Skip to content

Privacy Policy

Last updated: May 24, 2026

1. Data controller

Swerver ("we", "us") operates swerver.net. For privacy inquiries, contact privacy@swerver.net.

2. Information we collect

Account data: email address, name, and organization name provided during signup via our identity provider (Zitadel).

Payment data: wallet addresses you provide for settlement, transaction hashes from x402 payments, and billing information processed by Stripe. We do not store credit card numbers.

Usage data: API request counts, response codes, latency metrics, and settlement amounts associated with your gateways.

Blockchain data: wallet addresses and on-chain transaction records associated with x402 payments. On-chain data is recorded on public blockchain networks and cannot be modified or deleted once confirmed.

3. Legal basis for processing

We process your data under the following legal bases (GDPR Article 6):

  • Contract performance — to operate your account, process payments, and deliver the Service
  • Legitimate interest — to monitor service health, prevent abuse, and improve the platform
  • Legal obligation — to retain financial records as required by applicable law

4. How we use information

We use collected information to operate the Service, process payments, enforce plan limits, provide usage analytics, and communicate with you about your account. We do not sell your data.

5. Sub-processors

We use the following sub-processors that may process your data:

  • Zitadel (Switzerland) — authentication and identity management
  • Stripe (US) — subscription billing, payment processing, and x402 settlement
  • Neon (US) — managed database hosting
  • Amazon Web Services (US) — application hosting and infrastructure
  • Cloudflare (US) — content delivery, DNS, and cookieless web analytics
  • x402.org — x402 payment facilitation

We maintain Data Processing Agreements with each sub-processor. Transfers from the EU/EEA to the US are governed by Standard Contractual Clauses (Module 2). Zitadel operates under Switzerland's EU adequacy decision.

6. International data transfers

Your data may be processed in the United States (AWS, Neon, Stripe, Cloudflare) and Switzerland (Zitadel). We rely on Standard Contractual Clauses and adequacy decisions to ensure appropriate safeguards for cross-border transfers as required by GDPR Chapter V.

7. Data retention

Account and usage data are retained while your account is active and for 90 days after deletion. Settlement and transaction records are retained indefinitely for compliance with financial record-keeping requirements. On-chain blockchain data cannot be deleted due to the immutable nature of distributed ledgers.

8. Security

We use encryption in transit (TLS), encrypted tokens at rest (AES-256-GCM), hashed API keys, and role-based access controls to protect your data.

9. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data (subject to legal retention requirements and blockchain immutability)
  • Restriction — restrict processing of your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Complaint — lodge a complaint with your local data protection supervisory authority

You can access and update most account data through the dashboard settings. For data export, erasure, or other requests, contact privacy@swerver.net. We respond within 30 days.

10. California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise these rights, contact privacy@swerver.net.

11. Cookies

We use a single session cookie for authentication. This cookie is strictly necessary to operate the Service and does not require consent under the ePrivacy Directive. We use Cloudflare Web Analytics for traffic measurement, which is fully cookieless and does not set any client-side storage. We do not use tracking cookies or third-party advertising.

12. Changes

We may update this policy. Material changes will be communicated via the email associated with your account at least 30 days before taking effect.

13. Contact

Privacy questions: privacy@swerver.net