Skip to content

Privacy policy

Effective March 29, 2026 · xcarousel.com

At a glance

We collect only the data needed to provide the service

We never sell your personal information

You can delete your data at any time

Compliant with GDPR and CCPA

xcarousel ("we," "us," or "our") operates the website at xcarousel.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. If you do not agree with the terms of this policy, please do not access the Service.

Information we collect

Account information

When you sign up or log in via a supported third-party provider (Meta/Instagram, Google, LinkedIn, or TikTok), we receive your public profile information including your name, profile picture, and email address as permitted by the provider.

Instagram business data

If you connect your Instagram Business account, we access basic account information through instagram_business_basic. This may include your Instagram username, account type, and media count. We also request instagram_content_publish, which allows us to publish carousel content directly to your Instagram account on your behalf. Content is only published when you explicitly initiate it. We do not access your private messages, followers lists, or content beyond what is required.

Content you create

We store the carousels, slides, text, images, and other content you create within the Service. This content is yours and is stored solely to provide and improve the Service.

Usage data

We use Vercel Analytics, a privacy-friendly, cookieless analytics service, to collect anonymized usage data such as pages visited, features used, and general interaction patterns. This data does not identify you personally.

Technical data

Our servers automatically collect certain technical information when you visit our site, including your IP address, browser type, operating system, and referring URL. This information is used for security, performance monitoring, and debugging.

How we use your information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account
  • Enable you to create, edit, and export carousel content
  • Communicate with you about your account, updates, or support requests
  • Analyze usage patterns to improve the Service
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

Meta platform data

Our Service uses Meta Platform APIs to authenticate users and access Instagram Business account data. We are committed to the responsible use of this data:

  • We only request the minimum permissions necessary: public_profile, instagram_business_basic, and instagram_content_publish.
  • We do not sell, rent, or trade any data obtained from Meta Platform APIs.
  • We do not use Meta Platform data for advertising, data brokering, or any purpose unrelated to providing the Service.
  • Meta Platform data is retained only for as long as your account is active or as needed to provide the Service.
  • You can revoke our access at any time through your Instagram settings or your Facebook Business Integrations settings.

Data sharing

We do not sell, rent, or trade your personal information. We share data only with service providers who assist us in operating the Service:

  • Hosting & Infrastructure: Vercel (application hosting and analytics)
  • Database: Supabase (data storage)
  • Authentication: Meta Platforms, Google, LinkedIn, and TikTok (OAuth login)

These providers are contractually obligated to use your data only to perform services on our behalf and to maintain the confidentiality and security of your information.

We may also disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect our rights or safety, or investigate potential violations of our terms.

Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete your personal data within 30 days, except where we are required to retain certain information for legal, accounting, or compliance purposes.

Content you have created (carousels, slides) will be permanently deleted upon account deletion and cannot be recovered.

Your rights under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data.
  • Restriction — request that we limit processing of your data.
  • Data Portability — request a copy of your data in a structured, machine-readable format.
  • Object — object to the processing of your personal data.
  • Withdraw Consent — withdraw consent at any time where we rely on consent as the legal basis.

Our legal basis for processing personal data is your consent (provided when you authorize the Meta login) and our legitimate interest in operating and improving the Service.

To exercise any of these rights, contact us at support@xcarousel.com. We will respond within 30 days.

Your rights under CCPA

If you are a California resident, the California Consumer Privacy Act provides you with the following rights:

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete — request deletion of your personal information.
  • Right to Opt-Out of Sale — we do not sell personal information, so this right is satisfied by default.
  • Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise your rights, contact us at support@xcarousel.com.

Data deletion

You may request deletion of your data at any time by:

  • Emailing us at support@xcarousel.com with the subject line "Data Deletion Request"
  • Revoking access through your Instagram or Facebook account settings

Upon receiving a deletion request, we will delete all personal data associated with your account within 30 days. This includes your profile information, Instagram data, and all carousel content you have created. We will confirm the deletion via email.

If you revoke our access through Meta's platform, we will receive a data deletion callback and will process the deletion automatically.

Cookies & analytics

We use Vercel Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personally identifiable information. It provides us with anonymized, aggregated data about how visitors interact with our site.

We may use essential cookies strictly necessary for authentication and session management. These cookies are not used for tracking or advertising purposes.

Children's privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at support@xcarousel.com.

International data transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers operate. These countries may have data protection laws that differ from the laws of your country. By using the Service, you consent to the transfer of your information to these countries. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy.

Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Access controls limiting data access to authorized personnel
  • Regular security reviews of our infrastructure

While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the effective date at the top of this page and, where appropriate, by sending you a notification. We encourage you to review this page periodically.

Contact us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at support@xcarousel.com.