Privacy policy
What ClimbX collects, why we need it, where it lives, and the rights you have over it.
Last updated: 2026-05-14
Who we are
ClimbX (“we”, “us”) is operated by D. Smidstrup Holding ApS (CVR 45751937), trading as Random Code, Havnegade 12, 3. 1, 5000 Odense C, Denmark. Contact us at daniel@danielsmidstrup.com. We are the data controller for your personal data under the EU General Data Protection Regulation (GDPR).
What we collect
- X profile data: returned by X's OAuth flow when you sign in - your X user id, handle, display name, profile image URL, public follower / following counts, and verified-type (free / Premium / Business).
- X access tokens: a bearer token and refresh token issued by X when you authorize ClimbX. Encrypted at rest and used only to call the X API on your behalf.
- Your recent X posts: text, engagement metrics (likes, replies, impressions, views), and posting time. We use these to learn your voice and to compute your analytics. We re-fetch a small window periodically. We do not store your X DMs, drafts you didn't publish, or anyone else's posts beyond the public cohort outliers we surface as examples - and those are stored without any link to your account.
- Account data you provide: onboarding answers (goal, niches, aspirational creators), drafts you write, posts you schedule, chats you have with the AI assistant, and bookmarks you save.
- Usage data: the actions you take in the app (page views, button clicks), AI credit consumption, and the number / cost of API calls we make on your behalf. We use this to operate the service, enforce plan limits, and bill correctly.
- Payment data: handled by Stripe, our payment processor. We never see your card number. We receive only the minimum needed for support - your email, plan, and payment status.
How we use your data
- To run the drafting, voice-coach, and analytics features when you use them.
- To enforce plan limits (AI credits, scheduled-post quotas).
- To display your usage and analytics on your dashboard.
- To send transactional emails (receipts, security notices, plan changes).
- To produce aggregated, anonymized baselines across users so we can surface “what works in your niche at your size band.” Baselines require at least 30 users with identifiers stripped - no individual post or identity is ever surfaced to another user.
We do not sell your data. We do not share it with third parties for advertising. We do not train external AI models on your content.
Legal bases (GDPR)
- Contract performance (Art. 6(1)(b)): to deliver the ClimbX service you signed up for. Without your X data, we cannot do the work.
- Legitimate interests (Art. 6(1)(f)): to improve the service via aggregated analytics, to prevent abuse, and to bill accurately.
- Consent (Art. 6(1)(a)): for any future marketing emails, only after you opt in. Service and billing emails are not marketing and do not require consent.
Where your data lives
All account data is stored in EU data centers. Specifically, we host on Supabase (eu-west region, Dublin, Ireland) and deploy the app on Vercel's EU edge. We do not transfer your personal data outside the EEA for primary storage.
Two processors operate outside the EU but only handle data under EU adequacy decisions or Standard Contractual Clauses:
- OpenAI (United States) - powers the AI chat and draft-generation features. We send the text of your drafts and your conversation messages so the model can respond. Your X handle and personal identifiers are not included in the prompts. OpenAI does not train its public models on API traffic.
- X Corp. (United States) - we call X's API on your behalf using the OAuth tokens you authorize. See X's own privacy policy for how X handles its side of that relationship.
- Stripe (United States) - processes your subscription payments and calculates VAT. We never receive your card number.
- Rewardful (United States) - runs our affiliate program. If you arrive through an affiliate link, Rewardful records the referral so the affiliate who sent you is credited. Transfers outside the EU are covered by Standard Contractual Clauses.
Third-party services
- Database: Supabase, EU region (eu-west).
- Hosting: Vercel (EU edge).
- AI processing: OpenAI (US), via the official OpenAI API.
- Payments: Stripe handles billing, payment processing, and VAT calculation (Stripe Tax).
- Transactional email: Resend (EU region).
- Product analytics: Vercel Analytics (cookieless, no personal data).
- Affiliate tracking: Rewardful (US) - referral attribution for our affiliate program.
Cookies
Strictly necessary: a Supabase Auth session cookie to keep you signed in, plus a small set of preference cookies (theme, last visited page). These fall under the ePrivacy exemption.
Attribution and affiliate: if you reach ClimbX through an affiliate link or a marketing campaign, we set a first-party cookie that remembers where you came from (so we can understand which channels work), kept for up to 90 days. Our affiliate partner Rewardful also sets a referral cookie, kept for up to 60 days, so the affiliate who referred you is credited if you subscribe. These support our affiliate program and basic acquisition reporting only - they are not used for advertising and your data is never sold.
We do not use third-party advertising cookies, and our product analytics (Vercel Analytics) is cookieless.
Data retention and deletion
Account data (X profile, drafts, scheduled posts, chats, bookmarks, usage counters, billing records) is retained while your account is active.
When you ask us to delete your account, we erase your personal data within 30 days by anonymizing it. In practice that means three things:
- Deleted outright: your drafts, scheduled posts, your own posts and their metrics, chat history, bookmarks, saved library, and your X access tokens. Gone, not recoverable.
- Stripped of identifiers: your account record, X profile (handle, name, avatar, X user id), and sign-in identity are emptied so the remaining row cannot be linked back to you. We keep no key that re-connects it.
- Kept only where the law requires: billing and invoice records are retained for as long as tax law requires (typically 5 years in Denmark), and aggregated, anonymized baselines persist because, with identifiers stripped, they cannot be linked back to you.
If you held a founding-member spot, the spot stays counted toward the first-100 cohort but is shown anonymously - without your name or avatar.
Posts we analyze from other public X accounts (the “cohort” outlier corpus) are public content from accounts you do not own. They are stored without any link to your account and are not your personal data, so your deletion does not affect them.
Your rights (GDPR)
Under GDPR you have the right to:
- Access the personal data we hold about you
- Correct data that is inaccurate
- Delete your account - we anonymize your data as described under “Data retention and deletion” above
- Export your data in a machine-readable format
- Restrict certain processing
- Object to processing based on legitimate interests
- Withdraw consent for any consent-based processing
To exercise these rights, email daniel@danielsmidstrup.com. We aim to respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (in Denmark: Datatilsynet).
Children
ClimbX is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.
Changes
We may update this policy. Material changes will be posted here with an updated date and announced by email or in-app banner with at least 30 days' notice.
Contact
D. Smidstrup Holding ApS - daniel@danielsmidstrup.com
Need a Data Processing Agreement? Email the address above and we will provide one on request.