop.com. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.

1. Information we collect

When you connect your X (Twitter) account, we collect:

• Your X username and X user ID
• Your email address (from Supabase Auth at sign-in)
• Your public tweet history (post content, engagement counts, timestamps)
• Engagement metrics returned by the X API (likes, replies, reposts, quotes, impressions, bookmarks)

We also collect information you provide directly, such as your answers to onboarding questions used to assign your creator archetype.

We collect standard server logs (IP address, browser type, pages visited) for security and debugging purposes.

2. How we use your information

• To analyse your post history and generate your traction audit
• To surface statistically significant patterns in your posting behaviour
• To compose and publish posts to X on your behalf when you explicitly request it
• To send transactional emails (audit-ready notifications, account updates)
• To process subscription payments via Stripe
• To improve the accuracy and relevance of our analysis over time

We do not sell your data. We do not use your post content to train third-party AI models beyond what is required to generate your personal audit.

3. X API data usage

We access your X account via OAuth 2.0 PKCE with the minimum scopes required: read access to your tweet timeline and metrics, and write access limited to publishing posts you explicitly approve through our interface. We do not access your X direct messages, follower lists, or any data beyond what is necessary to operate the service.

X OAuth tokens are stored encrypted using Supabase Vault. We never store your X password.

4. Data sharing

We share your data with the following third-party services, solely to operate the product:

• Supabase — database and authentication (EU/US infrastructure)
• Anthropic / OpenAI — LLM inference for audit generation (your post content is sent as context; it is not used to train their public models under their current API terms)
• Stripe — payment processing (we share your email and a customer ID; we never store full card details)
• Resend — transactional email delivery
• Railway / Vercel — hosting infrastructure

We do not share your data with any other third parties.

5. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your data within 30 days, except where we are required to retain it for legal or compliance reasons.

6. Security

We use industry-standard measures to protect your data: encrypted storage, HTTPS for all data in transit, row-level security on our database (meaning queries for one user’s data cannot return another user’s data), and encrypted token storage in Supabase Vault. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Your rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Revoke X OAuth access at any time via your X account settings
• Cancel your subscription at any time via the billing portal

To exercise any of these rights, email us at service@koalanda.com.

8. Cookies

We use session cookies to maintain your authenticated state. We do not use third-party tracking cookies or advertising cookies.

9. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by a notice on the site. Continued use of the service after changes are posted constitutes your acceptance of the updated policy.

10. Contact

Questions about this policy: service@koalanda.com