Privacy Notice

Effective 18 June 2026

01 · Who We Are

FanXP (“FanXP”, “we”, “us”) is operated by Rosegold Technologies Limited, a private company registered in England and Wales (Companies House #17181202), 38 Charlotte Street, London. For any privacy question, contact support@rosegold.app.

02 · What This Notice Covers

This notice applies to:

  • our marketing site (fanXP.fun), and
  • the FanXP web app, which connects to your YouTube account through Google Data Portability and shows you a per-channel “Experience Points” (XP) leaderboard of the channels you watch.

03 · The Data We Process

Marketing site

  • Email address: only if you give it to us to be notified when your results are ready, or to join an updates list (see §8).
  • Server logs and aggregated, cookieless analytics.

The FanXP app

When you choose Sign in with Google, you grant FanXP access to a set of Google Data Portability scopes. These are export-only. FanXP can request a copy of the listed YouTube data and cannot change anything in your Google account. The scopes are:

Scope | What it lets us export
dataportability.myactivity.youtube | Your YouTube watch and search history
dataportability.youtube.subscriptions | Your channel subscriptions
dataportability.youtube.comments | Comments you’ve posted
dataportability.youtube.live_chat | Live-chat messages you’ve sent

To produce your leaderboard we process:

  • Google OAuth tokens (an access token and a refresh token) — used solely to request, check on, and download your data-portability archive into a private session.
  • The downloaded archive: Google prepares it on its side; we download the file(s), read them, and compute your scores.

What we derive: your per-channel Experience Points and the breakdown behind them.

What we never request or receive: Gmail or any email content, Google Drive or files, photos, location, contacts, or anything outside the four YouTube scopes above.

Google API Services User Data Policy (Limited Use)

FanXP’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use your Google data only to provide and improve the user-facing features described here, we do not sell it, and we do not use it for advertising.

Eligibility

Google offers Data Portability APIs to personal Google accounts in the EEA, Switzerland, and the UK. Users with accounts outside these regions will need to manually export their data from Google Takeout and upload it.

04 · Lawful Bases (UK/EU GDPR)

  • Consent (Art. 6(1)(a)) for connecting your Google account, running the export, and sending you any email you request.
  • Legitimate interest for aggregated analytics and keeping the service secure.
  • Legal obligation for handling support and compliance requests.

You can withdraw consent at any time by disconnecting or cancelling the export (see §8–9).

05 · Digital Markets Act

Google’s Data Portability API is a mechanism provided under the Digital Markets Act (Art. 6(9)) that lets you move your own data to a third party you choose. FanXP acts as an authorized third party: access is scoped and user-initiated, we practise data minimization, and we are an independent controller of the data you bring to us — Google does not direct what we do with it, and we don’t send it back to Google.

06 · Sub-processors

Sub-processor | Purpose
Google | OAuth sign-in, Data Portability API, YouTube Data API
Resend | Sending your results email and managing the opt-in updates list
Railway | Running the app and its temporary session storage

07 · International Transfers

Processing takes place primarily in the UK/EEA. Where a sub-processor processes data in the US or elsewhere, transfers are covered by Standard Contractual Clauses and/or Data Privacy Framework certification.

08 · Retention

  • Your session data (the OAuth tokens, the parsed YouTube archive, and the XP we derive from it) is held in a private, per-session store while you use FanXP, and is deleted when you disconnect, or automatically 24 hours after you connect — whichever comes first (the “Disconnect” action erases the tokens, history, and everything else we hold for that session immediately).
  • Notification email — used to send your link and not otherwise kept, unless you opt in.
  • Opt-in updates list — kept (with Resend) until you unsubscribe.
  • Server logs — 30 days.

09 · Your Rights

You have the right to access, correct, delete, restrict, and port your data, and to withdraw consent. For session data, Disconnect deletes it immediately. For anything else (e.g. the updates list), email support@rosegold.app; we aim to respond within 30 days.

10 · Security

We use TLS encryption in transit, AES-256 encryption of your session data at rest (your tokens and archive are stored encrypted), least-privilege access, and isolated per-session processing so one person’s data is never mixed with another’s.

11 · Children

FanXP is for users 18 and over. We don’t knowingly process data from minors and will delete it if we discover it.

12 · Data Protection Officer

We are not legally required to appoint a DPO. support@rosegold.app is the contact point for all data matters.

13 · Changes to This Notice

We’ll update this notice as the product evolves and revise the Effective Date. Material changes will be communicated through the site.

14 · Contact

Rosegold Technologies Limited · 38 Charlotte Street, London · support@rosegold.app