Privacy Policy
If you join a Zafu waitlist, we store your email address, selected product interest, source page, signup time, and optional campaign labels from public marketing links such as utm_source, utm_medium, and utm_campaign. Waitlist emails are used only for Zafu product updates and launch or news notifications for the interests you selected. Waitlist forms do not collect address data, wallet data, clipboard text, full query strings, referrer URLs, Telegram chat text, Google IDs, install IDs, IP addresses, user agents, or browser fingerprints.
1. What Zafu Is
Zafu is a Chrome browser extension that checks cryptocurrency address paste events on wallet and exchange websites, can record local source evidence when you copy an address from Telegram Web, and checks address-only pastes inside Telegram Web before they are inserted. It detects address poisoning, possible copy/paste mismatches, and post-paste address changes before you confirm a transaction. It supports EVM chains, Solana, and local TRON address validation.
2. Data Stored Locally
Wallet data is stored in chrome.storage.local on your device. Optional Google Sign-In can back up saved wallets, trusted contacts, labels, notes, and descriptions so you can recover them after reinstalling Chrome or switching computers. Generated transaction-history indexes, suspicion lists, API keys, local metrics, Network Mode aggregate counters, community cache, prices, and install IDs are not account-synced.
| Data | Purpose | Sent anywhere? |
|---|---|---|
| Wallet addresses you add (EVM + Solana + TRON) | Used to fetch EVM/Solana transaction history, or to run local TRON paste-time checks | EVM/Solana sent to Etherscan / Solscan API when you fetch history (see §3). TRON is local-only in v1.1.7. |
| Transaction history index (trusted/suspicion) | Built locally to classify pasted addresses | Never sent anywhere |
| Address labels and notes | User-assigned names shown in the address book | Synced to Zafu only if you sign in with Google |
| Exceptions list ("Mark as Safe") | Addresses you have manually verified and whitelisted | Never sent anywhere |
| Etherscan / Solscan API keys | User-provided keys for higher API rate limits | Sent only to Etherscan / Solscan when fetching history |
| Settings | Transfer Check toggle, Network Mode toggle, community-reporting toggle, onboarding state | Never sent anywhere |
| Telegram Web copy source evidence | Recent address-only copy evidence used to confirm whether a pasted address still matches the Telegram-copied address, plus address-only Telegram Web paste checks | Stored locally in session storage. Never includes chat text, sender identity, group/channel names, message IDs, URLs, or full clipboard contents beyond the copied address. |
| Network Mode aggregate counters | Anonymous counts for product improvement: Transfer Checks, warning states, Telegram Web matches/mismatches, chain type totals, contacts saved, protected wallets, and Intel actions | Sent to Zafu only if you enable Network Mode. Never includes addresses, labels, notes, clipboard text, chat text, URLs, transaction hashes, amounts, balances, Google ID, or email. |
| Website campaign labels | Path-only landing/source page plus optional UTM or campaign labels used to understand which public marketing links lead to waitlist signups | Sent to Zafu only when you submit a waitlist form. Never includes full query strings, referrer URLs, wallet addresses, clipboard text, Telegram data, IP addresses, user agents, or browser fingerprints. |
| Random install ID | Anonymous identifier attached to community reports (see §6) | Sent only with community submissions, never linked to identity unless signed in |
| Google profile email, name, and avatar | Creates your optional Zafu account for backup and restore | Sent to Zafu only if you sign in with Google |
3. Third-Party Services
Zafu calls the following external APIs. These calls are initiated only by you (when you add a wallet, paste an address, opt in to automatic threat signals, or sign in) — they are not automatic background calls beyond the scheduled 24h refresh you can disable.
| Service | Data sent | When |
|---|---|---|
| Etherscan | Your public EVM wallet address, your optional API key | Only when you click "Fetch History" for an EVM wallet, or on 24h auto-refresh |
| Solscan (public-api.solscan.io, pro-api.solscan.io) | Your public Solana wallet address, your optional API key | Only when you click "Fetch History" for a Solana wallet, or on 24h auto-refresh |
| Cloudflare ETH RPC | ENS name or address you paste | Resolve ENS names to Ethereum addresses |
| The Graph | ENS name | ENS forward resolution fallback |
| GoPlus Security | The crypto address you pasted | Real-time scam check, called only when paste is detected on a wallet/exchange page (EVM only) |
| Zafu community pool (Supabase edge functions) | Attacker addresses (not your wallet) and an anonymous random install ID | Only when you flag an address, or when you opt in to automatic threat signals and zero-value inbound dust is submitted (see §6). Disable in Settings. |
| Zafu Network Mode (Supabase edge function) | Anonymous aggregate counts only: Transfer Checks, warning states, Telegram Web matches/mismatches, chain type totals, contacts saved, protected wallets, Address Intel actions, and extension version | Only if you enable Network Mode. Does not require Google Sign-In and does not send addresses, labels, notes, clipboard text, chat text, URLs, transaction hashes, amounts, balances, Google ID, email, or install ID. |
| Cloudflare Web Analytics | Aggregate website usage and performance metrics such as page views, referrers, countries, device/browser type, and page performance | Used only for aggregate website analytics. Zafu does not use it for advertising retargeting, cross-site tracking, wallet profiling, or user-level behavior reconstruction. |
| Zafu waitlist (Supabase edge function) | Email address, selected product interest, source page, signup time, path-only landing page, and optional UTM or campaign labels | Only when you submit a waitlist form. Used for Zafu product updates, launch/news notifications for selected interests, and aggregate campaign attribution. |
| Zafu account sync (Supabase edge functions) | Your Google ID plus saved wallets, trusted contacts, labels, notes, descriptions, favourites, and deletion markers | Only after you choose Google Sign-In. Used for backup and restore across Chrome installs. |
These services have their own privacy policies. Zafu does not control how they process the data they receive.
The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
4. Browser Permissions
Zafu requests three Chrome extension permissions. The average Chrome extension requests 17.
| Permission | Why Zafu needs it |
|---|---|
| storage | Saves wallet list and address index locally on device. User-authored contacts and saved wallets sync only after optional Google Sign-In. |
| alarms | Schedules 24h auto-refresh of wallet history and community report data. |
| identity | Optional Google Sign-In for address-book backup and restore. Never used unless you sign in. |
Zafu also uses <all_urls> host access so the content script can detect paste events on wallet, exchange, dapp, and Telegram Web pages. Chrome may describe this as access to "read and change" website data. Zafu uses that access to check crypto-address paste events before the destination field accepts them, and on Telegram Web only when the pasted text is exactly one supported crypto address. It does not request tabs or activeTab, does not read browser history, does not run advertising analytics, does not intercept Telegram mixed text or bot commands, and gates address-checking logic to crypto-relevant contexts.
5. Optional Google Sign-In
Sign-in is entirely optional. Everything in Zafu works anonymously without it.
If you choose to sign in with Google, Zafu uses the Chrome identity permission to obtain your Google account email, display name, avatar, and Google account ID. This is used to:
- Back up saved wallets, trusted contacts, labels, notes, descriptions, and favourites
- Restore that address book data after reinstalling Chrome or switching computers
- Let community reports include a signed-in account signal instead of only a random install ID
You can sign out at any time from Settings. Sign-out clears your session token. Your locally stored data is unaffected.
6. Community Threat Intelligence
When you flag an address as malicious from any Zafu overlay, that attacker address (never your wallet address) is submitted anonymously to the Zafu community pool using a randomly generated install ID. If you opt in to automatic threat signals, Zafu may also submit attacker-pattern addresses detected from wallet-history dust or trusted external confirmations. This data is never linked to your personal identity unless you sign in with Google. You can disable automatic threat signals in Community settings.
Submitted addresses must reach a signal threshold before they warn other users as community-reported. Community-reported does not mean confirmed malicious. Stronger labels require team review or trusted external confirmation. Address owners can dispute incorrect flags directly from the overlay.
7. What Zafu Does NOT Collect
- No advertising analytics or cross-site tracking
- No Google Analytics, Meta pixel, ad retargeting, or user-level journey tracking
- No Network Mode analytics unless you explicitly enable anonymous aggregate counts
- No crash reporting
- No advertising identifiers
- No browsing history
- No private keys, seed phrases, or wallet credentials — ever, by architecture
- No stored or transmitted web-page content — content script processes crypto-address paste payloads locally, and Telegram Web copy-source logic locally examines copied/targeted text only to extract address-shaped values
8. Your Control Over Data
- Delete all locally stored data: open the Zafu popup → Settings → Clear all local data
- Disable Network Mode: Settings → Network Mode → off
- Disable automatic threat signals: Community → Contribute automatic threat signals → off
- Sign out of Google: Settings → Account → Sign out
- Or remove the extension entirely — Chrome will delete all chrome.storage.local data automatically
9. Children
Zafu is not directed at children under 13. We do not knowingly collect data from children.
10. Changes to This Policy
If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the extension after changes constitutes acceptance.
11. Contact
Questions or concerns: [email protected]