Privacy Policy

Last updated: May 3, 2026

1. Who we are

TxNod ("TxNod", "we", "us", or "our") provides non-custodial multi-chain crypto payment infrastructure for software developers and operators of online services. TxNod is operated from Dubai, United Arab Emirates. This Privacy Policy explains what limited information we collect when you, as an invited operator, use our website and dashboard, how we use it, and the choices you have.

TxNod is a non-custodial service: we never receive, store, or transmit your private keys, seed phrases, mnemonics, or any other signing material. Funds flow directly from end-customer wallets to addresses you control on the public blockchain. We are not a wallet, a custodian, or a money-transmitter.

2. Scope of this policy

This policy covers the TxNod marketing website, the invite-only operator dashboard, the REST API, the Model Context Protocol (MCP) endpoint, and the official TxNod TypeScript SDK insofar as the SDK exchanges data with our servers. It does not cover end customers who pay invoices issued by an operator: end customers do not register with TxNod, do not provide an email address, and interact only with public blockchain addresses.

Third-party websites or services linked from TxNod (for example documentation hosting, blockchain explorers, or wallet vendors) are governed by their own privacy policies.

3. Information we collect

We collect only the data needed to operate the service:

  • Account data. The email address you use to receive an invite and sign in, your display name (if provided), your role within TxNod (operator or administrator), and your account status.
  • Authentication data. Short-lived one-time codes generated for email sign-in, the Google account subject identifier (a stable opaque string returned by Google when you choose Google sign-in), and time-bounded session identifiers stored in a secure HTTP-only cookie.
  • Wallet metadata. Extended public keys (xpubs / stake addresses) you register so we can derive payment addresses on your behalf. These are public keys — they cannot move funds — but we still treat them as privacy-sensitive and never expose them in logs or analytics.
  • API credential metadata. Project HMAC API keys (only the public identifier; the secret is hashed and shown to you exactly once at creation), and Personal Access Tokens (only the prefix and last four characters; the full token is shown to you exactly once at creation).
  • Operational data. Audit records of authentication attempts, invoice state transitions, webhook delivery attempts, and significant administrative actions. These records include timestamps, the actor's user identifier, the requesting IP address, and a user-agent string. They are used to investigate incidents and to satisfy our security obligations.
  • Communications. If you contact us at support@txnod.com, we retain the message and our reply.
  • Cookies. A single essential session cookie (session) is set after you sign in; it is HTTP-only, secure, same-site, and used solely to keep you authenticated. We do not use advertising cookies, analytics cookies, tracking pixels, or third-party social plug-ins.

We do not collect: government identification, payment-card numbers, banking details, biometric data, or end-customer personal information. We do not run advertising, analytics, or behavioural-tracking scripts on the website.

4. How we use information

We use the data above to:

  • provide, maintain, and improve the TxNod service, including allocating payment addresses derived from your registered xpubs and dispatching signed webhook events to your project endpoints;
  • authenticate you, prevent unauthorised access, and detect abuse (for example, rate-limiting authentication attempts and rejecting sign-ins from unregistered email addresses without sending any email);
  • keep tamper-evident audit trails for security review and to investigate disputes;
  • send transactional emails strictly necessary to operate the service (sign-in codes, security alerts, subscription notices, invite acceptance);
  • comply with applicable law and respond to lawful requests from authorities.

We do not sell, rent, or trade your personal information. We do not use your data for behavioural advertising or to train machine-learning models.

5. Sharing and service providers

We share data only with vetted service providers who process it on our behalf under written contracts that restrict their use of the data to providing their service to us:

  • Email delivery. Resend transmits transactional emails (sign-in codes, security alerts) on our behalf. Resend receives only the recipient address and the email body.
  • Identity (optional). Google receives the standard OAuth request when you choose to sign in with a Google account. Google returns a stable subject identifier and your verified email; we do not request other profile fields.
  • Blockchain RPC providers. To watch the public blockchain for payments to addresses you control, we query third-party node providers (such as NOWNodes, Alchemy, Blockfrost, TronGrid, and Toncenter). These queries contain blockchain addresses and transaction hashes — both of which are already public information on the chain — and never your account email or other personal data.
  • Hosting and infrastructure. The TxNod application runs on a private server hosted by a commercial hosting provider; the underlying operating-system and network logs the provider keeps are governed by their policy.

We may disclose information when we believe in good faith that the law requires it, to enforce our Terms of Service, to protect the security and integrity of the service, or to defend our rights, property, or safety, or those of our users or the public.

If TxNod is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction; the recipient will be bound by terms no less protective than this policy.

6. Data retention

We keep account data for as long as your account is active, plus a limited period afterwards to satisfy security, accounting, and dispute-resolution obligations. Audit records are retained for a rolling twelve-month window in the operational database; older records may be archived in encrypted offline backups for a longer period as part of our standard backup schedule. Backups are rotated and ultimately destroyed on a defined schedule.

When you ask us to delete your account, we deactivate it promptly and remove or anonymise associated personal data within a reasonable period, except where we are legally required to retain it (for example, to keep tax records or to respond to a pending legal request).

7. Security

We use industry-standard technical and organisational safeguards: TLS in transit, hashed credentials at rest, scoped Personal Access Tokens with one-time display, HMAC-signed webhooks with constant-time signature comparison, encrypted database backups, structured audit logging with sensitive fields redacted, and least-privilege access controls. No system is perfectly secure; we cannot guarantee absolute security but we work to discover and remediate vulnerabilities promptly.

8. Your choices

You may at any time:

  • request a copy of the personal data we hold about your account by emailing support@txnod.com;
  • correct inaccurate account information directly in the dashboard or by writing to us;
  • delete your account, after which we will remove or anonymise your data subject to the retention rules above;
  • withdraw a consent you previously gave us for a specific processing activity, without affecting the lawfulness of processing carried out before withdrawal;
  • complain to a supervisory authority in your jurisdiction, where local law gives you that right.

Because TxNod is invite-only, we do not maintain a public-facing self-service account-deletion form; delete and data-export requests are handled by email and we will respond within a reasonable period.

9. International data transfers

TxNod is operated from Dubai, United Arab Emirates. Some of our service providers process data in other countries, including the European Economic Area and the United States. Where required by applicable law, we rely on appropriate safeguards (such as our service providers' standard contractual clauses or equivalent mechanisms) to protect data when it leaves your country.

10. Children

TxNod is not directed to children. We do not knowingly collect personal information from anyone under the age of eighteen. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we make material changes we will revise the "Last updated" date above and, where appropriate, notify operators by email or through the dashboard. Continued use of the service after the effective date of the updated policy constitutes acceptance of the changes.

12. Contact us

If you have questions about this policy or about how we handle your information, please write to support@txnod.com. We respond from Dubai, United Arab Emirates.