Privacy

What we collect, why, and what we don’t do.

Last updated: May 7, 2026

The short version

  • Your x.com session stays in your browser. The auth headers x.com uses (Authorization, csrf, etc.) live in extension memory only. We never receive them.
  • What we use it for: letting Claude read your timeline and posts when you ask it to. Nothing else.
  • What we don’t store: the actual data Claude reads through us. Tweets, timelines, search results never touch our database. We log that a call happened, not what was inside it.
  • What we don’t do: sell your data, train models on it, post to your account, or read your DMs.
  • Delete it: email hello@talktoapp.ai from the address you signed up with. We wipe everything within 7 days.

Who is this from

TalkToApp is operated by Juan Carlos Buruchaga, an independent developer. Contact: hello@talktoapp.ai. This policy covers the TalkToApp Chrome extension and the backend at talktoapp.ai.

What the extension actually does

x.com has no public API you can plug Claude into. To let Claude read your timeline, the extension uses your already logged-in browser session.

When Claude asks a question, our backend sends the question to the extension. The extension makes the request from your browser (using the auth headers x.com is already sending in that tab) and sends the answer back. Your auth headers never leave your browser: they live in the extension’s in-memory storage and are attached to the fetch only when the tab actually executes it.

That’s how an MCP server like ours works on a site that wasn’t built for it. We’re not bypassing anything; we’re using the access you already have, with your permission, without copying the credentials to our server.

Posts, replies, and follows are never automatic

Reading your timeline is one thing. Posting under your name is another. When Claude wants to post, reply, or follow someone on your behalf, TalkToApp opens a draft in a new tab with the content pre-filled — and stops there. You read what Claude wrote and click Post / Reply / Follow yourself, or close the tab.

We don’t do this through a hidden background script and we don’t click buttons for you. It’s a deliberate choice: x.com’s terms don’t allow third-party automation of writes, and the Chrome Web Store policy is the same. More importantly, you should always be the last person to see what goes out under your name. Reads execute through your session; writes wait for your click.

What we collect

  • Your email (when you redeem a beta invite). Used to identify your account and grandfather you into the beta-lifetime tier.
  • Per-install identity — a random user ID and a secret we generate on first install so the backend can recognize your install. Stored in your browser’s local storage and on our server.
  • MCP query logs — the tool name (e.g. get_home_timeline), the endpoint that was called, timestamp, latency, and status code of each call Claude makes through us. We do not log the arguments Claude passes (search terms, usernames, tweet IDs), and we do not log the response (tweets, timelines, profiles). The data flows through our server in memory and goes straight back to Claude without being persisted.
  • OAuth client metadata when you connect Claude (or another MCP client) — the client name and its registered redirect URIs. Standard OAuth bookkeeping.

What we use it for

  • Serving the MCP. When Claude asks “what did Elon post today?”, we use your captured token to call x.com on your behalf, transform the response, and return it to Claude.
  • Account & billing. Email + tier so we know who you are when you sign in to the dashboard, and who’s grandfathered into beta-lifetime if we charge later.
  • Operations. Latency and error logs help us notice when something’s broken. Aggregated, never tied to message content.

What we don't do

  • We don’t store the data Claude reads through us. The tweets, timelines, search results, and user profiles that come back from x.com are passed straight through our server back to Claude. Not written to disk, not cached, not analyzed. The database literally does not have a column for them.
  • We don’t sell your data. Not now, not later.
  • We don’t use your data, your tokens, or your queries to train AI models — ours or anyone else’s.
  • We don’t automate posts, replies, or follows. When you ask Claude to post, reply, or follow someone, we open a draft in a new tab with the content pre-filled. You read it and click the publish button yourself. Nothing goes out under your name unless you click.
  • We don’t read your direct messages. The extension doesn’t hook into the DM endpoints.
  • We don’t share your data with third parties except the infrastructure providers strictly needed to run the service (see below).
  • We don’t track you across the web. The extension only activates on x.com.

Where your data lives

Everything is stored on a single server we operate on Google Cloud (us-west1). The database is SQLite, encrypted at rest by the host volume. Email delivery (the welcome email when you redeem an invite) goes through Resend. That’s the full vendor list:

  • Google Cloud — hosting, network, storage.
  • Resend — transactional email (welcome / password reset only). Your email address is the only thing they see.

We do not use third-party analytics, ad networks, or session-replay tools.

How long we keep it

  • Account & email: kept while your account exists. Deleted on request.
  • x.com auth headers: kept in the extension’s in-memory storage. Cleared when you close the browser. Never written to disk on your machine, never sent to our server. If you uninstall the extension, they go with it.
  • MCP query logs: retained for 180 days for debugging and abuse detection, then deleted.
  • OAuth tokens: per the OAuth 2.1 spec — access tokens expire in 1 hour, refresh tokens in 60 days. Expired tokens are purged hourly.

Your rights

You can ask us to do any of the following. Email hello@talktoapp.ai from the address you signed up with — we respond within 7 days.

  • Delete everything. We wipe your account, your captured tokens, your query logs, and your invite binding. Irreversible.
  • Export your data. We’ll send you a JSON dump of what we have on you.
  • Stop the extension cold. Uninstall it from chrome://extensions — the extension stops capturing immediately. Existing server-side data still exists until you ask us to delete it.

If you’re in the EEA or the UK and feel we’re mishandling your data, you also have the right to complain to your local data protection authority.

Permissions the extension requests

For transparency, here’s every Chrome permission the extension requests and what it’s actually used for. If you see one in the Chrome Web Store listing that we don’t list here, that’s a bug — please tell us.

  • Host access to x.com / twitter.com: read your timeline and posts when Claude asks for them.
  • Storage: remember your install identity locally so you don’t re-authenticate every popup open.
  • Cookies: set a short-lived intent cookie on talktoapp.ai during the OAuth dance with Claude. Without it, Claude’s connect flow breaks.
  • Tabs: detect whether x.com is open so we can route requests to your active session.
  • Alarms: keep the service worker alive so the connection to our backend doesn’t drop while you’re mid-conversation with Claude.

Children

TalkToApp is not intended for users under 13. We don’t knowingly collect data from anyone under 13. If you are a parent or guardian and believe we have, email us and we’ll delete it.

Changes to this policy

If we change anything substantive — what we collect, what we do with it, who we share it with — we’ll bump the date at the top and email everyone on the beta list before the change takes effect. Cosmetic edits (typos, clearer wording) don’t trigger an email.

Contact

Anything at all: hello@talktoapp.ai. You’ll get a real reply, usually within 24 hours.

© 2026 TalkToApp