TrackXpress Privacy
Last Updated: April 18, 2026
1. Introduction
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AliExpress Deals Bot (“the Bot”, “we”, “us”, or “our”). This Bot operates as a Telegram bot and associated mini-application.
We are committed to protecting your privacy and handling your data in a transparent and secure manner. This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller Information
Data Controller: MassiveBox
Email: legal@boxo.cc
Telegram: @massivebox
3. What Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Telegram User Data
- Telegram User ID (unique numerical identifier provided by Telegram). This is the primary identifier we use to associate your data with your account.
3.2 User Preferences
- Country/Region preference (for shipping and pricing localization)
- Currency preference (for price display in your preferred currency)
- Last usage timestamp (to track when you last interacted with the Bot)
3.3 Product Tracking Data
- Product IDs of items you choose to track
- Start price (the price when you began tracking)
- Notification target price (the price threshold for alerts)
- Notification count (how many alerts have been sent)
- Tracking status (active/disabled)
- Tracking timestamps (when tracking started/ended)
3.4 Technical Data (Processed Transiently)
- IP Address – used temporarily during initial region setup to suggest your country via local GeoIP lookup (MaxMind GeoLite2). This is not stored persistently, nor transmitted to any external server.
- User-Agent and browser information during mini-app usage.
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
4.1 Contractual Necessity (Article 6(1)(b))
Processing is necessary to provide the Bot’s core functionality:
- Storing your Telegram User ID to identify your account
- Storing tracking preferences and product data to provide price monitoring
- Sending price drop notifications
4.2 Legitimate Interests (Article 6(1)(f))
- Analyzing usage patterns to improve the Bot’s functionality
- Temporary IP-based geolocation for suggesting regional settings
- Maintaining system security and preventing abuse
We have conducted a balancing test to ensure that our legitimate interests do not override your rights and freedoms.
4.3 Consent (Article 6(1)(a))
For certain optional features, we may rely on your explicit consent, which you can withdraw at any time.
5. How We Use Your Personal Data
We use your personal data for the following purposes:
5.1 Core Service Provision
- Account Management: Linking your data to your Telegram User ID
- Price Tracking: Monitoring product prices and detecting drops
- Notifications: Sending Telegram messages when prices drop below your target
- Regional Customization: Displaying prices in your preferred currency and shipping region
5.2 Service Improvement
- Analyzing which features are most used
- Identifying and fixing technical issues
- Optimizing the price checking algorithms
5.3 Communication
- Responding to your inquiries and support requests
- Sending important service updates (maintenance, policy changes)
6. Data Storage and Security
6.1 Storage Location
Your personal data is stored on secure servers located in Italy.
6.2 Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data in transit is protected using TLS/SSL encryption
- Access Control: Database access is restricted to authorized personnel only
- Secure Authentication: API keys and credentials are stored as environment variables, never in code
- Regular Backups: Database backups are encrypted and stored securely
6.3 Caching
Some information is temporarily cached in memory for 15-60 minutes to improve performance and reduce API calls. Cached data does not include personally identifiable information.
7. Data Retention
7.1 Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period | Rationale |
|---|---|---|
| User Account Data | Until account deletion | Necessary for service provision |
| Product Tracking Data | 2 months after tracking ends | For historical reference and analytics |
| Notification Logs | 6 months | For troubleshooting and abuse prevention |
| IP Address (transient) | Not stored | Used only momentarily for GeoIP |
7.2 Deletion Procedures
When the retention period expires, or when you request deletion, your data is:
- Permanently deleted from our active databases
- Removed from any backups within 30 days (next backup cycle)
8. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
8.1 Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data and receive a copy in a structured, commonly used format.
8.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
8.3 Right to Erasure (“Right to be Forgotten”) (Article 17)
You have the right to request the deletion of your personal data when:
- The data is no longer necessary for the purposes collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Exceptions: We may retain data where required by law or for legal claims.
8.4 Right to Restrict Processing (Article 18)
You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data.
8.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance.
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing violates GDPR. In the EU, this is typically your local Data Protection Authority.
9. Exercising Your Rights
To exercise any of your rights, please contact us using the information provided in Section 2.
Response Time: We will respond to your request within 30 days of receipt. If requests are complex or numerous, we may extend this period by two months, notifying you of the extension within the initial 30-day period.
Verification: To protect your privacy, we may need to verify your identity before processing your request, typically by confirming your Telegram User ID.
Fees: We provide the first copy of your data free of charge. Additional copies may incur a reasonable fee based on administrative costs.
10. Third-Party Services and Data Sharing
10.1 Third-Party Service Providers
We use the following third-party services that may process your data:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Telegram | Messaging platform | User ID, messages | Telegram’s servers |
| AliExpress | Product data | Product IDs, region preferences | AliExpress servers |
10.2 Data Processors
We may engage data processors to perform functions on our behalf, such as:
- Hosting and infrastructure providers
- Database management services
All data processors are bound by data processing agreements that ensure compliance with GDPR.
10.3 Data Sharing Principles
We do NOT:
- Sell your personal data to third parties
- Share your data for marketing purposes without consent
- Transfer data outside the EEA without appropriate safeguards
11. Cookies and Tracking
11.1 Mini-App Usage
Our mini-application (web interface) does not use traditional cookies for tracking purposes. However, we do use:
- Local Storage: To temporarily store your user ID and preferences within the mini-app session
- Session Identifiers: For maintaining your login state within the Telegram ecosystem
11.2 Telegram Platform
The Bot operates within Telegram’s platform, which may use its own cookies and tracking technologies. Please refer to Telegram’s Privacy Policy for information on their practices.
12. Children’s Privacy
Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data without parental consent, please contact us, and we will take steps to delete such information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service enhancements.
Notification of Changes:
- For material changes, we will notify you through the Bot or via Telegram
- The “Last Updated” date at the top of this policy will reflect the most recent revision
- We encourage you to review this policy periodically
Continued Use: Your continued use of the Bot after any changes to this Privacy Policy constitutes your acceptance of those changes.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.
Contact information is available in Section 2.
We are committed to addressing your concerns and will respond to all inquiries promptly.
Appendix A: Data Processing Summary
| Purpose | Legal Basis | Data Categories | Retention |
|---|---|---|---|
| Service Provision | Contract | User ID, Preferences, Tracking Data | Duration of use + 12 months |
| Price Notifications | Contract | Product IDs, Price Thresholds | Duration of tracking + 12 months |
| Regional Customization | Legitimate Interest | Country, Currency | Duration of use |
| Service Improvement | Legitimate Interest | Usage patterns, Error logs | 6 months |
This Privacy Policy is effective as of the date indicated above and supersedes all prior versions.