Auto Wallet — Privacy Policy
Auto Wallet (the “Extension”) is an open-source, self-custodial Chrome extension wallet for EVM-compatible blockchains. This policy explains what data the Extension processes, where it is stored, and what it is used for. The Extension is operated solely by the user on their own device.
- We do not collect, transmit, sell, or share any personal information.
- We do not run any servers, accounts, analytics, or telemetry.
- Your private keys and mnemonics are encrypted with your password and stored only in your browser.
- Network requests are sent directly from your browser to the public services you configure (RPC endpoints) or that are required to display token icons.
1. Data the Extension Processes
The following data is created or handled by the Extension. All of it stays on your device unless explicitly noted.
| Category | Examples | Where it lives |
|---|---|---|
| Wallet secrets | Private keys, mnemonics (seed phrases) | Encrypted with AES-256-GCM (key derived from your password using PBKDF2, 600,000 iterations) and stored locally via chrome.storage.local. Never transmitted. |
| Wallet configuration | Account names and addresses, custom networks, custom tokens, whitelist (auto-sign) rules, transaction history records, settings such as auto-lock timeout | Stored locally via chrome.storage.local. Never transmitted. |
| dApp interaction context | Origin (URL) of the active tab when a dApp requests an action; transaction parameters supplied by the dApp | Used in-memory by the Extension to show confirmation prompts and evaluate whitelist rules. The origin is provided by Chrome (sender.origin) and is not collected by us. |
| Blockchain RPC traffic | Balance queries, transaction broadcasts, calls to read on-chain state | Sent directly from your browser to the RPC endpoint configured for the active network. The Extension does not proxy or log these requests. |
| Token icon requests | HTTP GET to public, static asset URLs to display token logos | Sent directly from your browser to raw.githubusercontent.com (Trust Wallet community assets repository). No identifiers are attached by the Extension. |
2. What We Do Not Do
- We do not collect, store, or transmit personal information, IP addresses, browsing history, or wallet addresses.
- We do not operate any backend servers, databases, or accounts.
- We do not include analytics, telemetry, crash reporting, advertising, or tracking SDKs.
- We do not sell or share data with third parties — there is no data to sell or share.
3. Third-Party Services
Because Auto Wallet is a wallet, it must communicate with blockchain networks. These requests go directly from your browser to third parties that you have either configured yourself or that the Extension uses to show token icons. Their respective privacy policies apply to those interactions.
- RPC providers: The Extension ships with default public RPC URLs for several EVM chains (e.g. `cloudflare-eth.com`, `polygon-rpc.com`, `arb1.arbitrum.io`, `mainnet.optimism.io`, `bsc-dataseed.binance.org`, `api.avax.network`). You can change any of these or add your own networks. Whoever operates the RPC endpoint you choose can see the requests your browser sends to them.
- Token icons: Token logos are fetched as static images from `raw.githubusercontent.com` (Trust Wallet community asset repository). GitHub may log standard request metadata as described in their privacy policy.
4. Permissions Used and Why
| Permission | Why the Extension needs it |
|---|---|
| storage | To save your encrypted wallet, accounts, networks, tokens, whitelist rules and settings on your device. |
| windows | To open the transaction confirmation and unlock pop-up windows next to your browser window. |
| notifications | To show desktop notifications about transaction status (e.g. submitted, confirmed, failed). |
| Host access (`<all_urls>`) | Required so the Extension can inject the EIP-1193 / EIP-6963 wallet provider into web pages, which is how dApps detect and talk to the wallet. The injected script does nothing until a page actively requests a wallet action. |
5. Security
- Wallet secrets are encrypted with AES-256-GCM using a key derived from your password via PBKDF2 (SHA-256, 600,000 iterations) and a random per-wallet salt.
- The decrypted key only exists in memory while the wallet is unlocked, and is cleared when the configurable auto-lock timeout fires or when you lock the wallet manually.
- Non-whitelisted transactions require explicit user approval through a confirmation pop-up. Gas-limit and value caps are enforced as additional safety nets.
- The Extension uses `sender.origin` from Chrome (not the page-supplied value) to identify the calling site, which prevents origin spoofing by malicious pages.
No system can be guaranteed to be 100% secure. You are responsible for keeping your password and seed phrase safe. If you lose them, your funds cannot be recovered.
6. Children
The Extension is not directed to children under 13, and we do not knowingly process information from children.
7. Data Retention and Your Choices
Because all data lives in your browser, you are in full control. You can remove all data by uninstalling the Extension or by using your browser’s “Clear browsing data” for extension storage. Removing the Extension also removes your encrypted wallet — make sure you have backed up your seed phrase first.
8. Changes to This Policy
We may update this policy if the Extension changes the way it processes data. The “Last updated” date at the top of this page reflects the most recent revision. Substantive changes will be noted in the project repository’s release notes.
9. Contact
Questions or concerns about this policy can be raised via the project’s public issue tracker: github.com/Auto-Wallet/auto-wallet/issues.