Privacy Policy
Last Updated: May 11, 2026
Introduction
Stealf is a privacy-first Solana mobile wallet operated by Stealf, Inc., a company incorporated in Delaware, USA. This Privacy Policy explains what data we collect, how we use it, and the rights you have over it.
By using Stealf, you agree to the practices described below. If you don't agree, please don't use the app.
What We Collect
When you create an account and use Stealf, we collect:
- Account info: email address, username
- Wallet addresses: the public address of your Bank wallet (created via Turnkey) and your Stealth wallet (created locally on your device)
- On-chain transactions: amounts, timestamps, counterparty addresses, signatures. This data is already public on the Solana blockchain — we read it via Helius to display your history.
- Technical data: IP address, device type, OS version, app version
- Crash and error reports: collected via Sentry to fix bugs (disabled in development)
What We Don't Collect
This is the part that matters. By design:
- We never see or store the private key of your Stealth wallet. It's generated on your device and stored in the secure enclave (iOS Keychain / Android Keystore). It never leaves the device.
- We never see your yield balances in plaintext. Yield balances are encrypted via Arcium MPC. Even our backend can't decrypt them without the multi-party computation.
- We don't link your Bank wallet and your Stealth wallet. There is no shared identifier between them in our system. The separation is structural, not a policy choice.
- We don't collect KYC data, government IDs, biometric data, or financial information. Banking features (cards, transfers) are not part of the current product. If we add them later, this policy will be updated and you'll be notified before any new data is collected.
How We Use Your Information
- Provide the service: authenticate sign-ins, display balances and transaction history, process swaps and yield operations
- Communicate: send one-time passcodes for email authentication, account-related notifications, and (only if you opt in) product updates
- Security: detect abuse, rate-limit suspicious activity, debug errors
- Legal compliance: respond to lawful requests when required
We do not sell your personal data. We do not share it for advertising.
Authentication & Biometrics
Stealf authenticates access to your Bank wallet via Turnkey using OAuth (Google, Apple) or one-time passcodes sent to your email. Biometric authentication (Face ID, Touch ID, fingerprint) is handled locally by iOS or Android. We never receive, store, or transmit your facial images, biometric templates, fingerprints, or any biometric data. We only receive the result of the local authentication (success or failure).
One-time passcodes sent to your email expire after a short period and are invalidated after use.
Third-Party Services
We rely on the following service providers. Each has its own privacy policy:
| Provider | Purpose | Data shared |
|---|---|---|
| Turnkey | Bank wallet management, OAuth authentication | Email, wallet address |
| Helius | Solana RPC and transaction webhooks | Wallet addresses (already public on-chain) |
| Jupiter | Token swap routing | Wallet address, transaction parameters |
| Arcium | Encrypted yield computation (MPC) | Encrypted ciphertexts only |
| Jito | SOL liquid staking | On-chain transactions (already public) |
| Resend | Sending authentication emails | Email address |
| Sentry | Error monitoring | Crash logs, anonymized context |
| MongoDB Atlas | Database hosting | Account data |
| CoinGecko | SOL/USD price feed | No personal data |
Some of these providers are located outside the EU (mainly in the United States). When you use Stealf from the European Union, your data may be transferred to the US. We rely on Standard Contractual Clauses where applicable.
Your Rights
If you're in the European Economic Area, UK, or Switzerland (GDPR), you have the right to:
- access the personal data we hold about you
- correct inaccurate data
- request deletion of your data
- restrict or object to processing
- request portability of your data
- withdraw consent at any time
- lodge a complaint with your local supervisory authority (in France: the CNIL)
If you're a California resident (CCPA/CPRA), you have the right to:
- know what personal information we collect and how we use it
- request deletion of your personal information
- opt out of the sale of personal information (we do not sell personal information)
- non-discrimination for exercising your rights
To exercise any of these rights, email us at louis@stealf.xyz from the email address linked to your account. We'll respond within 30 days.
Data Retention
We keep your account data for as long as your account is active. If you delete your account, we delete your personal data within 90 days, except where we are legally required to retain it (for example, fraud prevention or legal claims).
On-chain transactions cannot be deleted — they are permanent records on the Solana blockchain, which we don't control.
Children
Stealf is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with data, contact us and we'll delete it.
Security
We use industry-standard measures to protect your data: encryption in transit (HTTPS/WSS), encryption at rest, restricted access, rate limiting, and monitoring. No system is 100% secure, and you are responsible for keeping your device, your OAuth accounts (Google, Apple), and your recovery phrase safe.
Changes to This Policy
If we update this policy, we'll post the new version here and update the "Last Updated" date. For material changes, we'll notify you by email.
Contact
Questions? Email louis@stealf.xyz.