Privacy Policy

Last updated: March 2026

Our Privacy Philosophy

VoidPay is built on a fundamental principle: we can't lose, leak, or sell your data because we never have it. This isn't just a policy choice — it's an architectural decision baked into the core of our application.

How Our Zero-Backend Architecture Works

When you create an invoice, all the data is compressed and encoded directly into the URL's hash fragment (the part after the # symbol).

https://voidpay.xyz/pay#N4IgbghgTg9g...

Here's the key: hash fragments are never sent to web servers. This is a fundamental property of how URLs work in web browsers (defined in RFC 3986). When you open an invoice link, your browser keeps the hash fragment local and only sends the base URL to our server.

What We Don't Collect

  • Invoice dataamounts, descriptions, line items, dates
  • Wallet addressessender or recipient
  • Personal informationnames, emails, company details
  • Payment informationtransaction hashes, payment status
  • User accountswe have no registration or authentication
  • Sensitive financial analyticswe never track invoice amounts, wallet addresses, recipient names, or payment details. See "Product Analytics" section below for what we do collect
  • Cookies for trackingwe use no cookies whatsoever

Local Storage (Your Data, Your Device)

VoidPay uses your browser's LocalStorage to save invoice drafts and history. This data:

  • Never leaves your devicestored locally in your browser
  • Is fully under your controlyou can clear it anytime via browser settings
  • Is exportableyou can export your history as JSON for backup or migration
  • Is importablerestore your data on any device

Social Preview (Optional Trade-off)

When you share an invoice link on social media, platforms like Twitter or Telegram request a preview image. To generate this preview, you can optionally include minimal metadata in the URL query string:

https://voidpay.xyz/pay?og=INV-001_1250_USDC_arb_Acme#N4Ig...

The ?og= parameter contains only: invoice ID, amount, currency, network, and sender name. This is the only data that our server can see, and only if you choose to include it. The full invoice details remain private in the hash fragment.

This feature is opt-in. Links without the ?og= parameter will show a generic VoidPay preview instead of invoice-specific details.

Third-Party Services

VoidPay interacts with the following external services:

RPC Providers (Alchemy, Infura)

We proxy blockchain requests through our edge functions to protect API keys. These requests contain only blockchain data (token balances, transaction status) — no personal information or invoice contents.

WalletConnect / RainbowKit

When you connect your wallet to pay an invoice, the connection is handled by WalletConnect. We don't store wallet addresses or connection data. See WalletConnect's privacy policy for their data practices.

Umami Analytics (self-hosted)

We use a self-hosted Umami instance for privacy-preserving product analytics. Umami is cookie-free, GDPR-compliant, and collects no personal or financial data. You can opt out anytime via the footer toggle. See the "Product Analytics" section for details.

Blockchain Networks

Payments are made directly on public blockchains (Ethereum, Arbitrum, Optimism, Polygon). All blockchain transactions are publicly visible by design. VoidPay does not add any additional tracking to these transactions.

Product Analytics

VoidPay uses a self-hosted Umami instance (hosted on our own infrastructure at m.voidpay.xyz) for privacy-preserving product analytics. Here is how it works:

  • Cookie-freeno cookies, no session identifiers, no fingerprinting
  • No financial datawe never track invoice amounts, wallet addresses, recipient names, notes, or transaction hashes
  • Hash fragments excludedURL hash fragments (which contain full invoice data) are explicitly excluded from tracking
  • Aggregate metrics onlywe collect network name, token symbol, wallet type, referrer domain, and UI interaction types — all aggregate, never linked to identity
  • Opt-out availableclick the eye icon in the footer to disable all analytics tracking. Your preference is saved in localStorage
  • Self-hostedanalytics data is stored on our own infrastructure, never shared with third parties or sold

Abuse Prevention (Privacy-Preserving)

To prevent phishing and scam invoices, we maintain a public blocklist of known malicious URLs. Here's how we protect privacy while doing this:

  • SHA-256 hashesThe blocklist contains only hashes of malicious URL fragments
  • IrreversibleHashes are irreversible — you cannot recover invoice data from them
  • Client-side checkingYour invoice URL is never sent to our servers for validation
  • Public on GitHubThe blocklist is public for transparency and community review

Open Source Transparency

VoidPay is open source under the MIT License. Every claim in this privacy policy can be verified by reviewing our code. You can also self-host VoidPay if you prefer complete control.

View Source Code

Data Retention

Since we don't collect user data, there's nothing to retain or delete. Your browser's LocalStorage data persists until you clear it. Invoice URLs remain functional indefinitely — they are self-contained and don't depend on any server-side storage.

Children's Privacy

VoidPay is not directed to children under 18. Cryptocurrency transactions require legal capacity to enter into contracts. We do not knowingly provide services to minors.

Changes to This Policy

If we change this policy, we'll update the "Last updated" date at the top of this page and commit the changes to our public GitHub repository. Since there's no account system, we cannot send you notifications — we recommend checking this page periodically.

Contact

Questions about privacy? We're happy to explain our architecture in more detail:

Terms of ServiceBack to Home