
// Privacy Briefing

// The honest rundown of what the Forge sees, where it sends it, and what it can't see. No cookie banner theatre. No lawyer waffle. Read the list, make the call.

The Forge is a scanner that happens to run as a website. Websites see things. Most sites hide exactly what, behind paragraphs of legalese and a cookie wall. This page does the opposite. Every data flow the Forge touches is listed below, in plain English, with the outside party that touches it named. Read the list. If any of it crosses a line, close the tab.


// What The Forge Collects From You

The Forge does not use cookies. It does not run a session database. There is no account, no email, no password, no wallet-connect. The site does not know who you are, and it is built that way on purpose.

Things stored in your browser — never sent anywhere:

  • localStorage keys: forge:hidden-venues, forge:view-mode, forge:timeframe, forge:sort-key, forge:watchlist. These remember your UI preferences between reloads. Clear your browser storage and they're gone — no server copy exists.
  • Transient React state for the current page — sort order, search input, open modal — dies the moment you refresh.

// What Gets Sent To The Backend

Every data request the dashboard makes is anonymous. The backend logs standard request metadata — URL path, timestamp, response status — and the request IP is visible to whatever host the backend runs on. No user identifier is attached. The backend does not store any mapping from IPs to behaviour.

If you paste an address into the Portfolio page, that address is sent to the backend and relayed to Zerion so their indexer can return the portfolio data. The backend caches the result keyed by the address for ten minutes. No cookie is set. No cross-session correlation happens. Another visitor pasting the same address gets the same cached response — the Forge does not know it's the same person, and it does not try to find out.

// Third-Party Services

The Forge talks to outside APIs. Each one is named explicitly so nothing is buried.

Perp venue APIs — Hyperliquid, dYdX, Paradex, Aster, Lighter, Vertex, Extended, Backpack, Pacifica, Ethereal. The backend scrapes each one on a ten-second pulse for funding rates and open interest. Your browser never contacts these APIs directly; the backend is the only client. You are not identified to any venue.

Zerion — only called when you paste an address into the Portfolio page. Your IP is not forwarded; the backend is the client. Zerion sees the address you pasted. See Zerion's own privacy policy for how they treat it.

Llama RPC (eth.llamarpc.com) — called from your browser every thirty seconds to fetch the latest Ethereum block number for the footer. No account, no key, no user identifier. Your IP is visible to Llama. If this matters to you, disable JavaScript for that domain or block it in uBlock.

Plausible analytics — loaded only when the environment flag NEXT_PUBLIC_ANALYTICS_ENABLED is true. Plausible does not set cookies, does not fingerprint, does not collect personal data. It records pageviews and referrer only. No goals or custom events are configured. See plausible.io/privacy for their own terms.

Sentry error monitoring — optional, gated by environment flag. If enabled, a JavaScript error on the site sends a stack trace and the request URL to Sentry. The URL is scrubbed of query strings before it leaves the browser, so Portfolio addresses never appear in the error payload. Session replay and profiling are explicitly disabled. IPs are not collected. If a production deployment does not set the Sentry DSN, no error data leaves your browser at all.
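One way to do the scrubbing described in the Sentry entry, as an added example that is not the Forge's own code. The function has the shape of Sentry's `beforeSend` hook (event in, event out); the `address` query parameter, the `forge.example` host and the sample event are assumptions constructed for illustration, and the example goes a step beyond the request URL by also scrubbing the Referer header and breadcrumb URLs.

```javascript
// Added example, not the Forge's code. Field names follow Sentry's event
// payload; it would be wired in as Sentry.init({ beforeSend: scrubEvent }).

// Drop the query string and fragment from a URL, keeping origin and path.
function stripQuery(url) {
  if (typeof url !== "string") return url;
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : url.slice(0, cut);
}

// Scrub the places a browser error event commonly carries a URL.
function scrubEvent(event) {
  if (event.request) {
    event.request.url = stripQuery(event.request.url);
    delete event.request.query_string;
    const headers = event.request.headers;
    if (headers && headers.Referer) headers.Referer = stripQuery(headers.Referer);
  }
  for (const crumb of event.breadcrumbs || []) {
    const data = crumb.data || {};
    // fetch/xhr breadcrumbs use "url"; navigation breadcrumbs use "from"/"to".
    for (const key of ["url", "from", "to"]) {
      if (key in data) data[key] = stripQuery(data[key]);
    }
  }
  delete event.user; // drop the user block, where an IP field would travel
  return event;
}

// Constructed sample event; host, paths and address are placeholders.
const sampleEvent = {
  request: {
    url: "https://forge.example/portfolio?address=0xCONSTRUCTED#tab",
    query_string: "address=0xCONSTRUCTED",
    headers: { Referer: "https://forge.example/portfolio?address=0xCONSTRUCTED" },
  },
  breadcrumbs: [
    { category: "fetch", data: { url: "/api/portfolio?address=0xCONSTRUCTED" } },
    { category: "navigation", data: { from: "/", to: "/portfolio?address=0xCONSTRUCTED" } },
  ],
  user: { ip_address: "{{auto}}" },
};

const scrubbed = scrubEvent(JSON.parse(JSON.stringify(sampleEvent)));
console.log(JSON.stringify(scrubbed, null, 2));
```

Query-string scrubbing only protects values that travel in the query string; an address placed in the URL path or in an exception message would need its own rule.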

Qwerti — embedded as an iframe on the Swap page and on the Spot Carry buy flow. When you load either, Qwerti's widget runs in your browser inside the iframe. Every outbound URL carries the Forge's referral tag so Qwerti knows the referral came from here. Anything you do inside the widget — signing, onboarding, card payments — is between you and Qwerti. Read their privacy policy before you sign anything.

// Hosting Infrastructure

The frontend is served from Vercel. Vercel sees request metadata — IP, User-Agent, referrer, path. Vercel's built-in analytics is disabled; the Forge does not use it. The backend runs on Railway (or a future equivalent host) with the same kind of standard request logging. Neither provider has a user account tied to the Forge visitor, and the Forge does not export any server logs to third parties beyond what is named above.

// What The Forge Cannot See

Because there is no account, the Forge cannot correlate your visit today with your visit next week. Because there are no third-party trackers, the Forge cannot follow you off-site. Because there is no wallet connect, the Forge does not know which wallets belong to you. Pasting an address into the Portfolio page tells the backend which address you asked about — not whether the address belongs to you.

// Your Controls

Clear your browser storage for this domain and every stored preference is wiped. Block the JavaScript for eth.llamarpc.com and the footer block-height readout goes dark — nothing else breaks. Block plausible.io and pageview analytics stops; nothing else breaks. Use a VPN or Tor if you don't want Vercel or Railway to see your actual IP. The Forge works the same either way.

// Changes To This Page

This page changes when the data flows change. A new third-party integration gets listed here before it ships. A new tracker is not added silently — if the Forge adds one, it shows up in the list above first. The commit history of this file in the public repo is the audit trail.

// Contact

Questions about data handling go to @BartertownC on X. DMs are open.