Privacy Policy

Last updated: 2026-05-14 Effective: 2026-05-14

Plain-English summary. Ropil is built to know as little about you as possible. We do not collect your name, your email, your IP logs, your wallet address, your swap history, or any KYC. The only thing we collect is aggregate, privacy-preserving page-view analytics — no cookies for tracking, no fingerprinting, no profile. If you swap, the third-party protocols you route through will see your wallet address on a public blockchain. That's how blockchains work; we can't change it.

1. What We Do NOT Collect

This list is the most important part of this policy. As a matter of architecture, Ropil does not:

• collect, store, or transmit wallet addresses to our own servers when you connect a wallet or build a swap quote (calls to Underlying Protocols happen from your browser to those protocols directly);
• store swap history, route history, or transaction hashes attributable to you;
• store IP-address access logs beyond the short-lived, automatically rotated logs strictly necessary for our edge / DDoS protection (see Section 4);
• set tracking cookies, advertising cookies, or marketing cookies;
• deploy third-party analytics that fingerprint your device — no Google Analytics, no Meta Pixel, no TikTok pixel, no LinkedIn Insight tag, no Hotjar, no FullStory, no session-replay;
• collect any KYC / identity data — no name, no date of birth, no address, no government ID, no selfie, no proof-of-residence;
• collect email addresses, phone numbers, or social-media handles, unless you voluntarily send them to us via hello@ropil.xyz (Section 7);
• sell, rent, share, or licence personal data for advertising, marketing, training of AI models, or any other commercial purpose;
• run any AML / sanctions screening of wallet addresses ourselves (the Underlying Protocols may run their own screening — see Section 5).

We have engineered the Interface to be a stateless front-end: it loads in your browser, talks to public blockchain RPCs and to Underlying Protocol APIs on your behalf, and forgets you when you close the tab.

2. What We DO Collect

Summary. Aggregate page-view counts. Nothing tied to an identity.

The Interface uses self-hosted Plausible Analytics (or an equivalent privacy-preserving analytics package — Operator may substitute Umami, Pirsch, Counter.dev, or Simple Analytics; the substantive behaviour will be the same). Plausible runs on infrastructure controlled by us and:

• does not set cookies of any kind;
• does not use a persistent device identifier — it generates a hash from the daily-rotating IP and User-Agent salt that cannot be reversed and is not retained;
• does not collect personal data within the meaning of the EU GDPR or UK GDPR; the Plausible data-policy confirms this;
• counts page views, referrer (where your visit came from — e.g. https://twitter.com/), country (from a daily-rotated GeoIP hash), browser family and operating-system family.

We additionally collect, in edge logs held by our hosting / CDN provider for no more than 7 days and used only to mitigate denial-of-service attacks, fraud and abuse:

• truncated IP address (last octet stripped for IPv4; last 80 bits stripped for IPv6),
• request method, path and HTTP status code,
• approximate timestamp,
• a generic User-Agent string.

These edge logs are not joined to analytics events, are not exported to any third party for marketing, and are rotated automatically.

If you choose to write to us at hello@ropil.xyz, we receive whatever you choose to send (your message body, your sender address, and any attachments). We retain that correspondence only as long as needed to answer you and to keep a record of any legal request.

3. Wallet Addresses, Transactions, and Blockchains Are Public

Summary. When you swap, you broadcast a transaction to a public blockchain. Anyone can see it. We can't make that private.

The moment your wallet signs and broadcasts a swap, that transaction — including your wallet address, the amounts, the tokens, the route taken, and the destination address — becomes part of the public ledger of the blockchain(s) involved and is permanently visible to anyone in the world via a block explorer such as Etherscan, Solscan, Blockchair, etc.

This is an inherent property of public blockchains. We do not control it, and we do not warrant any form of on-chain privacy. If you require on-chain unlinkability, you must use privacy-preserving tools at your own risk and subject to the law of your jurisdiction.

A wallet address may, in some legal frameworks (GDPR, UK GDPR, certain U.S. state laws), be treated as personal data only when it can reasonably be linked to a natural person. By the policies above, we do not perform that linkage on our infrastructure.

4. Third-Party Data Flows

Summary. When you swap, you talk to LI.FI / Relay / THORChain (and the RPC endpoints / block explorers we display). They have their own privacy policies.

To produce a swap, your browser communicates directly (or through a CORS proxy under our control whose request bodies we do not persist beyond transient memory) with:

• LI.FI — aggregator and bridge router. Privacy notice: https://li.fi/legal/privacy-policy/ — they may see your wallet address, IP address, requested route, and User-Agent.
• Relay Protocol — intent-based solver network for cross-chain swaps. Privacy notice: https://relay.link/ (consult their published policies). When this tab is used, we backend-proxy the quote and status calls, so Relay sees only our server IP, not yours; the wallet address is visible to them by necessity (it is the recipient/sender of the swap).
• THORChain — community-operated permissionless protocol. Use of any THORChain front-end inherently exposes wallet addresses on a public chain.
• Public RPC providers (Infura, Alchemy, Ankr, public chain RPCs, etc.) — used to read on-chain state and to broadcast transactions. They may log IP and request data per their own policies.
• Block explorers linked from the Interface — they receive a referrer when you click through.
• Wallet providers (MetaMask, Rabby, WalletConnect, etc.) — the wallet you choose has its own data practices and is independent from us.

We do not sell, transfer or share any data we hold with these parties for marketing or profiling. Their receipt of data is the unavoidable consequence of you choosing to use a cross-chain swap interface.

5. Sanctions and Compliance Screening

Operator does not screen wallet addresses or transactions itself. The Underlying Protocols and the public infrastructure layer (block builders, RPCs, fiat off-ramps) may apply their own screening, and may decline to serve a route involving a sanctioned address. That refusal is theirs, not ours. We provide no list of screened addresses and do not maintain or share a blocklist.

If a law-enforcement authority of competent jurisdiction issues a lawful order to us for data, our cooperation is necessarily limited by the fact that we do not collect the data they typically request. We will respond to lawful, properly served requests in accordance with the laws of the jurisdiction whose authority issued the order.

6. Cookies and Local Storage

Summary. Strictly essential only. No tracking, no advertising.

We use only:

• Essential localStorage / sessionStorage entries to remember user-interface state across page loads — e.g. your selected language, theme (dark/light), most-recently-used chain, slippage-tolerance preference. These never leave your browser.
• WalletConnect session data stored in your browser by the WalletConnect SDK so that your wallet stays connected between page reloads. This is local to your browser.

We do not set any first-party tracking cookie, any third-party advertising cookie, or any cross-site tracking cookie. You can clear all local state at any time via your browser's storage controls.

7. Your Rights

Summary. You have rights under GDPR and similar regimes. Because we hold almost no data about you, most of those rights are trivial to satisfy — there is nothing to retrieve, correct, or delete on our side.

Depending on the jurisdiction in which you reside, you may have rights to: access, rectify, erase, restrict, or object to the processing of your personal data; data portability; withdrawal of consent; and the right to lodge a complaint with a supervisory authority.

To the extent we hold any personal data about you (which is generally limited to inbound correspondence under Section 2 above), you may exercise those rights by writing to hello@ropil.xyz from the same email address you used to correspond with us. We will respond within one month, or as required by the applicable law.

We do not collect data sufficient to identify you across visits, so an access or erasure request for analytics or edge-log data cannot, by design, be satisfied at the individual level — there is no record to retrieve or delete that is attributable to you.

8. Data Retention

• Self-hosted Plausible Analytics: aggregate counts are retained indefinitely; no individual record exists to retain.
• Edge / CDN access logs: rotated within 7 days.
• Inbound correspondence to hello@ropil.xyz: kept as long as needed to handle the matter and to comply with any legal hold (typically up to 24 months from the last reply, unless a longer period is required by law).
• WalletConnect session data: lives in your browser and is controlled by you.

9. International Transfers

The Interface is delivered globally from a CDN edge. The self-hosted analytics instance, the back-end (if any) and any inbound correspondence may be processed in jurisdictions outside your country of residence. By using the Interface you acknowledge that any limited data we do process (under Sections 2 and 7) may be transferred internationally. We rely on appropriate safeguards (Standard Contractual Clauses, where applicable) when transferring personal data across borders.

10. Children

The Interface is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Security

We follow reasonable technical and organisational measures: TLS for all traffic, strict Content-Security-Policy headers, dependency-pinned builds, principle-of-least-privilege access controls on our own infrastructure, and refusal to integrate third-party scripts that we cannot inspect. No system is perfectly secure; please treat all interactions with web wallets and DeFi software with appropriate skepticism (see also our Risk Disclosure).

12. Changes to this Policy

We may update this Policy from time to time. The Last updated date at the top of this page will be revised when we do. Material changes will, where reasonably practicable, be announced via the home page of the Interface for a period of at least 14 days.

13. Contact

For all privacy questions, rights requests, or security reports, please write to hello@ropil.xyz (ProtonMail; PGP key available on request).

Drafted with reference to the CoW Swap Privacy Policy (https://cow.fi/legal/cowswap-privacy-policy), the structure of the Uniswap Labs Privacy Policy, the Plausible Analytics data policy (https://plausible.io/data-policy), and Article 13/14 GDPR informational duties. The Jumper, Matcha and 1inch privacy notices were not directly fetched during drafting and are noted as UNVERIFIED.