Privacy Policy

Last updated: February 2026

The short version

  • We never store your tweets or tweet content.
  • Your Twitter archive is parsed entirely in your browser — the file never leaves your device.
  • We store only your encrypted authentication tokens (so we can delete tweets on your behalf) and basic profile info (username, avatar).
  • We cannot read your DMs, email, phone number, or password.
  • You can revoke access anytime from Twitter Settings → Security → Apps.
  • We do not sell, share, or monetize your data in any way.

What data we collect

Account information

When you connect your Twitter account, we receive and store:

  • Your Twitter user ID, username, display name, and profile picture URL
  • OAuth access and refresh tokens (encrypted with AES-256-GCM)
  • Your plan status (free or pro) and payment reference
  • Aggregate counters: total tweets deleted and accounts unfollowed

Job data

When you start a deletion or unfollow job, we store:

  • Tweet IDs or user IDs to process (not the tweet content itself)
  • Job progress (how many items processed, failed, remaining)
  • Job status and timestamps

What we do NOT collect

  • Your tweet text, images, or media
  • Your direct messages
  • Your email address or phone number
  • Your Twitter password
  • Your browsing activity outside of Delete Tweets

How your archive is handled

When you upload your Twitter archive (.zip file), the following happens:

  1. The file stays in your browser. It is never uploaded to our servers.
  2. JavaScript parses the archive locally using the JSZip library running in your browser.
  3. Only tweet IDs are extracted and sent to our server so we can call Twitter's delete API.
  4. After deletion is complete, you can revoke our access and the tweet IDs are no longer needed.

How we protect your data

  • Token encryption: Your Twitter OAuth tokens are encrypted at rest using AES-256-GCM with a server-side key. Even if our database were compromised, your tokens would be unreadable without that key.
  • Row-level security: Our database uses Supabase row-level security policies. You can only access your own data.
  • HTTPS everywhere: All data in transit is encrypted via TLS.
  • No third-party tracking: We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts.

Twitter OAuth permissions

When you connect your account, Twitter's OAuth screen shows you exactly what permissions we are requesting:

  • tweet.read: So we can show you a list of your tweets before deletion.
  • tweet.write: So we can delete your tweets when you click "Start Deleting."
  • follows.read: So we can show you who you're following.
  • follows.write: So we can unfollow accounts when you click "Start Unfollowing."
  • users.read: So we can display your profile info (name, avatar) in the dashboard.
  • offline.access: So we can refresh your access token without requiring you to re-authorize every 2 hours.

We do not request permission to post tweets, send DMs, or access your email.

Payment data

Payments are processed by Stripe. We never see or store your credit card number. Stripe handles all payment processing, and we only receive a confirmation that payment was successful along with a payment reference ID.

Revoking access

You can revoke our access to your X account at any time:

  1. Go to Twitter → Settings → Security and account access → Apps and sessions → Connected apps
  2. Find "Delete Tweets" (or "XClean") and click "Revoke app permissions"

Once revoked, we can no longer perform any actions on your account. Your encrypted tokens become useless.

Data deletion

Want us to delete all data we have about you? Revoke access (above) and email us. We will delete your profile, job history, and encrypted tokens from our database.

Contact

Questions about this policy? Reach out at privacy@deletetweets.org