Privacy Policy

Last updated: January 2026

Our Privacy Philosophy

VoidPay is built on a fundamental principle: we can't lose, leak, or sell your data because we never have it. This isn't just a policy choice — it's an architectural decision baked into the core of our application.

How Our Zero-Backend Architecture Works

When you create an invoice, all the data is compressed and encoded directly into the URL's hash fragment (the part after the # symbol).

https://voidpay.xyz/pay#N4IgbghgTg9g...

Here's the key: hash fragments are never sent to web servers. This is a fundamental property of how URLs work in web browsers (defined in RFC 3986). When you open an invoice link, your browser keeps the hash fragment local and only sends the base URL to our server.

What We Don't Collect

  • Invoice dataamounts, descriptions, line items, dates
  • Wallet addressessender or recipient
  • Personal informationnames, emails, company details
  • Payment informationtransaction hashes, payment status
  • User accountswe have no registration or authentication
  • Analytics or telemetryno Google Analytics, no Sentry, no tracking pixels
  • Cookies for trackingwe use no cookies whatsoever

Local Storage (Your Data, Your Device)

VoidPay uses your browser's LocalStorage to save invoice drafts and history. This data:

  • Never leaves your devicestored locally in your browser
  • Is fully under your controlyou can clear it anytime via browser settings
  • Is exportableyou can export your history as JSON for backup or migration
  • Is importablerestore your data on any device

Social Preview (Optional Trade-off)

When you share an invoice link on social media, platforms like Twitter or Telegram request a preview image. To generate this preview, you can optionally include minimal metadata in the URL query string:

https://voidpay.xyz/pay?og=INV-001_1250_USDC_arb_Acme#N4Ig...

The ?og= parameter contains only: invoice ID, amount, currency, network, and sender name. This is the only data that our server can see, and only if you choose to include it. The full invoice details remain private in the hash fragment.

This feature is opt-in. Links without the ?og= parameter will show a generic VoidPay preview instead of invoice-specific details.

Third-Party Services

VoidPay interacts with the following external services:

RPC Providers (Alchemy, Infura)

We proxy blockchain requests through our edge functions to protect API keys. These requests contain only blockchain data (token balances, transaction status) — no personal information or invoice contents.

WalletConnect / RainbowKit

When you connect your wallet to pay an invoice, the connection is handled by WalletConnect. We don't store wallet addresses or connection data. See WalletConnect's privacy policy for their data practices.

Blockchain Networks

Payments are made directly on public blockchains (Ethereum, Arbitrum, Optimism, Polygon). All blockchain transactions are publicly visible by design. VoidPay does not add any additional tracking to these transactions.

Abuse Prevention (Privacy-Preserving)

To prevent phishing and scam invoices, we maintain a public blocklist of known malicious URLs. Here's how we protect privacy while doing this:

  • SHA-256 hashesThe blocklist contains only hashes of malicious URL fragments
  • IrreversibleHashes are irreversible — you cannot recover invoice data from them
  • Client-side checkingYour invoice URL is never sent to our servers for validation
  • Public on GitHubThe blocklist is public for transparency and community review

Open Source Transparency

VoidPay is open source under the MIT License. Every claim in this privacy policy can be verified by reviewing our code. You can also self-host VoidPay if you prefer complete control.

View Source Code

Data Retention

Since we don't collect user data, there's nothing to retain or delete. Your browser's LocalStorage data persists until you clear it. Invoice URLs remain functional indefinitely — they are self-contained and don't depend on any server-side storage.

Children's Privacy

VoidPay is not directed to children under 18. Cryptocurrency transactions require legal capacity to enter into contracts. We do not knowingly provide services to minors.

Changes to This Policy

If we change this policy, we'll update the "Last updated" date at the top of this page and commit the changes to our public GitHub repository. Since there's no account system, we cannot send you notifications — we recommend checking this page periodically.

Contact

Questions about privacy? We're happy to explain our architecture in more detail:

Terms of ServiceBack to Home