📹Download🗄Save Tweet🖼Images🎞GIF📊ER💰Revenue🔥ViralHooks📸Screenshot🔢Counter𝔸Fonts#Hashtags📈Trends🕐Best Time🎯Search📖Operators

Privacy Policy

Last updated: June 22, 2026

Short version: we run no user accounts, store nothing about you on our servers, and only collect anonymous usage statistics through Google Analytics 4 — and only if you accept the cookie banner. Reject the banner and zero analytics cookies are set.

1. Who we are (data controller)

XTapDown is an independent, free creator toolkit for X (formerly Twitter). It is part of the Tapdown family of creator tools. For data protection law purposes, the data controller is the operator of xtapdown.com. You can reach the operator at legal@xtapdown.com. XTapDown is not affiliated with X Corp., Twitter, Inc., or any of their subsidiaries.

2. What we collect

XTapDown is built to collect as little as possible. We do not require an account and we never ask for your name, email, or any other personal identifier to use any tool on this site.

We collect:

  • Anonymous usage analytics (only with your consent) — page views, tool used, country, device type, referrer. Collected via Google Analytics 4 with IP anonymization.
  • Request logs (always) — when you paste a tweet URL into a downloader, our server briefly fetches the public tweet metadata so it can return it to you. The log entry is retained for at most 24 hours for abuse and rate-limit purposes, then deleted. The entry contains the requested URL and your IP address; it is not linked to any analytics profile.
  • Locally stored preferences — your country choice for trends/best-time, your consent decision, and any UI preferences you set. Stored in your browser's localStorage; never sent to us.

We do not collect: account data, payment data, contact lists, location below country level, anything from logged-out X sessions, anything from inside private or protected accounts. We have no access to those and could not collect them even if asked.

3. Why we collect it (lawful basis under GDPR)

  • Consent (Art. 6(1)(a) GDPR): analytics cookies, marketing cookies, preference cookies.
  • Legitimate interest (Art. 6(1)(f) GDPR): short-lived request logs needed to operate and protect the service from abuse. We have weighed this against your rights and consider it minimal.
  • Legal obligation (Art. 6(1)(c) GDPR): retaining DMCA / copyright counter-notice correspondence for the period required by applicable law.

4. How long we keep it

  • Request logs: 24 hours, then automatic deletion.
  • Analytics data: Google Analytics 4 default retention (14 months) unless you withdraw consent earlier.
  • DMCA / takedown records: 3 years from the date of the notice, per US 17 U.S.C. § 512(c) recordkeeping practice.
  • localStorage data on your device: until you clear it through your browser, or for the lifetime of that browser profile.

5. Who else sees this data (processors and third parties)

We share data only with the infrastructure providers needed to operate the site:

  • Vercel Inc. (USA) — hosting and edge delivery. Standard server access logs.
  • Google LLC (USA) — Google Analytics 4, only after consent. Configured with IP anonymization and Consent Mode v2 (denied-by-default).
  • X Corp. — when you paste a tweet URL, we fetch the public metadata from X's public syndication endpoint. We send X only the tweet ID; we do not send your IP or any of your data to X.

We do not sell, rent, or share your data with advertisers, data brokers, or marketing platforms. We never run third-party advertising scripts on this site.

6. International data transfers

Our hosting and analytics providers operate primarily from the United States. Where personal data is transferred outside the European Economic Area or the United Kingdom, the transfer is covered by the EU-US Data Privacy Framework (Google, Vercel) and/or Standard Contractual Clauses (Art. 46(2)(c) GDPR).

7. Your rights

Under GDPR (EU/UK), KVKK (Türkiye), CCPA/CPRA (California), and equivalent laws you have the right to:

  • Access — request a copy of any data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete data (the “right to be forgotten”)
  • Restriction — ask us to limit processing
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interest
  • Withdraw consent — at any time, by clicking the cookie icon in the footer or clearing your browser's localStorage
  • Complaint — lodge a complaint with your local supervisory authority

To exercise any of these rights, email legal@xtapdown.com. We respond within 30 days. There is no fee.

8. Cookies

We use cookies and similar storage only with your consent. The full list, what each cookie does, and how long it lasts is on the Cookie Policy page.

9. Children's privacy

XTapDown is not directed at children under 13 (16 in some EU member states). We do not knowingly collect data from children. If you are a parent or guardian and believe your child has used the site, email us and we will delete any related data.

10. Türkiye (KVKK) and Germany (Impressum) notes

Users in Türkiye: a Turkish-language KVKK Aydınlatma Metni is available at /kvkk. Users in Germany, Austria, and Switzerland: legal identification information is at /impressum.

11. Changes to this policy

We may update this policy as the service changes. Material changes will be reflected in the “Last updated” date above. If consent categories change, the cookie banner will prompt you to re-consent.

12. Contact

Privacy questions, rights requests, or anything else: legal@xtapdown.com.