Privacy Policy — SPW Wallet
What is stored locally
The extension uses the browser's storage APIs:
- chrome.storage.local (persists across browser restarts): the encrypted vault. It holds your mnemonic and private keys, encrypted with AES-256-GCM under a key derived from your password with PBKDF2-SHA256 (600,000 iterations).
- chrome.storage.session (cleared automatically when the browser closes): the decrypted address and signing key material, held only while the wallet is unlocked. The mnemonic is never placed in session storage; it is decrypted on demand only when you explicitly choose Show recovery phrase and re-enter your password.
Your password is never stored anywhere. It only exists transiently in memory while you type it. If you forget your password, you must restore from your 12-word recovery phrase.
What is sent over the network
The extension makes HTTPS requests to one host: the SPW node REST API at https://spw.network/api. The requests are:
- GET /balance/{your_address} — read your balance
- GET /utxos/{your_address} — read your unspent outputs (for send)
- GET /explorer/{your_address} — read your transaction history
- POST /tx/broadcast — submit a transaction you have signed
These requests contain only your public address and signed transactions. They do not contain your password, private key, or recovery phrase, and they never will. The extension makes no other outbound requests — it does not contact analytics services, ad networks, error reporters, or any third party.
What is sent to your computer's clipboard
When you press Copy address, Copy phrase, or Copy txid, the relevant text is written to your operating system clipboard via the standard browser clipboard API. The clipboard is automatically cleared 60 seconds after copying the recovery phrase (provided the clipboard still contains that exact text). The extension itself does not read your clipboard.
Permissions we request
- storage — required to persist the encrypted vault and to hold the decrypted signing material in chrome.storage.session while the wallet is unlocked.
- host_permissions: https://spw.network/* — required to query balance and broadcast transactions. This is the only host the extension is permitted to contact.
The extension does not request tabs, activeTab, scripting, <all_urls>, identity, cookies, notifications, or any other broad permission.
It has no content scripts, no service worker, and no web-accessible resources.
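The permission claims above can be checked mechanically against a shipped manifest.json. The following is an added example, not code from the extension or its repository: the function name auditManifest, the allow-list constants, and both sample manifests are constructed for illustration, and the check assumes a Manifest V3 layout.

```javascript
// Added example: audit a parsed manifest.json against the claims in this policy.
// The allow-lists are taken from the policy text; the sample manifests are constructed.
const ALLOWED_PERMISSIONS = ['storage'];
const ALLOWED_HOSTS = ['https://spw.network/*'];
const asList = (v) => (Array.isArray(v) ? v : []);

function auditManifest(manifest) {
  const findings = [];
  const check = (key, allowed) => {
    for (const entry of asList(manifest[key])) {
      if (!allowed.includes(entry)) findings.push(`${key}: unexpected "${entry}"`);
    }
  };
  // Optional permissions can be granted later at runtime, so they are held
  // to the same allow-list as the ones requested at install time.
  check('permissions', ALLOWED_PERMISSIONS);
  check('optional_permissions', ALLOWED_PERMISSIONS);
  check('host_permissions', ALLOWED_HOSTS);
  check('optional_host_permissions', ALLOWED_HOSTS);
  if (asList(manifest.content_scripts).length > 0) findings.push('content_scripts: present');
  if (manifest.background && manifest.background.service_worker) {
    findings.push('background.service_worker: present');
  }
  if (asList(manifest.web_accessible_resources).length > 0) {
    findings.push('web_accessible_resources: present');
  }
  return findings;
}

// Constructed sample: matches what the policy describes.
const compliant = {
  manifest_version: 3,
  permissions: ['storage'],
  host_permissions: ['https://spw.network/*'],
};

// Constructed sample: a later release that has drifted from the policy.
const drifted = {
  manifest_version: 3,
  permissions: ['storage', 'tabs'],
  host_permissions: ['https://spw.network/*', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};

console.log(auditManifest(compliant));
console.log(auditManifest(drifted));
```

An empty result means the manifest requests nothing beyond what the policy lists; each string in a non-empty result names the manifest key that departs from it.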
Third parties
The extension does not communicate with any third party. We do not use Google Analytics, Sentry, Mixpanel, Firebase, font CDNs, or any similar service. All cryptographic libraries (@noble/secp256k1, @noble/hashes, @scure/bip39, qrcode) are bundled inside the extension; nothing is loaded at runtime from a remote source.
Children
The extension is not directed at children under 13.
Changes
If this policy changes, the new version ships with the next extension release and the change is noted in the release changelog on GitHub. Continued use after an update constitutes acceptance.
Source code
The full source is published at github.com/otisaipro/spw-wallet — every line of JavaScript that runs in the extension can be audited there.
Contact
Questions or concerns: otispromax@gmail.com
Issue tracker: github.com/otisaipro/spw-wallet/issues
Sparrow (SPW)