Privacy Policy
Last updated · May 7, 2026
Sefa is a self-custody wallet. Your private keys live on your device — we never see, store, or transmit them. This policy explains what we do collect and why.
How sign-in works
Sefa signs you in using your wallet — your seed phrase is your only credential. We do not collect an email or a password. To prove ownership of your wallet, your device signs a server-issued challenge with your on-device private key; we verify that signature and mint a session token tied to a wallet-derived user ID. The seed phrase never leaves your device.
What we collect
- Wallet-derived user ID — a deterministic identifier computed from your public key. We use this to scope your data server-side.
- Wallet addresses (public, on-chain) — registered with our balance and deposit watchers.
- Display name — the name you choose during onboarding so the AI assistant can address you. Optional and editable in Settings.
- Push notification token — used to deliver deposit, transaction, and alert notifications.
- Transaction metadata (tx hash, amount, token, timestamp) — synced to your account so your activity feed works across devices.
- Chat messages with the AI assistant — sent to our AI inference providers for response generation. Persisted in your account so your conversation continues across sessions. We do not authorise our AI providers to train their models on your messages, and we redact identifying chat telemetry after 30 days.
- Approximate country — derived from your IP at first onboarding so we can comply with applicable sanctions and export-control laws. Cached on-device; not used for advertising.
- Optional feedback (thumbs up/down on AI replies, including reports of harmful or inappropriate output) — used to improve assistant quality and review flagged messages.
- Conversion fee receipts — when you convert tokens we log the small spread we charge (default 0.4%) for accounting.
What we never collect
- Private keys, seed phrases, PINs, or biometric data.
- Email addresses, passwords, or any external account credentials.
- Off-device signing data.
- Contacts list, photos, precise location, or device identifiers used for cross-app or cross-website advertising.
- Tracking identifiers used for behavioural ad targeting.
Service providers
We rely on a small number of third-party service providers to operate the app. Each receives only the data it needs to perform its function. The categories of providers we use are:
- Cloud database and authentication — stores your account data and brokers session tokens.
- Backend orchestration — runs the workflows behind balance sync, deposit detection, and transaction history.
- Blockchain RPC providers — read on-chain balances and broadcast signed transactions.
- AI inference providers — generate replies for the AI assistant. Messages are sent only when you use chat.
- Token routing services — price token conversions and route them on-chain.
- Push notification delivery — delivers deposit, transaction, and alert pushes.
- IP-based geolocation — used at onboarding for sanctions compliance only.
A current list of named sub-processors is available on request to support@getsefa.com.
Your choices
- Disable push notifications anytime from your device settings.
- Skip the optional AI feedback prompts.
- Disable the AI assistant from Settings → AI assistant. The rest of the wallet keeps working.
- Report a harmful or inappropriate AI reply by tapping thumbs-down on the message and choosing “Harmful or inappropriate”.
- Sign out without losing access — your keys stay on the device. Sign back in with biometrics or your PIN; there is no password to remember.
- Delete your account from Settings → About → Delete account. This wipes your server-side data.
Data deletion
Tap Delete account in Settings → About. We remove your wallet-derived user record, balances, transactions, notifications, alerts, push tokens, conversion-fee logs, AI feedback, referrals, and saved handles. The wallet-derived user ID is also added to a blocklist so the same seed cannot re-create the account on the server. This is irreversible. Your on-chain history remains public. See our account deletion page for details.
Children
Sefa is not directed to anyone under 18. We do not knowingly collect data from minors.
Changes
When we change this policy, we update the date above. Continued use after changes means you accept the updated version.
Contact
Questions about this policy? Email support@getsefa.com.