/ LEGAL

Terms & Privacy.

Plain-English summary of how NYC-X works, what data we handle, and what we don't.

Last updated: July 8, 2026

We never hold your money

Customers pay directly to your FamApp UPI ID. Funds never touch, transit through, or settle on NYC-X servers.

AES-256-GCM encryption

Your Gmail App Password is encrypted before storage using industry-standard AES-256-GCM. It is never returned via any API.

Hashed API keys

Secret API keys are hashed with SHA-256 before storage. We can never see your key after creation — only you can.

Signed webhooks

Every webhook is signed with HMAC-SHA256. Verify the signature server-side to prevent forgery.

Read-only Gmail access

We only READ FamApp payment confirmation emails via IMAP. We never send, modify, delete, or move your emails.

HTTPS everywhere

All traffic uses TLS. No plain-text credentials in transit or at rest.

1. What NYC-X is

NYC-X is a hosted payment gateway that helps merchants accept UPI payments through their own FamApp account. We generate branded checkout pages, produce UPI QR codes with a fixed amount, and automate the reconciliation step by reading FamApp's payment confirmation emails from the merchant's connected Gmail account. NYC-X is not a licensed payment aggregator, not a merchant of record, and does not custody, escrow, or process customer funds.

2. Funds flow

Money moves directly from the customer's UPI wallet to the merchant's FamApp UPI ID via UPI rails operated by NPCI and the customer's / merchant's respective banks. NYC-X only observes the confirmation email that FamApp sends the merchant. NYC-X has no ability to move, hold, freeze, or refund money.

3. Data we collect

  • Merchant account: email address, business name, optional description.
  • Payment settings: FamApp UPI ID, Gmail address, Gmail App Password (encrypted at rest with AES-256-GCM).
  • Order data: amount, description, optional customer name/email, order status, UTR, transaction ID, sender name extracted from confirmation emails.
  • Operational logs: API request metadata, webhook delivery attempts, IMAP scan events (used for debugging and abuse prevention).

4. Data we do NOT collect

  • We do not read, store, or index emails other than FamApp payment confirmations.
  • We do not access your Gmail contacts, calendar, drive, or any other Google service.
  • We do not collect customer bank details, UPI PINs, card numbers, or CVVs.
  • We do not track cross-site behavior, sell data to third parties, or run ad networks.

5. Encryption & security

  • Gmail App Passwords are encrypted with AES-256-GCM using a server-side key never exposed to clients.
  • API secret keys are stored as SHA-256 hashes only — the plaintext is shown exactly once at creation.
  • All webhook payloads are signed with HMAC-SHA256 (X-NYCX-Signature).
  • Authentication uses Clerk-managed JWT sessions.
  • All requests are served over HTTPS with HSTS.

6. Your responsibilities as a merchant

  • Keep your Gmail App Password confidential. Revoke and rotate it from your Google Account if you suspect compromise.
  • Do not disable IMAP or turn off FamApp email notifications — verification will stop working.
  • Do not delete or auto-archive FamApp payment emails before NYC-X has a chance to read them.
  • Comply with all applicable laws and the terms of service of FamApp, Gmail, and any other services you use.
  • You are the merchant of record. NYC-X is a technical tool — tax, refunds, and disputes are your responsibility.

7. Verification delays

Payment verification depends on FamApp delivering its confirmation email to your Gmail inbox in a timely manner. Occasional delays (network, spam filters, provider changes) are outside NYC-X's control. If FamApp changes its email format, the parser may need updating before verification resumes.

8. Limitation of liability

NYC-X is provided as-is, without warranty of any kind. To the maximum extent permitted by law, NYC-X and its operators shall not be liable for any indirect, incidental, or consequential damages arising from the use or inability to use the service, including missed or delayed verifications, webhook failures, or interruptions in third-party providers (FamApp, Gmail, UPI networks).

9. Termination

You may delete your merchant account at any time. Upon deletion, encrypted credentials are removed. Order and log records may be retained for up to 90 days for abuse investigation and legal compliance, then permanently deleted.

10. Contact

For questions, security disclosures, or account deletion requests, contact @DebjitFr on Telegram.

By using NYC-X you agree to these terms.

NYC-X is not affiliated with FamApp, Trio Money, or Google. FamApp is a trademark of its respective owner.