Privacy Policy
Last updated: April 27, 2026
This document describes what data Growany for X collects, where it is stored, and what it is used for. It is written to satisfy Chrome Web Store’s User Data FAQ and to be readable by humans.
TL;DR
- Sign-in is required to use Growany’s follow / like / reply / post actions. We authenticate you via Firebase Authentication (Google or email/password).
- Your activity log, touched-users de-dup table, and preferences sync to the Growany backend so they survive across devices. AI features (keyword suggestions, auto-post drafts) call a configured AI provider server-side.
- We never sell your data, never use it for advertising, never share it with anyone except the explicit subprocessors listed below.
What we store locally
The extension caches a few things in chrome.storage.local inside your own browser to keep the UI fast and to debounce uploads. They are mirrored to the cloud whenever you are signed in (see Cloud sync below) so the cloud row remains the source of truth.
| Key | Purpose |
|---|---|
| growany.activity.v1 | Local log of every follow / like / reply / post Growany performed for you, capped at 5000 rows. Powers the History page. |
| growany.touched.v1 | The set of X handles and post IDs Growany has already engaged, so it doesn't re-engage them. |
| growany.counters.v1 | Per-hour and per-action usage counters used to enforce the action caps you see in Settings (Free has lifetime caps; Pro/Max have daily caps). |
| growany.prefs.v1 | Recent keywords (max 8), language filter, recent competitor handles. |
| growany.cloudAuth.v1 | If you sign in: your Firebase ID token + refresh token + the email/uid we received from Firebase. Cleared on Sign out. |
| growany.cloudSync.v1 | Timestamps of the last successful incremental sync push, so we only upload deltas. |
| growany.idbMigration.v1.done | One-time flag: whether the legacy IndexedDB → storage.local migration has run on this machine. |
You can wipe each of these from the History → Settings tab:
- Reset local counters — clears
growany.counters.v1(does not reset the Free lifetime cap, which is enforced server-side) - Clear touched users — clears
growany.touched.v1 - Clear all (in History toolbar) — clears
growany.activity.v1 - Sign out — clears
growany.cloudAuth.v1and stops cloud sync immediately
You can also wipe everything by removing the extension from chrome://extensions.
Cloud sync
Sign-in is required to use Growany. The extension authenticates you via Firebase Authentication (Google or email/password). After that:
- The extension periodically calls our backend API to push incremental changes to:
activity_logs— the same rows you see in the local History pagetouched_users— handles / post IDs the extension has engagedusers.brand_bio— only when you edit it from the dashboard
- The backend persists those rows in a Postgres database, keyed to your Firebase UID.
- AI requests (
/ai/keywords,/ai/derive-niche,/ai/draft-post) are issued from the backend to Microsoft Azure OpenAI. The prompt typically includes your X handle, name, bio, and recent activity context; it never includes your Firebase tokens, email, or any other identifier. - Subscription billing is handled by Stripe. Only Stripe sees your card; we store only
stripe_customer_idandstripe_subscription_id.
Free tier accounts may still sign in to use the dashboard, but cloud sync of activity & touched data is reserved for Pro / Max tiers.
Subprocessors
| Provider | Data shared | Purpose |
|---|---|---|
| Google Firebase Authentication | email, OAuth provider id (if Google sign-in), refresh token | sign-in |
| Stripe | name, email, billing address, card details (entered on Stripe Checkout) | subscription billing |
| Microsoft Azure OpenAI Service | prompt text only — your X handle, name, bio, brand description, recent post snippets | LLM responses for AI features |
| Cloud hosting (typically GCP Cloud Run + Cloud SQL) | everything above, at rest | running the backend & database |
No other third party receives your data.
Permissions used and why
| Permission | Used for |
|---|---|
| storage | The local stores listed above. |
| sidePanel | Showing the Growany UI in Chrome's right-hand side panel. |
| tabs / activeTab | Navigating the active tab to x.com/search?... and dispatching START to the content script. |
| scripting | Injecting the content script that performs follow / like / reply / post clicks. |
| alarms | Scheduling the auto-post tick and incremental cloud sync. |
| Host: https://x.com/*, https://twitter.com/* | The content script only runs on these two origins. |
| Host: Growany API URL | Calls to /auth, /me, /sync, /ai/*, /billing/*. |
We do not request the broad <all_urls> host permission for content scripts. The History page is exposed via web_accessible_resources so the side panel can open it in a normal Chrome tab.
Network activity
The extension talks to:
https://identitytoolkit.googleapis.com/*(Firebase Authentication) for sign-in and refresh-token exchange.- The Growany backend API (URL configured at build time via
VITE_GROWANY_API_URL) for/auth,/me,/sync,/ai/*,/billing/*. Each request carries a short-lived Firebase ID token in theAuthorizationheader.
The backend in turn calls the LLM provider for AI requests and Stripe for billing webhooks; no other outbound calls are made from your browser.
Data retention
- Local stores live until you clear them (Settings tab) or remove the extension.
- Cloud rows are kept while your account exists. You can request deletion at any time — see Contact below — and the dashboard will gain a self-serve “Delete account” button before public release.
Contact
Questions or concerns: open an issue on the project repository, or email the maintainer at the address listed in the Chrome Web Store listing once the extension is published.
Growany is an independent tool. It is not affiliated with, endorsed by, or sponsored by X Corp / Twitter.