ProofKit's coordinator does not record your IP address or the sites you visit. Operators provisioning your tunnel see only an anonymized session identifier — never your email, wallet, or real identity. What is kept is the minimum needed to bill bandwidth and settle payments.
The coordinator does not log end-user IP addresses or browsing destinations. There is no traffic-inspection log, and your visited sites stay inside the encrypted tunnel. Identity is never sent to the operators who route your traffic.
To run a paid marketplace, ProofKit stores account basics (email, optional name), your TON address for payments, and per-session bandwidth counters used to bill pay-per-GB and split operator revenue. This is billing metadata, not a browsing history — we do not claim to store nothing.
Node operators receive an anonymized session email like [email protected] and a tunnel UUID — never your real email, wallet, or account. Identity stays with the coordinator; routing stays with the operator.
Your route uses two independent operators: an entry node that sees your IP but not your destination, and an exit node that sees your destination but not your IP. As with Tor, a single operator who manages to run both hops of your route — or two operators who collude — could correlate the two ends. ProofKit does not currently hard-block this; we rely on operator diversity, staking and reputation, and we disclose the residual risk plainly rather than claim it away.
Some nodes in the marketplace show a config-verified badge. It means the node's ProofKit-managed XRay and nginx configuration is unmodified, checked by a software self-report. It is a deterrent against casual tampering — not a cryptographic guarantee that the operator cannot capture traffic, since an operator with root could alter the software itself. A future hardware-attested tier (confidential VMs) provides a stronger guarantee on supported hosts.
No. The coordinator does not capture or store end-user IP addresses. An audit-log field exists for administrative events but is never populated from web requests. A CDN in front of the site may process IP transiently for DDoS protection, as with any website.
No. Browsing destinations stay inside the encrypted VLESS tunnel. The coordinator stores bandwidth totals for billing, not the sites you reach. Exit-node operators can see traffic they route, as with any VPN, but cannot tie it to your identity.
We avoid that absolute. ProofKit keeps no IP or destination logs, but it does store account and per-session bandwidth metadata needed to bill pay-per-GB and pay operators. That is honest no-traffic-logs, not no-data-at-all.
Pick a route by country, price, uptime, and proof status. Pay only for traffic you actually use. Unused TON balance is withdrawable from the escrow, subject to pending charges.