Legal

Privacy Policy

How Wallet Spec handles your data across our website (specwallet.com) and the Wallet Spec application and API.

Last updated: June 22, 2026
This Privacy Policy explains what information Wallet Spec (“Wallet Spec”, “we”, “us”) collects when you use our website and the Wallet Spec application, dashboard and API (together, the “Service”), how we use and protect it, and the choices and rights you have. By creating an account or using the Service, you agree to this Policy.

1. Information we collect

1.1 Account information

When you register we collect your name, email address and a password. Passwords are never stored in plain text — they are stored only as a salted bcrypt hash and cannot be read by us.

1.2 Authentication & security data

  • A session token (JWT) stored in your browser’s local storage to keep you signed in.
  • If you enable two-factor authentication (2FA): a TOTP secret and one-time backup codes (backup codes are stored hashed).
  • Security event logs used to protect your account — including IP address, browser/user-agent, timestamps and events such as sign-in, failed sign-in, lockout, password change and 2FA changes.

1.3 Risk-check inputs and results

To provide checks, we process the subjects you submit — wallet addresses, token contracts, transaction hashes, website domains, P2P counterparties and email addresses — together with the network you select. We may store your checks, saved watchlists and generated reports so they are available in your dashboard.

1.4 Usage, API and billing data

  • Product usage such as number of checks performed and features used.
  • For business plans: API keys you create and request logs (subject checked, score, timestamp).
  • Plan and billing records associated with your account (the current build uses demo billing and does not collect full card details).

1.5 Technical data

Standard technical information such as device and browser type and an approximate location derived from your IP address, used for security, abuse prevention and reliability.

2. How we use information

  • Provide and operate the Service and return your risk checks and reports.
  • Authenticate you and keep your account and sessions secure.
  • Detect, prevent and investigate fraud, abuse and security incidents (e.g. brute-force lockout, rate limiting, audit logging).
  • Maintain, improve and troubleshoot the Service.
  • Communicate important account, security or service notices.
  • Comply with legal obligations and enforce our terms.

3. Legal bases

Where applicable law (such as the GDPR) requires a legal basis, we rely on: performance of our contract with you (to provide the Service); our legitimate interests (to secure, maintain and improve the Service and prevent abuse); your consent (where requested); and compliance with legal obligations.

4. Cookies & local storage

We use your browser’s local storage to hold your session token and basic preferences so the Service works. We do not use third-party advertising or cross-site tracking cookies. Clearing your browser storage will sign you out.

5. Blockchain data

Blockchain networks are public and immutable. Addresses, transactions and contracts you check may already be publicly available on those ledgers, and risk signals are derived in part from public on-chain and open-source data. We do not control public blockchains and cannot alter or delete information recorded on them.

6. How we share information

We do not sell your personal data. We share information only with:

  • Service providers / infrastructure — hosting and platform vendors (for example, our backend and database host and our frontend host) that process data on our behalf under appropriate safeguards.
  • Data sources — public blockchain and open-source intelligence sources queried to produce a risk result.
  • Legal & safety — where required by law, regulation, legal process or to protect the rights, safety and security of users, the public or Wallet Spec.
  • Business transfers — in connection with a merger, acquisition or sale of assets, subject to this Policy.

7. Data retention

We keep account and check data for as long as your account is active or as needed to provide the Service. Security event logs are kept for a limited period for protection and audit purposes. When data is no longer needed, we delete or anonymise it, unless a longer retention period is required by law.

8. How we protect your data

  • Passwords hashed with bcrypt; sensitive secrets never returned to the client.
  • Optional two-factor authentication (TOTP) with one-time backup codes.
  • Per-account brute-force lockout and per-IP rate limiting.
  • Session revocation when you change your password or sign out of all devices.
  • Strict security headers, transport encryption (HTTPS) and a security audit log.

No method of transmission or storage is 100% secure, but we work to protect your information using appropriate technical and organisational measures.

9. Your rights and choices

Depending on your location, you may have the right to access, correct, export or delete your personal data, object to or restrict certain processing, and withdraw consent. You can update your profile and password in the app, enable or disable 2FA, and sign out of all sessions. To exercise other rights, contact us at privacy@specwallet.com. You may also have the right to lodge a complaint with your local data protection authority.

10. International transfers

Your information may be processed in countries other than your own. Where required, we use appropriate safeguards for such transfers.

11. Children

The Service is not directed to children and is intended for users aged 18 or older. We do not knowingly collect personal data from children.

12. Third-party links

The Service may link to third-party websites or resources. We are not responsible for the privacy practices of those third parties; review their policies separately.

13. Changes to this Policy

We may update this Policy from time to time. We will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate. Continued use of the Service after an update means you accept the revised Policy.

14. Service providers & data location

We use the following sub-processors to run the Service:

  • Hosting: the application backend runs on Render; the website runs on Vercel.
  • Database: account and check data is stored in a managed PostgreSQL database (Render).
  • Payments: card payments are handled by Lemon Squeezy (merchant of record) and crypto (USDT) payments by NOWPayments. We never receive or store your card details.
  • Risk intelligence: a check may query third-party and public sources (blockchain explorers, OFAC sanctions data, Google Safe Browsing, VirusTotal, URLhaus, Spamhaus, RDAP/DNS). We send only the subject you submit (e.g. an address, domain or email) — never your account data.

15. Data retention

We keep your account and check history while your account is active so you can review past reports. You can delete individual items, or permanently delete your account and all associated data, at any time from Profile → Security → Delete account. Security audit logs may be kept for a limited period for fraud-prevention and integrity purposes.

16. Contact us

Questions about this Policy or your data, or to make a data request, contact us at privacy@specwallet.com.