1. Who we are and our role
retweet.gg (the “Service”, “we”, “us”) is operated from the United Kingdom and provides software that lets you sign in with X, pull the accounts that engaged with a tweet, and draw a verifiable winner. Our role under data protection law depends on the data:
- For your own account and sign-in data, we act as a controller — we decide why and how it is processed to run the Service.
- For an Entry List you pull (the public X accounts that retweeted or engaged with a tweet you choose), you decide the purpose and we act as your processor, handling that data on your instructions to run your giveaway.
- We do not use your data to build advertising profiles, and we do not sell or rent personal data to anyone.
- Third parties you interact with directly (such as X, our payment processors, and public blockchains) act as independent controllers in their own right for the data you give them; this policy does not govern their processing.
2. Key terms
- “Controller” means the party that decides the purposes and means of processing personal data.
- “Processor” means a party that processes personal data on behalf of a controller.
- “Sub-processor” means a third party we engage to help process data.
- “Personal data” means information relating to an identified or identifiable person.
3. Data we process
We deliberately keep data collection lean. When you connect X via OAuth we receive basic public profile information, and we generate the records needed to run draws and Credits.
- X profile basics: your handle, display name, numeric user ID, avatar URL, and (where available) follower/following counts and verification status.
- An OAuth access token that lets us read the public data needed to operate the Service on your behalf. We never receive your X password.
- Giveaway data you create: the tweet links you paste, the settings you choose, and the Entry Lists we pull for you — which contain the public handles and IDs of the accounts that engaged with the tweet.
- Draw records: the commit hash, revealed seed, entry count, and selected winner(s) — some of which is published as a public, verifiable Proof and may be written to a public blockchain.
- Transaction records: Credit purchases, subscriptions, signup bonus, referrals, amounts, and timestamps.
- Limited technical data: IP address, device and browser type, and basic logs used for security and abuse prevention.
4. How and why we use it
We process personal data to provide the Service you ask for and to run it safely and lawfully. Our lawful bases under the UK GDPR are: performance of our contract with you; our legitimate interests in operating, securing, and improving the Service and preventing abuse; your consent where we ask for it; and compliance with legal obligations.
- To authenticate you and confirm you control the connected X account.
- To pull entrants for a tweet you choose, de-duplicate them, and build a clean Entry List.
- To run a provably-fair Draw and publish the Proof so results can be independently verified.
- To operate Credits, subscriptions, referrals, and pricing.
- To detect and prevent bots, fraud, chargeback abuse, and misuse of the Service.
- To provide support and send essential service notices about your account.
5. Public proofs and on-chain data
Provable fairness only works if a Draw can be checked in the open. As a result, some data is public by design and cannot be treated as private:
- A Draw generates a public verify page that can include the entry count, the winning handle, and the commit and revealed seed, so anyone can re-run the result.
- The commit for a Draw may be written to a public blockchain. Data on a public blockchain is permanent and immutable — it cannot be edited, deleted, or anonymized by us or by anyone.
- Entry Lists are built from information that is already public on X. If you run a giveaway, you are responsible for how you handle and display the public data of the people who entered it.
6. Your responsibilities as controller
Because you are the controller for the Entry Lists you pull and the giveaways you run, you are responsible for having a lawful basis for that processing and for meeting any obligations you owe to the people whose data is involved. We will assist you where reasonable, and as your processor we will:
- Process that personal data only on your instructions and as needed to provide the Service or to comply with law.
- Ensure people authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see Section 10).
- Assist you, so far as reasonable, with data-subject requests and with your own security, breach-notification, and impact-assessment duties.
- On termination, delete or return the personal data we process for you, except where law requires us to retain it or where it is permanently recorded on a public blockchain.
7. Where we act as a controller
For a limited set of matters we determine the purpose of processing ourselves and therefore act as an independent controller, confined to what we need to run a safe, lawful business:
- Security, fraud-prevention, and abuse-detection logs.
- Billing and transaction records we are legally required to keep for tax and accounting.
- Aggregated or de-identified statistics that no longer identify any individual.
- Responding to lawful requests from authorities and enforcing our terms.
8. Sub-processors and third parties
We engage vendors to help deliver the Service, each bound to protect data and use it only as needed. We remain responsible to you for their performance as sub-processors. They include:
- X (via OAuth) for sign-in and authorization — X is an independent controller for its own platform data.
- Our data-retrieval provider, which fetches the public accounts that engaged with a tweet so we can build an Entry List.
- Stripe for card payments. Stripe receives the payment details you enter and acts as an independent controller for them; we receive only a confirmation and limited metadata.
- Our crypto payment provider for on-chain purchases (for example USDT and SOL), which processes wallet and transaction data.
- Public blockchains used to publish the commit for a Draw — data recorded there is public and permanent.
- Hosting, database, and infrastructure providers (such as Google Firebase) used to deliver and secure the Service.
9. International transfers
Some of our providers process data outside the United Kingdom. Where we transfer personal data internationally, we rely on appropriate safeguards (such as UK adequacy regulations, the UK International Data Transfer Agreement, or Standard Contractual Clauses) so that it remains protected to the standard UK law requires.
10. Security
We use encryption in transit, scoped access tokens, and access controls to protect data. We never store your X password or full card numbers. No system is perfectly secure, but we work to minimize what we collect and store and to limit who can access it. If a breach affects you, we will act as required by UK law and assist the relevant controller with any notification obligations.
11. Data retention
We keep personal data only as long as your account is active or as long as needed to provide the Service, and afterwards only as required to comply with legal, tax, and anti-fraud obligations. When you delete your account, we remove or anonymize your profile data while retaining the minimum records the law requires. Data already published as a public Proof or written to a public blockchain cannot be deleted.
12. Your rights
Under the UK GDPR you have rights over your personal data, including to access, correct, erase, restrict, or object to processing, and to data portability. Because we often act as a processor, where a request concerns data we process on someone's behalf we may direct it to, or fulfill it in coordination with, the relevant controller.
- Access, correct, export, or delete your account data by contacting us.
- Revoke our X authorization at any time from your X settings; this disables the features that rely on it.
- Object to or restrict certain processing where the law gives you that right.
- Opt out of non-essential communications; essential service notices may still be sent.
To exercise any of these rights, email team@retweet.gg. If you are unhappy with how we handle your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
13. No sale of data; no third-party ads
We do not sell or rent personal data, and we do not share it for third-party advertising or cross-context behavioral advertising. We share data only with the sub-processors and for the purposes described in this policy, or where required by law.
14. Children
retweet.gg is not intended for anyone under 18. We do not knowingly process data from children. If you believe a child has provided data, contact us and we will delete it.
15. Changes and contact
We may update this policy and will revise the “Last updated” date above when we do. For any privacy question or request, contact team@retweet.gg.