Privacy Policy

ChainArmor collects the bare minimum of personal data to run the service. We do not require KYC, we do not sell or share your data with advertisers, and you can delete your account at any time. Everything you add to the product (wallet addresses, labels) is public blockchain data that you choose to associate with your account.

ChainArmor (“we”, “us”) provides a blockchain wallet monitoring and risk assessment service. If you have a question about this policy or the data we hold on you, reach us at our contact page.

To run the service, we collect and store:

• Email address. Required to sign in (magic-link authentication) and to deliver alerts. We never ask for a name, phone number, or government ID.
• Wallet addresses you add. Public blockchain data that you explicitly choose to monitor, either by typing an address manually or by connecting a browser wallet (such as MetaMask or Trust Wallet). When you connect a wallet, we only import the public address(es) you approve — we never request or receive your private keys, seed phrases, or signing authority.
• Notification channel destinations. If you link Telegram or a webhook, we store the chat ID or URL needed to deliver messages.
• Billing metadata. Your subscription tier, billing interval, and Stripe customer ID. Payment details (card numbers, CVV) are handled by Stripe; we never see them.
• Minimal usage data. Request timestamps and IP addresses on authenticated API calls for abuse detection and rate-limiting. We keep these for 30 days then aggregate them.
• Anti-bot data (functional, with consent). When you enable functional cookies, Cloudflare Turnstile collects your IP address and browser metadata to distinguish you from automated bots. This data is processed by Cloudflare and is not stored by ChainArmor. You can disable this at any time via Cookie settings.

We do NOT collect:

• Names, phone numbers, or real-world identity documents.
• Browser fingerprints or cross-site tracking cookies.
• Marketing-tracking pixels or third-party advertising scripts.
• Your wallet's private keys or signing material.

Your data is used only to:

• Authenticate you and keep your session active.
• Scan the wallets you've added against public blockchain blacklists (USDT/USDC freeze lists, OFAC sanctions, and similar).
• Compute risk scores and indirect-exposure proximity data on those wallets.
• Deliver alerts to the channels you've configured.
• Bill you through Stripe for paid plans.
• Investigate and block abuse of the service.

We do not use your data for profiling, advertising, or training machine-learning models.

The service is built on a small set of external providers. Each receives only the data it strictly needs to do its job.

• Stripe — handles subscription billing. Receives: email, plan selection, Stripe customer ID. Governed by Stripe's own privacy policy.
• Resend — sends transactional email (magic links, alerts). Receives: recipient email, subject line, body.
• Telegram Bot API — delivers alerts to users who link a Telegram channel. Receives: chat ID, message text.
• Blockchain RPC providers (TronGrid, Alchemy, Infura and similar) — receive the public wallet addresses you add, so we can fetch their transaction history. Does not reveal any personal data to the provider.
• Reown (WalletConnect relay) — facilitates wallet connection from mobile wallet apps. When you use the WalletConnect option, your connection is relayed through Reown's encrypted relay server. Reown cannot read your wallet address or account data; it processes encrypted session metadata and your IP address. See Reown's Privacy Policy.
• Cloudflare (Turnstile anti-bot) — when you enable functional cookies, our login and verification forms load Cloudflare Turnstile to distinguish humans from automated bots. Cloudflare processes your IP address, browser type, and interaction data to generate a verification token. This data is processed by Cloudflare and not stored by ChainArmor. You can disable this at any time via the “Cookie settings” link in the footer. See Cloudflare's Privacy Policy.
• Google (Firebase Analytics) — when you enable statistics cookies, we load Google Analytics via Firebase to understand which pages are visited and how the product is used. Google processes anonymized interaction data, page views, and browser metadata. No personal data (email, wallet addresses) is sent to Google. You can disable this at any time via “Cookie settings” in the footer. See Google's Privacy Policy.

We do not sell personal data. We do not share personal data with advertisers or data brokers.

• Email address, login credentials, notification channel destinations, API keys — kept only as long as your account is active. Permanently deleted the moment you delete your account (see section 5a).
• Wallet addresses you added, the derived transaction counterparty graph, proximity/risk scores, and alert history — retained in anonymized form for network analysis even after you delete your account. This is public blockchain data that you chose to associate with our analysis pipeline. Details in section 5a below.
• Billing records (invoices, Stripe events) — retained for 7 years as required by tax authorities in most jurisdictions. After account deletion, the only remaining link is your Stripe customer ID inside Stripe itself; our database no longer stores it.
• Logs with IP addresses — 30 days.

You can delete your account any time from Settings → Danger zone → Delete account. The deletion is high-friction on purpose: you must type your full email address into a confirmation field before the destructive button activates.

When you confirm deletion, we immediately:

• Overwrite your email on our user record with an opaque placeholder. Your original email is not recoverable.
• Delete every notification channel you linked (Telegram chat IDs, webhook URLs and their secrets).
• Delete all your API keys.
• Delete any pending magic links or Telegram verification nonces.
• Cancel your active Stripe subscription with proration — a final partial-period invoice will be settled against your payment method, and no further charges will occur.
• Clear your authentication cookies so your current browser session stops working immediately.
• Set your account status to deleted, which blocks any still-valid access tokens from being used.

What we keep after deletion, in anonymized form:

• The wallet addresses you added to your account.
• The counterparty list and proximity scores we computed for those wallets.
• The alert audit trail for the wallets you scanned, so we can improve the risk model.
• Aggregated wallet-creation / deletion records used for anti-abuse (the rolling 30-day cap).

None of this retained data contains your email, your billing information, your IP address, or anything else that identifies you as a person. The only link between these rows and the (now-anonymized) account row is an internal UUID that has no meaning outside our database. We keep this data because it is public blockchain information that you chose to share with us for analysis — and that analysis (wallet clustering, blacklist adjacency, fraud pattern detection) improves for every user as the dataset grows.

If you want a stricter deletion that wipes the wallet and counterparty rows as well — or if you have a legal basis (e.g. a supervisory authority order) that requires it — email our privacy contact. We honor those requests; the self-service flow just defaults to the anonymization path because it produces the most useful public-good outcome.

If you are in the EU, UK, or a jurisdiction with similar data protection laws, you have the right to:

• Access the personal data we hold on you.
• Correct inaccurate data.
• Request deletion (“right to erasure”).
• Export your data in a portable format.
• Object to processing.
• Lodge a complaint with your local supervisory authority.

Because our accounts are pseudonymous (email-only), these requests are typically fulfilled by logging in and either using the in-product settings (delete wallet, delete account) or emailing our support team from the email address associated with your account. We do not ask for government ID to verify a data request — email-address-based confirmation is our verification method.

We use the following cookies:

Essential cookies are required for the service to function and cannot be disabled. Functional cookies and Statistics cookies are loaded only with your explicit consent and can be disabled at any time via the “Cookie settings” link in the page footer.

We do not use advertising or cross-site tracking cookies. You can change your cookie preferences at any time.

All traffic is served over HTTPS. Authentication tokens live in HTTP-only cookies so an XSS flaw cannot exfiltrate them. Passwords are never stored because we don't use them — magic-link authentication only. Database access is restricted to the backend service, and administrative access uses hardware second-factor authentication.

No system is perfect. If you believe you've found a security issue, please report it to our contact page and we'll respond within two business days.

Our infrastructure is hosted in the United States. If you access the service from outside the US, your data is transferred to and processed in the US. We rely on standard contractual clauses where required to comply with GDPR's international transfer rules.

The service is not directed at people under 16 and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we will delete the account.

If we make material changes to this policy, we'll email active accounts 30 days before they take effect. Minor editorial changes (clarifying language, fixing typos) are applied immediately with an updated date at the top of this page.