1. What we collect
Account data
- Email address — required for login, notifications, support
- Password — stored as argon2id hash (we cannot recover; only verify)
- Display name — optional, shown on tickets
- Telegram chat ID — if you link Telegram bot
- Signup IP and timezone — for fraud prevention
- 2FA secret — if you enable 2FA (encrypted at rest)
Billing data
- Plan tier, cycle, expiry date
- Payment transaction references (NowPayments txn IDs, bank ref codes)
- Credit balance and history
- Country derived from signup IP (for VAT compliance, if applicable)
We do not collect credit card numbers (we don't process card payments). Crypto payments are pseudonymous on-chain — we record the txn ID, not your wallet address.
Connection metadata (operational)
For each request through our proxies, we log:
- Timestamp
- Authentication user (your assigned haproxy_user)
- Bytes uploaded / downloaded for bandwidth billing
- Response status code (200, 403, 5xx, etc.) for error monitoring
- Destination domain (hostname only) for your debug stats — see Section 2 for what this is NOT
- Upstream IP used (which Provider A-leased IP served the request)
Support data
- Tickets you open, including any text and screenshots you attach
- Telegram messages if you contact us via bot
2. What we don't collect
Specifically and intentionally, we do not log or retain:
- URL paths — only the hostname (e.g.
amazon.com), never /dp/B08...
- Query parameters
- Request headers beyond what's needed for auth and routing
- Request bodies (POST data, JSON payloads, form fields)
- Response bodies (HTML, JSON, file contents)
- Cookies your tool sends through the proxy
- Authentication credentials you send to target sites
Our HAProxy and 3proxy configurations are set to TCP-tunnel HTTPS traffic without inspection. We physically cannot decrypt TLS without a man-in-the-middle setup, which we do not run.
3. How we use data
- Provide the Service — authenticate logins, route traffic, deliver IPs
- Bill and prevent fraud — match payments, detect abuse patterns
- Customer support — respond to tickets, debug your issues
- Service improvements — aggregate stats (not individual behavior) for product decisions
- Legal compliance — respond to lawful requests, AUP violations
We do not sell, rent, or trade your data. We do not use your data for advertising or marketing without your explicit opt-in to our newsletter.
4. Who we share with
We share data only with these third-party processors strictly to provide the Service:
| NowPayments | Crypto payment processing — receives amount + txn reference |
| Resend | Transactional email — receives email address + message body |
| Cloudflare | DNS, CDN, DDoS protection — sees connection metadata, not content |
| Vultr | VPS hosting — runs our infrastructure; no access to customer data |
| Provider A / upstream IP providers | IP leasing — sees auth credentials we issue them, not your customer email |
| Fraud-detection vendor | IP reputation scoring — receives proxy IPs (ours, not your egress traffic). Vendor identity disclosed under DPA on request. |
We may disclose data if compelled by lawful subpoena. We commit to challenging overbroad requests and notifying you when legally permitted.
5. Retention
- Account data — kept while your account is active; 30 days after deletion request, then anonymized
- Payment ledger — retained 7 years for tax/accounting compliance (txn IDs only, no card data)
- Connection logs — 90 days then aggregated; raw logs deleted
- Support tickets — 2 years from resolution
- Audit log — 90 days, then archived to encrypted cold storage for 1 year
6. Your rights (GDPR & beyond)
Regardless of where you live, you have the right to:
- Access all data we hold about you — request via dashboard or email
- Export your data in JSON format (Settings → Danger zone → Export)
- Correct inaccurate information
- Delete your account and personal data (Settings → Danger zone → Delete)
- Restrict processing — request we pause use of your data for specific purposes
- Object to data processing (e.g. opt out of newsletter)
- Lodge a complaint with your local data protection authority
We respond to verified rights requests within 30 days. Free of charge unless requests are excessive or unfounded.
7. Cookies
We use the minimum cookies necessary:
- Session cookie (essential) — keeps you logged in; signed JWT, httpOnly, secure, samesite=Lax
- Cloudflare Turnstile token (essential) — anti-bot verification on signup/login
- Analytics cookie (optional, opt-in) — Plausible self-hosted, no third-party tracking
We do not use Google Analytics, Facebook Pixel, or any cross-site tracking cookies. No third-party advertising trackers.
8. Security
- All data in transit: TLS 1.3
- Passwords: argon2id hashed (64 MB memory cost, 3 iterations)
- API tokens: SHA-256 hashed at rest, shown once at generation
- Database: SQLite on encrypted Vultr volumes (LUKS), continuous backup to Cloudflare R2 (encrypted at rest)
- 2FA available (TOTP) — required for admin/staff accounts
- Audit log of all sensitive actions (login, password change, replace IP, payment)
We disclose any confirmed data breach within 72 hours (GDPR Art. 33).
9. International transfers
Our infrastructure runs in the US (New Jersey), EU (Frankfurt), and Asia (Tokyo). Your data may be processed in these regions for low-latency routing. We rely on Standard Contractual Clauses (SCCs) for EU-to-US transfers as appropriate.
Privacy questions: privacy@proxyxin.com
Data subject access / rights requests: dpo@proxyxin.com
If you are in the EU/EEA and feel we have not addressed your concern, you may also lodge a complaint with your local Data Protection Authority.