Privacy Policy

Last updated: April 2, 2026

1. Introduction

MERX ("we", "our", "the platform") operates merx.exchange, a TRON blockchain resource exchange. This policy describes how we collect, use, and protect information when you use our platform, API, SDKs, and MCP server.

2. Information We Collect

Account data

Email address, hashed password (bcrypt), and OAuth provider identifiers (Google, GitHub, Twitter) when you create an account.

API keys

We store a bcrypt hash and a 16-character prefix of your API key. The full key is shown once at creation and never stored in plaintext.

Transaction data

Order history, deposit and withdrawal records, and on-chain transaction IDs associated with your account. All financial records are stored in an immutable ledger.

Usage data

API request logs (endpoint, timestamp, IP address, response status) retained for 30 days for rate limiting and abuse prevention. MCP tool call counts (aggregated, no personal data).

TRON addresses

Target addresses you provide for energy delegation. These are public blockchain addresses, not personal data.

3. Information We Do Not Collect

We do not collect, store, or transmit TRON private keys. When using the MCP server or SDKs with TRON_PRIVATE_KEY, the key remains in the local process and is never sent to MERX servers. Transaction signing happens locally.

4. How We Use Information

5. Data Sharing

We do not sell or share personal data with third parties. Order execution requires sending your target TRON address to energy providers (this is an on-chain operation visible to anyone). We use the TronGrid API for blockchain queries.

6. Data Security

All traffic is encrypted via TLS 1.2/1.3. Database access is restricted by role (API, web, admin). API keys are stored as bcrypt hashes. The admin panel requires TOTP 2FA. The treasury private key is stored as a Docker secret with restricted access. See our authentication documentation for details.

7. Data Retention

Account and transaction data are retained for the lifetime of your account. API request logs are retained for 30 days. A2A task and ACP run data are stored in Redis with a 24-hour TTL and then automatically deleted.

8. Cookies

We use session cookies for authentication (NextAuth). No tracking cookies. No third-party analytics.

9. Your Rights

You can export your order history via the API (GET /api/v1/history). To request account deletion, contact us at the email below. Deletion removes your account, API keys, and webhook configurations. Ledger entries are retained for financial integrity.

10. Contact

For privacy questions: privacy@merx.exchange

Telegram: @merx_exchange