Legal

Privacy Policy

Effective June 16, 2026 · Version 1.0

Privacy is the point of Brume. This policy explains the little data we do process for the website, waitlist, and APIs, what we deliberately never collect, and the rights you have over your data.

1. Overview and scope

This policy describes how Brume Labs ("Brume", "we", "us") handles personal data across the brume.cash website, the waitlist, our APIs, and the Brume browser extension. Brume is designed to be local-first and self-custodial, so we process as little personal data as possible.

2. Who we are

Brume Labs is the controller of the limited personal data described here. You can reach us about privacy at privacy@brume.cash.

[verify] If we are required to appoint an EU/UK representative or Data Protection Officer, their details will be listed here.

3. What we never collect

We do not collect your private keys, seed phrase, or wallet password. They are generated and stored, encrypted, on your device and are never transmitted to us. We cannot see them, and we cannot recover them.

4. Information we process

Wallet data (on your device)

Your encrypted keystore, accounts, and settings are stored locally in your browser. This data stays on your device and is not sent to us.

API request data

When the wallet queries our APIs (for portfolio, activity, or token metadata), we process the public wallet address you look up and standard request metadata such as IP address, timestamp, and user agent. We use this to return results, prevent abuse, and apply rate limits. We do not link wallet addresses to real-world identities.

Waitlist

If you join the waitlist, we process the email address you submit so we can notify you about the launch.

Support and analytics

If you email us, we process your message and contact details to respond. [verify] If we run website analytics, we use privacy-respecting, aggregate measurement that does not identify you; we do not use advertising trackers.

5. How we use information

  • Operate, maintain, and secure the Service.
  • Prevent abuse, fraud, and excessive use through rate limiting.
  • Respond to your questions and support requests.
  • Send you a launch notification if you joined the waitlist.
  • Comply with legal obligations and enforce our Terms.

7. How we share information

We share data only with service providers that help us run the Service, and only as needed:

  • RPC and blockchain data providers (for example, Helius and Solana RPC providers) to read on-chain data.
  • Hosting and database infrastructure (for example, Supabase) to run our APIs.
  • [verify] An email provider, if we use one to manage the waitlist.
  • Authorities or others where required by law, or to protect rights, safety, and the integrity of the Service.
  • A successor entity in connection with a merger, acquisition, or sale of assets.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

8. Blockchain transparency

Transactions you broadcast are recorded on public blockchains. That data is permanent, global, and outside our control. We cannot edit or delete on-chain records. Brume's privacy features reduce but may not fully eliminate on-chain or network-level metadata, so consider what you reveal before you transact.

9. Data retention

  • API request logs are kept for a short period for security and abuse prevention, then deleted or anonymized.
  • Waitlist email addresses are kept until you unsubscribe or for a reasonable period after launch.
  • Support messages are kept only as long as needed to handle your request.
  • Your local keystore stays on your device until you remove it. We cannot delete it for you.

10. Security

We use reasonable technical measures to protect data, including encryption in transit (TLS) and access controls on our systems. On your device, your keystore is encrypted using key derivation (PBKDF2) and authenticated encryption (AES-GCM).

No system is perfectly secure, and Brume is non-audited development software. You are responsible for the security of your own device and seed phrase.

11. Your rights

Depending on where you live, you may have some or all of the following rights over your personal data:

  • Access, correct, delete, or receive a portable copy of your data.
  • Object to or restrict certain processing, and withdraw consent at any time.
  • For California residents: know what we collect, delete and correct it, and opt out of sale or sharing. We do not sell or share personal information, and we will not discriminate against you for exercising your rights.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, email privacy@brume.cash. We may need to verify your request, and we respond within the time the law requires (generally one month under GDPR, 45 days under CCPA). Note that we cannot act on data we do not hold, such as your keys or on-chain transactions.

12. International data transfers

[verify] We and our providers may process data in countries other than yours, including the United States. Where we transfer personal data out of the EU or UK, we rely on appropriate safeguards such as Standard Contractual Clauses.

13. Children's privacy

The Service is not directed to children under 18, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. We will update the effective date above and, for material changes, provide notice where appropriate.

15. Contact

Questions about your privacy? Email us at privacy@brume.cash.

Looking for the terms of service?

Terms of Service