Privacy Policy
Last updated: 2026-04-22
Summary
TxBooks is a Bitcoin-native bookkeeping service for merchants. To provide the service we need to store your account details, your wallet's public information (xpub/zpub/etc.), and the transactions we derive from the public blockchain. We never receive or store your private keys or seed phrases — you keep those. We do not sell data. We do not place third-party ad trackers on the site. You can export or delete your data at any time.
1. Data we collect
1.1 Account information
When you sign up via Google OAuth or an email magic-link, we store: your email address, display name, optional avatar URL (Google only), timestamps for account creation and last login, and session cookies managed by Auth.js.
1.2 Organization + billing information
When you create or join an Organization we store the Organization name, membership role, and billing status. Subscription billing is handled by Stripe; we receive and store only non-sensitive metadata (customer ID, subscription ID, status, current-period dates). Your full card number is never sent to, seen by, or stored by TxBooks.
1.3 Wallet and transaction data
To sync a merchant wallet you paste an extended public key (xpub / ypub / zpub / tpub / upub / vpub). We store the xpub itself, a label you give it, and derived addresses. We then use these to fetch transactions from public Bitcoin block explorers and index them against your Organization. We never receive your private key or seed phrase; the system is read-only by design.
1.4 Support communications
If you contact us (via support@txbooks.app or the contact form) we retain the message and our reply so we can follow up.
1.5 Server logs
Our hosting provider (Render) keeps standard HTTP request logs — IP address, timestamp, URL path, user-agent, response status. We use Axiom for application logging (non-PII request IDs, error traces, duration metrics). Neither log stream is used for advertising.
2. How we use your data
- Operate the service (syncing wallets, generating reports, sending receipts)
- Bill you for your subscription via Stripe
- Email transactional notifications (invoices, sync failures, account alerts)
- Prevent abuse (rate limiting, bot detection via Cloudflare Turnstile)
- Debug issues and improve reliability
- Comply with legal obligations (tax reporting, lawful requests)
We do not sell your data, share it with advertisers, or use it to train machine-learning models.
3. Subprocessors we share data with
To run TxBooks we rely on the following third parties:
- Render (US) — hosting + managed Postgres database
- Stripe (US) — payment processing and subscription billing
- Google (US) — OAuth sign-in (if you use Google login)
- Resend (US) — transactional email (magic links, receipts, alerts)
- Cloudflare (US) — DNS, Turnstile bot protection, email forwarding
- Axiom (US) — application-level logging and observability
- Kraken (US) — BTC/USD spot price reference for reports
- mempool.space / Blockstream.info — public blockchain data for wallet sync
Each subprocessor only receives the minimum data needed to perform its function. We review subprocessor practices annually.
4. Cookies and similar technologies
We use a small number of essential cookies: a session cookie set by Auth.js to keep you signed in, and a locale cookie to remember your language preference. We do not place advertising or cross-site tracking cookies. We do not currently integrate Google Analytics, Facebook Pixel, or similar trackers. If this changes we will update this policy and prompt you before tracking begins.
5. Data retention
- Active accounts: retained for as long as your Organization remains active
- Cancelled accounts: deleted within 30 days of cancellation, except where longer retention is required for tax or legal reasons
- Application logs: retained up to 90 days
- Billing records: retained for 7 years per US tax requirements
6. Your rights
Regardless of where you live, you may request any of the following and we will respond within 30 days:
- Access: a copy of the data we hold about you
- Portability: a machine-readable export of your Organization's data
- Correction: updates to inaccurate data
- Deletion: removal of your account and associated data
- Objection: opt out of any non-essential processing (note: the service cannot function without essential processing)
California residents have specific CCPA rights; EU / UK residents have GDPR rights. To exercise any right, email privacy@txbooks.app or reply from the email address on your account.
7. Security
We protect your data using industry-standard measures: TLS in transit, encrypted storage at rest via managed Postgres, least-privilege access controls, bcrypt password hashing where applicable, and Cloudflare Turnstile on authentication surfaces. No system is perfectly secure, but we respond to suspected breaches within 72 hours and notify affected users when required by law.
8. International transfers
Our servers are located in the United States. If you access TxBooks from outside the US, your data is transferred to and processed in the US. We rely on standard contractual clauses with our subprocessors where applicable.
9. Children
TxBooks is not directed at users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us for removal.
10. Changes to this policy
We will update the date at the top of this page whenever this policy changes. Material changes (new subprocessors, new data categories) will be announced via email to active accounts at least 14 days before taking effect.
11. Contact
For questions, or to exercise a right under this policy, email privacy@txbooks.app.
General support: support@txbooks.app.