notrix.
Log inSign up
LEGAL

Privacy policy

Last updated: May 1, 2026

This policy explains what data we collect, why, and what your rights are. We try to collect as little as possible while still operating a secure subscription service. If something is unclear, email privacy@notrix.pro.

1. Data we collect

  • Account: email, password (hashed via bcrypt), display name, optional Discord username, optional avatar.
  • Hardware fingerprint (HWID): SHA-256 hash of your CPU, motherboard, and disk identifiers. We never store the raw values.
  • Billing: handled by Stripe; we store only the order ID, last-4 of card, and country. Full card data lives at Stripe.
  • Usage: license validate timestamps, IP (truncated to /24 for analytics), tray-client version, current game.
  • Support tickets: ticket text + attachments you upload.
  • Audit log: actor, action, target, timestamp for every privileged operation.

2. Data we DO NOT collect

  • Game memory contents (read by DMA but never sent to our servers)
  • Screenshots or video of your gameplay
  • Browser history outside of notrix.pro
  • Other users' HWIDs, network packets, or device telemetry
  • Any data from your game PC — only the second PC running our tray client communicates with us

3. Why we collect it

  • HWID: enforce one-machine-per-key (prevents key sharing)
  • Email: send you keys, receipts, expiry warnings, security alerts
  • Usage: aggregate metrics (active sessions count) and fraud detection (impossible-travel alerts)
  • IP: rate limiting, fraud scoring, GDPR jurisdiction (we don't store full IPs long-term)
  • Audit log: legal compliance, security investigations, customer transparency requests

4. Who we share it with

We share data with the minimum necessary processors:

  • Stripe — payment processing
  • Postmark / Resend — transactional email delivery
  • Vercel — application hosting
  • Cloudflare — DNS, tunnel, DDoS protection
  • Sentry — error reporting (PII scrubbed)
  • Backblaze B2 — encrypted backups

We do not sell your data, share it with advertising networks, or use it to train AI models.

5. Retention

  • Active account data: kept while account is active
  • Logs containing PII: 30 days, then anonymized
  • Audit log: indefinite (anonymized after account deletion)
  • Backups: 30 days rolling on Backblaze, then deleted
  • Compliance/tax records: 7 years (legal requirement)

6. Your rights (GDPR / CCPA)

You can:

  • Access your data (Settings → Danger zone → Export)
  • Correct inaccurate data (Settings → Profile)
  • Delete your account (Settings → Danger zone → Delete) — anonymizes everything except the audit log
  • Restrict processing for specific purposes (email privacy@notrix.pro)
  • Port your data — JSON export available anytime
  • Audit who has impersonated your account (Settings → Sessions)

7. Cookies

We use cookies for: authentication (HttpOnly Secure), CSRF protection, theme preference, and tenant resolution. We do not use third-party tracking cookies. EU visitors see a cookie consent banner on first visit.

8. Security

We use industry-standard practices: bcrypt password hashing, TLS 1.3 in transit, AES-256 at rest for sensitive fields, rate limiting, BotID, Stripe Radar fraud scoring, and a third-party penetration test before public launch. We disclose breaches within 72 hours per GDPR.

9. International transfers

Data is stored on Vercel (US/EU regions), our home server (US), and Backblaze (US). EU customers' data is processed under GDPR Standard Contractual Clauses where applicable.

10. Changes

Material changes are emailed with 30 days notice. Effective date is shown at the top of this page.

This is a placeholder document for layout review. Final legal text will be drafted by counsel.

Questions? Email legal@notrix.pro