Privacy Policy
Effective July 2, 2026 · X to Stand
1. Introduction
This Privacy Policy describes how X to Stand ("we," "us," or "our") collects, uses, and shares information when you use X to Stand (the "Service") — including our website, progressive web app (PWA), and any related mobile applications.
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
2. Who We Are
X to Stand operates X to Stand, a personal quest journal that helps you track goals, time, achievements, and optional AI-assisted fantasy writing.
Website: https://xtostand.com
Privacy inquiries: support@xtostand.com
General support: support@xtostand.com
3. Information We Collect
We collect information in the following categories:
• Account information: email address, authentication identifiers (Firebase UID), display name, and sign-in method (email/password or Google). Email/password accounts include verification status.
• Profile information: bio, custom quest categories, app preferences (timer behavior, chronicle settings, timezone, Quest Helper options), onboarding status, and optional role flags used for service administration.
• Quest and journal content: titles, descriptions, objectives, notes, completion chronicles, categories, tags, timer data (active time and session records), recurrence settings, progress state, and flags such as whether AI assisted a quest.
• Reward images: photos you choose from your camera or photo library, compressed and stored as quest reward images when you use cloud sync.
• Gameplay and progression data: experience points, level, rank, daily streaks, quest statistics, achievement progress, and XP event history.
• AI usage metadata: daily request counts stored server-side for rate limiting (not visible to other users).
• Technical data: authentication tokens stored locally to keep you signed in, PWA update preferences in session storage, and standard server logs from our hosting provider.
4. Demo Mode
If Firebase is not configured or you use Demo Mode, your data is stored only on your device (local storage). It is not transmitted to our servers, AI features are unavailable, and no account is created.
Clearing browser or app storage will permanently delete demo data.
5. How We Use Your Information
• Provide, maintain, and improve the Service.
• Authenticate you and sync your journal across devices when signed in.
• Calculate progression, achievements, streaks, and quest statistics.
• Send email verification messages for email/password accounts.
• Process AI requests you initiate (title, backstory, objectives, bio, or chronicle generation).
• Enforce rate limits and protect against abuse (App Check on web, server-side quotas).
• Respond to support requests and legal obligations.
6. AI Features and Google Gemini
When you use optional AI features, the text you provide — such as quest titles, descriptions, notes, profile bio drafts, and completion summaries — is sent to Google's Gemini models to generate fantasy-themed suggestions.
We do not intentionally send your password or payment information to AI models. AI output is based on your input; review it before saving.
Free accounts are limited to approximately 40 AI requests per day unless a higher limit is granted by policy or administration. Usage is logged in a private server-side record tied to your account.
AI features are unavailable in Demo Mode and may be modified or discontinued.
7. Third-Party Services
We use trusted providers to operate the Service. They process data according to their own policies:
• Google Firebase (Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Hosting, App Check) — account and content storage.
• Google Sign-In — OAuth authentication (profile and email scopes).
• Google Gemini / Firebase AI — AI text generation when you request it.
• Google reCAPTCHA v3 — App Check fraud prevention on web (may collect device/interaction signals).
• Google Fonts — typography loaded on web (may receive IP address and browser data).
We do not sell your personal information. We share data with these providers only as needed to operate the Service.
8. Analytics
We do not currently use active analytics or advertising trackers in the app. Firebase configuration may include a measurement ID for potential future use; if we enable analytics, we will update this policy.
9. Data Storage and Security
Cloud accounts store data in Google Cloud/Firebase infrastructure. The Service uses encrypted connections (HTTPS). Firestore security rules restrict access to your content, though authenticated users may read user profiles per current rules, and publicly visible quests would be readable if that feature is enabled in the future.
Reward images are stored in Firebase Storage under paths tied to your user ID. We compress images before upload, but you should not upload sensitive documents as reward photos.
No method of transmission or storage is 100% secure. Use a strong, unique password and protect your device.
10. Data Retention
We retain your account and journal data while your account is active. If you sign out, data remains in the cloud until deleted.
Account self-service deletion is not yet available in the app. To request account and data deletion, email us at the privacy contact above. We will delete or anonymize your data within a reasonable period, subject to legal retention requirements.
Server logs and backups may persist for a limited time after deletion.
11. Your Rights and Choices
• Access and update profile and quest data through the app.
• Sign out at any time from Settings.
• Request a copy or deletion of your data by contacting us (see Section 2).
• If you are in the EEA, UK, or similar jurisdictions, you may have rights to access, rectify, erase, restrict, or port your data, and to object to certain processing. Contact us to exercise these rights.
• California residents may have additional rights under the CCPA/CPRA; contact us to submit a request.
12. Children
The Service is not directed to children under 13 (or 16 where applicable). We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.
13. International Transfers
Your information may be processed in the United States and other countries where our service providers operate. By using the Service, you consent to transfer of information to countries that may have different data protection laws than your own.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy with a new effective date. Continued use after changes constitutes acceptance. Material changes may be communicated through the app or by email where appropriate.
15. Contact Us
Questions about this Privacy Policy or our data practices: support@xtostand.com
General support: support@xtostand.com
This document describes current Service features and may be updated as we add functionality or pricing.