Privacy Policy
Effective Date: May 10, 2026
Last Updated: May 10, 2026
Application: xu-crm
Developer: Ducism Media
Contact: ducreaction.work@gmail.com
1. Introduction
This Privacy Policy explains how xu-crm ("the Application", "we", "us", or "our") collects, uses, stores, and shares your information when you use our customer relationship management platform designed for Vietnamese content creators and celebrity talent management.
By using xu-crm, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Application.
2. Information We Collect
2.1 Account Information
When you sign up or sign in via Google, we collect:
- Email address — used as your account identifier and for communications
- Google profile name — displayed within the Application
- Profile photo URL — displayed within the Application
2.2 YouTube Data (via auth/youtube.readonly and auth/yt-analytics.readonly scopes)
- We read your YouTube channel information: channel name, subscriber count, video list, and basic metadata
- We read YouTube Analytics data for your channel: views, watch time, click-through rate (CTR), audience retention, traffic sources, and demographic breakdowns
- All YouTube data access is read-only — we never upload, modify, or delete any content on your YouTube channel
- We do not collect or access YouTube revenue or monetary data
2.3 Application Usage Data
- We collect anonymous usage analytics via PostHog to understand how users interact with the Application (page views, feature usage, session duration)
- PostHog analytics are configured to not collect personally identifiable information
- We use session cookies for authentication purposes only
3. How We Use Your Information
We use the information we collect to:
- Provide core Application functionality: content pipeline management, deal tracking, and YouTube analytics dashboards
- Retrieve YouTube data to display channel information and content performance analytics within the Application
- Generate reports: content performance summaries and analytics snapshots
- Send notifications: in-app alerts about token expiration, task assignments, and system status
- Improve the Application: analyze anonymous usage patterns to enhance features and fix issues
We do not use your data for:
- Advertising, retargeting, or interest-based marketing
- Training generalized artificial intelligence or machine learning models
- Credit assessment or lending decisions
- Any purpose not described in this Privacy Policy
4. Information Sharing
We do not sell, trade, or transfer your personal information or Google user data to third parties, except as described below:
4.1 Infrastructure Service Providers
We use the following service providers to operate the Application:
| Provider | Purpose | Data Accessed |
|---|---|---|
| Supabase | Database hosting and authentication | Account data, application data (encrypted at rest) |
| Vercel | Application hosting and deployment | HTTP request logs (anonymized) |
| PostHog | Anonymous usage analytics | Non-PII usage events |
| Upstash | Redis caching and rate limiting | Session tokens (encrypted), deduplication keys |
These providers process data solely on our behalf and are contractually obligated to protect your data.
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal processes.
5. Data Storage and Security
- All application data is stored in Supabase (PostgreSQL) with encryption at rest enabled
- All data transmission uses HTTPS/TLS encryption in transit
- Database access is protected by Row Level Security (RLS) policies — users can only access data within their own workspace
- OAuth tokens are stored encrypted in the database and are never exposed to client-side code
- We maintain audit logs for sensitive operations
- Access to production infrastructure is limited to authorized personnel
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| YouTube analytics snapshots | Until you delete your account or disconnect YouTube |
| Anonymous usage analytics | 12 months from collection |
| OAuth tokens | Until revoked, expired, or account deletion |
| Audit logs | 24 months from creation |
When you delete your account, we delete all your personal data and Google user data from our systems within 30 days. Anonymized, aggregated data that cannot be used to identify you may be retained for internal analytics purposes.
7. Your Rights and Controls
7.1 Access and Export
You can access all your data within the Application at any time. You can export your data using the built-in export features.
7.2 Deletion
You can request account deletion by contacting us at ducreaction.work@gmail.com. Upon deletion:
- All your personal data is permanently removed within 30 days
- All Google user data associated with your account is deleted
7.3 Revoke Google Access
You can revoke xu-crm's access to your Google data at any time by:
- Visiting your Google Account Permissions page
- Finding "xu-crm" in the list of connected apps
- Clicking "Remove Access"
After revoking access, xu-crm will no longer be able to access your Google services. Existing data already stored in xu-crm will remain until you delete your account.
7.4 Disconnect Individual Services
Within xu-crm Settings, you can disconnect YouTube channels without deleting your account.
8. Cookies and Tracking
xu-crm uses the following cookies and tracking technologies:
| Type | Purpose | Duration |
|---|---|---|
Session cookie (sb-*-auth-token) | Authentication — keeps you signed in | Session / 7 days |
| PostHog analytics | Anonymous usage analytics (no PII) | 12 months |
We do not use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Fingerprinting technologies
9. Children's Privacy
xu-crm is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will promptly delete that information.
10. Google API Services Compliance
xu-crm's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We limit use of Google user data to providing and improving user-facing features that are prominent in the Application's interface
- We do not transfer Google user data to third parties except as described in Section 4 of this policy
- We do not use Google user data for serving advertisements
- We do not allow humans to read Google user data unless you provide affirmative consent, it is necessary for security purposes, or it is required by applicable law
11. International Data
xu-crm is operated from Vietnam. If you access the Application from outside Vietnam, your data may be transferred to and processed in Vietnam. By using the Application, you consent to this transfer.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top of this page
- For material changes, we will notify you via email at the address associated with your account
- Your continued use of the Application after changes are posted constitutes acceptance of the updated policy
We will never retroactively change this policy to permit broader use of Google user data without your explicit consent.
13. Contact Us
If you have any questions about this Privacy Policy, your data, or our privacy practices, please contact us:
- Email: ducreaction.work@gmail.com
- Application: xu-crm (https://celebsvietnam.com)
- Developer: Ducism Media
This Privacy Policy was last reviewed on May 10, 2026.