Privacy Policy

Effective: March 27, 2026 · Last updated: March 27, 2026

Tx.app (“we,” “us”) operates txpay.app, a non-custodial cross-chain cryptocurrency payment links service. This policy explains what data we collect, how we use it, and your rights. We collect the minimum needed to operate and never sell your data.

1. What We Collect

Account Data

  • Email address — authentication & payment notifications
  • Wallet addresses (EVM, Bitcoin, Solana) — link creation & payment routing
  • Authentication method — email, wallet, or both

Payment Data

  • Transaction hashes — payment tracking & deduplication
  • Payer wallet address — payment records
  • Token type, amount, chain — payment records & USD conversion

Technical Data

  • IP address — rate limiting & abuse prevention (not stored long-term)

What We Do NOT Collect

Private keys, seed phrases, government ID, browsing history, analytics data, advertising identifiers, location data, or biometric data.

2. How We Use Your Data

Exclusively for: operating the service, authentication, security (rate limiting, CSRF, HMAC), payment notifications, dashboard statistics, and debugging. We do not use data for advertising, profiling, or sale to third parties.

3. Third-Party Services

We share only the minimum data needed with:

  • Supabase (US) — database hosting
  • Vercel (US) — application hosting
  • Resend (US) — email delivery
  • Li.Fi (EU) — cross-chain swap/bridge routing
  • Alchemy (US) — blockchain RPC
  • CoinGecko — price data (no user data sent)
  • WalletConnect — wallet connections
  • Upstash (US) — rate limiting

Blockchain transactions are recorded on public, immutable blockchains. We cannot delete or modify on-chain data.

4. Cookies

We use functional cookies only: authentication session (iron-session), wallet state (wagmi), CSRF protection, and logout signal. No analytics or tracking cookies.

5. Data Retention

  • Account data — until you delete your account
  • Payment records — 2 years from payment date
  • IP addresses — in-memory only, not persisted
  • Server logs — 30 days

6. Your Rights

You can request: access, correction, deletion, data portability (JSON), restriction, or objection to processing.

Email privacy@txpay.app with your request. Include your account email or a signed wallet message for verification. We respond within 30 days.

GDPR: Legal bases are contract performance, legitimate interests (security), and consent (notifications). Data transfers to the US rely on Standard Contractual Clauses. You may lodge a complaint with your local DPA.

7. Security

TLS encryption, HMAC-SHA256 link integrity, AES-256 session encryption, SHA-256 OTP hashing, rate limiting on all endpoints, CSRF protection, constant-time comparisons, and no custody of funds. Report vulnerabilities to privacy@txpay.app.

8. Children

The service is not intended for anyone under 13. We do not knowingly collect data from children.

9. Changes

Material changes will be posted with 14 days notice. Continued use after changes constitutes acceptance.

10. Contact

privacy@txpay.app
Maximo Correa · Buenos Aires, Argentina