Privacy Policy
UpSwap Privacy Policy: the non-custodial cross-chain swap collects no KYC, no email, no private keys; only IP/UA/wallet addresses are logged, meeting GDPR, CCPA, and PIPL cross-border compliance requirements.
This English translation is provided for convenience and informational purposes only. In the event of any discrepancy or conflict, the Chinese version (linked below) prevails as the authoritative legal document.
Introduction
This Privacy Policy (the "Policy") is published by the UpSwap team ("we", "us") and applies to the non-custodial cross-chain swap widget service provided through the UpSwap domain and its subdomains (the "Service"). This Policy takes effect on June 11, 2026 (Effective Date: 2026-06-11).
Our core principle is Data Minimization: a non-custodial architecture means we have no need — and no desire — to hold user identity information. This Policy sets out in detail what we collect, what we do not collect, how we process it, and the rights you have under the GDPR, CCPA/CPRA, China's PIPL, and other laws.
We perform no KYC, require no account registration, and never hold your private keys or seed phrases.
1. Data collection inventory (minimal)
We collect only the minimum technical data necessary to provide the Service. The complete inventory is below, and we commit to collecting nothing beyond this list:
- 1.1 IP address: logged automatically by the edge CDN for jurisdiction identification (geo-blocking) and DDoS protection; raw logs are automatically purged after 14 days.
- 1.2 User-Agent (browser/device identifier string): used for compatibility diagnostics and anomaly detection.
- 1.3 Referrer (source URL): used for aggregate traffic-source statistics (e.g., partner referrals).
- 1.4 Quote Request Parameters: source chain / destination chain, source asset / destination asset, and amount.
- 1.5 Order ID & Nonce: used for order lifecycle tracking and status queries.
- 1.6 Source / Destination Wallet Address: see Section 4 for the dedicated explanation.
2. Data we explicitly do not collect
To remove any ambiguity, we explicitly list the categories of data we never collect, never request, and never store:
- Name (no real name, nickname, or username is required)
- Email address (unless you proactively contact us via support@upswap.io)
- Phone number
- KYC documents (no ID card, passport, driver's license, proof of address, or similar is ever required)
- Government-issued identification
- Payment methods (credit card, bank card, PayPal, etc.)
- Private keys (technically inaccessible to us by architecture)
- Seed phrases (technically inaccessible to us by architecture)
- Biometric data (fingerprints, facial data, etc.)
Any request claiming to be from UpSwap that asks for any of the information above is a scam. Report it immediately to security@upswap.io.
3. Cookies and tracking statement
3.1 The Service uses no cookies, no device fingerprinting, and no cross-site tracking. We do not use Google Analytics, Facebook Pixel, TikTok Pixel, advertising tracking SDKs, or any other tool that builds user profiles or tracks users across sites.
3.2 We use a single first-party Anonymous Visitor ID for deduplicated DAU/MAU statistics:
- Storage location: stored only in your browser's localStorage under the key upswap_anon_id, with a UUID v4 value (randomly generated; not derived from any identifying information).
- Limited purpose: used only for aggregate statistics such as "how many unique visitors today"; it is never linked to your wallet address, IP, email, orders, or any other information, and it does not constitute a user profile.
- No cross-site use: readable only by this domain (upswap.io); closing your browser or switching devices generates a brand-new ID, and we cannot link two visits together.
- You can reset it at any time: clearing your browser data, using private browsing, or manually deleting this entry from localStorage resets it. We have no visibility into this whatsoever.
- Not a "cookie" in the strict GDPR/ePrivacy sense: the value lives only in the browser and is not sent automatically with network requests; it is only actively attached to the X-Anonymous-Id header when calling our API, where the server uses it for aggregation without storing any mapping to user identity.
3.3 Because we set no cookies and the anonymous ID does not constitute tracking, this website does not need to display a Cookie Consent Banner; this choice is itself the cleanest compliance posture toward the ePrivacy Directive.
3.4 Backend access logs may briefly retain IP addresses for security and risk control (DDoS protection, abuse prevention); see §1.6 and §7 for the specific retention periods and handling. We commit that IP addresses are never used as a basis for user identification or profiling.
4. How wallet addresses are handled
- 4.1 Purpose of collection: the source wallet address is used to construct the transaction, and the destination wallet address indicates where the swapped assets are delivered. Both are necessary parameters for completing a cross-chain swap.
- 4.2 Forwarding path: wallet addresses are forwarded by our edge nodes to Upstream Liquidity Vendors (whose names we do not disclose publicly for commercial confidentiality), which execute the on-chain transactions.
- 4.3 Retention period: 30 days after an order completes, the wallet-address logs associated with that order are automatically deleted from our systems; after that we retain no address records in any form.
- 4.4 On-chain visibility: please be aware that by the nature of public blockchains, wallet addresses and transaction records are stored publicly and permanently on-chain; this publicity is outside our control.
- 4.5 No profiling: we do not build long-term profiles linking wallet addresses with IP or UA, nor do we sell or resell them to on-chain analytics firms.
5. GDPR legal bases (Art. 6)
Under Article 6 of the GDPR, our legal bases for processing the data above are:
- 5.1 Contractual necessity (Art. 6(1)(b)): wallet addresses, quote parameters, order IDs, and similar data are necessary preconditions for performing the cross-chain swap service contract between you and us.
- 5.2 Legitimate interests (Art. 6(1)(f)): IP, UA, and referrer are used for security protection (anti-DDoS, anti-fraud, jurisdiction blocking) and service-quality diagnostics; we have performed an LIA (Legitimate Interest Assessment) and concluded that this does not unduly impair data subjects' rights.
6. Data subject rights
Data subjects in the EU/EEA/UK have the following rights under the GDPR/UK GDPR:
- 6.1 Right of access (Art. 15): request that we disclose the personal data we hold about you.
- 6.2 Right to erasure (Art. 17): also known as the "right to be forgotten" — request that we delete your data.
- 6.3 Right to restriction of processing (Art. 18): suspend the processing of your data.
- 6.4 Right to data portability (Art. 20): receive your data in a structured, commonly used format.
- 6.5 Right to object (Art. 21): object to data processing based on legitimate interests.
- 6.6 Right to lodge a complaint: complain to the supervisory authority in your country.
How to exercise these rights: email privacy@upswap.io with "GDPR Request" in the subject line. We will respond within 30 calendar days of receiving your request (extendable to 90 days for complex cases, with advance notice). Because we do not collect names or emails, we verify identity through your order ID plus a wallet-address signature (Sign Message).
7. CCPA
7.1 No-sale statement: in the past 12 months, we have not sold (sell) or shared for consideration (share) the Personal Information of California residents, including but not limited to not reselling wallet addresses to ad networks, data brokers, or on-chain analytics firms.
7.2 Given our substantive "no sell / no share" practice, not displaying a "Do Not Sell or Share My Personal Information" link on this website is also consistent with CPRA compliance analysis; if you would still like written confirmation of this position, you may email privacy@upswap.io to request a statement.
7.3 California residents also have the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising their rights (Right to Non-Discrimination).
Please note: as a matter of jurisdictional compliance strategy, US users are already blocked at the IP level; the disclosures in this section are provided for completeness only and do not constitute active solicitation of the US market.
8. China PIPL cross-border transfer notice
Under Articles 38 to 39 of the Personal Information Protection Law of the People's Republic of China (PIPL), if you are located in mainland China but access the Service through technical means and trigger data processing (notwithstanding that we already block mainland China IPs), we notify you as follows:
- 8.1 Purpose of cross-border transfer: as necessary to perform the cross-chain swap service contract.
- 8.2 Overseas recipients: global edge CDN network nodes (covering Singapore, the US, the EU, Japan, and other regions) and upstream liquidity vendors.
- 8.3 Processing methods: technical log writing and caching, quote request forwarding, and order status queries.
- 8.4 Categories of personal information: IP, UA, wallet addresses, and order parameters.
- 8.5 How to exercise PIPL rights against overseas recipients: submit all requests through privacy@upswap.io.
- 8.6 Reminder: mainland China is a Restricted Jurisdiction for the Service; please do not attempt to access it. Any access that circumvents our blocking violates our Terms of Service.
9. Protection of minors
9.1 The Service is not directed at minors under 16 years of age (GDPR-K baseline) or children under 13 years of age (COPPA baseline). We apply the stricter of these two age floors (16) as our uniform standard.
9.2 We do not knowingly collect any data from individuals under 16. If you are a guardian and discover that a minor has used the Service without consent, email privacy@upswap.io immediately and we will delete the relevant data promptly after verification.
10. Data retention
- 10.1 Edge IP / UA / referrer logs: automatically deleted after 14 days.
- 10.2 Quote request logs (quote logs): automatically deleted after 30 days.
- 10.3 Order metadata (including order ID, chain pair, asset pair, status, and associated wallet addresses): automatically deleted after 6 months.
- 10.4 Legal hold data: if we receive a lawful and valid subpoena / court order, the relevant data is retained for the period required by the order and destroyed immediately once that period expires.
- 10.5 Security incident evidence: logs related to security incidents may be retained for up to 12 months after the incident investigation closes.
11. Third-party data processors
We use the following categories of third-party processors to provide the Service. For commercial confidentiality and security reasons, the specific company names in this list are redacted:
- 11.1 Global CDN / edge compute / KV storage provider: serves the website front end, runs edge Worker compute, and provides lightweight key-value storage. We have reviewed its privacy practices for conformity with GDPR SCC standards.
- 11.2 Upstream Liquidity Vendors: an aggregated set of unnamed cross-chain swap liquidity sources. Wallet addresses and quote parameters are forwarded to the selected vendor to complete the swap.
- 11.3 Email service: operates communication for our four mailboxes — privacy@ / support@ / compliance@ / security@.
All third-party processors act under data processing agreements (DPAs); we share no data with any ad network, data broker, or analytics profiling company.
12. Security measures
- 12.1 Site-wide enforced HTTPS / HSTS (HTTP Strict Transport Security).
- 12.2 A strict Content Security Policy (CSP) to block cross-site scripting.
- 12.3 Edge Worker environment variables (env vars) are encrypted at rest; keys are decrypted and injected only at runtime.
- 12.4 No User Database: by architecture there are no user tables or password tables, eliminating the large-scale data breach surface at the root.
- 12.5 Least-privilege principle: operations staff can access only aggregate statistics, never individual wallet-address records.
- 12.6 Regular third-party penetration testing and a responsible disclosure program (see /security/disclosure).
13. Data breach notification
13.1 Under Article 33 of the GDPR, if a personal data breach occurs that may endanger the rights and freedoms of natural persons, we will notify the competent data protection authority (DPA) within 72 hours of becoming aware of the incident.
13.2 Under Article 34 of the GDPR, if the breach is likely to result in a high risk to affected data subjects, we will inform affected users without undue delay via an announcement on this website and (where contact details are available) direct notification.
13.3 We will likewise fulfill the corresponding notification obligations under Article 57 of China's PIPL, California law, and other jurisdictions.
14. International data transfers
14.1 Our edge CDN network spans the globe, which means your technical data may move between nodes in Singapore, the US, the EU, Japan, and elsewhere.
14.2 For data leaving the EU/EEA/UK (transfer outside the EEA / UK), we rely on one of the following safeguards: (a) destinations covered by a European Commission Adequacy Decision; (b) the EU Standard Contractual Clauses (SCCs), 2021/914 version, signed with overseas processors; (c) the UK International Data Transfer Addendum (UK IDTA).
14.3 We have completed Transfer Impact Assessments (TIAs) for key transfer paths, including assessing whether the destination country's laws preserve accessible remedies for data subjects.
15. Contact
For data protection matters, contact us through the following channels:
- Privacy and data subject requests (DSR): privacy@upswap.io
- Compliance inquiries: compliance@upswap.io
- Security vulnerability disclosure: security@upswap.io
- General support: support@upswap.io
All of the mailboxes above are genuinely operated by the UpSwap team. We commit to acknowledging receipt within 5 business days and completing handling within 30 days. All data protection matters are handled centrally by the Privacy Lead behind privacy@upswap.io.
16. Changes to this Policy
16.1 We may update this Policy from time to time to reflect legal changes, service changes, or evolving best practice.
16.2 For material changes (e.g., new data categories, expanded processing purposes, or new third-party processors), we will give notice at least 7 calendar days before the effective date by: (a) a prominent announcement on the website homepage and at the top of this page; (b) email, if you have previously left a contact address.
16.3 For non-substantive changes (e.g., typo fixes, link updates), we may update this page directly without separate notice, but we will update the "last updated" date at the bottom of the page.
16.4 Your continued use of the Service constitutes acceptance of the updated Policy; if you do not accept it, stop using the Service immediately.
Effective date of this Policy: 2026-06-11. Last updated: 2026-06-11.
Contact
For data protection matters, contact privacy@upswap.io. This mailbox is genuinely operated by the UpSwap team, and all GDPR/CCPA/PIPL data subject requests receive a response within 30 days.