Privacy Policy (Datenschutzerklärung) for X Fact-Checker
Last Updated: 2024-10-26
Thank you for using the X Fact-Checker browser extension ("the Extension"). Your privacy and security are our top priorities. This Privacy Policy explains what data I process, how it is handled, and for what purpose, in compliance with the General Data Protection Regulation (GDPR / DSGVO) and Chrome Web Store policies.
1. Data Controller (Verantwortlicher)
For any privacy-related questions or to exercise your rights, please mail me at:
mail@carlo-schmidt.com
2. Scope of this Policy
This policy applies exclusively to the X Fact-Checker extension. It does not cover the data practices of X.com (formerly Twitter) or Google, which operate under their own privacy policies.
3. How the Extension Works and What Data is Processed
Our goal is to be fully transparent about how your data is handled. The Extension only processes data when you explicitly activate it by clicking the "Fact-Check" button on a tweet.
- Initiation: When you click the "Fact-Check" button on the X.com website, the Extension collects the following data from that specific tweet:
  - The full text content of the tweet.
  - The direct URL to the image within the tweet (if an image exists).
- Secure Transmission to Our Server: This collected data is sent over a secure, encrypted HTTPS connection to our server, which is hosted at api@carlo-schmidt.com.
  Server Location: Our servers are located within the European Union (Germany).
- Processing on Our Server: On our server, the following automated processing occurs:
  - The server fetches the image from the provided URL.
  - The server sends the tweet text and the fetched image to the Google Gemini API for analysis. No other data about you or your account is sent.
  - The server receives the analysis result (the fact-check explanation and classification) from the Google Gemini API.
- Displaying the Result: The server sends this analysis result back to the Extension in your browser, again over a secure HTTPS connection, where it is displayed to you.
4. Purpose and Legal Basis for Processing (Zweck und Rechtsgrundlage)
- Purpose: The sole purpose of processing this data is to provide the core, user-facing feature of the Extension: to analyze a tweet's content and provide a fact-check verification from an AI model.
- Legal Basis (GDPR): The legal basis for this processing is your explicit consent (Art. 6(1)(a) GDPR). By clicking the "Fact-Check" button, you consent to the data processing flow described in Section 3 for that specific request. You can withdraw this consent at any time by uninstalling the extension or simply by not using the feature.
5. Data Storage and Retention (Speicherung und Aufbewahrungsdauer)
- Local Browser Storage: The Extension does not store any data in your browser's local storage.
- Server-Side Caching: To improve performance, reduce costs, and prevent redundant processing for identical tweets, I store the following data on our server:
  - The tweet text and image URL of the request.
  - The generated fact-check explanation and classification result.
Retention Period: This cached data is stored on my server until it has not been requested for a continuous period of at least 12 months, after which it will be deleted.
Storage Security: All cached data is stored securely at rest using modern encryption standards.
6. Data Sharing and Third-Party Sub-Processors
I do not sell, rent, or trade your data. I only share data with the following third-party service (sub-processor) as essential for the Extension's functionality:
- Google (Gemini API): I send tweet text and images to Google's Gemini API for analysis. This is a necessary step to generate the fact-check. Your data is subject to Google's own privacy policies and terms.
7. Data Security
I am committed to protecting your data. All data transmitted between your browser, our server, and third-party APIs is encrypted in transit using industry-standard Transport Layer Security (TLS/HTTPS). Data stored on our servers is also encrypted at rest.
8. Your Rights Under GDPR (Ihre Rechte)
- Right of Access (Art. 15 GDPR): You can request information about the data I have stored concerning your requests.
- Right to Erasure (Art. 17 GDPR): You can request the deletion of cached data related to specific requests you have made.
- Right to Rectification (Art. 16 GDPR): As I only cache source tweet data, rectification would involve making a new request with a corrected tweet.
- Right to Restrict Processing (Art. 18 GDPR): You have the right to request a restriction on the processing of your data.
- Right to Object (Art. 21 GDPR): You can object to the processing of your data.
To exercise these rights, please contact us at the email address provided in Section 1. Since I do not collect personal identifiers like usernames, you may need to provide the specific tweet text or URL for me to locate and manage the corresponding cached entry.
You also have the right to lodge a complaint with a supervisory authority (Aufsichtsbehörde).
9. Changes to This Privacy Policy
I may update this Privacy Policy to reflect changes in our practices or for other operational, legal, or regulatory reasons. I encourage you to review it periodically.