privacy policy
tl;dr. reciproq runs locally on your device. we never see, read, store, or transmit the text of your replies. the only data that leaves your browser is a small set of anonymous counters, and only if you opt in to cross-device sync.
who we are
reciproq is a chrome extension built by julielabs, an independent maker. contact: hello@reciproq.xyz.
what reciproq does
reciproq blocks the X (formerly Twitter) compose-tweet flow until you've replied to a configurable number of other people's posts that day. the block is enforced locally in your browser. the extension reads the URL of the page you're on (must be x.com or twitter.com) and watches for the network request that fires when you submit a reply or a tweet. that's how it counts.
what we collect
the list below is exhaustive. if a field is not on this list, reciproq does not collect it.
stored locally on your device (always)
| field | what it is | why |
|---|---|---|
| reply_count_today | integer. count of replies you've submitted today. | powers the lock/unlock decision. |
| reply_threshold | integer (5–30). your chosen daily threshold. | user preference. |
| day_bucket | date string in your local timezone. | resets the counter at local midnight. |
| tz | your IANA timezone string (e.g., America/New_York). | decides when "midnight" is. |
| onboarded | boolean. whether you've seen the first-run screen. | avoids re-showing onboarding. |
these never leave your device unless you sign in for cross-device sync.
sent to our server (only if you sign in for cross-device sync)
sign-in is optional, off by default, and uses a one-time magic link. if and only if you sign in, the following are sent:
| field | what it is | why |
|---|---|---|
| user_id | random UUID. not your name, email, or X handle. | identifies you across devices. |
| reply_hash | SHA-256 hash of your reply text. one-way, irreversible. | de-dupes replies across devices so you can't double-count by replying to the same post twice. |
| char_count | integer. length of your reply. | lets us enforce a minimum character gate (so a one-word "lol" doesn't count). |
| timestamp | UTC timestamp of the event. | for daily bucketing across timezones. |
| event_type | one of reply_submitted, tweet_blocked, tweet_allowed. | for the cross-device counter and aggregate metrics. |
| tz | your IANA timezone. | so midnight resets are consistent across your devices. |
what is never sent, ever
- the text of your replies (only the SHA-256 hash, which is irreversible)
- the text of the post you're replying to
- your x handle or username
- your email address (the magic-link flow does not persist email after the link expires)
- IP address logs (dropped at the edge, not retained beyond rate-limiting)
- any cookies on x.com or any third-party tracker
- cross-site browsing history
magic-link sign-in
if you choose to enable cross-device sync, you'll enter an email address. the email is used only to send the magic link and is not stored in our database after the link expires (15 minutes). the user_id UUID we keep is unlinked from your email.
what we don't do
- no advertising or ad tracking.
- no selling of user data. ever.
- no sharing of user data with third parties for marketing, profiling, or training models.
- no use of reply_hash data to reconstruct or infer reply content.
- no fingerprinting via canvas, audio, font, or device characteristics.
- no analytics SDKs (no google analytics, mixpanel, segment, etc.) in the extension itself.
the landing page at reciproq.xyz uses privacy-friendly aggregate analytics (plausible or cloudflare web analytics) that do not use cookies and do not identify individuals.
where data is stored
- local data: in chrome.storage.local on your device. never transmitted.
- synced data (signed-in users only): supabase (postgresql) hosted in the EU. encrypted at rest. access restricted to the developer via row-level security on user_id.
how long we keep it
- local data: until you uninstall or clear extension data.
- synced data: until you ask us to delete it, or 12 months of inactivity (whichever comes first).
how to delete your data
- local data: uninstall reciproq, or visit chrome://extensions → reciproq → "site access" → "clear extension storage."
- synced data: email hello@reciproq.xyz with "delete my data" and your user_id (visible in the extension popup → settings). we delete within 7 days and email confirmation.
permissions we request
see the full breakdown at /permissions. short version:
- storage — save your threshold and today's counter locally.
- alarms — reset the daily counter at local midnight.
- webRequest — see when X's "post tweet" network request fires so we can block it. we never read or modify request bodies.
- host access to *.x.com and *.twitter.com — reciproq's entire job is to operate on X.
children
reciproq is not directed at children under 13 (or 16 in the EU/UK). don't use it if you're under that age.
changes to this policy
if we change anything, we update the date at the top and post a note in the extension popup the next time you open it. material changes (anything that expands what we collect) require explicit re-consent before they take effect.
your rights
EU/UK GDPR applies to all synced data. you have the right to access, correct, delete, port, and restrict processing of any synced data tied to your user_id. email hello@reciproq.xyz to exercise any of these rights.
for privacy questions, reports, or disputes: hello@reciproq.xyz.