ShieldForge stores nothing on its servers by default.

LOCAL ONLY: Settings (theme, default chain, phishing-watch toggle) and scan history (max 50 entries) are stored in chrome.storage.local — never uploaded.

NETWORK CALLS: The extension contacts only https://shieldforge.xyz to (a) fetch the supported-chain list, (b) submit wallet addresses for on-chain approval lookups, (c) fetch QR codes for the donate modal. No third-party trackers, no analytics SDKs, no advertising.

WALLET KEYS: The extension cannot access wallet private keys — they live in your wallet's isolated extension context. Wallet signing always happens in the wallet's own UI. We never see your seed phrase.

SCANNER LOGS: When you submit an address for scanning, our backend logs the request (address + IP + User-Agent) for ~30 days as standard server logs. Address is treated as pseudonymous (it's public on-chain). Scan results are computed on demand and cached for 60 seconds. No identity-linking.

PHISHING-WATCH CONTENT SCRIPT: Wraps window.ethereum.request on visited dApps to detect typed-data signature requests. Sees the public payload the page asks the user to sign. Never reads keys. Excluded domains: banking sites, Google login, ShieldForge web app.

Full policy: https://shieldforge.xyz/privacy
Contact: privacy@shieldforge.xyz