VOL. I  ·  EST. 2026  ·  "WE READ THE FINE PRINT SO YOU DON'T LIE ABOUT READING IT"
Verdict: F
EXHIBIT A

X (formerly Twitter).

Read the fine print. He did, then changed it.

Post-acquisition X rewrote the privacy policy to fold your posts, replies, images, and even your biometric ID-verification data into Grok's training pipeline §7.5. DMs aren't end-to-end encrypted for most users §9.4, the AI opt-out is a toggle most users will never find §13, and 'public means public, forever' is now policy §11.1. The TOS can change at any time, and continued use is consent §2.1.

Social media / 'everything app'
Analyzed: 2026-05-18
§2 · The short version

TL;DR — 8 answers.

The eight things you actually want to know, at a glance.

TL;DR — 8 answers · F
YES · Do they sell your data?
YES · Are they tracking you on other sites?
YES · Can your data train their AI?
CONDITIONAL · Who can see what you do?
NO · Can you delete everything?
NO · Do they honor your opt-out?
CONDITIONAL · Special handling for minors?
YES · Been fined for this before?
§3 · The details

The questions, answered.

No legalese. Every answer the way your most cynical friend would put it.

YES
§9.4

Do they sell your data?

The full-firehose enterprise API is exactly that: every public post, sold to anyone with a checkbook.

YES
§5.3

Are they tracking you on other sites?

The X Pixel and embedded post widgets log impressions on millions of third-party pages, signed-in or not.

YES
§7.5

Can your data train their AI?

Default. Yes. Public posts, replies, images, and (per a 2025 policy revision) DMs in some regions all feed Grok. Opt-out exists in a toggle most users have never seen.

CONDITIONAL
§9.4

Who can see what you do?

Public posts: everyone, including data licensees and Grok. DMs: X employees and law enforcement on process. Premium+ ID: X plus their verification vendor.

NO
§11.1

Can you delete everything?

Deleting a post hides it. Copies live in archives, in Grok's training set, and in third-party licensees who've already pulled the firehose.

NO
§13

Do they honor your opt-out?

GPC: ignored. The 'Don't allow my posts to be used for Grok training' toggle was added under regulatory pressure, hidden under Settings > Privacy & Safety > Data sharing.

CONDITIONAL
§8

Special handling for minors?

Account requires 13+. Beyond that, minors get the same algorithmic feed as adults. No specific carve-out for AI training.

YES
§15.3

Been fined for this before?

USD 150M (FTC, 2022 - phone numbers used for ads). EUR 450K (Irish DPC, 2020 - breach). EU DSA investigation ongoing.

§3 · The privacy card

At a glance, honestly.

Eight signals, color-coded. Like a model card for a machine — except the machine is reading your data.

Privacy Card · X (formerly Twitter) · Analyzed 2026-05-18 · F
Data sold / shared · YES · BAD
Cross-site tracking · YES · BAD
AI training · YES · opt-out: limited
Deletion right · LIMITED · MIXED
GPC honored · NO · BAD
Keeps forever? · YES · BAD
Child protections · CONDITIONAL · MIXED
Automated decisions · YES · human review: no
Collects: Identifiers, Public posts & engagement, Browsing & embeds, Biometric data, Government ID +5 more
Shares with: Advertisers, xAI (affiliate), Data licensees (full firehose API), Government on legal process +1 more
§5 · The label they should have shown you

The Privacy Label, honestly.

An Apple-style label for what's collected and a Cranor-style back-of-pack for what they do with it. Every cell links to the exact line in their policy.

X (FORMERLY TWITTER) — DATA COLLECTED
PER APPLE PRIVACY-LABEL TAXONOMY
USED TO TRACK YOU
Data shared with third parties for cross-property tracking.
Identifiers §4.2
User ID · Device ID · Ad ID · IP address
Public posts & engagement §5.3
Posts · Replies · Reposts · Likes · Bookmarks
Browsing & embeds §5.3
X Pixel on third-party sites · Embedded post views
Biometric data §6.4
Faceprints (X Verify / ID upload) · Voice signatures (audio Spaces)
◐ LINKED TO YOU
Tied to your identity and stored against your account.
Government ID §6.4
Driver license / passport for Premium+ ID verification
Direct messages §9.4
DM content · DM metadata · Read receipts
Location §6.1
Approximate (IP) · Precise (per-grant) · Tagged in posts
Contact info & payment §4.2
Email · Phone · Billing (for Premium)
Inferred sensitive §8
Politics · Religion · Sexual orientation · Health
○ NOT LINKED TO YOU
Aggregated, supposedly anonymous.
Diagnostics §7.2
Crash data · Performance metrics
↓ BACK OF LABEL · WHAT THEY DO WITH IT (CRANOR FRAMEWORK)
Purposes
Grok & xAI model training, Advertising & ad measurement, Algorithmic feed ranking, Cross-product use across xAI / X corporate group, ID verification (Premium+ / X Verify). §7.5
5+ stated purposes. The interesting ones are buried in §7.
Sold or shared?
Yes. Advertisers, xAI (affiliate), Data licensees (full firehose API), Government on legal process, Successor entities on policy change. §9.4
"We don't sell data" is technically true and substantively false.
Retention
Indefinite, with caveats. §11.1
Public posts: 'as long as the service exists'. Deleted posts: removed from public view, retained for an undefined period for 'legal and safety' purposes. ID-verification data: retained for the life of the Premium subscription + an unspecified retention tail. Posts already used in Grok training: cannot be unwound.
User controls
Deletion: Limited · Opt-out: Limited §13
Delete works. Opting out of inference does not exist.
Honors GPC?
No. §13
Global Privacy Control browser signal: ignored.
Automated decisions
Yes. No human review. §8
For You algorithm · Ad targeting · Visibility filtering / 'freedom of speech, not reach' · Account locks & shadowbans. All algorithmic.
AI training on your data
Yes. EU opt-out only. §7.5
Your public posts/photos train commercial models.
Children's data
Under 13 blocked · 13–17 limited §8
Ad targeting paused for teens, but content profile still kept.
Breach disclosure
"As required by law." §15.3
Translation: the bare minimum legal window in your jurisdiction.
§5 · The receipts

The receipts, translated.

Five of the worst clauses, lifted verbatim. Strikethroughs are theirs. Marginalia is ours.

§7.5
We may use the information we collect and publicly available information to help train our machine learning or artificial intelligence models for the purposes outlined in this policy.
GROK ATE THAT
§9.4
Direct messages are not end-to-end encrypted by default; messages may be accessed by X personnel for safety, abuse, and legal-process reasons.
DMs ≠ PRIVATE
§6.4
If you elect to verify your identity for X Premium+ or other features, we may collect a government-issued identification document and biometric information, including facial geometry derived from your selfie.
ID UPLOAD = FOREVER
§2.1
We may update this policy from time to time. By continuing to access or use the Services after those revisions become effective, you agree to be bound by the revised policy.
OPT-OUT NOT INCLUDED
§11.1
Public content that you share on the Services is, by its nature, public; we may retain copies in our systems even after you delete the underlying content for legal, safety, and research purposes.
DELETE = DECORATIVE
§6 · The deceptive design

Dark patterns spotted.

Tricks the policy and surrounding UX use to make you "consent" without really consenting.

01
Forced consent (continued-use clause)
§2.1
Policy changes apply retroactively to all of your existing data. Continuing to log in is treated as accepting whatever the new owner has decided this month.
"By continuing to access or use the Services after those revisions become effective, you agree to be bound by the revised policy."
02
Buried opt-out (Grok training toggle)
§13
The AI training opt-out was added under regulatory pressure and lives four taps deep: Settings > Privacy & Safety > Data sharing > Grok.
"You can adjust whether your data is used to train our machine-learning models in Settings > Privacy & safety > Data sharing."
03
Pre-checked consent (AI training default-on)
§7.5
Every user account, including pre-existing ones from before xAI existed, is opted into Grok training by default with no re-consent flow.
"By default, your data may be used to train our models; you may opt out at any time."
04
Bundled consent (X Premium ID verification)
§6.4
To get a blue check, you must hand over biometric data and a government ID, with no granular consent for how each is processed or retained.
"To complete verification, you must provide both a government-issued identification document and a live selfie."
05
Privacy-zuckering (DM 'privacy' framing)
§9.4
Marketing implies DMs are private. The policy says they're readable by X personnel and stored unencrypted unless both parties opt into encrypted DMs (Premium only, with caveats).
"Direct messages are not end-to-end encrypted by default."
06
Trick question (visibility filtering)
§8
'Freedom of speech, not reach' presents shadow-banning as policy clarity, but the criteria for visibility filtering are not disclosed and there is no appeal.
"Some posts may have their visibility reduced in feeds and search, in accordance with our content policies."
07
Re-prompting (Premium upsell + notifications)
§16.1
Notification settings reset toward defaults on app updates, and Premium-trial banners re-fire on a steady cadence regardless of dismissal.
"Your notification preferences will be revalidated periodically to ensure they remain current."
§7 · What you can actually do

Your rights, by where you live.

Same company, wildly different rights depending on your jurisdiction. Direct links to the specific opt-out / delete / access flows.

EU (GDPR)
DIFFICULTY: HARD
  • Right of access
  • Right to erasure
  • Right to data portability
  • Right to object to processing
  • Right against solely-automated decisions

Source: §15.1

California (CCPA/CPRA)
DIFFICULTY: HARD
  • Right to know
  • Right to delete
  • Right to opt-out of 'sale/share'
  • Right to correct
  • Right to limit use of sensitive info

Source: §15.2

Default (rest of world)
DIFFICULTY: NIGHTMARE
  • Account deletion (with 30-day reactivation window)
  • Whatever local law forces them to provide

Source: §15.3

§8 · Receipts

The actual sources.

Every claim above is anchored to a line in the policy we analyzed. Click any section ID to view it in context.

ANALYZED BY: claude-opus-4-7  ·  PROMPT VERSION: honest-policy-v1.3  ·  ANALYZED AT: 2026-05-18T03:12Z
SOURCE: https://x.com/en/privacy  ·  POLICY VERSION: 2026-04-01  ·  SNAPSHOT HASH: sha256:3b5d7f9a1c3e5b7d9f1a3c5e7b9d1f3a5c7e9b1d3f5a7c9e1b3d5f7a9c1e3b5d
  • §2.1 — Policy changes & continued use
    "We may update this policy from time to time. By continuing to access or use the Services after those revisions become effective, you agree to be bound by the revised policy."
  • §4.2 — Information we collect
    "We collect identifiers, contact information, billing information, and content you share on the Services, including posts, images, and direct messages."
  • §5.3 — Information from third-party sites and embeds
    "We collect information about your interactions with our embedded posts and pixels on third-party sites that have integrated X content."
  • §6.1 — Location
    "We may infer your approximate location from your IP address and collect precise location only when you have granted permission."
  • §6.4 — Biometric and ID verification data
    "If you elect to verify your identity for X Premium+ or other features, we may collect a government-issued identification document and biometric information, including facial geometry derived from your selfie."
  • §7.1 — Advertising purposes
    "We use the information we collect to deliver and personalize advertising on and off our services."
  • §7.2 — Analytics & diagnostics
    "We use diagnostic and performance data to improve our services."
  • §7.5 — AI & machine-learning models (Grok)
    "We may use the information we collect and publicly available information to help train our machine learning or artificial intelligence models for the purposes outlined in this policy."
  • §8 — Algorithmic ranking, visibility filtering & inferences
    "Some posts may have their visibility reduced in feeds and search, in accordance with our content policies."
  • §9.4 — Sharing, DMs, and the corporate group
    "Direct messages are not end-to-end encrypted by default; messages may be accessed by X personnel for safety, abuse, and legal-process reasons."
  • §11.1 — Public content & retention
    "Public content that you share on the Services is, by its nature, public; we may retain copies in our systems even after you delete the underlying content for legal, safety, and research purposes."
  • §13 — Your controls & choices
    "You can adjust whether your data is used to train our machine-learning models in Settings > Privacy & safety > Data sharing."
  • §15.1 — EU rights (GDPR)
    "If you are located in the European Economic Area, you have specific rights under the GDPR."
  • §15.2 — California rights (CCPA/CPRA)
    "If you are a California resident, you have specific rights under the CCPA."
  • §15.3 — Other jurisdictions
    "Where required by applicable law, additional rights and protections may apply."
  • §16.1 — Preference revalidation
    "Your notification preferences will be revalidated periodically to ensure they remain current."