Guardlet Privacy Policy

Last updated: 1 August 2025

Welcome to Guardlet. This Privacy Policy explains what data we collect, how we use it, and your rights. It is designed to be transparent and actionable.

Summary

  • We minimize data collection and avoid unnecessary tracking.
  • Wallet private keys never leave your device.
  • We use industry-standard security and encryption.
  • You control marketing preferences and data exports.

What We Collect

Account and Profile

  • Email address and basic profile details you provide (e.g., first/last name).
  • Security artifacts (e.g., 2FA enrollment status). We do not store your TOTP seed unencrypted.

Wallet Telemetry (Optional)

  • Non-sensitive usage analytics for app performance and reliability, if enabled.
  • Crash logs with pseudonymous identifiers. No private keys, seed, or raw balances are captured.

Payments and Compliance

  • Transactional metadata needed for fiat on/off-ramps or compliance where applicable.
  • Records required by law (e.g., receipts, audit logs), retained per statutory periods.

What We Don’t Collect

  • We never collect your seed phrase or private keys.
  • We do not read your personal contacts or messages.
  • We don’t sell personal data.

How We Use Data

  • Provide and improve the Guardlet services.
  • Detect, prevent, and investigate fraud and abuse.
  • Fulfill legal and regulatory obligations.
  • Communicate product updates and security notices.

Legal Bases (EEA/UK)

  • Contract performance, legitimate interests, consent, and legal obligation depending on the context.

Data Retention

  • We retain data only as long as needed for the purpose collected or required by law.
  • You can request deletion of your account data where applicable.

Sharing and Transfers

  • Vendors/Processors that help us run Guardlet (hosting, analytics, support). We require strict confidentiality and security commitments.
  • Legal requests where we are compelled by law.
  • Corporate transactions (e.g., merger, acquisition) with notice.

Security

  • End-to-end encryption for sensitive flows, TLS in transit, encryption at rest.
  • Hardware-backed secure enclaves where available.
  • Regular security reviews, audits, and incident response procedures.

Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, or object to processing of your personal data.

To exercise rights, email: [email protected].

International Transfers

  • We use standard contractual clauses and comparable safeguards where required.

Children

  • Guardlet is not directed to children under 16. If you believe a child has provided data, contact us to remove it.

Cookies and Similar Technologies

  • Essential cookies for authentication and security.
  • Optional analytics cookies to improve the product.
    • You can disable analytics in the app settings.

Changes to This Policy

We will update this policy as needed and indicate the “Last updated” date. Significant changes will be communicated in‑app or via email.

Contact

Guardlet Ltd.
Attn: Privacy Team
Email: [email protected]

See also: Terms of Use.


Who We Are and Scope

  • Controller: Guardlet Ltd. is the controller for personal data processed in connection with the Services, except where we act as a processor for business customers.
  • Contact: [email protected]
  • DPO (where required): [email protected]
  • Covered Services: Guardlet consumer wallet, Guardlet Business/Enterprise portals, marketing websites, support portals, and communications.

Principles We Follow

  • Data minimization: We collect only what we need.
  • Self‑custody first: Your private keys/seed never leave your device.
  • Security by design: Encryption in transit and at rest; strict access controls; continuous monitoring.
  • Transparency and control: You can manage preferences and exercise privacy rights.

Additional Details on Information We Collect

Recovery and Biometric Options (Optional)

If you enable biometric recovery or FaceLock, the app creates a biometric template (mathematical representation) on device. If we process any derived signal server‑side to enable multi‑factor recovery, we do so only with your consent and in accordance with applicable laws (see Biometric Notice below).

Usage and Analytics (Optional)

Event telemetry (feature usage, screens, performance metrics) helps us improve reliability and UX. You can opt out where required; analytics never collect private keys or seed phrases.

Payment and Compliance (When Applicable)

If you use integrated fiat on/off‑ramp or payment services provided by third‑party processors, they collect and process billing details, KYC/KYB information, and payment instruments. We receive limited references (e.g., status, reference IDs) to operate the feature and for support/audit.

How We Use Information (Expanded)

  • Provide, operate, maintain, and secure the Services
  • Facilitate wallet operations, swaps, staking, and other features you request
  • Deliver customer support and troubleshoot issues
  • Send administrative notices (e.g., security, service updates)
  • Personalize content and improve performance and usability
  • Prevent, detect, and investigate fraud, abuse, or security incidents
  • Comply with legal obligations and enforce terms
  • Conduct research, testing, and analytics (where permitted)
  • Communicate offers and news (with appropriate opt‑in/opt‑out controls)

We do not sell personal data.

Cookies and Similar Technologies (Expanded)

Type                  Purpose                        Examples
Necessary             Security, session management   auth tokens, CSRF
Preferences           Language, UI settings          locale, theme
Performance           Load times, crash metrics      timing, errors
Analytics (optional)  Improve product                page/app events
Marketing (optional)  Measure campaigns              referral tags

You can manage preferences via your browser or OS settings and in‑app controls where available. Disabling necessary cookies may impair functionality.

Sharing and Disclosure (Expanded)

  • Vendors/Processors: Hosting, storage, analytics (optional), support tooling, communications, security, and fraud prevention—bound by contracts and confidentiality.
  • Payment and Identity Providers: If you use on/off‑ramp, card, or identity verification features, we share the minimum necessary data to complete the transaction or verification.
  • Enterprise Administrators: For Guardlet Business, certain profile and usage details may be visible to your organization admins per their policies.
  • Legal/Compliance: To comply with laws, enforce terms, or respond to lawful requests.
  • Corporate Events: In mergers, acquisitions, or restructuring, data may be transferred subject to this Policy and applicable law.

We do not sell personal data.

International Data Transfers

Where data are transferred internationally, we use appropriate safeguards (e.g., EU Standard Contractual Clauses, UK IDTA/Addendum) and assess third‑country laws where required.

Retention (Expanded)

  • Account and profile: retained while your account is active and a reasonable period thereafter for security/audit (e.g., 24 months) unless deletion is requested and permitted.
  • Support tickets: usually 24–36 months.
  • Transactional references: as required for audit, tax, fraud prevention (e.g., 5–7 years in some jurisdictions).
  • Analytics (optional): typically 12–24 months in aggregate form.
  • Biometric templates (if applicable and consented): deleted upon withdrawal or within statutory timelines.

Security (Expanded)

We employ administrative, technical, and physical safeguards, including encryption (in transit/at rest), key management, least‑privilege access, security reviews, and incident response. No method is 100% secure; you are responsible for maintaining device security and protecting your recovery factors.

Automated Decision‑Making

We do not engage in solely automated decisions that produce legal effects about you. We may use automated signals for fraud risk and abuse detection; human review may follow for high‑risk cases.

Regional Rights

California (CPRA) & U.S. State Notices

  • We do not sell or share personal information for cross‑context behavioral advertising as defined by CPRA.
  • You may request access, deletion, correction, and to limit use of sensitive personal information.
  • Authorized agents may submit requests; we will verify authority and identity as required by law.

Brazil (LGPD)

You may request confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing. You may also revoke consent.

EEA/UK (GDPR)

You may lodge a complaint with your data protection authority. If applicable, our EU/UK representative details will be provided upon request.

Children’s Privacy

The Services are not directed to children under 16 (or as defined by local law). We do not knowingly collect personal data from children under 13. If you believe a child has provided information, contact us and we will take appropriate steps to delete it.

Biometric Information Notice (e.g., FaceLock)

If you enable biometric features:

  • We create a biometric template on your device. If any server‑side derived signal is used for multi‑factor recovery or fraud prevention, we process it only with your consent and solely for the stated purpose.
  • We do not sell, lease, or trade biometric data.
  • Retention: We delete biometric data when the purpose has been satisfied, upon your withdrawal of consent, account deletion, or within three (3) years of your last interaction with the Services—whichever occurs first, unless a longer period is required by law.
  • Safeguards: Encryption, access controls, and secure transport.
  • Additional U.S. state laws (e.g., Illinois BIPA, Texas, Washington) may grant further rights; we comply where applicable.

Third‑Party Platforms and Links

If you choose to use third‑party platforms (e.g., fiat on‑ramp/off‑ramp, dApps, exchanges), your use is governed by their terms and privacy policies. They are independent controllers of personal data they collect. We recommend reviewing their policies before connecting your wallet or sharing data.

Do Not Track and Global Privacy Control

Our Services do not respond to DNT signals. Where legally required, we honor valid Global Privacy Control (GPC) signals for relevant processing.