Last updated: March 7, 2026
XCT Live ("the Service") respects your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
Account Information: When you register, we store your chosen username and a hashed version of your passphrase. We generate a unique API key for authentication. We do not collect your email address.
Xbox Account Data: If you link your Xbox account, we store your gamertag, Xbox User ID (XUID), avatar URL, and an encrypted Microsoft refresh token. This token is used to access your Xbox achievement data and profile information.
Collection Data: If you upload your Xbox collection export, we store your library, play history, scan history, account list, and order/purchase history. This data is only accessible through your authenticated API key.
CDN Sync Data: If you participate in CDN Sync, your contributed CDN package entries are stored in the shared database with your contributor username attached.
Server Logs: Standard web server logs may include IP addresses, request timestamps, and user agents. These are used for security monitoring and are not shared with third parties.
We do not sell, rent, or share your personal data with third parties. Your collection data is private to your account. CDN Sync contributions are shared with other CDN Sync participants by design.
Data is stored on secured servers. Xbox refresh tokens are encrypted at rest using Fernet symmetric encryption. Passphrases are hashed before storage. While we take reasonable measures to protect your data, no system is completely secure.
When you sign in with Xbox, the Service accesses your data through Microsoft's OAuth2 authorization flow. We only request the scopes necessary for the features you use. Your Microsoft password is never transmitted to or stored by the Service. You can revoke access at any time by disconnecting your Xbox account in the Service or removing the app from your Microsoft account permissions.
The Service uses browser localStorage to store your API key, username, gamertag, and display preferences. No tracking cookies or third-party analytics are used.
Your data is retained as long as your account is active. If you request account deletion, all associated data (collection, tokens, profile) will be removed from our servers.
You have the right to:
The Service is not directed at children under 13. We do not knowingly collect data from children under 13.
We may update this policy at any time. Material changes will be noted by updating the "Last updated" date at the top of this page.
For privacy-related questions or data deletion requests, reach out via the XCT community channels or GitHub repository.