Privacy Policy

Last updated: April 5, 2026

1. Introduction

Troxy ("we", "us", "our") operates the Troxy payment control platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal data.

2. Data We Collect

Account data: Your email address, used for authentication (magic link login) and transactional notifications.

Transaction metadata: When your AI agent calls the Troxy API, we log the merchant name, amount, currency, agent identifier, card alias, and the decision made (ALLOW, BLOCK, ESCALATE, NOTIFY). We never store full card numbers — only the alias you create.

API usage: Request timestamps, IP addresses (via Cloudflare), and API key identifiers for security and debugging purposes.

Policy configuration: The rules and spending limits you define in the dashboard.

3. How We Use Your Data

• Authentication: Your email is used to send one-time login links.
• Service operation: Transaction logs power the audit trail and dashboard activity feed.
• Security: API usage logs help us detect abuse and unauthorized access.
• Notifications: We send email alerts when your policies are triggered (ESCALATE or NOTIFY decisions).

We do not use your data for advertising, marketing, or profiling. We do not sell your data to third parties.

4. Data Storage and Security

Your data is stored in AWS (us-east-1, Northern Virginia). We use industry-standard security practices including encrypted databases, secrets management (AWS Secrets Manager), and private network isolation for our database. All API traffic is encrypted via TLS.

5. Third-Party Services

• Amazon Web Services (AWS): Cloud infrastructure, database, and email delivery (Amazon SES).
• Cloudflare: DNS, DDoS protection, and CDN. Cloudflare processes request metadata (IP addresses, request paths) per their own privacy policy.

6. Data Retention

We retain your account data and transaction logs for as long as your account is active. When you delete your account, all associated data is permanently deleted within 30 days. Audit logs older than 12 months may be archived or deleted earlier.

7. Your Rights

You have the right to:

• Access: View all your data via the dashboard.
• Delete: Delete your account and all associated data from Settings → Delete Account.
• Export: Request a copy of your data by emailing gaslan@troxy.io.
• Correct: Update your account information at any time.

8. Cookies

The Troxy dashboard uses a single session cookie to maintain your login state (JWT token stored in localStorage). We do not use tracking cookies or third-party analytics.

9. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For privacy-related questions or requests, contact us at gaslan@troxy.io.