
Privacy Policy

Last updated May 29, 2026

This is an early-access version of xO. The platform is in active development. The policy below describes our current practices; we'll update it as features land.

1. What we collect

When you create an account we store:

  • Email address (required), display name and avatar URL (optional)
  • A salted bcrypt hash of your password (we never store the password itself)
  • If you sign in with Google: your Google account ID and profile picture
  • If you enable two-factor authentication: an encrypted TOTP secret and the hashes of your recovery codes
  • Security events on your account (login, password change, 2FA, session activity) with IP address and browser user agent

For the self-custody xO Wallet, your seed phrase and private keys are stored only on your device, encrypted with your wallet password. xO never sees them.

2. Cookies

We use a single first-party session cookie (xo2_session) to keep you signed in. It is httpOnly, sameSite=lax, and secure in production. We do not use third-party tracking cookies.

3. Third parties

  • Hosting: Vercel (US-based; transactional data flows through their infrastructure)
  • Database: Vercel Postgres / Neon
  • Email: Resend (verification and password reset emails)
  • Google OAuth: if you choose Google sign-in, Google authenticates you
  • Have I Been Pwned: we check passwords against breach databases using a k-anonymity lookup (we send the first 5 characters of the password's SHA-1 hash; we never send the password itself)
  • Public blockchain RPCs: wallet balance/transaction queries hit public node providers

4. Your rights

You can update your profile, change your password, enable/disable 2FA, revoke individual sessions, and unlink Google from your account settings. To delete your account entirely, email us — we'll add a self-service option soon.

5. Security

Passwords are bcrypt-hashed (cost 12). Session tokens are sha256-hashed in our database — only the raw token in your cookie is valid, and that token never leaves your browser. TOTP secrets are AES-256-GCM encrypted at rest.

6. Contact

Questions? Email hello@xo2.app.