Privacy Policy
OculusVault is a non-custodial Hedera wallet delivered as a Telegram Mini App and a Chrome extension. It is designed so that we collect as little as possible and never hold your keys. This policy explains exactly what is and isn't handled.
The short version
- Your private keys are generated and encrypted on your device. We only ever store the encrypted ciphertext — we cannot read your keys.
- We do not sell or transfer your data to third parties.
- We do not use analytics, advertising, or tracking.
- The only personal data we handle is your Telegram user id, used solely to authenticate you and locate your encrypted wallet record.
What we collect
- Authentication information: your Telegram user id (and, if present, username), obtained through Telegram's official, cryptographically-signed sign-in (Mini App
initDataor the Telegram Login Widget) and verified on our server. - Your encrypted wallet record: the ciphertext produced when your private key is encrypted on your device with your password. It is stored server-side keyed by your Telegram user id so your wallet can follow you across our apps. It contains no readable key material.
We do not collect your password, your private key, your name, email, location, browsing history, or contacts.
How we use it
- To verify your Telegram identity and issue a short-lived session so you can access your wallet.
- To store and return your encrypted wallet record (which only you can decrypt).
- Public Hedera network endpoints (Mirror Node, RPC relays) are contacted to read balances and history and to submit the transactions you initiate. These requests include your public account address only.
What we never do
- We never see, store, or transmit your private key or password in any readable form.
- We never sell, rent, or share your data with third parties.
- We never use your data for advertising, profiling, or any purpose unrelated to operating the wallet.
Chrome extension permissions
storage— stores your session token and preferences; an unlocked key is held only in memory-backed session storage and cleared when the browser closes.- Host access to
api.oculusvault.com— our backend, for sign-in verification and your encrypted record. - Host access to Hedera endpoints (
*.hedera.com,*.hashio.io) — reading balances/history and submitting your transactions.
The extension contains no remote code; all logic is bundled and open-source.
Data retention & deletion
Your encrypted wallet record persists so you can keep using your wallet. You control it: removing it from within the app (or contacting us) deletes the stored ciphertext. Because the wallet is non-custodial, deleting the record does not delete your funds — your key (which you alone hold) always controls the on-chain account.
Security
Keys are encrypted with Argon2id + XChaCha20-Poly1305 before leaving your device. Sign-in is verified server-side via HMAC. The server is rate-limited and transmits over HTTPS. The full security model is documented at SECURITY.md.
Open source
Every line is public under Apache-2.0 at github.com/jmgomezl/oculusvaultwallet. You can verify these claims in the code.
Contact
Questions or data-deletion requests: open an issue at github.com/jmgomezl/oculusvaultwallet/issues.