Privacy and control are essential

X takes privacy seriously, and we expect everyone using X Content and the X API to do the same. Any use of the X developer platform, X API, or X Content in a manner that is inconsistent with peoples’ reasonable expectations of privacy may be subject to enforcement action, which can include suspension and termination of API and X Content access.

Your commitment to privacy and control must extend to all uses of X Content and all aspects of the service that you build using our API. To that end, the people using your service must understand and consent to how you use their data, and how you access X on their behalf. This can be accomplished through providing people with a clear, comprehensive, and transparent privacy policy, as well as ensuring that you get express and informed consent from each person using your service before taking any action on their behalf. Please note that a person authenticating into your service does not by itself constitute consent.

 

Consent & permissions

In particular, you must get express and informed consent from people before doing any of the following:

  • Taking any actions on their behalf. This includes (but is not limited to): 
    • Posting content to X
    • Following/unfollowing accounts
    • Modifying profile or account information
    • Adding hashtags or any other content to Posts
  • Republishing content accessed by means other than via the X API or other X tools
  • Using someone’s X Content to promote a product or service

  • Storing non-public content such as Direct Messages (DMs), or any other private or confidential information

  • Sharing or publishing protected content, or any other private or confidential information

If your service allows people to post content to X you must do the following before publishing:

  • Show exactly what will be published

  • Make it clear to people using your service what geo information (if any) will be added to the content

If your service allows people to post content to both your service and X, you must do the following before publishing:

  • Obtain permission to post the content

  • Explain where you will post the content

You must respect the protected and blocked status of all X Content. You may not serve content obtained using one person’s authentication token to a different person who is not authorized to view that content.

  • Protected accounts: A protected account’s content is only available to people who have been approved by the owner to follow that account. So, if you run a service that accesses protected accounts, you may only do so to serve such content to the specific people with permission to view that content.

  • Blocked accounts: People on X are able to block access to their accounts for any reason they choose. Commingling information obtained from tokens (or any other API-based action) to bypass this choice is not permitted.

As Direct Messages (DMs) are non-public in nature, services that provide DM features must take extra steps to safeguard personal privacy. You may not serve DM content to people who are not authorized to view that content. If your service provides DM functionality you must also:

  • Notify people if you send read receipt events for DMs. You can do this by providing a notice directly in your service, or by displaying read receipts from other participants in a conversation.

  • Get consent before configuring media to be sent in a DM as "shared" (i.e. reusable across multiple DMs). If you do allow media in a DM to be “shared,” you must provide a clear notice that this content will be accessible to anyone with the media’s URL.

 

Content compliance

If you store X Content offline, you must keep it up to date with the current state of that content on X. Specifically, you must delete or modify any content you have if it is deleted or modified on X. This must be done as soon as reasonably possible, or within 24 hours after receiving a request to do so by X or the applicable X account owner, or as otherwise required by your agreement with X or applicable law. This must be done unless otherwise prohibited by law, and only then with the express written permission of X.

Modified content can take various forms. This includes (but is not limited to): 

  • Content that has been made private or gained protected status

  • Content that has been suspended from the platform

  • Content that has had geotags removed from it

  • Content that has been withheld or removed from X

 

Off-X matching

We limit the circumstances under which you may match a person on X to information obtained or stored off-X. Off-X matching involves associating X Content, including a X @handle or user ID, with a person, household, device, browser, or other off-X identifier. You may only do this if you have express opt-in consent from the person before making the association, or as described below.

In situations in which you don’t have a person’s express, opt-in consent to link their Xidentity to an off-X identifier, we require that any connection you draw be based only on information that someone would reasonably expect to be used for that purpose. In addition, absent a person’s express opt-in consent you may only attempt to match your records about someone to a X identity based on:

  • Information provided directly to you by the person. Note that records about individuals with whom you have no prior relationship, including data about individuals obtained from third parties, do not meet this standard; and/or

  • Public data. “Public data” in this context refers to:

    • Information about a person that you obtained from a public, generally-available resource (such as a directory of members of a professional association)

    • Information on X about a person that is publicly available, including:

      • Posts

      • Profile information, including an account bio and publicly-stated location

      • Display name and @handle

 

Your privacy policy

You must display your service’s privacy policy to people before they are permitted to download, install, or sign up to your service. It must disclose at least the following information:

  • The information that you collect from people who use your service

  • How you use and share that information (including with X)

  • How people can contact you with inquiries and requests regarding their information

Your privacy policy must be consistent with all applicable laws, and be no less protective of people than X’s Privacy Policy and the privacy policy of our other services and corporate affiliates. You must cease your access to the X API and the use of all X Content if you are unable to comply with your and/or X’s Privacy Policy.

 

Using geo-data

Use of geo data comes with additional restrictions due to the sensitive nature of this information. If your service adds location information to Posts, you must disclose to people:

  • When you add location information

  • Whether you add location information as a geotag or annotations data

  • Whether your location information is listed as a place, or as geographic coordinates

If your application allows people to Post with their location you must comply with X’s geo guidelines in full. 

Any use of location data or geographic information on a standalone basis is prohibited. You may not (and may not permit others to) store, aggregate, or cache location data and other geographic information contained in X Content, except as part of a Post. For example, you may not separate location data or geographic information out from Posts to show where individuals have been over time. Heat maps and related tools that show aggregated geo activity (e.g., the number of people in a city using a hashtag) are permitted.

 

X passwords

You may not store X passwords, or request that people provide their X password, account credentials, or developer application information (including consumer key) to you directly. We suggest the use of Sign-in with X as the authentication tool to link your service and people on X.