Privacy Policy

Last updated: 7/20/2025

1. Introduction

This Privacy Policy ("Policy") describes how InFlux Technologies Limited, a UK company ("we," "us," or "our"), handles information in connection with the SSP Wallet ecosystem, including our websites (sspwallet.io and sspwallet.com), SSP Wallet browser extension, SSP Key mobile application, SSP Relay service, and related services (collectively, the "Services").

SSP Wallet is designed with privacy-by-design principles. We are committed to minimizing data collection and ensuring user control over their cryptocurrency assets and personal information.

2. Our Privacy-First Approach

SSP Wallet is a self-custody cryptocurrency wallet that implements the following privacy principles:

  • No Private Key Access: We never have access to, store, or transmit your private keys, seed phrases, or wallet passwords
  • Local Storage Only: All sensitive wallet data is stored locally on your devices using AES-GCM encryption
  • Minimal Data Collection: We collect only the minimum data necessary to facilitate secure device communication
  • Temporary Data: Communication data is automatically deleted within 15 minutes
  • Consent-Based Analytics: We only use Google Analytics after explicit user consent, never by default

3. Information We Do NOT Collect

In accordance with our privacy-first design, we explicitly do not collect:

  • Private keys, seed phrases, or wallet passwords
  • Transaction history or blockchain data
  • Wallet balances or portfolio information
  • Personal identification information (name, address, phone number)
  • Email addresses (except for voluntary support communications)
  • Browsing history or behavioral analytics
  • Location data or device identifiers for tracking purposes
  • IP addresses for user profiling (though standard web server logs may temporarily contain IP addresses)

4. Information We Do Collect

4.1 Technical Communication Data

To enable secure 2-of-2 multisignature functionality between your browser wallet and mobile app, our SSP Relay service temporarily stores:

  • Synchronization Data: Public keys and extended public keys (xpubs) for device pairing (15-minute retention)
  • Transaction Requests: Partially signed transaction data awaiting second signature (15-minute retention)
  • Firebase Tokens: Push notification tokens for mobile alerts (persistent until token refresh)

4.2 Device Security Data

For enhanced security, we generate device fingerprints using:

  • Canvas rendering characteristics
  • Browser and device specifications
  • Screen resolution and color depth

Important: This fingerprinting is used solely for additional encryption layers, not for tracking or advertising purposes.

4.3 Website Usage Data

Our website may collect standard web server logs including:

  • IP addresses (for security and rate limiting)
  • Browser type and version
  • Referring websites
  • Access timestamps

4.4 Optional Analytics Data (Consent Required)

Important: Analytics tracking is completely disabled by default and only activated with your explicit consent through our cookie banner.

When you choose to accept analytics cookies, we use Google Analytics to collect:

  • Page views and navigation patterns
  • Session duration and bounce rates
  • Device and browser information
  • Geographic location (country/region level only)
  • Referral sources

Privacy Controls:

  • Analytics tracking never starts without your consent
  • You can decline analytics while still using our website
  • Analytics cookies are automatically cleared if you decline
  • You can change your preference at any time via our cookie settings
  • All analytics data is anonymized and aggregated

5. Third-Party Services

5.1 Onramper (Fiat On/Off-Ramp)

When you choose to use fiat on/off-ramp services, you will be redirected to Onramper, a third-party service. Your interaction with Onramper is subject to their privacy policy and terms of service. We share only:

  • Your wallet address (with your explicit consent)
  • Selected blockchain network

5.2 WalletConnect Integration

SSP Wallet supports WalletConnect v2 for dApp connections. When you connect to external applications:

  • Your wallet address may be shared with the connected dApp
  • Transaction requests are processed through our secure 2-of-2 system
  • We do not monitor or store your dApp interactions

5.3 Firebase Cloud Messaging

We use Firebase Cloud Messaging to send push notifications about pending transactions. This service stores device tokens but does not access message content.

6. Data Security and Encryption

We implement multiple layers of security:

  • Local Encryption: All sensitive data is encrypted using AES-GCM with PBKDF2 key derivation
  • Device Fingerprint Encryption: Additional encryption layer using device-specific characteristics
  • BIP48 Key Derivation: Industry-standard hierarchical deterministic key generation
  • Secure Transmission: All communications use HTTPS/WSS encryption
  • Automatic Deletion: Temporary communication data is automatically deleted within 15 minutes

7. Data Retention and Deletion

  • Synchronization Data: Automatically deleted after 15 minutes
  • Transaction Requests: Automatically deleted after 15 minutes
  • Push Tokens: Stored until device uninstalls app or token refresh
  • Web Server Logs: Retained for security purposes for a maximum of 30 days
  • Local Wallet Data: Under your complete control; can be deleted by uninstalling applications

8. Your Rights and Controls

As a self-custody wallet user, you maintain complete control over your data:

  • Data Portability: Export your seed phrases and wallet data at any time
  • Data Deletion: Uninstall applications to remove all local data
  • Service Termination: Stop using services at any time without penalty
  • Communication Control: Disable push notifications in device settings

Note: Due to blockchain immutability, transaction data recorded on public blockchains cannot be deleted.

9. International Transfers

Our relay servers may be located in various jurisdictions. When you use SSP Wallet, minimal technical data (public keys, transaction requests) may be temporarily processed in these locations. All data remains encrypted and is automatically deleted within 15 minutes.

10. Open Source Transparency

SSP Wallet is open source software licensed under AGPL-3.0. Our code is publicly auditable, ensuring transparency in our privacy practices. Security audits are performed by third-party organizations including Halborn.

11. Children's Privacy

SSP Wallet is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children under 18. If you become aware that a child has provided us with personal information, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify users of material changes through our website and encourage periodic review of this policy.

13. Contact Information

For questions about this Privacy Policy or our data practices, please contact:

InFlux Technologies Limited
Email: [email protected]
Subject Line: Privacy Policy Inquiry

For technical support or general inquiries, please use our support system at sspwallet.io/support