# How to evaluate a privacy service yourself

> The seven-step checklist xmr.club curators run on every listing: privacy posture, operator track record, KYC flow tests, withdrawal tests, audit + license review. Apply it to anything we don't cover yet.

Canonical URL: https://www.xmr.club/guides/evaluate-a-privacy-service

## Overview

Most people pick privacy services by reputation or marketing. Reputations can be paid for; marketing always lies a little. The curator team grades every entry in this directory against a published rubric (/methodology), but new services launch weekly and you'll need to evaluate some on your own. This is the same checklist we use, distilled into something you can run in about 30 minutes.

## Body

### The pre-flight question

Before any testing: does this service even need to exist for me? Half the privacy purchases people make solve a problem they don't actually have. Match the service to your threat model first. If a no-KYC VPN buys you nothing because your ISP isn't a threat, stop here.

### Step 1 — Operator transparency (5 minutes)

- Who runs it? Find at least one named person, company registration, or pseudonymous account with a multi-year track record. Anonymous-but-active is fine; anonymous-and-fresh is a red flag.
- How long has the domain existed? Check WHOIS and the Wayback Machine. Domains less than 6 months old that already sell paid plans deserve extra scrutiny.
- Is the codebase public? Open source isn't required, but its absence has to be justified by some other trust anchor.
- Any prior incidents? Search "{service} hacked", "{service} exit-scam", "{service} freezes funds". Read the threads.

### Step 2 — Privacy policy (5 minutes)

- What's collected? Look for "IP addresses", "device fingerprints", "browser identifiers". A no-logs claim that contradicts the privacy policy is a lie.
- How long is it kept? "Retained indefinitely" or "as required by law" is broader than it sounds; in practice it usually means everything, forever.
- Who has access? Subcontractors, payment processors, "law-enforcement requests".
- Jurisdiction. Where is the company incorporated? Five-Eyes / Fourteen-Eyes operators face data-sharing pressure that most non-aligned jurisdictions don't.

### Step 3 — Signup test (10 minutes)

Use a clean Tor session and a throwaway email. Capture screenshots at every step.

- Does signup require email? Phone? ID? Anything beyond username + password lowers the privacy ceiling.
- Try a fake / disposable email. Is it accepted? Some services silently fingerprint disposable-email domains.
- Note any captcha provider (Cloudflare / Google / hCaptcha): they all see your IP at signup.
- Does the account-creation page run third-party JS? Open Dev Tools → Network and look for analytics, Stripe fingerprinting, FB Pixel.

### Step 4 — Deposit test (5 minutes)

Send a small amount (under $20): XMR if accepted, BTC otherwise. Check:

- Does the wallet UI prompt for additional KYC after deposit? (A common anti-pattern at exchanges.)
- Confirm funds arrive at the published address, not via a re-routed proxy address.
- Note the actual settlement: is it native, wrapped, or an IOU? "We send you XMR" sometimes means "we credit your account, redeemable for XMR".

### Step 5 — Withdrawal test (10 minutes)

The most critical step. The privacy posture is whatever survives this:

- Withdraw to a fresh address (one the service has never seen).
- Does withdrawal require additional KYC? "Verify your identity to withdraw" = retroactive KYC = downgrade.
- Is the withdrawal held? Beyond ~24h for a small amount is a yellow flag; beyond 72h without explanation is red.
- Does the email confirmation leak information (deposit history, balance, originating IP)?
- Try a second withdrawal a few days later. Hidden-tier KYC triggers sometimes appear after volume thresholds.

### Step 6 — Audit + license review (5 minutes)

- Any third-party audit? Read the report, not just the marketing. Audits expire; anything older than 18 months is stale.
- Compliance posture. Does the operator publish a transparency report? Subpoena count? Warrant canaries?
- Code license. AGPL > GPL > MIT > closed-source for trust signaling.
- For exchanges/custody: proof-of-reserves cadence. Self-reported is weaker than third-party-attested.

### Step 7 — Reputation cross-check (5 minutes)

- Search Reddit r/privacy, r/Monero, r/PrivacyToolsIO for the past 12 months.
- Search Trustpilot / BBB / Sitejabber for fund-loss complaints, with skepticism for review-farming patterns.
- Check existing privacy directories: KYCnot.me, PrivacyGuides, Monerica. If several disagree with a service's self-claim, weight their consensus.
- Check us: search the xmr.club audit log and archive for the operator name.

### Grade yourself

Map your findings to the xmr.club rubric:

- Passed all 7 steps cleanly? Likely A-tier. Re-test in 12 months.
- One trade-off (email at signup, or a smaller operator, or a fresh domain)? B-tier. Acceptable for matching threat models.
- KYC creep at withdrawal, or an audit gap, or unresolved fund complaints? C-tier. Use cautiously, never for high value.
- Active fund-loss reports or a hostile legal jurisdiction? Don't use. Tell us and we'll list it as a warning.

### When you've done the work, submit it

If you've evaluated something we don't list, share the findings via /submit. We re-run the checklist before publishing, but pre-tested submissions land faster and the curator notes get credit.

## Recommended picks

Reference picks for each step:

- [Tor Browser](https://www.xmr.club/tools/tor-browser) · /llm/tools/tor-browser.txt — Step 3 signup test — clean session, padded fingerprint. Mandatory.
- [Tuta Mail](https://www.xmr.club/email/tutanota) · /llm/email/tutanota.txt — Step 3 throwaway email source. Accepted at most no-KYC signups.
- [Feather](https://www.xmr.club/wallets/feather) · /llm/wallets/feather.txt — Step 4 + 5 deposit/withdrawal testing. Native XMR + Tor.
- [kyc.rip aggregator](https://www.xmr.club/exchanges/kyc-rip-aggregator) · /llm/exchanges/kyc-rip-aggregator.txt — Step 4 small-amount test deposits. Multi-engine, no markup.

## License

CC-BY-4.0. Attribute "xmr.club".
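As an added illustration of the Step 3 third-party-JS check (example code, not part of the xmr.club checklist or toolkit): it parses a saved copy of an account-creation page and reports every external host that serves a script, iframe or tracking pixel, labelling the providers the guide names. The `KNOWN_TRACKERS` host map and the sample HTML are constructed assumptions, not data from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hand-made host-suffix -> provider map (assumption, not from the guide).
KNOWN_TRACKERS = {
    "challenges.cloudflare.com": "Cloudflare Turnstile",
    "www.google.com": "Google reCAPTCHA",
    "hcaptcha.com": "hCaptcha",
    "js.stripe.com": "Stripe fingerprint",
    "connect.facebook.net": "FB Pixel",
}

# Constructed sample of a saved account-creation page; not a real service.
SAMPLE_SIGNUP_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-service.test/vendor.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://js.hcaptcha.com/1/api.js" async></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&amp;ev=PageView">
</head><body><form action="/signup"></form></body></html>"""


class SrcCollector(HTMLParser):
    """Collect the src attribute of every script, iframe and img tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in ("script", "iframe", "img") else None
        if src:
            self.srcs.append(src)


def third_party_hosts(html, first_party):
    """Map each external host to a provider label or 'unknown'; skip
    relative URLs and first_party plus its subdomains."""
    collector = SrcCollector()
    collector.feed(html)
    found = {}
    for src in collector.srcs:
        if not (src.startswith("//") or "://" in src):
            continue  # relative path: served by the operator itself
        host = urlparse(src).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue
        found[host] = next((v for k, v in KNOWN_TRACKERS.items()
                            if host == k or host.endswith("." + k)), "unknown")
    return found
```

Save the signup page from the Tor Browser session (HTML only) and call `third_party_hosts()` on its contents with the service's own domain; every host it returns is a party that sees your IP at signup, and an "unknown" label means a host worth looking up before grading.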