1. Information we collect
1.1 Account information
When you register we collect your name, email address and a password. Passwords are never stored in plain text — they are stored only as a salted bcrypt hash and cannot be read by us.
1.2 Authentication & security data
- A session token (JWT) stored in your browser’s local storage to keep you signed in.
- If you enable two-factor authentication (2FA): a TOTP secret and one-time backup codes (backup codes are stored hashed).
- Security event logs used to protect your account — including IP address, browser/user-agent, timestamps and events such as sign-in, failed sign-in, lockout, password change and 2FA changes.
1.3 Risk-check inputs and results
To provide checks, we process the subjects you submit — wallet addresses, token contracts, transaction hashes, website domains, P2P counterparties and email addresses — together with the network you select. We may store your checks, saved watchlists and generated reports so they are available in your dashboard.
1.4 Usage, API and billing data
- Product usage such as number of checks performed and features used.
- For business plans: API keys you create and request logs (subject checked, score, timestamp).
- Plan and billing records associated with your account (the current build uses demo billing and does not collect full card details).
1.5 Technical data
Standard technical information such as device and browser type and an approximate location derived from your IP address, used for security, abuse prevention and reliability.
2. How we use information
- Provide and operate the Service and return your risk checks and reports.
- Authenticate you and keep your account and sessions secure.
- Detect, prevent and investigate fraud, abuse and security incidents (e.g. brute-force lockout, rate limiting, audit logging).
- Maintain, improve and troubleshoot the Service.
- Communicate important account, security or service notices.
- Comply with legal obligations and enforce our terms.
3. Legal bases
Where applicable law (such as the GDPR) requires a legal basis, we rely on: performance of our contract with you (to provide the Service); our legitimate interests (to secure, maintain and improve the Service and prevent abuse); your consent (where requested); and compliance with legal obligations.
4. Cookies & local storage
We use your browser’s local storage to hold your session token and basic preferences so the Service works. We do not use third-party advertising or cross-site tracking cookies. Clearing your browser storage will sign you out.
5. Blockchain data
Blockchain networks are public and immutable. Addresses, transactions and contracts you check may already be publicly available on those ledgers, and risk signals are derived in part from public on-chain and open-source data. We do not control public blockchains and cannot alter or delete information recorded on them.
6. How we share information
We do not sell your personal data. We share information only with:
- Service providers / infrastructure — hosting and platform vendors (for example, our backend and database host and our frontend host) that process data on our behalf under appropriate safeguards.
- Data sources — public blockchain and open-source intelligence sources queried to produce a risk result.
- Legal & safety — where required by law, regulation, legal process or to protect the rights, safety and security of users, the public or Wallet Spec.
- Business transfers — in connection with a merger, acquisition or sale of assets, subject to this Policy.
7. Data retention
We keep account and check data for as long as your account is active or as needed to provide the Service. Security event logs are kept for a limited period for protection and audit purposes. When data is no longer needed, we delete or anonymise it, unless a longer retention period is required by law.
8. How we protect your data
- Passwords hashed with bcrypt; sensitive secrets never returned to the client.
- Optional two-factor authentication (TOTP) with one-time backup codes.
- Per-account brute-force lockout and per-IP rate limiting.
- Session revocation when you change your password or sign out of all devices.
- Strict security headers, transport encryption (HTTPS) and a security audit log.
No method of transmission or storage is 100% secure, but we work to protect your information using appropriate technical and organisational measures.
9. Your rights and choices
Depending on your location, you may have the right to access, correct, export or delete your personal data, object to or restrict certain processing, and withdraw consent. You can update your profile and password in the app, enable or disable 2FA, and sign out of all sessions. To exercise other rights, contact us at privacy@specwallet.com. You may also have the right to lodge a complaint with your local data protection authority.
10. International transfers
Your information may be processed in countries other than your own. Where required, we use appropriate safeguards for such transfers.
11. Children
The Service is not directed to children and is intended for users aged 18 or older. We do not knowingly collect personal data from children.
12. Third-party links
The Service may link to third-party websites or resources. We are not responsible for the privacy practices of those third parties; review their policies separately.
13. Changes to this Policy
We may update this Policy from time to time. We will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate. Continued use of the Service after an update means you accept the revised Policy.
14. Service providers & data location
We use the following sub-processors to run the Service:
- Hosting: the application backend runs on Render; the website runs on Vercel.
- Database: account and check data is stored in a managed PostgreSQL database (Render).
- Payments: card payments are handled by Lemon Squeezy (merchant of record) and crypto (USDT) payments by NOWPayments. We never receive or store your card details.
- Risk intelligence: a check may query third-party and public sources (blockchain explorers, OFAC sanctions data, Google Safe Browsing, VirusTotal, URLhaus, Spamhaus, RDAP/DNS). We send only the subject you submit (e.g. an address, domain or email) — never your account data.
15. Data retention
We keep your account and check history while your account is active so you can review past reports. You can delete individual items, or permanently delete your account and all associated data, at any time from Profile → Security → Delete account. Security audit logs may be kept for a limited period for fraud-prevention and integrity purposes.
16. Contact us
Questions about this Policy or your data, or to make a data request, contact us at privacy@specwallet.com.