Privacy Policy
Last Updated: March 22, 2026
1. Introduction
Untaxed ("the App") is committed to protecting your privacy. This Privacy Policy explains how we handle data when you use the Untaxed Android app, iOS app, Chrome Extension, and Solana Seeker dApp Store listing.
TL;DR: We don't collect, store, or transmit any personal data. Everything runs locally on your device.
2. Data We Do NOT Collect
The App does not collect, store, or transmit:
- Personal information (name, email, address, etc.)
- Analytics or usage data
- IP addresses
- Browser fingerprints or tracking cookies
- Wallet addresses or transaction history (these are never sent to our servers)
- Private keys or seed phrases (these never leave your device)
3. Local Data Storage
iOS App
The iOS app stores data locally on your device using the iOS Keychain and local storage:
- Private keys and seed phrases — stored in the iOS Keychain with biometric protection (Face ID), never transmitted
- Wallet metadata — wallet names, IDs, and public addresses
- Device identifier — a random UUID stored in the Keychain, used solely as a local namespace for your wallet data. This ID is not used for tracking or analytics and is not shared with third parties
- Trade history — records of your trades stored locally on device with iOS file protection
- Address book — saved recipient addresses stored locally
- Settings — app preferences (theme, slippage, chart provider, RPC URL) stored in UserDefaults
Android App
The Android app stores data locally on your device using Android's EncryptedSharedPreferences and DataStore:
- Private keys and seed phrases — stored in EncryptedSharedPreferences backed by Android Keystore (AES-256-GCM), never transmitted
- PIN — hashed with PBKDF2-SHA256 (100,000 iterations) and stored locally; raw PIN is never persisted
- Wallet metadata — wallet names, IDs, and public addresses
- Trade history — records of your trades stored locally on device
- Address book — saved recipient addresses stored locally
- Settings — app preferences (theme, language, slippage, chart provider, RPC URL, execution engine) stored in Jetpack DataStore
Chrome Extension
The Extension stores data locally in your browser using Chrome's chrome.storage.local API:
- Encrypted private keys — AES-256 encrypted with your password
- Wallet metadata — wallet names, IDs, and public addresses
- Active wallet selection — which wallet is currently active
- Transaction history — records of your trades (buy/sell/send)
- Position tracking — bought/sold SOL amounts per token
- Settings — quick buy amounts, RPC URL, slippage preferences
All this data is stored locally on your device and is never transmitted to us or any third party.
Market Data (Supabase)
The iOS app fetches publicly available market data (token prices, trending lists, DexScreener feed events) from our Supabase database. This data is read-only, contains no personal information, and no user-identifiable data is sent in these requests.
4. Third-Party API Requests
The App makes API requests to third-party services for functionality. These requests may include your public wallet address or token contract addresses, but never your private keys.
Jupiter API (api.jup.ag)
- Used for: Swap routing, execution, and token pricing
- Data sent: Token mints, amounts, taker address
- Purpose: Obtain swap transactions and execute trades
- Privacy policy: jup.ag
Helius RPC & DAS API (helius-rpc.com)
- Used for: Blockchain queries, token metadata, wallet holdings, and transaction submission
- Data sent: Token mint addresses, wallet public addresses, signed transactions
- Purpose: Fetch balances, token data, submit transactions, and confirm status
- Privacy policy: helius.dev
Jito Block Engine (jito.wtf)
- Used for: MEV-protected transaction submission (optional)
- Data sent: Signed transactions
- Purpose: Submit transactions with MEV protection when selected as execution engine
Solana RPC Nodes
- Used for: Blockchain queries and transaction submission
- Data sent: Public addresses, signed transactions
- Purpose: Check balances, submit transactions, confirm status
- Note: You can configure a custom RPC endpoint in settings
We have no control over and are not responsible for the privacy practices of these third-party services. Please review their respective privacy policies.
5. Data Security
While we don't transmit your data, we take local security seriously:
iOS App
- iOS Keychain for private key and seed phrase storage with device-level encryption
- Face ID / PIN protection for app access and sensitive operations
- Biometric-protected Keychain for seed phrases (requires Face ID to read)
- iOS file protection for trade history (encrypted when device is locked)
- Screenshot protection for sensitive screens (private key export)
- HTTPS-only network connections enforced for all API requests
Android App
- EncryptedSharedPreferences backed by Android Keystore for private key and seed phrase storage
- AES-256-GCM encryption with hardware-backed StrongBox support where available
- PIN lock with PBKDF2 hashing and progressive lockout after failed attempts
- Biometric unlock via AndroidX BiometricPrompt (fingerprint and face)
- Screenshot protection for sensitive screens (private key export, PIN entry)
- HTTPS-only network connections enforced for all API requests
Chrome Extension
- AES-256 encryption for all private keys using password-derived keys (PBKDF2)
- Content Security Policy to prevent XSS attacks
- Sandboxed execution via Chrome's extension security model
- No inline scripts in extension pages
6. Content Script Permissions
The Extension uses content scripts on supported trading terminals (including Axiom, Padre Terminal, pump.fun, gmgn.ai, Photon, and DexScreener) to detect token contract addresses. This script:
- Scans the page DOM for Solana addresses
- Does NOT read form inputs, passwords, or sensitive fields
- Does NOT modify page content or inject ads
- Only sends detected token addresses to the Extension's service worker
7. Browser Permissions
The Extension requests the following Chrome permissions:
- sidePanel — Display the trading UI in the browser sidebar
- storage — Store encrypted wallet data locally
- activeTab — Communicate with supported terminal tabs
- tabs — Query open supported terminal tabs for token detection
- scripting — Inject detection code when content script is unavailable
These permissions are used solely for Extension functionality and not for tracking or data collection.
8. No User Accounts
The App does not require user accounts or authentication with our servers. Your wallet is your identity. The iOS app uses a locally-generated device identifier solely as a namespace for Keychain storage — this identifier is never sent to our servers or used for tracking.
9. No Cookies or Tracking
The App does not use cookies, tracking pixels, advertising identifiers (IDFA), or any analytics services. There is no Google Analytics, Mixpanel, Firebase Analytics, or similar tracking. We do not participate in any ad networks or tracking frameworks.
10. Children's Privacy
The Extension is not intended for use by individuals under the age of 18. We do not knowingly collect data from children.
11. Open Source Transparency
The Extension is fully open-source. You can inspect all code to verify our privacy claims and ensure no data collection is taking place.
12. Data Deletion
iOS App
To delete all app data:
- Open Settings in the app and tap "Reset Wallet" to remove all wallet data
- Or uninstall the app from your device
Note: Keychain data may persist after uninstall to enable wallet recovery on reinstall. To fully remove Keychain data, use the "Reset Wallet" option before uninstalling. Make sure to back up your private keys or seed phrases before doing this.
Android App
To delete all Android app data:
- Open Settings in the app and tap "Reset Wallet" to remove all wallet data
- Or uninstall the app from your device
- Or go to Android Settings > Apps > Untaxed > Clear Data
Make sure to back up your private keys or seed phrases before doing this.
Chrome Extension
To delete all Extension data:
- Uninstall the Extension from Chrome
- Or use Chrome's "Clear browsing data" with "Site data" selected
This will permanently delete all wallets, keys, transaction history, and settings stored by the Extension. Make sure to back up your private keys before doing this.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the Extension after changes constitutes acceptance.
14. Contact
For privacy questions or concerns, please contact us through the App Store, Google Play Store, Solana dApp Store, Chrome Web Store, or via the support channels listed on our website at untaxed.wtf.
15. Apple App Tracking Transparency
The iOS app does not track users across other companies' apps or websites. We do not use the Advertising Identifier (IDFA) or participate in any ad networks. No App Tracking Transparency prompt is required because no tracking occurs.
16. GDPR & CCPA Compliance
Since we do not collect personal data, GDPR and CCPA data subject rights (access, deletion, portability) do not apply. However, you always have full control over your local app and extension data.