Privacy Policy
Last Updated: May 28, 2026
1. Introduction
HotKey ("the App") is committed to protecting your privacy. This Privacy Policy explains how we handle data when you use the HotKey Android app, iOS app, Chrome Extension, and Solana Seeker dApp Store listing.
TL;DR: HotKey does not collect personal data, analytics, accounts, private keys, seed phrases, or your wallet activity. The only data we receive is what you explicitly submit when you tap "Report Token" — see Section 2A. Public blockchain data may be sent to Solana infrastructure only to perform actions you request.
2. Data We Do NOT Collect
HotKey does not collect or store:
- Personal information (name, email, address, etc.)
- Analytics or usage data
- IP addresses
- Browser fingerprints or tracking cookies
- Android Advertising ID (AAID), iOS Identifier for Advertisers (IDFA), or any device identifier
- Wallet addresses, balances, or transaction history on our servers (these are sent only to the third-party Solana infrastructure listed in Section 4, ephemerally, to service your requests)
- Private keys or seed phrases (these never leave your device)
- Crash logs, error reports, or performance telemetry
2A. What We DO Collect: Content Moderation Reports (User-Submitted)
The Android and iOS apps display token names and images chosen by anonymous on-chain creators (pump.fun, Raydium, etc.). To comply with Google Play's Inappropriate Content / User Generated Content policies and Apple's Guideline 1.2, the app provides a "Report Token" action on every token row.
When you (and only when you) tap "Report Token", the app sends a single row to our Supabase moderation table containing:
- Token mint address — already public on-chain
- Token name and symbol — already public on-chain (the same string visible to every other HotKey user)
- In-app surface — which screen you reported from (e.g. trenchscope, feed, token_detail)
- Optional reason — free-text justification you may type (omitted by default)
What the report does NOT contain:
- No user identifier (no per-install UUID, no reporter ID — we deliberately removed this in v1.3.x to keep reports anonymous)
- No wallet address
- No device fingerprint or IP address
- No account identifier (we have no accounts)
A submitted report effectively says "this public token was flagged for review" — nothing about who flagged it. We retain reports for operator review and may use them to remove tokens from in-app discovery. To request deletion of reports you submitted, email admin@glitchlabs.app — but note that without a per-user identifier on the report, deletion requires us to delete an entire token's reports in bulk on your behalf (since we cannot identify which reports came from you specifically).
3. Local Data Storage
iOS App
The iOS app stores data locally on your device using the iOS Keychain and local storage:
- Private keys and seed phrases — stored in the iOS Keychain with biometric protection (Face ID), never transmitted
- Wallet metadata — wallet names, IDs, and public addresses
- Device identifier — a random UUID stored in the Keychain, used solely as a local namespace for your wallet data. This ID is not used for tracking or analytics and is not shared with third parties
- Trade history — records of your trades stored locally on device with iOS file protection
- Address book — saved recipient addresses stored locally
- Settings — app preferences (theme, slippage, chart provider, RPC URL) stored in UserDefaults
Android App
The Android app stores data locally on your device using Android's EncryptedSharedPreferences and DataStore:
- Private keys and seed phrases — stored in EncryptedSharedPreferences backed by Android Keystore (AES-256-GCM), never transmitted
- PIN — hashed with PBKDF2-SHA256 (100,000 iterations) and stored locally; raw PIN is never persisted
- Wallet metadata — wallet names, IDs, and public addresses
- Trade history — records of your trades stored locally on device
- Address book — saved recipient addresses stored locally
- Settings — app preferences (theme, language, slippage, chart provider, RPC URL, execution engine) stored in Jetpack DataStore
Chrome Extension
The Extension stores data locally in your browser using Chrome's chrome.storage.local API:
- Encrypted private keys — AES-256 encrypted with your password
- Wallet metadata — wallet names, IDs, and public addresses
- Active wallet selection — which wallet is currently active
- Transaction history — records of your trades (buy/sell/send)
- Position tracking — bought/sold SOL amounts per token
- Settings — quick buy amounts, RPC URL, slippage preferences
Local wallet data stays on your device. Public blockchain data such as wallet addresses, token mints, quotes, and signed transactions may be sent to third-party Solana infrastructure solely to perform user-requested wallet, swap, pricing, or transaction functions. HotKey does not store this data on its servers or use it for tracking.
Market Data (Supabase)
The iOS app fetches publicly available market data (token prices, trending lists, DexScreener feed events) from our Supabase database. This data is read-only, contains no personal information, and no user-identifiable data is sent in these requests.
4. Third-Party API Requests
The App makes API requests to third-party Solana infrastructure for functionality. These requests may include public wallet addresses, token contract addresses, quote details, or signed transactions, but never your private keys or seed phrases.
Jupiter API (api.jup.ag)
- Used for: Swap routing, execution, and token pricing
- Data sent: Token mints, amounts, taker address
- Purpose: Obtain swap transactions and execute trades
- Privacy policy: jup.ag
Helius RPC & DAS API (helius-rpc.com)
- Used for: Blockchain queries, token metadata, wallet holdings, and transaction submission
- Data sent: Token mint addresses, wallet public addresses, signed transactions
- Purpose: Fetch balances, token data, submit transactions, and confirm status
- Privacy policy: helius.dev
Jito Block Engine (jito.wtf)
- Used for: MEV-protected transaction submission (optional)
- Data sent: Signed transactions
- Purpose: Submit transactions with MEV protection when selected as execution engine
Solana RPC Nodes
- Used for: Blockchain queries and transaction submission
- Data sent: Public addresses, signed transactions
- Purpose: Check balances, submit transactions, confirm status
- Note: You can configure a custom RPC endpoint in settings (Android validates the URL is HTTPS before persisting it)
Supabase (operator-controlled backend)
- Used for: (a) read-only market data fetch (token prices, trending lists, DexScreener feed events) — no user data sent in these requests; (b) writing content-moderation reports (see Section 2A) when you explicitly tap "Report Token"; (c) fetching the runtime Jupiter API key via a server-side edge function (no user data sent)
- Data sent: Only what is described above and in Section 2A
- Purpose: Market data UI + UGC moderation pipeline + key-rotation infrastructure
- Privacy policy: Supabase as a data processor under our control — content reports are stored in a Supabase project we operate
We have no control over and are not responsible for the privacy practices of third-party services (Jupiter, Helius, Jito). Supabase is our own backend; reports submitted there are governed by this Privacy Policy.
5. Data Security
While user-controlled wallet data stays local, we take security seriously:
iOS App
- iOS Keychain for private key and seed phrase storage with device-level encryption
- Face ID / PIN protection for app access and sensitive operations
- Biometric-protected Keychain for seed phrases (requires Face ID to read)
- iOS file protection for trade history (encrypted when device is locked)
- Screenshot protection for sensitive screens (private key export)
- HTTPS-only network connections enforced for all API requests
Android App
- EncryptedSharedPreferences backed by Android Keystore for private key and seed phrase storage
- AES-256-GCM encryption with hardware-backed StrongBox support where available
- PIN lock with PBKDF2 hashing and progressive lockout after failed attempts
- Biometric unlock via AndroidX BiometricPrompt (fingerprint and face)
- Screenshot protection for sensitive screens (private key export, PIN entry)
- HTTPS-only network connections enforced for all API requests
Chrome Extension
- AES-256 encryption for all private keys using password-derived keys (PBKDF2)
- Content Security Policy to prevent XSS attacks
- Sandboxed execution via Chrome's extension security model
- No inline scripts in extension pages
6. Content Script Permissions
The Extension uses content scripts on supported trading terminals (including Axiom, Padre Terminal, pump.fun, gmgn.ai, Photon, and DexScreener) to detect token contract addresses. This script:
- Scans the page DOM for Solana addresses
- Does NOT read form inputs, passwords, or sensitive fields
- Does NOT modify page content or inject ads
- Only sends detected token addresses to the Extension's service worker
7. Browser Permissions
The Extension requests the following Chrome permissions:
- sidePanel — Display the trading UI in the browser sidebar
- storage — Store encrypted wallet data locally
- activeTab — Communicate with supported terminal tabs
- tabs — Query open supported terminal tabs for token detection
- scripting — Inject detection code when content script is unavailable
These permissions are used solely for Extension functionality and not for tracking or data collection.
8. No User Accounts
The App does not require user accounts or authentication with our servers. Your wallet is your identity. The iOS app uses a locally-generated device identifier solely as a namespace for Keychain storage — this identifier is never sent to our servers or used for tracking.
9. No Cookies or Tracking
The App does not use cookies, tracking pixels, advertising identifiers (IDFA), or any analytics services. There is no Google Analytics, Mixpanel, Firebase Analytics, or similar tracking. We do not participate in any ad networks or tracking frameworks.
10. Children's Privacy
The HotKey App and Extension are not intended for use by individuals under the age of 18. We do not knowingly collect data from children.
11. Open Source Transparency
HotKey is fully open-source. You can inspect all code to verify our privacy claims and ensure no data collection is taking place.
12. Data Deletion
iOS App
To delete all app data:
- Open Settings in the app and tap "Reset Wallet" to remove all wallet data
- Or uninstall the app from your device
Note: Keychain data may persist after uninstall to enable wallet recovery on reinstall. To fully remove Keychain data, use the "Reset Wallet" option before uninstalling. Make sure to back up your private keys or seed phrases before doing this.
Android App
To delete all Android app data:
- Open Settings in the app and tap "Reset Wallet" to remove all wallet data
- Or uninstall the app from your device
- Or go to Android Settings > Apps > HotKey > Clear Data
Make sure to back up your private keys or seed phrases before doing this.
Chrome Extension
To delete all Extension data:
- Uninstall the Extension from Chrome
- Or use Chrome's "Clear browsing data" with "Site data" selected
This will permanently delete all wallets, keys, transaction history, and settings stored by the Extension. Make sure to back up your private keys before doing this.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the HotKey App or Extension after changes constitutes acceptance.
14. Contact
For privacy questions or concerns, please contact us through the App Store, Google Play Store, Solana dApp Store, Chrome Web Store, or via the support channels listed on our website at hotkey.space.
15. Apple App Tracking Transparency
The iOS app does not track users across other companies' apps or websites. We do not use the Advertising Identifier (IDFA) or participate in any ad networks. No App Tracking Transparency prompt is required because no tracking occurs.
15A. Google Play Data Safety & Android Advertising ID
The Android app does not query, read, or transmit the Android Advertising ID (AAID), the App Set ID, the Android ID, or any other resettable or non-resettable device identifier. No advertising SDKs, no Firebase Crashlytics, no Mixpanel, no AppsFlyer, no Adjust, and no analytics frameworks of any kind are bundled in the APK — this is verifiable by inspecting the open-source dependency list in our build configuration.
Our Google Play Data Safety form declares one category of data collection: "Other actions / User-generated content," collected only when you tap "Report Token" (see Section 2A). Every other category — Personal info, Financial info, Health, Messages, Photos/Videos, Audio, Files and docs, Calendar, Contacts, App activity (other), Web history, App info and performance, Device or other IDs — is declared as not collected.
16. GDPR & CCPA Compliance
HotKey does not collect personally identifiable information, so most GDPR / CCPA data subject rights (access, portability, opt-out of sale) have no data to act on. The one exception is the content-report rows described in Section 2A — though these contain no per-user identifier and are not personal data under either regulation's strict definition, we honor deletion requests as a courtesy. Email admin@glitchlabs.app with the token mint address(es) you wish to retract reports for.
You always have full control over your local app and extension data — see Section 12 for deletion paths.