How we handle your data.

This policy explains what Trixy collects when you use the Trixy Chrome extension or the trixy.ai website, what we do with it, and the rights you have over it. Trixy is built and operated by Trixy Inc.

• Polymarket proxy address. The public on-chain address you submit when applying. We use it to fetch your public Polymarket activity so the product can render the Portfolio tab and the admin queue can gauge your place in line. Stored on our servers, tied to your application.
• Access code. A randomly generated string we issue at apply time. Saved on the device you applied from and sent with each request so we can identify your session. It does not grant access to your wallet or sign anything on-chain.
• Polymarket activity. Public position data, trade volume, and balance read from public sources at apply time and on each Portfolio refresh. Snapshotted so the queue can prioritize active traders. Refreshed periodically.
• Active tab URL (extension only). When you have a Polymarket market page open, the extension reads the URL of the active tab to extract the market identifier. We do not read page content, form data, cookies, or any tab outside Polymarket. URLs are not stored or transmitted.
• Optional public handle and tweet. If you opt to skip the queue by tweeting, we store: the AI-generated tweet text we ask you to post (so the mention scanner can match it against a posted tweet), the public X handle that posted it, and the URL of the verified tweet. The tweet content itself is public by the time we see it. Skip tweeting and we never see any of this.

No name, no email (unless you write to us directly), no payment information, no health data, no GPS or IP-based location, no browsing history beyond the Polymarket URL the extension is open against, no clickstream/keystroke/scroll telemetry from inside the extension, no DOM or page content scraping.

• Operate the product. Render the Intel, Portfolio, and Explore views in the side panel. Generate the AI-written thesis. Run the access gate.
• Operate the queue. Score new applications by your public Polymarket activity so we can prioritize active traders. Store the tweet text generated for you so the mention scanner can verify a posted tweet.
• Operate the service. Server logs (request paths, latencies, error traces) for debugging and uptime. The marketing website uses anonymized pageview analytics; the extension does not.

• Sell, rent, or trade your data to third parties.
• Sign, broadcast, or relay on-chain transactions on your behalf. Your wallet alone produces the signature for every order. (See Polymarket builder attribution below for the one in-page field we do set.)
• Use your data for credit scoring, lending, insurance, or employment decisions.
• Share data with advertisers or data brokers.
• Train AI models on your trading history.

• Market data provider. We read Polymarket's public market and position APIs server-side to render intel, opportunities, and the Portfolio tab. The extension itself does not call these APIs directly.
• Large language model. The AI-written thesis is produced by a third-party language model. Prompts contain market data, holder analysis, and public comments — never your wallet address, access code, or any personally identifying information.
• Mention scanner. When you opt in to skip the queue by tweeting, a server-side scanner reads public mentions of our handle to verify the tweet. Only public tweets are read; no Twitter login is required from you.

Trixy participates in Polymarket's builder program — a fee-share mechanism Polymarket runs for tools that help users place orders. When you have the extension installed and you place an order on polymarket.com, Trixy attaches its builder code to the order before your wallet signs it. A small portion of the order's fee then routes to Trixy as the builder of record.

This is a default behaviour — no toggle in the side panel. To opt out, uninstall the extension; orders you place after that carry no Trixy attribution.

• What we change. A single field — builderCode — on the in-page order object before your wallet signs it. The order's market, side, size, price, and the cryptographic signature itself are entirely produced by your wallet. Trixy never sees your private key, never broadcasts orders on your behalf, and never alters anything you'd see on the Polymarket order ticket.
• What we receive. Whatever builder rebate Polymarket pays out for orders carrying our code. Polymarket pays the builder; we never touch your funds. We do not learn anything about your trades that isn't already visible through Polymarket's public APIs.
• How it works technically. A small in-page script (builder-attribution.js) runs only on polymarket.com pages and only sets the builder code on Polymarket's own order client. It reads no form input, no DOM content, no cookies, and nothing on any other tab. Source code ships in the public extension bundle and is reviewable in the listing.

• Extension. The Trixy Chrome extension uses no cookies, no web beacons, no fingerprinting, no analytics SDKs, and no ad networks. Local storage on your device holds only your access code and a short-lived session token — nothing is sent to third parties.
• Marketing website (trixy.ai) and extension. We use a self-hosted Umami instance at analytics.trixy.ai to count visits, pageviews, and feature usage. Umami does not set cookies, does not persist IP addresses, and does not share data with any third party. For logged-in extension users we also log a truncated form of your Polymarket proxy address (first 8 + last 4 characters) against each event so we can see product-funnel behaviour per user — the same public address you authenticated with, never your access code or any other secret. You can block analytics at the browser level with any standard ad/tracker blocker.
• Do Not Track / Global Privacy Control. We honour the Global Privacy Control (GPC) signal as an opt-out request from California users and treat it as a withdrawal of consent under GDPR where applicable. Legacy "DNT" headers are not standardised; we do not rely on them, but our actual data practices (no advertising, no cross-context behavioural tracking) reflect their spirit.

• All traffic between your browser, the extension, and our servers is encrypted with TLS 1.2 or higher.
• Access codes are issued with sufficient entropy that guessing is impractical. Session tokens (JWTs) are short-lived and signed with a server-side secret.
• Server access is restricted to a small number of operators on a need-to-have basis. Database files are not exposed to the public internet.
• No system is 100% secure. If we become aware of a breach affecting your data we'll notify you and the relevant authorities within the timeframes required by applicable law.

Our servers are hosted in the United States. If you access the Service from outside the US, your data will be transferred to, stored, and processed in the US. By using the Service you acknowledge this transfer. For users in the EU/UK, we rely on the EU Commission's Standard Contractual Clauses (or equivalent UK addenda) where applicable to safeguard the transfer.

Application records and access codes are kept until you ask us to delete them or your account is permanently rejected. Cached public activity is refreshed periodically. Server logs are retained for a short rolling window (currently around 30 days). Your access code lives on the device you applied from until you uninstall the extension or clear site data.

If you are in the EU, UK, or another jurisdiction with GDPR-style rules, we rely on the following bases:

• Performance of a contract. To deliver the Service you applied for (rendering Intel, Portfolio, Explore; issuing and verifying access codes).
• Legitimate interest. To prevent abuse, score applications for the waitlist, keep the Service running, and improve it. We've reviewed each use and concluded the impact on you is limited.
• Consent. For the optional tweet-to-skip-queue flow and for any future marketing communication. You can withdraw consent at any time; withdrawal does not affect the legality of prior processing.
• Legal obligation. Where we have to retain or disclose data in response to a valid legal request, court order, or applicable law.

Email privacy@trixy.ai from the address you'd like the request tied to and we will: confirm what we have on you, export it, correct it, restrict its use, or delete it. We respond within 30 days.

• EU / UK (GDPR). Right of access, rectification, erasure, restriction, portability, and objection. Right to withdraw consent at any time. Right to lodge a complaint with your local supervisory authority.
• California (CCPA / CPRA). Right to know what we collect, right to delete, right to correct, right to limit use of sensitive personal information (we don't collect any), and right to opt out of "sale" or "sharing" for cross-context behavioural advertising. We do not "sell" or "share" personal information as defined by the CCPA/CPRA, and we have not done so in the prior twelve months. You will never be retaliated against for exercising any of these rights.
• Authorised agents. You may designate an agent to make a request on your behalf; we will verify the agent's authority before responding.

Trixy is not directed at children under 18 and we do not knowingly collect data from anyone below that age. If you believe a child has shared data with us, email privacy@trixy.ai and we will delete it. Polymarket's terms separately require users to be of legal age in their jurisdiction.

This policy is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-law rules. If your local privacy law gives you stronger rights than this policy describes, those continue to apply alongside it.

When we change what we collect or how we use it we'll bump the "Last updated" date at the top and, for material changes, surface a notice in the extension and on this page.

privacy@trixy.ai for anything privacy-related. Trixy Inc.