Privacy Policy

Effective · April 27, 2026 · Last updated · April 29, 2026

    Short version: Zafu is local-first. External calls are limited to blockchain data providers, threat checks, community signal functions, optional Google Sign-In, and optional account sync when you choose it. No advertising analytics. No telemetry. No keys or seed phrases ever.
  

1. What Zafu Is

Zafu is a Chrome browser extension that intercepts copy-paste events on cryptocurrency wallet interfaces and exchange websites. It detects address poisoning and clipboard hijacking before you confirm a transaction. Supports EVM chains and Solana.

2. Data Stored Locally

Wallet data is stored in chrome.storage.local on your device. Optional Google Sign-In can back up saved wallets, trusted contacts, labels, notes, and descriptions so you can recover them after reinstalling Chrome or switching computers. Generated transaction-history indexes, suspicion lists, API keys, local metrics, community cache, prices, and install IDs are not account-synced.

Data	Purpose	Sent anywhere?
Wallet addresses you add (EVM + Solana)	Used to fetch your transaction history from Etherscan or Solscan	Sent to Etherscan / Solscan API (see §3)
Transaction history index (trusted/suspicion)	Built locally to classify pasted addresses	Never sent anywhere
Address labels and notes	User-assigned names shown in the address book	Synced to Zafu only if you sign in with Google
Exceptions list ("Mark as Safe")	Addresses you have manually verified and whitelisted	Never sent anywhere
Etherscan / Solscan API keys	User-provided keys for higher API rate limits	Sent only to Etherscan / Solscan when fetching history
Settings	Transfer Check toggle, community-reporting toggle, onboarding state	Never sent anywhere
Random install ID	Anonymous identifier attached to community signals (see §6)	Sent only with community submissions, never linked to identity unless signed in
Google profile email, name, and avatar	Creates your optional Zafu account for backup and restore	Sent to Zafu only if you sign in with Google

3. Third-Party Services

Zafu calls the following external APIs. These calls are initiated only by you (when you add a wallet, paste an address, opt in to automatic threat signals, or sign in) — they are not automatic background calls beyond the scheduled 24h refresh you can disable.

Service	Data sent	When
Etherscan	Your public EVM wallet address, your optional API key	Only when you click "Fetch History" for an EVM wallet, or on 24h auto-refresh
Solscan (public-api.solscan.io, pro-api.solscan.io)	Your public Solana wallet address, your optional API key	Only when you click "Fetch History" for a Solana wallet, or on 24h auto-refresh
Cloudflare ETH RPC	ENS name or address you paste	Resolve ENS names to Ethereum addresses
The Graph	ENS name	ENS forward resolution fallback
GoPlus Security	The crypto address you pasted	Real-time scam check, called only when paste is detected on a wallet/exchange page (EVM only)
Zafu community pool (Supabase edge functions)	Attacker addresses (not your wallet) and an anonymous random install ID	Only when you flag an address, or when you opt in to automatic threat signals and zero-value inbound dust is submitted (see §6). Disable in Settings.
Zafu account sync (Supabase edge functions)	Your Google ID plus saved wallets, trusted contacts, labels, notes, descriptions, favourites, and deletion markers	Only after you choose Google Sign-In. Used for backup and restore across Chrome installs.

These services have their own privacy policies. Zafu does not control how they process the data they receive.

The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

4. Browser Permissions

Zafu requests three Chrome extension permissions. The average Chrome extension requests 17.

Permission	Why Zafu needs it
`storage`	Saves wallet list and address index locally on device. User-authored contacts and saved wallets sync only after optional Google Sign-In.
`alarms`	Schedules 24h auto-refresh of wallet history and community signals.
`identity`	Optional Google Sign-In for address-book backup and restore. Never used unless you sign in.

Zafu also uses <all_urls> host access so the content script can detect paste events on any wallet or exchange. The content script only activates address-checking logic when a valid crypto address is pasted — it does not read page content, form fields, passwords, or any other data.

5. Optional Google Sign-In

Sign-in is entirely optional. Everything in Zafu works anonymously without it.

If you choose to sign in with Google, Zafu uses the Chrome identity permission to obtain your Google account email, display name, avatar, and Google account ID. This is used to:

Back up saved wallets, trusted contacts, labels, notes, descriptions, and favourites
Restore that address book data after reinstalling Chrome or switching computers
Let community reports include a signed-in account signal instead of only a random install ID

You can sign out at any time from Settings. Sign-out clears your session token. Your locally stored data is unaffected.

6. Community Threat Intelligence

When you flag an address as malicious from any Zafu overlay, that attacker address (never your wallet address) is submitted anonymously to the Zafu community pool using a randomly generated install ID. If you opt in to automatic threat signals, Zafu may also submit attacker-pattern addresses detected from wallet-history dust or trusted external confirmations. This data is never linked to your personal identity unless you sign in with Google. You can disable automatic threat signals in Community settings.

Submitted addresses must reach a signal threshold before they warn other users as community-reported. Community-reported does not mean confirmed malicious. Stronger labels require team review or trusted external confirmation. Address owners can dispute incorrect flags directly from the overlay.

7. What Zafu Does NOT Collect

No analytics or usage tracking
No crash reporting
No advertising identifiers
No browsing history
No private keys, seed phrases, or wallet credentials — ever, by architecture
No content from web pages — content script reads only paste-event payloads matching crypto address patterns

8. Your Control Over Data

Delete all locally stored data: open the Zafu popup → Settings → Clear all local data
Disable automatic threat signals: Community → Contribute automatic threat signals → off
Sign out of Google: Settings → Account → Sign out
Or remove the extension entirely — Chrome will delete all chrome.storage.local data automatically

9. Children

Zafu is not directed at children under 13. We do not knowingly collect data from children.

10. Changes to This Policy

If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the extension after changes constitutes acceptance.

11. Contact

Questions or concerns: security@stayzafu.com