P
Privos

Privacy Policy

Last updated: February 2026

1. Introduction

Privos (“we,” “us,” or “our”) operates the Privos mobile application and API (collectively, the “Service”). This Privacy Policy explains how we collect, use, and protect your information when you use our Service.

2. Self-Custody Architecture

Privos is a self-custody wallet built on ERC-4337 account abstraction. This means:

  • We never hold, control, or have access to your private keys.
  • Your smart wallet is controlled solely by your authentication credentials.
  • All transactions are unsigned data that your wallet signs locally.
  • We cannot freeze, seize, or move your funds under any circumstances.

3. Information We Collect

3.1 Authentication Data

When you sign up via Privy (Google, Apple, Email, or WalletConnect), we receive and store your Privy user ID and, optionally, your email address. We do not store social login tokens or passwords.

3.2 Wallet Data

We store your wallet address for the purpose of fetching on-chain positions and building transactions. Wallet addresses are public information on the blockchain.

3.3 Agent Key Data

If you create agent delegation keys, we store the SHA-256 hash of the key (never the plaintext key), key metadata (name, scopes, expiry), and usage logs (operation type, timestamp, cost).

3.4 Transaction Metadata

We log transaction metadata (type, asset, amount, timestamp) for audit trails and policy enforcement. We do not store signed transactions or private key material.

3.5 Device Information

For push notifications (via OneSignal), we may store device tokens. We collect basic device information (OS type, app version) for crash reporting via Sentry.

4. How We Use Your Information

  • To provide and operate the Service (fetching positions, building transactions)
  • To enforce spending policies and agent key permissions
  • To send push notifications and email alerts you opt into
  • To maintain audit logs for your security review
  • To monitor and improve Service reliability

5. Data Storage and Security

Data is stored in Supabase (PostgreSQL) with row-level security policies. All API traffic is encrypted via TLS 1.3 (Cloudflare). Agent keys are stored as SHA-256 hashes. JWTs expire after 24 hours and can be explicitly invalidated.

6. Third-Party Services

We use the following third-party services:

  • Privy — Authentication (processes your social login data)
  • Supabase — Database hosting (stores your account data)
  • Alchemy — Blockchain RPC provider (reads on-chain data)
  • ZeroDev — ERC-4337 bundler and paymaster (processes transactions)
  • OneSignal — Push notifications (receives device tokens)
  • Resend — Email notifications (receives email addresses)
  • Sentry — Error tracking (receives anonymized crash data)
  • Cloudflare — CDN and SSL (processes network requests)

7. Data Retention

We retain your data for as long as your account is active. Agent keys are automatically purged after expiry. Transaction audit logs are retained for 12 months. You can request account deletion at any time by contacting [email protected].

8. Your Rights

You have the right to access, correct, or delete your personal data. You can revoke agent keys at any time. You can disable notifications. To exercise any of these rights, contact us at [email protected].

9. Children's Privacy

Our Service is not directed to individuals under 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the “Last updated” date.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at [email protected].