Privacy policy

Last updated: 2026-04-27

// what we collect

Account email — required for sign-in (email OTP) or returned by an OAuth provider when you link Google/Microsoft/LinkedIn/GitHub/X.
OAuth identity — the provider name, the provider-side user id, your verified-or-unverified email, display name, and avatar URL (where available).
Profile preferences — theme, default sort, default depth, default-types — all settings YOU set in `/me/profile`.
Sessions — a sha256-hashed session id, your IP and User-Agent at sign-in, expiry and last-used timestamps.
Reading state — articles you've liked or marked read, plus any user-tags you create.
Audit log — every authentication attempt and admin action: actor id, IP, User-Agent, action, target. Retention: 90 days.

No third-party tracking cookies. No ad networks. No fingerprinting libraries.
No browsing-history correlation outside this site.
No PII fed into the LLM classifier — only article bodies sourced from public RSS feeds and NVD records.

Postgres at Neon, region eu-west-2 (London). Encryption at rest is AES-256 (Neon default). Transit is TLS 1.3.

Static assets and SSR cache live in Cloudflare R2 + the CF edge network.

Magic-token rows (OTPs) are pruned daily after 24 hours.
Rate-limit buckets are pruned after 30 days.
Audit log is pruned after 90 days.
Sessions auto-expire 7 days after last use, with a 90-day absolute cap.
You can request a full data export or hard delete at any time by emailing privacy@xfilai.com (or via API endpoints planned for Phase 7).

Session cookies: HttpOnly, Secure (production), SameSite=Lax, Domain-scoped to xfilai.com.
Session token: 256-bit random, sha256-hashed before storage — DB compromise alone cannot impersonate you.
OTPs: 6 digits, sha256-hashed, 10-minute TTL, 3-attempt cap, timing-safe verification.
OAuth: state cookie + PKCE (S256), one-shot, 10-minute TTL.
CSP, HSTS (preload), X-Frame-Options DENY, parameterised SQL, SSRF-defended outbound fetch.
Failed sign-in attempts trigger an alert via Pushover to the operator.

Privacy + security: privacy@xfilai.com

Vulnerability disclosure: security@xfilai.com