Privacy Policy

Effective date: 【2025-09-10】

Version: 【1.0】

At-a-Glance Summary

  • Non-custodial: we never see your keys or seed phrase
  • Minimal data: opt-in analytics; basic logs for security
  • RPC note: providers may see your IP and infer queried addresses—use custom RPCs if desired
  • Your controls: opt-out toggles, data requests via [email protected]
  • No sale/sharing: we don't sell personal data

1) Who we are

Controller: PRC Wallet (【legal entity name】)

Registered address: 【address】

Contact (privacy): [email protected]

Security disclosures: [email protected] (PGP on /security/responsible-disclosure)

This Policy explains how we handle information when you use PRC Wallet (web wallet at wallet.prc.network), our website (prc.network), and related services.

2) Non-custodial by design

We never have your private keys, seed phrases, or passphrases. Keys are generated and encrypted on your device and never leave it.

We do not hold or move customer funds.

We do not require account signup to use the wallet.

3) What we collect (minimal, purpose-bound)

We aim for data minimization. Categories below reflect web wallet + website + support.

A) Telemetry & analytics (optional, cookie-less by default)

What: app version, platform/OS, language, coarse region (country), feature events (e.g., "opened send screen"), performance timings.

What we don't collect: private keys, seed/passphrase, wallet balances, specific wallet addresses, contact lists.

Purpose: product reliability, UX improvements.

Legal basis: Consent (GDPR Art. 6(1)(a)). Disabled by default unless you opt in.

Tool: 【Plausible (self-hosted) / Umami / None】.

B) Crash reports & diagnostics (opt-in)

What: anonymized stack traces, app version, platform, non-sensitive error context.

No seeds/keys/addresses.

Purpose: debugging.

Legal basis: Consent (opt-in).

C) Server & web logs (automatic)

What: IP address, user-agent, timestamps, URL paths, referrers (site only), request IDs.

Purpose: security, fraud/abuse prevention, reliability, rate-limiting.

Legal basis: Legitimate interests (GDPR Art. 6(1)(f)).

D) RPC/network interactions (blockchain access)

What: when you query a chain (e.g., balance, nonce), your request goes to an RPC provider. RPC providers may see your IP address and can infer the wallet address you query.

Purpose: provide blockchain functionality.

Legal basis: Contract (to deliver the service) + Legitimate interests.

Controls: you may set custom RPC endpoints in Settings.

E) Support communications

What: your email, message content, attachments, app version, OS/Browser, optional tx hashes.

Purpose: respond to requests, resolve issues.

Legal basis: Contract / Legitimate interests.

F) Telegram companion (if enabled)

What: your Telegram user ID and message metadata necessary to deliver notifications.

No seeds/keys ever.

Purpose: opt-in alerts/help.

Legal basis: Consent (you initiate the bot).

We do not buy, sell, or share personal information for targeted advertising.

4) What we don't store

  • No private keys / seed phrases / passphrases
  • No server-side storage of wallet balances or transaction histories tied to your identity
  • No contact lists or address books

5) Third-party processors & infrastructure

We use trusted providers to run parts of the service. Each acts under a data processing agreement.

Category | Provider | Data | Purpose | Region
RPC (EVM/Vite) | Alchemy (and/or 【Infura/QuickNode】) | IP, chain requests | Blockchain access | 【US/EU】
Hosting/CDN | 【Cloudflare / Vercel / Netlify】 | IP, routing logs | Security, performance | 【Global】
Analytics (opt-in) | 【Plausible self-hosted / Umami】 | Aggregated events | Product insights | 【EU/Your server】
Email | 【SendGrid/SES】 | Sender/recipient, content | Support mail | 【Region】
Support desk | 【None / HelpScout / Zendesk】 | Ticket data | Support | 【Region】
Error tracking (opt-in) | 【Sentry self-hosted / None】 | Stack traces | Debugging | 【Region】

Note: RPC providers may associate IP with blockchain requests. Use custom RPCs or privacy networks if desired.

7) International transfers

If data is processed outside your country, we rely on appropriate safeguards (e.g., SCCs for EEA transfers). Details available on request.

8) Retention

  • Server logs: 30 days (security logs up to 12 months)
  • Telemetry (opt-in): 14 months rolling
  • Crash reports (opt-in): 12 months
  • Support tickets: 24 months after closure
  • Telegram IDs (opt-in): deleted upon bot disconnect or after 12 months of inactivity

We keep data longer only if required by law or to resolve disputes.

9) Your rights

Where applicable (GDPR/UK GDPR/CCPA/CPRA), you may:

  • Access / correct / delete your data
  • Portability (receive a copy)
  • Object / restrict certain processing
  • Withdraw consent at any time (telemetry/crash/Telegram)

California: we do not sell or share your personal information; you can limit use of sensitive data.

Contact [email protected] to exercise rights. We may verify your request. You can also contact your local supervisory authority.

10) Cookies & similar tech

Wallet: operates without tracking cookies.

Site analytics (optional): cookie-less by default (e.g., Plausible). If we ever use cookies, we'll show a consent banner with choices.

See /legal/cookies for details (if separate).

11) Security measures

  • Client-side key generation and encryption; keys never leave your device
  • Transport security (HTTPS), HSTS, TLS 1.2+
  • Signed builds and checksums/PGP on /download
  • Rate-limiting, WAF/CDN protections, least-privilege access, vulnerability disclosure program (see /security/responsible-disclosure)

No system is perfect—report issues to [email protected].

12) Children

Our services aren't directed to children under 16 (or the age required by local law). We do not knowingly collect their data.

13) Do Not Track / automated decisions

Browser "Do Not Track" is honored where feasible.

We do not perform automated decision-making that produces legal or similarly significant effects.

14) Data controls you can use (in-product)

  • Analytics toggle: Off by default; turn on/off anytime
  • Crash reports: Opt-in toggle
  • Custom RPCs: Use your own endpoints for privacy
  • Clear local data: In-app option to purge cached app data (does not affect on-chain records)

15) Web wallet specifics (storage)

We never store seeds/keys in localStorage or send them over the network.

Encrypted key material is kept only on your device (e.g., IndexedDB / secure storage) and unlocked with your local credentials.

Session data (UI prefs) may use localStorage or IndexedDB—never sensitive keys.

16) Browser extension / mobile (when available)

Same principles as web: on-device key generation/encryption; no server-side custody; opt-in telemetry; platform-specific permissions disclosed in-app.

17) Regulatory disclosures & jurisdictions

Primary jurisdiction: 【e.g., Lithuania / Delaware, USA】

EEA/UK: GDPR/UK-GDPR compliant; DPA available on request if you use our business services.

California: CCPA/CPRA compliant; no "sale" or "sharing" of personal information.

DPO (if appointed): 【name or "N/A"】, [email protected].

18) Changes to this Policy

We'll post updates here with a new Effective date and keep prior versions available on request. If changes are material, we'll provide a prominent notice.

19) Contact

Contact Information

Privacy: [email protected]

Security: [email protected] (PGP)

Postal Address

【legal mailing address】