Privacy Policy

Effective June 13, 2026 · Last updated June 13, 2026

Traxy ("Traxy", "we", "us") helps you track habits, journaling, fitness, nutrition, mental health, and finances across the web and the Traxy mobile app. Because Traxy can handle health and financial information, we hold ourselves to a high bar for privacy. This policy explains exactly what we collect, why, how we protect it, and how you can export or permanently delete it.

1. Data we collect

We collect only what we need to run the features you use:

  • Account data — username, email, password (stored only as a salted bcrypt hash), display name, timezone, and an optional profile photo.
  • Content you create — trackers, check-ins, journal entries, reactions and comments, calendar events, and the visibility settings you choose for each.
  • Health & fitness data — workouts, steps, heart rate, sleep, weight, mental check-ins, and nutrition you log directly or connect from Apple Health (see §2).
  • Financial data — accounts, balances, and transactions you add manually or import through Plaid (see §3).
  • Technical data — a device identifier and basic diagnostic logs used to keep the app secure and working. We do not use third-party advertising trackers.

2. Apple Health & HealthKit

If you connect Apple Health on iOS, Traxy reads only the specific HealthKit data types you explicitly authorize (for example steps, workouts, heart rate, sleep, and weight). You grant and revoke this access in the Health app at any time.

  • HealthKit data is used solely to power the features you see in Traxy — your dashboards, bubbles, and trackers — and to sync them to your own account so they appear on the web app.
  • We never use Health data for advertising or marketing, and we never sell it or share it with data brokers.
  • We do not share Health data with any third party except as needed to operate your own account, and never without your action.

This use complies with Apple's HealthKit requirements and applicable health-privacy law.

3. Financial data (Plaid)

To import bank balances and transactions, Traxy uses Plaid. When you link an account, you authenticate directly with your bank through Plaid; Traxy never sees or stores your bank login credentials. Plaid returns account and transaction data to Traxy under access tokens that we store encrypted at rest.

Plaid's handling of your information is governed by the Plaid End User Privacy Policy. You can disconnect a linked institution at any time from the Finance screen, which revokes Traxy's access and removes the stored tokens.

4. Other connected services

  • Withings — if you connect Withings, we use OAuth tokens (stored encrypted) only to fetch the measurements you ask an automation to read, such as weight for a given day.
  • Google Calendar — if you connect it, we read/write only the calendar data needed for the calendar features you enable.
  • Nutrition databases — food searches may query providers such as USDA, Nutritionix, and Open Food Facts to return nutrition facts.
  • Inbound webhooks & automations — any external service you wire up sends data to a per-user signed endpoint; we verify an HMAC signature before accepting it.

You control each connection and can disconnect it at any time, which revokes the stored tokens.

5. How we use your data

  • To provide and sync the features you use across web and mobile.
  • To show the people you choose your shared trackers and activity (per your visibility settings).
  • To power the in-app AI advisor — only over the data scopes you grant it, which you control in Settings.
  • To keep the service secure, debug problems, and prevent abuse.

We do not sell your personal data, and we do not use your health or financial data for advertising.

6. Sharing & disclosure

We disclose data only:

  • To people you choose — friends or groups you share specific trackers with, according to your visibility settings.
  • To service providers that run Traxy on our behalf (e.g. cloud hosting, Plaid, Withings, Apple) under contracts that limit them to providing the service.
  • When legally required — to comply with valid legal process or protect the rights and safety of users and the public.

7. How we protect it

  • Encryption in transit (HTTPS/TLS) for all traffic.
  • Sensitive tokens (Plaid, Withings, OAuth, webhook secrets) are encrypted at rest with application-level envelope encryption.
  • Passwords are stored only as salted bcrypt hashes — never in plain text.
  • On mobile, your session token is held in the device's secure keychain (SecureStore).
  • Inbound webhooks are HMAC-signature-verified; sensitive endpoints are rate-limited; access to health and financial data is audit-logged.

8. Retention & deletion

We keep your data while your account is active. You can permanently delete your account — and everything tied to it — at any time:

  • In the mobile app: Profile → Danger zone → Delete account.
  • On the web: Settings, or by contacting us at the address below.

Deletion is immediate and irreversible: it removes your trackers, journals, health and finance records, connected-service tokens, automations, and webhooks. Backups are purged on our regular rotation.

9. Your rights & choices

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise most of these directly in the app, or contact us and we will help. We will not discriminate against you for exercising any privacy right.

10. Children

Traxy is not directed to children under 13 (or the minimum age required in your region), and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this policy

We may update this policy as Traxy evolves. We will revise the "Last updated" date above and, for material changes, give notice in the app or by email.

12. Contact us

Questions or requests? Email privacy@traxy.app.