PARACYT Wallet is a Chrome browser extension developed and operated by Glewme Corp, a California C corporation (referred to as "we", "us", "our" in this policy). "PARACYT Wallet" is the trade name of the wallet product. This policy applies to the PARACYT Wallet extension distributed through the Chrome Web Store and any directly installed builds.
This section discloses every category of user data the extension handles, organized by the data categories used in the Chrome Web Store user data policy. For each category we state explicitly whether the data is collected, the purpose of use, how it is stored, and which third parties (if any) it is shared with.
| Data category | Collected by the extension? |
|---|---|
| Personally identifiable information (name, address, email, ID number, phone) | No. The wallet does not collect or transmit any PII. There is no account, signup, email collection, or registration. |
| Health information | No. |
| Financial and payment information (wallet balances, transaction history, swap/send activity) | Yes — handled locally only and used solely to provide wallet functionality. Details below in section 2.1. |
| Authentication information (master seed, private keys, password) | Yes — stored locally only, encrypted, and never transmitted. Details below in section 2.2. |
| Personal communications (emails, SMS, chat messages) | No. |
| Location (precise location, IP-based location) | No. We do not request, collect, store, or transmit location data. Third-party network services contacted on your behalf (blockchain RPCs, DEX aggregators) will independently observe the IP address of your network request as part of normal internet operation; we do not record or store IP addresses. |
| Web history (browsing history, page visits) | No. The extension does not read or track the pages you visit. |
| User activity (clicks, scrolls, in-product behavior, analytics) | No analytics or telemetry. The wallet handles only the on-chain operations you explicitly initiate (described in section 2.3); these are not collected for analysis, profiling, or any purpose beyond performing the operation you requested. |
| Website content (text, photos, videos, files from web pages) | No. The extension does not read page content. The provider script injected into pages only forwards messages between an explicitly-approved page and the wallet's service worker. |
What is handled: Your public wallet addresses (Solana address, EVM address, and the server-issued PARACYT "PARA" address), the tokens and balances visible to those addresses on the public blockchains, and the transactions you choose to send.
How it is used: Solely to display your balances, build the transactions you request, and submit those transactions to the relevant blockchain. These are the core operations of any cryptocurrency wallet.
How it is stored: Public wallet addresses are stored locally on your device in Chrome's extension storage (chrome.storage.local). The wallet does not maintain a server-side database of your balances or transaction history; balance and history views are queried live from public blockchain nodes when you open the wallet.
How it is shared: Public wallet addresses and the contents of transactions are, by the public nature of blockchains, visible to every participant on those blockchains once a transaction is broadcast. The wallet shares this data with the third-party services listed in section 5, each contacted only when you take an action that requires it (e.g. viewing a balance contacts an RPC node; requesting a swap quote contacts a DEX aggregator).
What is handled: Your master seed (32 bytes), your Ed25519 keypair (Solana), your secp256k1 keypair (EVM), your post-quantum WOTS+ Merkle tree, and the password you set to encrypt them. The wallet additionally maintains a counter ("leaf index") indicating which one-time post-quantum signature keys have been used so they are never reused.
How it is used: Solely to sign the cryptocurrency transactions you choose to send. The wallet's popup user interface never sees the decrypted private key — it sends signing requests to the service worker via Chrome's internal message passing, which is fully on-device.
How it is stored: The keystore is encrypted with AES-256-GCM under a key derived from your password using PBKDF2-SHA256 (310,000 iterations) with a per-keystore random salt and initialization vector. The encrypted blob is written to chrome.storage.local. The decrypted keystore exists only in the service worker's runtime memory while the wallet is unlocked, and is wiped after fifteen minutes of inactivity (auto-lock). Private keys are never written unencrypted to disk.
How it is shared: Never. Private keys, the master seed, the WOTS+ keys, and the password are not transmitted to Glewme Corp, to any third party, or to any network service under any circumstances. Without your password, the keystore cannot be decrypted by anyone, including Glewme Corp.
User-initiated export: Users may, at their own choice, display and copy their seed and addresses through the wallet's Settings ("Show Seed" and "Export Keys" actions), each gated by password reconfirmation. The seed is displayed in the format used to restore the wallet on this or another compatible client. Exported material leaves the device only through the user's deliberate copy action; the extension never transmits it.
What is handled: The contents of the cryptocurrency transactions you create using the wallet (send, swap, contract interaction, bridge, etc.) and the metadata required to construct them (token symbols, amounts, recipient addresses, slippage tolerance, etc.).
How it is used: Solely to build, sign, and broadcast the operation you requested. A short-lived "in-flight transaction tracker" records the transaction hash, current confirmation stage, and timestamps locally so the wallet can show you the status of operations you initiated; this record is held in chrome.storage.local and is automatically trimmed.
How it is shared: Transaction contents are shared with the RPC node that broadcasts them and with any DEX aggregator or backend service required by the operation, each listed in section 5. Once a transaction is broadcast it becomes publicly visible on the chain — this is a property of public blockchains, not of this wallet.
What is handled: A list of website origins (such as https://example.com) that you have explicitly approved to interact with the wallet, with the timestamp of approval.
How it is used: To remember which sites you have allowed to read your public wallet address and to request transaction signatures, so you are not asked to re-approve a site on every page load.
How it is stored: Locally in chrome.storage.local only.
How it is shared: Not shared with any third party. You can revoke any origin at any time in the wallet's "Connected Sites" view.
We do not, and will not, sell user data to third parties, transfer user data to any third party for the purpose of advertising or marketing, or use user data for any purpose unrelated to the wallet's core, user-initiated functionality. We do not transfer user data to determine creditworthiness or for lending purposes.
The extension does not include analytics, telemetry, crash reporting, behavioral tracking, fingerprinting libraries, advertising SDKs, or third-party tracking pixels. The wallet does not set cookies. It does not phone any service for analytics, attribution, or feature-flag purposes. The only background network activity is a periodic health check of the PARACYT backend (approximately once every thirty seconds while the wallet UI is open) so the UI can disable features whose backend is unreachable.
The extension contacts the following third-party services on your behalf. Each is contacted only when you take an action that requires it, with the exception of the PARACYT backend health probe noted above. For each service we name the operator, the purpose, and the data shared.
To read on-chain balances and broadcast transactions, the wallet contacts blockchain RPC nodes for each supported chain. Primary endpoints are operated by QuickNode, Inc. on chains Glewme Corp has subscribed to (Solana, Ethereum, Arbitrum, BNB Chain, Linea, Avalanche). Fallback public endpoints include nodes operated by Llama Nodes, PublicNode, dRPC, Ankr, Cloudflare, Coinbase (for Base), and the official foundations of supported chains. Each RPC provider observes the IP address of the request and the request payload, which for blockchain operations is by design publicly disclosable. Each provider's own privacy policy applies to their service. You may configure custom RPC endpoints in the wallet's settings if you prefer different providers.
lite-api.jup.ag), operated by Jupiter Studios — used to fetch swap quotes and build swap transactions on Solana. Receives your wallet address (so the resulting transaction can be signed) and the swap parameters (input token, output token, amount, slippage). Jupiter's privacy policy applies to their service.api.1inch.dev), operated by 1inch Network — used to fetch swap quotes and build swap transactions on supported EVM chains. Receives your wallet address and the swap parameters. 1inch's privacy policy applies to their service.You can avoid contact with DEX aggregators by not using the Swap feature.
The wallet contacts the PARACYT backend (hosted by Glewme Corp at paracyt.com and tokenchef.win) for the following purposes. The backend is the same entity as the wallet's publisher; using these features means sharing the listed data with Glewme Corp.
/api/glewme/profile/connect) — when you unlock or create a wallet, the wallet sends your public Solana address to the backend to obtain a server-issued "PARA address" identifier. The backend stores a mapping of (public wallet address) to (PARA address) so that other users sending to your PARA address can resolve it to your public wallet address. The backend does not receive any private key material and does not log IP addresses against wallet addresses./api/glewme/resolve/:identifier) — when you send funds to a PARA address, the wallet contacts the backend to resolve it to the underlying public blockchain address. The backend receives the PARA address being looked up./api/wallet/register) — if you are among the first wallets registered, the wallet sends your public wallet address to record a cosmetic "beta tester" cohort number. No personal information is sent./api/glewme/wallet/:address) — the wallet contacts the backend with your public wallet address to retrieve a curated token list and metadata so the dashboard renders correctly./api/glewme/build-launch-tx, related endpoints) — if you use the Launch feature, the backend assists in building the launch transaction and recording cross-chain materialization data. The backend receives the public wallet address and the launch parameters.To display approximate USD values for cryptocurrency balances and swap quotes, the wallet fetches price data from public price endpoints. The wallet rotates through these providers and uses the first one that responds successfully:
api.coinbase.com) — public spot-price endpoint.api.coingecko.com) — public price endpoint.api.binance.com) — public ticker endpoint.min-api.cryptocompare.com) — public price endpoint.These requests do not contain your wallet address or any account information — only the ticker symbols being priced (e.g. "SOL", "ETH"). Each provider's own privacy policy applies to the request itself, which from their perspective looks like any other anonymous price query.
The swap UI displays token icons sourced from token-list metadata. Loading these images contacts the image hosts (typically tokens.1inch.io, raw.githubusercontent.com, IPFS gateways, and various token-issuer hosts). Glewme Corp does not operate or control these hosts. The HTTP request for an image carries no wallet-specific information beyond the standard request headers a browser sends for any image.
When you connect the wallet to a website (such as a decentralized exchange or other dApp), the wallet shares your public wallet address with that website, and that website may request signatures on transactions and messages. Each such share requires an explicit approval click from you in a separate approval window. The wallet never shares wallet data with a website that has not been approved.
The extension requests these Chrome permissions:
storage — to store the encrypted keystore, approved origins, and settings on your device. No data leaves the device through this permission.host_permissions: <all_urls> — required so the wallet's dApp provider script (window.paracyt.ethereum, window.paracyt.solana) can be injected into web pages, which is how every browser-based crypto wallet operates. The wallet does not read page content or browsing history through this permission. The provider script only forwards messages between an explicitly-approved web page and the wallet's service worker, and only after you have clicked Approve in the wallet's approval window.
The extension does not request the tabs, activeTab, history, cookies, webRequest, identity, geolocation, notifications, or any other permission beyond the two listed above.
PARACYT Wallet maintains a Merkle tree of WOTS+ (Winternitz One-Time Signature) keypairs derived from your master seed. Each tree contains 1,024 single-use signature keys. The wallet stores a counter (the "leaf index") indicating which keys have been used, so a one-time key is never used twice. The counter is stored locally in chrome.storage.local and is not transmitted. The WOTS+ keypairs themselves are derived deterministically from the seed at signing time; only the seed (encrypted) and the counter are persisted.
All user data is stored locally on your device. To delete your wallet data, use the "Delete Wallet" button in the wallet's settings (which requires password reconfirmation), or uninstall the extension from Chrome's extension settings. Either action immediately removes the encrypted keystore and all related local data from your device. Once removed locally, the data cannot be recovered by Glewme Corp because Glewme Corp does not maintain a copy.
On the backend side, Glewme Corp retains the (public wallet address) to (PARA address) mapping records described in section 5.3 indefinitely so that PARA addresses continue to resolve. You may request deletion of your backend-side mapping record by emailing privacy@paracyt.com from a request signed by the wallet you wish to delete; we will remove the record within thirty days. Removal does not affect the public blockchain itself, which is outside our control.
PARACYT Wallet is not directed at children under 13. The wallet does not knowingly collect personal information from any user, including children. We do not market the wallet to minors.
The wallet is designed to operate without collecting personal data, so the same privacy posture applies regardless of where you are located. Third-party services contacted by the wallet (RPC providers, DEX aggregators, price-feed providers) operate globally; your request to them is routed and processed by their infrastructure under their own policies. Glewme Corp's own infrastructure is hosted in the United States.
If a security vulnerability is discovered in PARACYT Wallet, we will publish updated versions through the Chrome Web Store. Users are encouraged to keep auto-updates enabled. Critical vulnerabilities will be disclosed publicly once patched.
If we update this privacy policy, the "Last updated" date at the top of this page will be revised, and the new version will be linked from the wallet's "About" view. Material changes that introduce a new data flow or a new third-party recipient will be communicated through the Chrome Web Store listing's update notes prior to taking effect.
Because we do not collect personally identifiable information, most data-protection rights (access, deletion, portability) do not have data on our side to apply to. You retain full control of your wallet data because it lives on your device. You can:
privacy@paracyt.com from a signed request, as described in section 8.For privacy questions or to report a concern, contact:
Glewme Corp
Email: privacy@paracyt.com
Website: https://paracyt.com
For security vulnerabilities, please email security@paracyt.com.
Glewme Corp is incorporated in the State of California, United States. Any disputes regarding this privacy policy will be governed by the laws of the State of California, without regard to conflict of laws principles, and will be resolved in the state or federal courts located in California.