Yes, Twitter/X business accounts and developer apps need a privacy policy. If you run Twitter Ads, access the X API, operate bot accounts, use conversion tracking pixels, create tailored audiences, or sell products through X Commerce features, you are collecting personal data. Privacy laws and X's own developer agreement and advertising policies require you to disclose these practices in a published privacy policy.
When You Need a Privacy Policy for Twitter/X
X (formerly Twitter) has its own privacy policy that covers data X collects through the platform. However, X's policy does not cover data that you, as a business, developer, or advertiser, collect from users through your own tools and activities. If you engage in any of the following, you need your own privacy policy:
Running Twitter Ads (promoted tweets, followers, or trends)
X's advertising platform requires advertisers to comply with applicable privacy laws. When you run promoted content, X collects engagement data on your behalf including click-through behaviour, conversion tracking, and audience targeting data. You are responsible for disclosing how this advertising data is used.
Using the X API to access user data
The X API provides access to tweets, user profiles, follower relationships, engagement metrics, and (with elevated access) direct messages. X's Developer Agreement requires all API users to have a privacy policy that explains what data is collected, how it is used, and how users can contact you about their data.
Operating bot accounts or automated tools
Bot accounts that reply to users, process mentions, aggregate tweet data, or send automated direct messages are collecting and processing personal data. X's automation rules require bots to identify themselves, and privacy laws require disclosure of data processing activities.
Using conversion tracking or website tags
The X Pixel (formerly Twitter Website Tag) tracks visitor behaviour on your website after they interact with your tweets or ads. This includes page views, sign-ups, purchases, and other conversion events. Like all tracking pixels, this sets cookies and collects personal data that must be disclosed.
Selling through X Commerce features
X Commerce features including product catalogs, shop spotlights, and in-app purchasing involve customer data collection. Product interactions, purchase data, and customer contact information are processed through these features and must be covered by your privacy policy.
Creating tailored audiences from customer lists
When you upload email lists or device IDs to X for tailored audience targeting, you are sharing personal data with X for advertising purposes. X's tailored audience policies require that you have consent to use this data and that your privacy policy discloses this practice.
Without a privacy policy, you risk X Ads account suspension, rejection of promoted campaigns, X API access revocation, developer app suspension, GDPR fines up to €20 million, CCPA penalties of $7,500 per violation, and loss of user trust. X actively reviews developer compliance and can revoke API access without warning. Learn the full breakdown of what happens without a privacy policy.
Does this apply to personal Twitter/X accounts?
Personal accounts used purely for personal tweeting (no ads, no API access, no commerce, no automation) generally do not need their own privacy policy because X's policy covers platform-level data collection. However, the moment you start running ads, accessing the API, or engaging in commercial activities, the requirement applies.
What about X Premium subscribers who use advanced features?
X Premium (formerly Twitter Blue) subscribers who use advanced analytics, longer posts, or creator monetization features are engaging in activities that may involve additional data collection. If you monetize your account through subscriptions, tips, or Super Follows, you are collecting financial data from your subscribers and need a privacy policy.
Data Sources on Twitter/X
Every data type your X presence might collect or facilitate.
The data your Twitter/X presence handles depends on which features, APIs, and external tools you use. Here is a comprehensive breakdown by source:
| Data Source | Data Collected | Who Controls It |
|---|---|---|
| X API | Tweet content, user profiles, follower lists, engagement metrics, media attachments, location data (if enabled) | You (controller for collected data), X (platform provider) |
| Twitter Ads | Impression data, click-through rates, engagement metrics, audience demographics, promoted tweet interactions | Joint controller (you and X) |
| Conversion Tracking | Page views, sign-ups, purchases, cart events, button clicks, IP addresses, browser data, device IDs | Joint controller (you and X) |
| X Commerce | Product page views, purchase events, customer names, shipping addresses, payment details, order history | You (controller), X (processor) |
| Website Cards | Click-through data, landing page visits, card engagement metrics, referring tweet data | Joint controller (you and X) |
| Direct Messages | Usernames, message content, shared media, contact details, timestamps | X (platform), you (business use) |
| Lists | Curated user profiles, list membership data, follower overlap analysis | X (platform), you (curator) |
| Spaces | Speaker and listener identities, audio recordings (if saved), participation timestamps, engagement data | X (platform), you (host) |
| Communities | Member profiles, post content, membership data, moderation logs, engagement metrics | X (platform), you (community admin) |
The critical distinction: X Analytics provides aggregated engagement data that X controls. But API data access, conversion tracking, tailored audiences, and commerce data involve personal data that you collect, control, or jointly control with X. These are what your privacy policy must cover.
Did you know?
The X API v2 returns a unique user ID for every account. Even if you only collect tweet text and engagement counts, the user IDs attached to that data are personal data under GDPR because they can be used to identify specific individuals. This means any X API usage that retrieves user-related data triggers privacy policy requirements, regardless of whether you store usernames or display names.
X API and Developer Requirements
What X requires from every developer who accesses its API.
The X Developer Agreement and Policy impose specific requirements on anyone who accesses the X API. These are contractual obligations enforced through X's developer platform. Violating them can result in API access revocation, app suspension, or permanent ban from the developer program.
Privacy policy requirement for all API users
X's Developer Agreement requires every application that accesses the X API to have a privacy policy. This policy must be accessible via a working URL and must clearly describe what X data you collect, how you use it, how you store it, and how long you retain it. The privacy policy URL is a required field when registering a developer app on the X Developer Portal.
Data use restrictions and display requirements
The X API Terms of Service restrict how you can use the data you access. You cannot sell raw X data, you must display tweets according to X's display requirements, and you must delete data when users delete their tweets or accounts. Your privacy policy must reflect these restrictions and explain your data retention practices honestly.
User consent for elevated API access
Certain API endpoints (such as Direct Messages, email addresses, and offline access) require explicit user consent through OAuth. Your privacy policy must explain what permissions your app requests and why. Users must understand what data your app will access before they authorize it.
Rate limits and data storage obligations
X imposes rate limits on API calls and requires developers to handle data responsibly. If you cache or store X data locally, your privacy policy must disclose this storage, the retention period, and how users can request deletion of their data from your systems.
Academic Research and Enterprise API tiers
Higher API access tiers (Academic Research, Enterprise) come with additional obligations. Academic researchers must describe their research purpose and data handling in their privacy policy. Enterprise users must comply with stricter data governance requirements outlined in their enterprise agreement.
Can X actually revoke my API access for not having a privacy policy?
Yes. X regularly audits developer applications and can suspend or revoke API access for policy violations, including missing or inadequate privacy policies. The privacy policy URL is a required field during app registration, and X reviews it during the application approval process. Revocation can happen without advance notice.
Does using a third-party Twitter client count as API usage?
If you are building or operating a third-party client that accesses the X API, yes. The same developer requirements apply whether you are building a mobile app, web dashboard, analytics tool, or social media management platform. The privacy policy requirement applies to every application that authenticates with the X API.
Twitter Ads and Conversion Pixel
Advertising on X creates significant data disclosure obligations.
X's advertising platform (Twitter Ads, now X Ads) allows businesses to promote tweets, accounts, and trends. The platform also provides conversion tracking through the X Pixel and supports tailored audience targeting from customer lists. Each of these features involves personal data collection that must be disclosed in your privacy policy.
Promoted tweets and account campaigns
When you run promoted content on X, the platform collects engagement data including impressions, clicks, retweets, replies, follows, and profile visits. This data is tied to individual user accounts. X shares aggregated campaign analytics with you, but the underlying data involves personal data processing by both you and X as joint controllers.
X Pixel (conversion tracking)
The X Pixel (formerly Twitter Website Tag) is a JavaScript snippet installed on your website that tracks visitor actions after they click on or view your X ads. It collects page URLs, conversion events (purchases, sign-ups, downloads), IP addresses, browser information, and device identifiers. Under GDPR, installing the X Pixel requires cookie consent because it sets tracking cookies on visitors' browsers.
Tailored Audiences from customer lists
X allows you to upload email lists, phone numbers, or device advertising IDs to create tailored audiences for ad targeting. X hashes the data and matches it against its user database. Your privacy policy must disclose that you share customer data with X for advertising purposes and that you have consent to do so.
Tailored Audiences from web activity
Beyond customer lists, you can create tailored audiences based on website visitors tracked through the X Pixel or mobile app users tracked through X's Mobile Measurement Partners. These audiences are built from tracking data that must be disclosed in your privacy policy with the appropriate cookie consent mechanisms.
For a detailed comparison of social media advertising requirements across platforms, see the Facebook page privacy policy guide and the LinkedIn privacy policy guide.
Did you know?
The X Pixel fires on every page load where it is installed, not only when a user arrives from an X ad. This means it tracks all website visitors, including those who arrive from Google, email campaigns, or direct navigation. Under GDPR and the ePrivacy Directive, this requires cookie consent from every visitor, not just those who clicked an X ad. Your privacy policy and cookie banner must account for this broader tracking scope.
X Commerce Features
Selling products through X creates data obligations for every transaction.
X Commerce allows businesses to showcase and sell products directly through their X profiles. Features include product catalogs, shop spotlights, live shopping events, and product drops. Whether transactions complete within X or on your external store, commerce activities involve personal data collection that your privacy policy must address.
Shop spotlight and product catalogs
Product catalogs synced with your X profile generate interaction data when users browse, save, or share products. While the catalog itself contains product information, user engagement data (which users viewed which products, how long they browsed, what they saved) is collected by X and can be used for remarketing. Your privacy policy should disclose this product interaction tracking.
In-app purchasing and checkout
When customers purchase through X's in-app checkout, X processes the payment and collects customer names, shipping addresses, email addresses, and payment details. As the merchant, you receive order details and customer contact information. Your privacy policy must explain how you handle this order data, retention periods, and whether you use it for marketing.
External store links from product cards
If product cards link to your external online store (Shopify, WooCommerce, BigCommerce), the full e-commerce data collection happens on your platform. This includes customer accounts, order history, payment processing, shipping integrations, and analytics. Your privacy policy must cover all of these data flows from the X referral through checkout.
Post-purchase communications and remarketing
Order confirmation emails, shipping notifications, review requests, and marketing follow-ups all involve using customer data collected during the transaction. If you add X Commerce purchasers to an email list or retarget them with X Ads, each additional use of their data must be disclosed in your privacy policy with the appropriate lawful basis.
Bot Account Requirements
Automated accounts have unique privacy obligations on X.
X allows automated accounts (bots) for legitimate purposes such as customer service, content curation, news updates, and utility functions. However, bot accounts that interact with users or process user data have specific privacy obligations under both X's policies and privacy laws.
Bot identification and transparency
X requires bot accounts to clearly identify themselves as automated. Your bot's bio should state that it is automated and link to a privacy policy. Users who interact with your bot should know they are communicating with an automated system, what data the interaction generates, and how that data is used.
Data collected through bot interactions
When users mention, reply to, or DM your bot, the bot receives usernames, tweet content, timestamps, and potentially location data. If your bot processes these interactions (such as a customer service bot that logs support tickets), you are collecting personal data that must be disclosed in your privacy policy.
Automated data aggregation
Bots that monitor hashtags, track mentions, aggregate sentiment data, or compile user statistics from public tweets are processing personal data at scale. Even though individual tweets may be public, systematic collection and analysis of user behaviour constitutes data processing under GDPR.
Automated DM responses
Bots that send automated welcome DMs, process support requests through DMs, or engage in conversational commerce through direct messages are collecting conversation data. Under GDPR, automated decision-making that affects individuals (such as triaging support requests) has additional disclosure requirements.
Did you know?
A bot that monitors a branded hashtag and collects every tweet mentioning it is performing systematic data collection under GDPR Article 4. Even though tweets are public, the act of compiling them into a database for analysis creates a processing activity that requires a lawful basis (typically legitimate interests) and must be disclosed in your privacy policy. The GDPR does not have a blanket exemption for publicly available data.
X Developer Agreement Terms
Key contractual obligations from X's developer terms.
The X Developer Agreement and Developer Policy contain specific privacy-related obligations that go beyond what general privacy laws require. These are contractual terms that X enforces through its developer platform. Your privacy policy must align with these requirements.
Data deletion obligations
When a user deletes a tweet or deactivates their account, X requires you to delete that data from your systems within 24 hours (or as soon as reasonably possible). Your privacy policy must state that you honour user deletions from the X platform and explain your data retention and deletion practices.
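The deletion and retention obligations above (local storage disclosed with a retention period, user deletions honoured within 24 hours) are easier to reason about with a concrete store. The following is an added example, not code from X or from this article: it models a hypothetical local cache of tweet records with a constructed retention period and constructed deletion notices, and does not model the real X API endpoints or their event format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values for this example: the retention period is whatever
# your published privacy policy states; the 24-hour window follows the X
# Developer Policy deletion obligation described in the text.
RETENTION_PERIOD = timedelta(days=30)
DELETION_DEADLINE = timedelta(hours=24)


@dataclass
class CachedTweet:
    tweet_id: str
    author_id: str          # a bare user ID is still personal data under GDPR
    text: str
    fetched_at: datetime


@dataclass
class DeletionNotice:
    kind: str               # "tweet" (tweet deleted) or "user" (account deactivated)
    target_id: str
    received_at: datetime


class TweetCache:
    """Hypothetical local store of X API data that honours deletions and a retention limit."""

    def __init__(self) -> None:
        self._tweets: dict[str, CachedTweet] = {}
        self.audit_log: list[str] = []

    def add(self, tweet: CachedTweet) -> None:
        self._tweets[tweet.tweet_id] = tweet

    def __len__(self) -> int:
        return len(self._tweets)

    def apply_deletions(self, notices: list[DeletionNotice], now: datetime) -> dict[str, int]:
        """Remove records named by deletion notices; count notices acted on late."""
        removed = overdue = 0
        for notice in notices:
            if notice.kind == "tweet":
                victims = [notice.target_id] if notice.target_id in self._tweets else []
            elif notice.kind == "user":
                victims = [tid for tid, t in self._tweets.items() if t.author_id == notice.target_id]
            else:
                raise ValueError(f"unknown notice kind: {notice.kind}")
            for tid in victims:
                del self._tweets[tid]
                removed += 1
            # Audit evidence: when the notice arrived and whether the 24-hour window was missed.
            late = now - notice.received_at > DELETION_DEADLINE
            overdue += int(late)
            self.audit_log.append(f"{notice.kind}:{notice.target_id} removed={len(victims)} late={late}")
        return {"removed": removed, "overdue": overdue}

    def expire(self, now: datetime) -> int:
        """Drop anything held longer than the disclosed retention period."""
        stale = [tid for tid, t in self._tweets.items() if now - t.fetched_at > RETENTION_PERIOD]
        for tid in stale:
            del self._tweets[tid]
        return len(stale)


def demo() -> dict[str, int]:
    """Run the cache over constructed sample data and return the counters."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    cache = TweetCache()
    cache.add(CachedTweet("t1", "u100", "launch day", now - timedelta(days=1)))
    cache.add(CachedTweet("t2", "u100", "typo fixed", now - timedelta(days=2)))
    cache.add(CachedTweet("t3", "u200", "great product", now - timedelta(days=3)))
    cache.add(CachedTweet("t4", "u300", "old mention", now - timedelta(days=45)))
    notices = [
        DeletionNotice("tweet", "t2", now - timedelta(hours=2)),    # within 24 h
        DeletionNotice("user", "u200", now - timedelta(hours=30)),  # acted on too late
    ]
    result = cache.apply_deletions(notices, now)
    result["expired"] = cache.expire(now)
    result["remaining"] = len(cache)
    return result
```

The `overdue` counter is the figure to watch: any non-zero value means a deletion was honoured outside the window the policy commits to.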
Purpose limitation for X data
X restricts what you can do with data obtained through the API. You cannot use X data for surveillance, profiling for eligibility decisions (credit, employment, housing), or building tools that are used to harm or discriminate against users. Your privacy policy must accurately reflect the purposes for which you use X data.
User consent and transparency requirements
X requires that users of your application understand and consent to your data practices before you access their X data. This means your privacy policy must be presented to users before they authenticate your app through OAuth. Burying your privacy policy in a terms of service document is not sufficient.
Data security and breach notification
X requires developers to implement reasonable security measures to protect X data. In the event of a data breach involving X data, you must notify X promptly. Your privacy policy should outline your security practices and breach notification procedures.
Common Twitter/X Privacy Mistakes
These assumptions are widespread among X business accounts and developers. All of them are wrong.
"X's privacy policy covers my app or business"
X's privacy policy covers data that X collects through its platform, such as tweets, likes, follows, and browsing behaviour within the app. It does not cover data you collect through the X API, your developer applications, conversion tracking on your website, or customer data from X Commerce. When your app fetches user data through the API and stores it in your database, X's privacy policy says nothing about how your database handles that data. You need your own policy for that.
"Tweets are public, so no privacy policy is needed"
While most tweets are publicly visible, systematically collecting, storing, and analyzing them constitutes data processing under GDPR. Public availability does not eliminate privacy obligations. When you scrape tweets, build datasets from user profiles, or aggregate engagement data for analytics, you are processing personal data. The GDPR applies to any systematic processing of personal data, regardless of whether that data was publicly posted. Your privacy policy must disclose this collection and its purposes.
"My bot just retweets, it doesn't collect data"
A bot that retweets content is accessing the X API, receiving tweet data (including the author's username, user ID, tweet content, and metadata), and making decisions about which tweets to amplify. Even if your bot does not store this data permanently, the act of processing it through your application constitutes data processing. If your bot uses criteria to select tweets (such as monitoring specific hashtags or users), you are systematically processing personal data and need a privacy policy.
"I only use the free API tier, so requirements are lighter"
X's Developer Agreement applies equally to all API tiers: Free, Basic, Pro, and Enterprise. The privacy policy requirement, data deletion obligations, and purpose limitations are the same regardless of which tier you use. A free-tier app that accesses user data has identical privacy obligations to an enterprise-tier application. The only differences between tiers are rate limits and available endpoints, not compliance requirements.
"Conversion tracking is X's responsibility"
While X provides the technical infrastructure for the X Pixel, you are the one who installs it on your website and decides which conversion events to track. Under GDPR, you and X are joint controllers for the data collected through the pixel. This means you are responsible for obtaining cookie consent from your website visitors, disclosing the pixel in your privacy policy, and providing opt-out mechanisms. X's cookie consent does not extend to your website.
How to Create a Privacy Policy for Twitter/X
Six steps from audit to publication.
Creating a privacy policy for your Twitter/X presence is straightforward once you map out your data collection points. Follow these steps:
Audit every data collection point in your X ecosystem
List every tool and integration connected to your X presence: X API access level, Twitter Ads Manager, X Pixel installations, developer apps, bot accounts, X Commerce features, third-party social media management tools (Hootsuite, Buffer, Sprout Social), and any analytics platforms. For each, note what personal data it collects.
Identify which privacy laws apply to your users
Check your Twitter Analytics for audience geography. If any users are in the EU or UK, GDPR applies. Users in California trigger CCPA and CalOPPA. X's global reach means most accounts have a geographically diverse user base, so GDPR, CCPA, and CalOPPA apply at a minimum.
Map data types to purposes and lawful bases
For each type of personal data, document the purpose and GDPR lawful basis. API data for analytics = legitimate interests. Conversion tracking for ad optimization = consent (cookie-based). Tailored Audiences from customer lists = consent. Bot interaction data for customer service = legitimate interests. Map every data flow.
Name every third-party service and processor
GDPR requires naming specific services. Write 'X Corp. (for API data and advertising)' not 'social media partners'. Name your hosting provider, database service, analytics tools, email marketing platform, and any third-party tools that receive or process X data from your applications.
Generate your privacy policy
Use a structured privacy policy generator that asks about your specific X business setup and produces a customized document. This covers API usage, advertising, conversion tracking, commerce, bot operations, and cookie consent in a single, coherent policy. Our generator handles this in under 60 seconds for $4.99.
Publish and link from every touchpoint
Host your privacy policy on a dedicated URL. Link to it from your X profile bio or website field, X Developer Portal app settings, X Ads Manager, bot account bio, external website footer, and any landing pages linked from tweets. Set a reminder to review and update it every 6 months.
For guidance on GDPR-specific sections, see the GDPR privacy policy template. For other social media platforms, see the TikTok privacy policy guide and the Instagram privacy policy guide.
Generate Your Twitter/X Privacy Policy
Answer a few questions about your X business setup and get a customized, compliant privacy policy covering API usage, advertising, conversion tracking, commerce, and bot operations in under 60 seconds.
Structured around widely accepted GDPR requirements. Not legal advice.
Frequently Asked Questions
Do Twitter/X business accounts need a privacy policy?
Yes. If you run Twitter Ads, use the X API, operate bot accounts, use conversion tracking, or collect user data through X Commerce features, you are collecting or facilitating the collection of personal data. Privacy laws (GDPR, CCPA, CalOPPA) and X's own developer and advertising policies require you to have a privacy policy.
Does X require a privacy policy for Twitter Ads?
Yes. X's advertising policies require advertisers to comply with all applicable privacy laws and to have a privacy policy that discloses data collection practices. When you run promoted tweets, use conversion tracking pixels, or create tailored audiences, you must disclose these practices in a published privacy policy.
What data does the X API collect?
The X API provides access to tweet content, user profiles, follower lists, engagement metrics, direct messages (with appropriate permissions), and real-time streaming data. Developers who access this data are responsible for disclosing what they collect, how they store it, and how long they retain it. Even user IDs alone constitute personal data under GDPR.
Do Twitter bot accounts need a privacy policy?
Yes. Bot accounts that interact with users, collect mentions or replies, process direct messages, or aggregate tweet data are collecting personal data. X's automation rules require bots to clearly identify themselves, and privacy laws require disclosure of any personal data processing. Your bot's bio should link to a privacy policy.
Does X's privacy policy cover my business or developer app?
No. X's privacy policy covers data that X collects through its platform. It does not cover data you collect through the X API, your developer applications, Twitter Ads conversion tracking, or third-party integrations. You need your own privacy policy to disclose your specific data handling practices outside the X platform.
Do I need a privacy policy for X Commerce features?
Yes. X Commerce features including product catalogs, shop spotlights, and in-app purchasing involve customer data collection. Whether transactions happen within X or on your external store, customer names, payment details, and order information are being processed. Your privacy policy must cover how you handle this commerce data.
Where should I link my Twitter/X privacy policy?
Link to it from your X profile bio or website field, your X Ads Manager account, your developer app settings on the X Developer Portal, your bot account's bio, your external website footer, and any landing pages linked from your tweets. The privacy policy should be hosted on a dedicated URL that you control, not as a tweet or thread.
Related Resources
Privacy Policy for Instagram: Instagram business account compliance
Privacy Policy for Facebook: Facebook page compliance guide
Privacy Policy for TikTok: TikTok business account guide
Privacy Policy for LinkedIn: LinkedIn company page compliance
Small Business Privacy Policy: compliance guide for small businesses
GDPR Privacy Policy Template: EU and UK compliance template
What Happens Without One: fines, platform bans, and legal risks
Generate Your Privacy Policy: customized policy in under 60 seconds