A public-private key pair is generated locally on a user’s computer. That key pair is seeded with a signed message from the user’s Ethereum wallet. This means that a user is only able to use that key pair if they have access to the particular wallet that the key was generated from.
This key pair is uploaded securely to IPFS, and the corresponding IPFS hash is stored on a smart contract. Only you can retrieve and decrypt your private key from that IPFS storage, but others can retrieve your public key. No part of this process happens through AirSwap, so there is no risk of exposing your private key to any other party.