We collect the following categories of information when you use TrafficUniversal:
| Category | Data Points | Purpose |
|---|---|---|
| Account Info | Name, email address, password (bcrypt hash), profile photo | Authentication, account management |
| Usage Data | Pages visited, plugin views, clicks, search queries | Platform improvement, analytics |
| Payment Data | Transaction IDs, amounts, timestamps only — card data handled by payment processors | Purchase records, receipts |
| Technical Data | IP address, browser type, device information, session data | Security, fraud prevention |
| Plugin Data | Installed plugins, API key usage logs, access scope authorizations | Plugin management, security audit |
- Provide, operate, and improve the TrafficUniversal platform
- Process payments and maintain purchase records
- Send transactional emails (receipts, account alerts, security notifications)
- Detect, investigate, and prevent fraud and security incidents
- Analyze platform usage to improve user experience
- Comply with legal obligations and respond to lawful requests
We do not sell your personal data to third parties. We do not use your data for advertising profiling.
⚠️ This section is critical. When you install plugins that require API key access, those plugins may access portions of your account data.
- Each plugin declares its required data access scopes in its marketplace listing and plugin.json
- When you purchase and activate a plugin, you authorize it to access only its declared scopes
- We log all API access for security auditing (retained for 90 days)
- Plugin developers are independent data controllers for data they receive via API access
- You can view all active API authorizations at Settings → API Keys
- You can revoke any plugin's API access at any time from your settings
📖 TrafficUniversal is not responsible for how plugin developers store, process, or share data they receive via API access. Please review each plugin's declared data access and linked privacy policy before installing. If a plugin accesses data not declared in its marketplace listing, report it to us.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | While active + 90 days after deletion | Account recovery, dispute resolution |
| Transaction records | 7 years | Legal / tax compliance requirement |
| API access logs | 90 days | Security auditing |
| Analytics events | 1 year | Platform improvement |
| Security / system logs | 90 days | Incident investigation |
Depending on your jurisdiction, you have the following rights regarding your personal data:
📋 Access
Request a copy of the personal data we hold about you
✏️ Correction
Request correction of inaccurate or incomplete data
🗑️ Deletion
Request deletion of your data ("Right to be Forgotten")
📦 Portability
Receive your data in a structured, machine-readable format
⛔ Restriction
Request restriction of processing your personal data
🚫 Objection
Object to processing of your data for specific purposes
To exercise any of these rights, contact us at privacy@trafficuniversal.com. We will respond within 30 days. Note: certain data may be retained where required by law (e.g., transaction records).
| Cookie Type | Purpose | Can Opt Out? |
|---|---|---|
| Essential | Session management, CSRF protection, authentication | No — required for Platform to function |
| Analytics | Understanding platform usage patterns | Yes — via Cookie Settings |
| Advertising | N/A — we do not use advertising or tracking cookies | N/A |
We use the following third-party services, each with their own privacy policies:
- Stripe (payment processing) — stripe.com/privacy
- Razorpay (payment processing) — razorpay.com/privacy
- eSewa (payment processing, Nepal) — see eSewa's privacy policy
- Google OAuth (optional login) — policies.google.com/privacy
TrafficUniversal does not receive or store full payment card details from any of these processors.
We implement the following security measures to protect your data:
- Passwords — hashed using bcrypt (never stored in plain text)
- CSRF protection — all forms protected with CSRF tokens
- HTTPS enforced — all traffic encrypted in transit via TLS
- HSTS — HTTP Strict Transport Security enabled
- Rate limiting — API endpoints rate-limited to prevent abuse
- Security headers — X-Frame-Options, X-Content-Type-Options, CSP enforced
- Regular audits — periodic security reviews of platform and plugin code
- IP blocking — automated blocking of suspicious IP addresses
Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it to security@trafficuniversal.com.
TrafficUniversal is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
If you believe a child has provided personal data to us, please contact privacy@trafficuniversal.com and we will delete that information promptly.
For privacy-related inquiries, data access requests, or concerns:
📧 Privacy: privacy@trafficuniversal.com
🔒 Security: security@trafficuniversal.com
💬 Support: support@trafficuniversal.com
We aim to respond to all privacy requests within 30 days.