Privacy Policy

TRaX ("we," "us," or "our") operates the TRaX Streaming platform ("Service"). This Privacy Policy describes what information we collect, how we use it, who we share it with, and your rights regarding your data. By using the Service, you agree to the collection and use of information as described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password. If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google via our authentication provider (the IdP). We also store a unique identifier linking your account to our authentication system.

Email Verification Data

When you register or sign in with an unverified email, we generate a one-time verification code and send it to your email address. These codes expire after 10 minutes and are deleted after use.

Payment Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We send Stripe your name, email address, and user ID. Your payment card details are collected directly by Stripe and are never stored on our servers. We store your Stripe customer ID, subscription ID, plan details, billing period dates, and payment history (amounts, currency, status) in our database.

Platform Connection Data

When you connect third-party streaming platforms (such as Twitch, YouTube, Facebook, Twitter/X, LinkedIn, Kick, TikTok, Instagram, or Rumble), we store your platform username, platform user ID, platform email address, avatar URL, follower count, OAuth access tokens, and connection timestamps. We also store RTMP stream URLs and stream keys you provide for multi-platform distribution.

Streaming and Studio Data

We store your studio configurations, scenes, stream destinations, media files you upload, and streaming session history (including duration and device information). When you use collaborative features, we store shared input records, approval actions, and collaboration roles.

Security Credentials

If you enable two-factor authentication (TOTP), we store your TOTP secret and backup codes in our database. If you register a passkey (WebAuthn), we store the associated public key, credential ID, and device metadata.

Automatically Collected Data

When you use the Service, we automatically collect:

• IP address and user agent string, recorded with each login session
• Usage data including streaming time and session duration, used for billing and refund eligibility
• Studio activity data such as cursor position, active element, and presence information during collaborative sessions
• Performance metrics for stream quality and studio operations

2. Cookies and Tracking Technologies

Cookies

We use the following cookies:

• Session cookie — An authentication cookie that keeps you signed in. This is essential for the Service to function and cannot be disabled.

Local Storage

We use browser local storage to store conversion tracking data on our login and signup pages, including UTM parameters, referral source, and timestamps. This data is used to understand how users find and sign up for our Service.

Analytics

Our login and signup pages send events to Google Analytics (via gtag) including page views, login attempts, signup attempts, and conversion events. These events may include your referral source and UTM campaign parameters, but do not include your email, password, or other personally identifiable information.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Authenticate your identity and manage your account
• Process payments and manage your subscription
• Distribute your streams to your configured third-party platforms
• Enable collaborative streaming features between users
• Send transactional emails (email verification codes)
• Track usage for billing and refund eligibility
• Monitor and improve the performance and reliability of the Service
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We do not use your information for advertising purposes or sell your data to third parties. We do not send marketing emails.

4. Third-Party Services and Data Sharing

We share your information with the following third-party service providers, solely for the purposes of operating the Service:

We may also disclose your information if required by law, in response to a valid legal process, or to protect the rights, property, or safety of TRaX, our users, or the public.

5. Data Security

We implement security measures to protect your personal information, including:

• All data transmitted between your browser and our servers is encrypted using TLS
• Passwords are hashed by our authentication provider (the IdP) and are never stored in plaintext
• Application secrets are managed through HashiCorp Vault in production environments
• Session tokens are cryptographically signed
• Two-factor authentication (TOTP and passkeys) is available for additional account security
• WebRTC connections use per-user TURN server credentials
• Email verification is required for all new accounts

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention practices:

• Account data is retained until you delete your account
• Session data expires after 30 days of inactivity
• Email verification codes expire and are deleted after 10 minutes
• Streaming session records are periodically cleaned up
• Payment records are retained as required for tax and accounting obligations
• Audit logs are retained for security and compliance purposes

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — You can view your account information through your profile settings
• Correction — You can update your name, email, and profile information through your account settings
• Deletion — You can request account deletion through your account settings. Deleting your account removes your authentication credentials and cascades to associated data including sessions, studio configurations, and platform connections
• Disconnection — You can disconnect any linked third-party platform at any time through your account settings
• Objection — You may object to certain processing of your data by contacting us

To exercise any of these rights, contact us at [email protected]. We will respond to requests within 30 days.

8. International Data Transfers

Your information may be processed on servers located outside your country of residence. Our authentication provider, payment processor, email service, and storage infrastructure may operate in different jurisdictions. By using the Service, you consent to the transfer of your information to these locations. We take steps to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

9. Children's Privacy

The Service is not intended for anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to delete that information.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date above. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at [email protected].