End-User Privacy Policy
Last updated: March 16, 2026
This policy applies to you if you have created a wallet or signed into an application that uses the Cavos SDK. If you are a developer integrating Cavos, see our Developer Privacy Policy.
1. Who we are
Cavos Labs (“Cavos”, “we”, “us”) provides the infrastructure that lets applications create self-custodial Starknet wallets for their users via OAuth sign-in (Google, Apple, or email magic link). Our contact for privacy matters is hello@cavos.xyz.
The application you signed into is operated by a third party (the “developer”). Cavos acts as an infrastructure provider for that developer. This policy explains only what Cavos itself collects and processes — the developer may have their own data practices which are covered by their own privacy policy.
2. What data we collect and why
OAuth identity claims (from your sign-in provider)
When you sign in via Google, Apple, or email, your identity provider issues a signed token containing claims about you. Cavos processes the following claims to create and authenticate your wallet:
- Provider user ID (
sub) — a unique, opaque identifier assigned to you by Google, Apple, or Firebase. Used to derive your wallet address deterministically. Stored in our database. - Email address — only collected if you sign in via email magic link. Stored temporarily during the verification flow (up to 24 hours), then deleted.
- Name & profile picture — if provided by your sign-in provider (Google / Apple). Displayed in the wallet UI. Never stored on our servers — kept only in your browser session storage.
Wallet address
Your Starknet wallet address is derived from your provider user ID and stored in our database to associate it with the developer’s application and the network (mainnet / testnet). This is a pseudonymous blockchain address — it is not directly linked to your name or email in our database.
Session key (generated locally)
A cryptographic session key pair is generated in your browser for each login. The private key never leaves your device and is never transmitted to our servers. It lives only in your browser’s sessionStorage and is automatically cleared when you close the browser tab.
Anonymous usage metrics
We record anonymized usage metrics (wallet address + app + network) to calculate billing for the developer. We do not store transaction hashes, transaction contents, or any PII alongside these metrics.
3. Data at a glance
| Data | Where stored | Persisted server-side? | Purpose |
|---|---|---|---|
| Provider user ID (sub) | Our database | Yes | Wallet address derivation & deduplication |
| Email address | Our database (temp) | Only during email verification (≤24 h) | Magic link authentication |
| Name & profile picture | Your browser only | No | Displayed in wallet UI |
| Wallet address | Our database + Starknet | Yes | Wallet identity & analytics |
| Session private key | Your browser only | No | Transaction signing |
| Session public key | Starknet (on-chain) | Yes (blockchain) | On-chain session verification |
| ZK proof (sub, nonce, exp, iss, aud) | Starknet (on-chain) | Yes (blockchain) | Trustless wallet ownership proof |
Data stored on the Starknet blockchain is public and permanent by nature. This includes your wallet address, session public keys, and zero-knowledge proofs.
4. What we do NOT collect
- We do not store your OAuth password or any credentials.
- We do not store your session private key — it never leaves your browser.
- We do not link your email or name to your wallet address in our database (as of March 16, 2026).
- We do not store transaction hashes or the contents of transactions you submit.
- We do not use advertising trackers or sell your data to third parties.
5. Legal basis for processing (GDPR)
- Contract (Art. 6(1)(b)) — processing your provider user ID and wallet address is necessary to provide the wallet service you requested.
- Legitimate interest (Art. 6(1)(f)) — anonymous usage metrics are necessary for billing the developer accurately.
- Legal obligation (Art. 6(1)(c)) — email verification tokens are retained briefly to comply with anti-abuse obligations.
6. Data retention
- Provider user ID & wallet address — retained while your wallet exists in the application. You can request deletion at any time (see §8).
- Email address — deleted automatically within 24 hours of the magic link verification flow completing or expiring.
- Usage metrics — retained for 13 months then aggregated and anonymized.
- On-chain data — your wallet address and session public keys on Starknet are permanent and cannot be deleted (this is the nature of public blockchains).
7. Sub-processors
Cavos shares data with the following infrastructure providers:
- Supabase (EU, AWS eu-west-1) — database storage for wallet records.
- Google Firebase (US, with SCCs) — email magic link delivery and authentication.
- Vercel (US, with SCCs) — hosting of the Cavos API and dashboard.
- Starknet network — public blockchain where your wallet address and session keys are registered on-chain.
SCCs = Standard Contractual Clauses (EU mechanism for lawful data transfers).
8. Your rights
Under GDPR you have the following rights regarding the data Cavos holds about you:
- Access (Art. 15) — request a copy of the data we hold linked to your wallet address.
- Erasure (Art. 17) — request deletion of your wallet record. We will remove your provider user ID and wallet address from our database. Note: on-chain data cannot be deleted.
- Rectification (Art. 16) — correct inaccurate data by contacting us.
- Portability (Art. 20) — receive your data in a machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest.
To exercise any right, email hello@cavos.xyz with your wallet address and the application you used. We will respond within 30 days.
9. Security
We use TLS for all data in transit, row-level security in our database, and restrict access to production systems. Your session private key is never transmitted to our servers — it is generated and stored exclusively in your browser. In the event of a data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33).
10. Children
The Cavos SDK is not intended for use by anyone under 16. We do not knowingly collect data from minors. If you believe a minor has created a wallet, contact us at hello@cavos.xyz.
11. Changes to this policy
We may update this policy when our practices change. Material changes will be announced on this page with a new “Last updated” date. We recommend checking this page periodically.
12. Contact
Questions? Email us at hello@cavos.xyz. You also have the right to lodge a complaint with your local data protection authority.