Privacy

Privacy Policy

What information we collect, how we use it, who we share it with, where it lives, how long we keep it, and the rights you have over it.

Last updated · 2026-05-31Effective · 2026-05-31
01

Overview

This Privacy Policy explains how Vinay Maheshwari, the sole-proprietor operating TraceTxn ("TraceTxn", "we", "us"), collects, uses, shares, and protects personal information when you (1) visit our website, (2) sign up for a workspace, or (3) use the TraceTxn platform (collectively, the "Service").

02

Information we collect

Account information

When you sign up, we collect your name, email address, and workspace details (business name, country, currency preferences). We also store an authentication record from your chosen sign-in method (Google sign-in or email + password).

Workspace usage

As you use TraceTxn, we record activity needed to run the Service, orders you create, evidence events, audit-log entries, sub-processor jobs (e.g. emails queued for delivery), and feature interactions. This usage data is scoped to your workspace.

Payment processor metadata

When you connect Stripe, we store the credentials you provide (encrypted at rest), the Stripe account identifier, and event metadata returned by Stripe (session ids, charge ids, dispute ids, status timestamps). We never receive or store card numbers.

Billing information

When subscription billing is active, the payment instrument itself is handled by our subscription processor; we store only the billing email, last 4 digits, brand, country, and the processor's opaque customer identifier, never full card data.

Technical data

We collect device, browser, IP address, request timestamps, and rough geo-location (country/region) for security, fraud-prevention, and observability, including failed login attempts and bot-protection challenge results.

Cookies

We use a small number of essential cookies (session cookies, CSRF tokens, bot-protection tokens) needed to operate the Service. We do not use third-party advertising cookies or cross-site trackers.

03

How we use information

We use personal information to:

  • provide, secure, and operate the Service;
  • authenticate sign-in, maintain workspace membership, and apply role-based permissions;
  • process subscription payments, send invoices, and meet tax/accounting obligations;
  • send transactional email (sign-up confirmation, password reset, billing notices, security alerts), these are necessary for the Service and cannot be opted out of while your account is active;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • comply with legal obligations and enforce our Terms of Service;
  • improve the Service, primarily through aggregated metrics (latency, error rates, feature adoption) rather than individual profiling.
05

How we share information

We share personal information only as needed to provide the Service:

  • Sub-processors (listed below), hosting, database, authentication, email delivery, payment processing, bot protection.
  • Within your workspace, members of your workspace see data your role permits them to see. Workspace owners see all workspace data.
  • Legal compliance, when required by law, valid legal process, or to protect rights, property, or safety.
  • Business transfers, in connection with a merger, acquisition, or sale of assets, subject to the successor honouring this Policy.

We do not sell personal information. We do not share personal information with advertising networks. We do not use personal information to train AI models.

06

Sub-processors

We rely on the following service providers (sub-processors) to run the Service. They process personal information only under our instructions and equivalent confidentiality and security obligations.

ProviderPurposeLocation
DigitalOceanApplication hosting + computeUnited States / EU
MongoDB AtlasPrimary database (workspace data, audit logs, evidence chain)United States / EU
Google FirebaseAuthentication (Google + email/password sign-in)United States
StripeSubscription billing (TraceTxn fees), tenant payment processing uses your own Stripe accountUnited States / Ireland
Google Workspace (SMTP)Transactional email deliveryUnited States
CloudflareDNS, CDN, bot protection (Turnstile)Global

We notify customers of material sub-processor changes through this page and, where you have a signed DPA, via the notification channel set out in it.

07

International data transfers

The sub-processors above operate primarily in the United States, Ireland, and the European Union. When personal information is transferred from your region to another, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses, where applicable) and require equivalent confidentiality and security obligations.

08

How long we keep information

  • Account & workspace data: retained while your account is active. After deletion, we may keep data for up to 30 days to allow recovery, then remove or irreversibly anonymise it (subject to legal retention).
  • Audit logs & evidence chain: retained for the lifetime of your workspace because tampering with this data would defeat its purpose. On deletion, we keep cryptographic chain anchors only.
  • Billing records: retained for the period required by tax and accounting law in our operating jurisdiction.
  • Security & abuse-prevention signals: most live in our auth provider's logs (Firebase) or in-process counters that aren't separately stored. When we do persist a security signal on our side, it's kept up to 12 months and then deleted or rolled up to aggregates.
  • Marketing / transactional email logs: delivery metadata kept up to 90 days for deliverability diagnostics.
09

Your rights

Depending on where you live, you may have the right to access, correct, export, restrict processing of, or delete your personal information; to object to certain processing; and to lodge a complaint with your local data-protection authority.

To exercise these rights for personal information we hold about you as a TraceTxn operator, email [email protected] from the email address associated with your workspace. We respond within 30 days.

For requests about your customers' personal information that we process on your behalf, please direct those requests to your workspace owner, they are the controller of that data.

10

Security

We use technical and organisational safeguards to protect personal information, encryption in transit, encryption at rest for credentials, scoped access controls, audit logging, tenant isolation at the data layer, and bot protection on public forms.

No system is impenetrable. We commit to investigating and, where appropriate, notifying you of personal-data breaches without undue delay, in line with applicable law.

More detail is on our Security page.

11

Children

The Service is intended for business use and not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, email [email protected] and we will delete it.

12

Changes to this Policy

We may update this Privacy Policy. The "Last updated" date above reflects the current version. Material changes are announced by email at least 14 days before they take effect; continued use of the Service after the effective date constitutes acceptance.

13

Contact

Questions about this Policy or our handling of personal information? Email [email protected].