Privacy policy

Last updated: 2026-04-25

This policy explains what data SwyDex (“we”) collects when you use our website and APIs, why we collect it, and the choices you have. We aim to collect as little personal data as we need to run the service well.

What we collect

  • Account data — name, email, hashed password (bcrypt), and the company name you provide at sign-up.
  • Authentication metadata — sign-in timestamps, IP addresses, and user agent strings, used for security alerts and rate-limiting.
  • API usage — request paths, status codes, latencies, and counters per API key. Used for billing and quotas.
  • On-chain identifiers — wallet addresses we generate for you, along with transaction hashes you submit. We do not collect personal data about the senders or recipients of those transactions beyond what is on the public blockchain.
  • Cookies / localStorage — used only to persist your session token. We do not run advertising trackers.

What we do NOT collect

  • Plaintext passwords or wallet mnemonics. Mnemonics are encrypted with a per-tenant data encryption key, itself wrapped by a managed KMS provider.
  • Marketing tracking pixels, third-party advertising cookies, or fingerprinting.
  • Browsing history outside the SwyDex domains.

How we use your data

  • To operate the service (create wallets, route webhooks, settle transactions).
  • To bill you for usage that exceeds your plan.
  • To send transactional email (sign-in alerts, payment receipts, security notifications). Marketing email is opt-in and you can disable it from settings at any time.
  • To detect abuse (rate-limiting, suspicious-activity alerts).

Who we share with

SwyDex shares the minimum necessary data with these subprocessors:

  • Tatum — blockchain RPC + wallet derivation. Receives wallet addresses and transaction broadcasts.
  • Stripe — billing. Receives your email + your tenant id as metadata. Card data is collected directly by Stripe; we never see card numbers.
  • Postalynk — transactional and marketing email delivery. Receives your email and the rendered email body.
  • Google Cloud KMS — encrypts the data encryption key that protects your wallet mnemonics. Receives no personal data.
  • hCaptcha — bot detection on auth endpoints. Receives your IP and a one-shot token.

Data location and retention

Data is stored in a single managed Postgres database in the EU. We keep account data for the lifetime of your account plus 30 days after deletion (to handle accidental cancellations). Audit logs are retained for 7 years to satisfy AML/KYC obligations where applicable. Email open/click logs are retained for 90 days.

Your rights

Where applicable (GDPR / CCPA / similar), you can request a copy of your data, ask us to correct it, or delete it. Email privacy@swydex.com with your tenant id and the request type. We aim to respond within 14 days.

Security

See our security page for the controls in place. If you believe you've found a vulnerability, please disclose it responsibly to security@swydex.com.

Changes

When we materially change this policy we'll email account owners and post a summary on the dashboard at least 14 days before the change takes effect.

Questions? privacy@swydex.com.