Privacy
What information we collect, how we use it, who we share it with, where it lives, how long we keep it, and the rights you have over it.
This Privacy Policy explains how Vinay Maheshwari, the sole-proprietor operating TraceTxn ("TraceTxn", "we", "us"), collects, uses, shares, and protects personal information when you (1) visit our website, (2) sign up for a workspace, or (3) use the TraceTxn platform (collectively, the "Service").
When you sign up, we collect your name, email address, and workspace details (business name, country, currency preferences). We also store an authentication record from your chosen sign-in method (Google sign-in or email + password).
As you use TraceTxn, we record activity needed to run the Service, orders you create, evidence events, audit-log entries, sub-processor jobs (e.g. emails queued for delivery), and feature interactions. This usage data is scoped to your workspace.
When you connect Stripe, we store the credentials you provide (encrypted at rest), the Stripe account identifier, and event metadata returned by Stripe (session ids, charge ids, dispute ids, status timestamps). We never receive or store card numbers.
When subscription billing is active, the payment instrument itself is handled by our subscription processor; we store only the billing email, last 4 digits, brand, country, and the processor's opaque customer identifier, never full card data.
We collect device, browser, IP address, request timestamps, and rough geo-location (country/region) for security, fraud-prevention, and observability, including failed login attempts and bot-protection challenge results.
We use a small number of essential cookies (session cookies, CSRF tokens, bot-protection tokens) needed to operate the Service. We do not use third-party advertising cookies or cross-site trackers.
We use personal information to:
Where the EU/UK GDPR applies, we rely on these lawful bases:
We rely on the following service providers (sub-processors) to run the Service. They process personal information only under our instructions and equivalent confidentiality and security obligations.
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Application hosting + compute | United States / EU |
| MongoDB Atlas | Primary database (workspace data, audit logs, evidence chain) | United States / EU |
| Google Firebase | Authentication (Google + email/password sign-in) | United States |
| Stripe | Subscription billing (TraceTxn fees), tenant payment processing uses your own Stripe account | United States / Ireland |
| Google Workspace (SMTP) | Transactional email delivery | United States |
| Cloudflare | DNS, CDN, bot protection (Turnstile) | Global |
We notify customers of material sub-processor changes through this page and, where you have a signed DPA, via the notification channel set out in it.
The sub-processors above operate primarily in the United States, Ireland, and the European Union. When personal information is transferred from your region to another, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses, where applicable) and require equivalent confidentiality and security obligations.
Depending on where you live, you may have the right to access, correct, export, restrict processing of, or delete your personal information; to object to certain processing; and to lodge a complaint with your local data-protection authority.
To exercise these rights for personal information we hold about you as a TraceTxn operator, email [email protected] from the email address associated with your workspace. We respond within 30 days.
For requests about your customers' personal information that we process on your behalf, please direct those requests to your workspace owner, they are the controller of that data.
We use technical and organisational safeguards to protect personal information, encryption in transit, encryption at rest for credentials, scoped access controls, audit logging, tenant isolation at the data layer, and bot protection on public forms.
No system is impenetrable. We commit to investigating and, where appropriate, notifying you of personal-data breaches without undue delay, in line with applicable law.
More detail is on our Security page.
The Service is intended for business use and not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, email [email protected] and we will delete it.
We may update this Privacy Policy. The "Last updated" date above reflects the current version. Material changes are announced by email at least 14 days before they take effect; continued use of the Service after the effective date constitutes acceptance.
Questions about this Policy or our handling of personal information? Email [email protected].