Last updated: April 23, 2026
Most privacy policies exist to explain how a service collects and monetizes your data. Ours exists to explain how we don’t.
Mistex is a non-custodial, non-account crypto swap. We built it so that we genuinely have nothing to hand over if someone asks. This page tells you what that looks like in practice.
No name, no email, no phone, no date of birth. No ID documents, no selfies, no proof of address. No social login, no OAuth, no third-party identity broker. No mandatory account. A cabinet account is optional and only exists if you choose to claim cashback or run a referral link.
To run a swap we have to process three kinds of information, and only for as long as the swap itself is running: the deposit address we give you and the payout address you give us, the amount and the currency pair, and order status metadata.
Once a swap terminates (completed, refunded, expired) this working state is no longer needed. We don’t build histories keyed to anyone — no “user profile”, no behavioural graph, no ad IDs.
We don’t run request logs with client IPs. The reverse proxy strips identifying headers before they reach our application. The application itself writes only operational diagnostics — things like “rate fetch failed, retrying” — which never include addresses or amounts you’d need to link a person to a swap.
We don’t run analytics, pixels, session recording, A/B experiments keyed to individuals, or any third-party tracking scripts. There is nothing in the page that phones home about you.
Mistex runs a native Tor v3 hidden service so you can reach us without ever touching clearnet DNS, certificate authorities, or your ISP’s nameservers. You are free to use Tor, a VPN, or any combination — we do not rate-limit, fingerprint, or flag traffic for using them.
The onion mirror is shown in the footer and via the Onion-Location header on mistex.io. Cookie and login state on the onion mirror are scoped to the onion origin — a login on clearnet does not propagate there, and vice versa. That’s deliberate.
The only cookies we set are session cookies needed to keep you logged in if you choose to create a cabinet account, and one short-lived attribution cookie if you arrived via a referral link. They are HttpOnly, SameSite=Strict, and scoped to the origin you came in on. We do not set tracking cookies.
We don’t sell, share, rent, or syndicate anything about you to third parties, because we don’t collect anything about you to begin with. Where we rely on external infrastructure the only data that ever leaves us is the swap itself — deposit address, output address, amount — which is intrinsic to the transaction.
Because there is no account, no identifier, and no retained profile, most traditional rights (access, rectification, erasure) are answered by the design itself: there’s nothing stored about you that could be produced or corrected. If you did voluntarily create a cabinet account, you can delete it from inside the cabinet at any time.
Authentication uses HttpOnly cookies over HTTPS (clearnet) or plain Tor (onion). Optional two-factor authentication is available and recommended. Recovery codes are single-use. We never ask for seeds, private keys, or wallet backups, and no support process ever needs them.
We may update this policy over time. Material changes will be reflected by bumping the date at the top of this page. If a change materially reduces the no-account / no-data baseline, we will say so in plain English at the top of the revised version, not bury it in a diff.