Privacy Policy

Last updated: March 31, 2026

nproxy ("we", "us", or "our") operates the nproxy.app service, an package registry proxy that analyzes packages for security threats. This Privacy Policy describes what data we collect, how we use it, and your rights.

Data We Collect

Package metadata

When your package manager resolves packages through nproxy, we process package metadata (package names, versions, maintainer information, and dependency trees) from upstream registries including npm, PyPI, Go modules, crates.io, Maven Central, and RubyGems.

Usage data

We collect information about requests made to your nproxy endpoint, including:

  • Package names and versions requested
  • Timestamps of requests
  • Security rule results (which rules triggered and why)
  • IP addresses (for rate limiting and abuse prevention)
  • User-agent strings (to identify the package manager being used)

Account data

When you create an account, we collect your email address and any profile information you provide. If you create an organization, we store the organization name and configuration settings you choose.

Payment data

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We receive and store your Stripe customer ID and subscription status.

How We Use Your Data

  • Security analysis: Package metadata is analyzed in real time to detect malicious packages, account takeovers, typosquats, and other supply chain threats.
  • Audit logging: Request and rule data is stored to provide your organization with an audit trail of blocked and allowed packages.
  • Service improvement: Aggregated, anonymized usage data helps us improve our security rules and detection accuracy.
  • Account management: Email addresses are used for account authentication, service notifications, and support.

Cookies

We use essential cookies for session management and authentication. We do not use third-party advertising or tracking cookies. You can manage your cookie preferences through the cookie consent banner displayed on your first visit.

Third-Party Services

We share data with the following third-party services:

  • Socket.dev: Package names and versions are sent to Socket.dev's API for malware detection and risk scoring. See Socket.dev's privacy policy.
  • Stripe: Payment and billing data is processed by Stripe. See Stripe's privacy policy.
  • Cloudflare: Our service runs on Cloudflare's infrastructure. Cloudflare processes request data for DNS resolution, CDN caching, and DDoS protection. See Cloudflare's privacy policy.

Data Retention

Audit log data is retained for the duration specified by your plan (90 days for Pro, custom for Enterprise). Account data is retained for as long as your account is active. You may request deletion of your account and associated data at any time.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing of your data

Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest, and access controls. Our infrastructure runs on Cloudflare Workers with data stored in Cloudflare D1 and R2.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.

Contact

For privacy-related questions or requests, contact us at privacy@nproxy.app.