crxpay

Privacy Policy

We collect what we need to run the service, never sell your data, and store as little as possible. This page is the precise legal version. Last updated May 9, 2026.

1. Who we are

crxpay is operated by Talksurge ("we", "our", "crxpay"). We provide a subscription and payments platform for Chrome extension developers. This policy covers crxpay.io, dashboard.crxpay.io, docs.crxpay.io, and our SDK.

2. What we collect

From extension developers (our customers):

  • Account info: email, name, organization name, hashed password.
  • Stripe Connect identifiers (your acct_ id) — we never see or store your bank details, KYC documents, or card information; those stay with Stripe.
  • Configuration data: the extensions you register, their products, prices, paywalls, entitlements, and experiments.
  • Usage telemetry: API request counts, error rates, feature usage.

From end-users of your extension (via our SDK):

  • An anonymous install_id (a UUID generated locally in the browser), used to scope subscription state to a single install.
  • When the user pays: their email (only if they entered one in your paywall), Stripe customer id, subscription status, and entitlement grants.
  • Optional install metadata if you choose to send it: locale, browser flavor, extension version. We never collect IP-derived geolocation, browsing history, or page content.

3. How we use it

  • To operate the platform: provision Stripe Connect accounts, route webhooks, resolve entitlements, fan out events to your endpoints.
  • To send transactional emails: signup verification, password reset, dunning notifications, license key delivery.
  • To compute aggregate, anonymized benchmarks (only after k-anonymity ≥ 50 extensions per cohort). You can opt out from project settings.
  • To investigate abuse, fraud, or service-degradation incidents.

We do not sell your data, share it with advertising networks, or train AI models on it.

4. Sub-processors

  • Cloudflare — hosting (Workers, D1, KV, R2, Queues).
  • Vercel — hosting for the dashboard, marketing, docs.
  • Stripe — payment processing + Connect.
  • Resend — transactional email delivery.
  • Axiom — operational logs (no PII; identifiers are hashed).

We pick sub-processors with strong security postures (SOC 2, GDPR DPAs available). A current list with current DPA links is available on request from privacy@crxpay.io.

5. Data retention

  • Account data: until you delete the account, then 30 days for backups.
  • Subscription + entitlement records: kept indefinitely while the account is active (you may need them for accounting or chargeback disputes).
  • Operational logs: 90 days.
  • Webhook delivery logs: 30 days.

6. Your rights (GDPR, CCPA, etc.)

You can request access, correction, deletion, or portability of your data at any time. Email privacy@crxpay.io — we respond within 30 days. If you're an end-user of an extension built on crxpay, contact the extension developer first; they control your data.

7. Security

Passwords are hashed with bcrypt. Session tokens are signed JWTs with a 7-day TTL. Webhook signatures use HMAC-SHA256. License envelopes are signed with Ed25519. Data in transit uses TLS 1.3. Data at rest in Cloudflare D1 is encrypted by the platform. We follow the OWASP Top 10 as a baseline and conduct internal reviews before each major release.

8. Cookies

We use one essential cookie (crxpay_session, httpOnly) on dashboard.crxpay.io to keep you signed in. We use one preference cookie (crxpay_mode) to remember your test/live toggle. We do not set analytics or advertising cookies on the marketing site.

9. Changes to this policy

We'll post the new version here with an updated date. Material changes (new sub-processor, new data category) trigger an email to all account owners at least 30 days before the change takes effect.

10. Contact

privacy@crxpay.io for any privacy question or request.