CoW Swap - Privacy Policy
Last updated: July 2025
This Privacy Policy ("Policy") explains how CoW Hosting Limited ("CoW," "we," "our" or "us") collects, uses, shares and protects information in connection with the products and services available through https://cow.fi (collectively, the "Services"). It also sets out the rights and choices you have under the BVI Data Protection Act 2021 ("DPA") and—where relevant—other data protection regimes.
Important blockchain note:
When you use the Services, your wallet and CoW Swap broadcast a signed transaction to CoW Protocol. In the event your trade is settled, CoW Protocol will broadcast data to a public, decentralised blockchain. Once written, on‑chain data (e.g. wallet address, order parameters, executed trade details) is effectively immutable and outside our unilateral control.
1. Who we are & scope of this Policy
Controller. CoW Hosting Limited is a company limited by guarantee incorporated in the British Virgin Islands. We act as the primary data controller for the Services. Where we operate an interface or API on behalf of a DAO, foundation or other client, CoW may act as joint‑controller.
Covered Services. This Policy applies to:
- swap.cow.fi (the main trading interface);
- CoW Swap APIs (Order Signing API, Solvers’ API, CoW Hooks);
- Cow Explorer (explorer.cow.fi);
- Documentation sites and community portals under the cow.fi domain;
- Any other online location that links to or embeds this Policy.
It does not cover third‑party front‑ends, wallets or relay services that simply integrate the CoW protocol. Their privacy practices remain their own.
2. Key definitions
| Term | Definition |
| --- | --- |
| Personal Data | Information relating to an identified or identifiable natural person ("Data Subject"). |
| Processing | Any operation performed on Personal Data, whether or not by automated means (collection, storage, transmission, etc.). |
| Blockchain Data | Transaction metadata that is deliberately published to a public distributed ledger in order to execute or settle a trade. Public‑key wallet addresses are considered Personal Data when they can reasonably be linked to an individual. |
3. How we collect Personal Data
3.1 Information you provide directly
- Correspondence. Details you volunteer when contacting support (e‑mail, Discord handle, wallet type, error logs, etc.).
- User‑research & surveys. Name/pseudonym, wallet address, occupation, typical trade sizes, interview recordings, screenshots.
- Bug‑bounty submissions. Name or alias, e‑mail address, payment details for bounty payout.
3.2 Information collected automatically via the Services
- Device & usage telemetry. Browser/OS, device type, screen resolution, referrer URL, pages visited, time‑stamp, click‑stream, error codes.
- Web‑server & API logs. IP address, connected wallet type, wallet address (hashed for analytics), HTTP headers.
- Order‑intent metadata. When you draft or submit an order we store (off‑chain) the wallet address, sell/buy tokens & amounts, slippage tolerance, order kind, deadline, fee tier and signed appData package and then forward that signed intent to the CoW Protocol for potential matching.
3.3 Blockchain Data
If the CoW Protocol successfully matches and settles your intent, the following become permanently visible on-chain and to the public:
- Wallet address(es) of sender and recipient;
- Traded token pair and execution price;
- appData hash; and
- Transaction hash, gas metrics and block‑time.
3.4 Aggregated & de‑identified data
We may create statistical summaries or analytics that cannot reasonably be used to identify you. Such data is not Personal Data.
4. Legal bases for processing
We rely on one or more of the following legal grounds under §29 of the BVI DPA:
- Contractual necessity – processing order‑intent data so we can execute the trade you request;
- Legitimate interests – securing and improving the Services, defending legal claims, preventing fraud or abuse;
- Consent – voluntary participation in user‑research, optional analytics cookies (if any), marketing communications;
- Compliance with a legal obligation – responding to lawful orders, enquiries from regulators or courts; and
- Vital interests / Public interest – very rarely, to protect life or public health.
Where we rely on consent you may withdraw it at any time (see Section 11).
5. How we use Personal Data
- Service delivery – host the front‑end, sign and relay orders, and surface protocol‑level execution status in Cow Explorer.
- Troubleshooting & support – diagnose bugs, respond to tickets, reproduce error paths.
- Analytics & product improvement – understand feature adoption, optimise UI flows, benchmark performance.
- Security & abuse prevention – detect spam, Sybil or sanction‑listed wallets; mitigate DDoS.
- Legal & compliance – maintain audit logs, enforce Terms of Use, satisfy lawful disclosure requests.
- Corporate events – assess or facilitate a merger, restructuring or asset transfer.
We never sell your Personal Data, and we do not engage in automated decision‑making that produces legal effects on you without human review.
6. How we share Personal Data
| Recipient category | Typical data shared | Purpose |
| --- | --- | --- |
| Cloud hosting & infra (AWS, Vercel, Cloudflare) | IP address, API payloads, order‑intent metadata | Serve the Interface, protect against attacks |
| Blockchain node providers (Infura, Alchemy) | Raw transaction payloads | Relay your signed intent to the blockchain network via RPC providers |
| Analytics providers (Amplitude, Fathom) | Hashed wallet, usage events | Product analytics (opt‑in) |
| Collaboration & support tools (Discord, GitHub, Typeform, Zoom, Dovetail, Miro) | Contact details, conversation transcripts | Community management, user research |
| Professional advisors & auditors | Minimal necessary records | Legal, tax and security audits |
| Regulators & law‑enforcement | As lawfully compelled | Compliance with legal obligations |
All service providers are bound by contract to use Personal Data only on our instructions and to apply appropriate security controls.
7. Cookies
The interface uses cookies. Cookies are a feature of web browser software that allows web servers to recognize the computer or device used to access a website. A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don't have to keep re-entering them whenever you come back to the site or browse from one page to another. Please refer to our Cookies Policy.
8. International transfers
Because we rely on globally distributed infrastructure and third‑party processors, your Personal Data may be transferred outside the BVI. Where we do so we rely on contractual safeguards consistent with §55(2)(d) DPA or, where applicable, standard contractual clauses recognised by the EU/UK.
9. Data security
We implement administrative, technical and organisational measures designed to protect Personal Data, including:
- TLS encryption in transit;
- Principle‑of‑least‑privilege access controls;
- Continuous vulnerability monitoring and penetration testing;
- Incident‑response procedures with 72‑hour breach notification commitments under the DPA.
No internet system is 100 % secure, and we cannot guarantee absolute security of data transmitted via the Service.
10. Your rights
Under the Data Protection regulation you have rights to:
- Access – confirm whether we process your Personal Data and obtain a copy;
- Correction – rectify inaccurate or incomplete Personal Data;
- Erasure – request deletion where legal grounds apply (subject to blockchain limitations);
- Restriction – pause our processing while a challenge is resolved;
- Objection – object to processing based on legitimate interests or direct marketing;
- Portability – obtain a machine‑readable copy of data you provided;
- Withdraw consent – opt‑out of any processing based on consent at any time; and
- Complain – lodge a complaint with the BVI Office of the Information Commissioner.
Blockchain caveat. Data stored on public ledgers cannot feasibly be modified or erased. Where erasure is requested, we will remove or anonymise the data we control off‑chain and, where possible, issue smart‑contract calls that render on‑chain records inert. The open-source CoW Protocol smart contracts run independently on public blockchains and are outside CoW Hosting’s direct operational control.
To exercise your rights, e‑mail legal@cow.fi from the address you used to contact us or sign a nonce with the wallet you used on CoW Swap. We may ask for additional verification to protect your account.
11. Data retention
- Server logs – 30 days, unless extended for security investigations.
- Order‑intent records – 1 year after trade execution or expiry.
- Support tickets & UX research – 18 months after closure.
- Accounting & compliance – as required by applicable law.
We may retain anonymised or aggregated data indefinitely.
12. Children
The Services are not directed to children under 18. We do not knowingly collect Personal Data from minors. If you believe a child has provided us Personal Data, please contact legal@cow.fi; we will delete such information from our systems.
13. Changes to this Policy
We may update this Policy periodically. It is your duty to refer to this page for any changes to this Policy. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.
14. Contact us
For any questions, concerns or exercise of rights, contact our Data‑Protection team:
E‑mail: legal@cow.fi
If we are unable to resolve your concern, you may contact the Office of the Information Commissioner at https://www.privacy.vg or +1 (284) 468‑3036.
This Policy supersedes all earlier versions relating to CoW Swap and associated Services.