CSRF session cookie
A random nsw cookie for the duration of the browser session. Used only to gate the order-creation API. No identifier inside.
Transparency
How this actually works.
Specifics about the architecture, the data, the flagging policy. If you care whether "no logs" is a slogan or a description, this page is for you.
Architecture
A thin frontend over a routing layer
SwapNoKYC is a PHP 8.2 frontend over a third-party liquidity aggregator. There is no user database. Ephemeral order state lives as flat JSON files on the filesystem, and a minimal admin log records order lifecycle events for operations.
The only persistent store beyond that is a filesystem cache for rate quotes (60-second TTL) and the currency list (5-minute TTL).
Every order is a capability: the order ID plus a token returned by the backend. You hold the URL with those embedded; we hold the matching deposit address plus a timestamp. Nothing else.
No third-party analytics. No fingerprinting. No persistent user-id. The upstream router sees the minimum swap metadata needed to execute — and nothing ever correlates you across sessions.
Data inventory
What we record
Every field we touch, listed. No hidden buckets.
Order record
Pair, amount, deposit address, payout address, type (float/fixed), created-at timestamp. Purged on settlement (or after 30 days max).
Anti-abuse counters
Per-IP rate-limit counters, reset every minute. Never linked to personal data.
Nginx access logs
Method, path, status, user-agent. Rotated every 24 hours.
What we never record
Name, email, phone, ID, date of birth, nationality
Any third-party analytics tag (no GA, no Hotjar, no Segment, no Meta Pixel)
Tracking cookies beyond the session CSRF token
Long-term IP logs (rotation < 24h)
Device or browser fingerprints
Any correlating identifier across sessions
Flagging
What happens when an order is flagged
1
Order enters Emergency state
The upstream router screens deposit addresses against sanctions lists and illicit-flow feeds. If an address matches, the order page surfaces emergency actions.
2
Two options, both under your control
Refund to an address you provide (no questions asked), or accept the current market rate and continue. You choose. There is no third hidden option.
3
Never an identity demand
We do not ask for identity documents at this stage. Ever. If both actions are rejected, the deposit is returned to the sender address visible on-chain.
Third parties
Every external service we call
CDN / TLS
Cloudflare
Serves static assets. TLS terminates at Cloudflare; we receive the real client IP via CF-Connecting-IP for rate-limiting only.
Webfonts
fonts.bunny.net
Inter and JetBrains Mono. A privacy-preserving mirror of Google Fonts that does not log IPs.
Liquidity provider
ChangeNOW
Receives the swap request metadata necessary to execute: pair, amount, destination, optional refund address.
Security posture
Hardening at a glance
- HTTPS-only with HSTS preload-eligible configuration.
- Strict Content-Security-Policy; no inline scripts beyond JSON payloads.
- X-Frame-Options SAMEORIGIN · X-Content-Type-Options nosniff · strict Referrer-Policy.
- Permissions-Policy restricts geolocation, microphone, camera, payment to "none".
- CSRF tokens on all state-changing API endpoints.
- All sensitive configuration (API keys, signing material) live outside the webroot.
Security reports: [email protected]. See also security.txt and full disclosure policy.
