PARACYT Wallet — Privacy Policy

Effective: May 21, 2026 · Last updated: May 21, 2026
Plain-English summary: PARACYT Wallet is a self-custodial cryptocurrency wallet. Your private keys are encrypted and stored only on your device — they never leave it. To function as a wallet, the extension contacts public blockchain nodes and a small, explicitly-listed set of third-party services. We do not collect personally identifiable information, do not run analytics or telemetry, do not sell or share user data for advertising or any unrelated purpose, and do not use the data we handle for any purpose other than providing the wallet's core functionality.

1. Who we are

PARACYT Wallet is a Chrome browser extension developed and operated by Glewme Corp, a California C corporation (referred to as "we", "us", "our" in this policy). "PARACYT Wallet" is the trade name of the wallet product. This policy applies to the PARACYT Wallet extension distributed through the Chrome Web Store and any directly installed builds.

2. What user data we collect, use, and share

This section discloses every category of user data the extension handles, organized by the data categories used in the Chrome Web Store user data policy. For each category we state explicitly whether the data is collected, the purpose of use, how it is stored, and which third parties (if any) it is shared with.

Data categoryCollected by the extension?
Personally identifiable information (name, address, email, ID number, phone)No. The wallet does not collect or transmit any PII. There is no account, signup, email collection, or registration.
Health informationNo.
Financial and payment information (wallet balances, transaction history, swap/send activity)Yes — handled locally only and used solely to provide wallet functionality. Details below in section 2.1.
Authentication information (master seed, private keys, password)Yes — stored locally only, encrypted, and never transmitted. Details below in section 2.2.
Personal communications (emails, SMS, chat messages)No.
Location (precise location, IP-based location)No. We do not request, collect, store, or transmit location data. Third-party network services contacted on your behalf (blockchain RPCs, DEX aggregators) will independently observe the IP address of your network request as part of normal internet operation; we do not record or store IP addresses.
Web history (browsing history, page visits)No. The extension does not read or track the pages you visit.
User activity (clicks, scrolls, in-product behavior, analytics)No analytics or telemetry. The wallet handles only the on-chain operations you explicitly initiate (described in section 2.3); these are not collected for analysis, profiling, or any purpose beyond performing the operation you requested.
Website content (text, photos, videos, files from web pages)No. The extension does not read page content. The provider script injected into pages only forwards messages between an explicitly-approved page and the wallet's service worker.

2.1 Financial information — wallet addresses and on-chain activity

What is handled: Your public wallet addresses (Solana address, EVM address, and the server-issued PARACYT "PARA" address), the tokens and balances visible to those addresses on the public blockchains, and the transactions you choose to send.

How it is used: Solely to display your balances, build the transactions you request, and submit those transactions to the relevant blockchain. These are the core operations of any cryptocurrency wallet.

How it is stored: Public wallet addresses are stored locally on your device in Chrome's extension storage (chrome.storage.local). The wallet does not maintain a server-side database of your balances or transaction history; balance and history views are queried live from public blockchain nodes when you open the wallet.

How it is shared: Public wallet addresses and the contents of transactions are, by the public nature of blockchains, visible to every participant on those blockchains once a transaction is broadcast. The wallet shares this data with the third-party services listed in section 5, each contacted only when you take an action that requires it (e.g. viewing a balance contacts an RPC node; requesting a swap quote contacts a DEX aggregator).

2.2 Authentication information — private keys, master seed, password

What is handled: Your master seed (32 bytes), your Ed25519 keypair (Solana), your secp256k1 keypair (EVM), your post-quantum WOTS+ Merkle tree, and the password you set to encrypt them. The wallet additionally maintains a counter ("leaf index") indicating which one-time post-quantum signature keys have been used so they are never reused.

How it is used: Solely to sign the cryptocurrency transactions you choose to send. The wallet's popup user interface never sees the decrypted private key — it sends signing requests to the service worker via Chrome's internal message passing, which is fully on-device.

How it is stored: The keystore is encrypted with AES-256-GCM under a key derived from your password using PBKDF2-SHA256 (310,000 iterations) with a per-keystore random salt and initialization vector. The encrypted blob is written to chrome.storage.local. The decrypted keystore exists only in the service worker's runtime memory while the wallet is unlocked, and is wiped after fifteen minutes of inactivity (auto-lock). Private keys are never written unencrypted to disk.

How it is shared: Never. Private keys, the master seed, the WOTS+ keys, and the password are not transmitted to Glewme Corp, to any third party, or to any network service under any circumstances. Without your password, the keystore cannot be decrypted by anyone, including Glewme Corp.

User-initiated export: Users may, at their own choice, display and copy their seed and addresses through the wallet's Settings ("Show Seed" and "Export Keys" actions), each gated by password reconfirmation. The seed is displayed in the format used to restore the wallet on this or another compatible client. Exported material leaves the device only through the user's deliberate copy action; the extension never transmits it.

2.3 User-initiated on-chain activity

What is handled: The contents of the cryptocurrency transactions you create using the wallet (send, swap, contract interaction, bridge, etc.) and the metadata required to construct them (token symbols, amounts, recipient addresses, slippage tolerance, etc.).

How it is used: Solely to build, sign, and broadcast the operation you requested. A short-lived "in-flight transaction tracker" records the transaction hash, current confirmation stage, and timestamps locally so the wallet can show you the status of operations you initiated; this record is held in chrome.storage.local and is automatically trimmed.

How it is shared: Transaction contents are shared with the RPC node that broadcasts them and with any DEX aggregator or backend service required by the operation, each listed in section 5. Once a transaction is broadcast it becomes publicly visible on the chain — this is a property of public blockchains, not of this wallet.

2.4 Approved dApp origins (locally stored)

What is handled: A list of website origins (such as https://example.com) that you have explicitly approved to interact with the wallet, with the timestamp of approval.

How it is used: To remember which sites you have allowed to read your public wallet address and to request transaction signatures, so you are not asked to re-approve a site on every page load.

How it is stored: Locally in chrome.storage.local only.

How it is shared: Not shared with any third party. You can revoke any origin at any time in the wallet's "Connected Sites" view.

3. We do not sell user data

We do not, and will not, sell user data to third parties, transfer user data to any third party for the purpose of advertising or marketing, or use user data for any purpose unrelated to the wallet's core, user-initiated functionality. We do not transfer user data to determine creditworthiness or for lending purposes.

4. We do not run analytics or behavioral tracking

The extension does not include analytics, telemetry, crash reporting, behavioral tracking, fingerprinting libraries, advertising SDKs, or third-party tracking pixels. The wallet does not set cookies. It does not phone any service for analytics, attribution, or feature-flag purposes. The only background network activity is a periodic health check of the PARACYT backend (approximately once every thirty seconds while the wallet UI is open) so the UI can disable features whose backend is unreachable.

5. Third-party services the wallet contacts (complete list)

The extension contacts the following third-party services on your behalf. Each is contacted only when you take an action that requires it, with the exception of the PARACYT backend health probe noted above. For each service we name the operator, the purpose, and the data shared.

5.1 Blockchain RPC providers (required for any wallet operation)

To read on-chain balances and broadcast transactions, the wallet contacts blockchain RPC nodes for each supported chain. Primary endpoints are operated by QuickNode, Inc. on chains Glewme Corp has subscribed to (Solana, Ethereum, Arbitrum, BNB Chain, Linea, Avalanche). Fallback public endpoints include nodes operated by Llama Nodes, PublicNode, dRPC, Ankr, Cloudflare, Coinbase (for Base), and the official foundations of supported chains. Each RPC provider observes the IP address of the request and the request payload, which for blockchain operations is by design publicly disclosable. Each provider's own privacy policy applies to their service. You may configure custom RPC endpoints in the wallet's settings if you prefer different providers.

5.2 DEX aggregators (only when you use the Swap feature)

You can avoid contact with DEX aggregators by not using the Swap feature.

5.3 PARACYT backend services, operated by Glewme Corp

The wallet contacts the PARACYT backend (hosted by Glewme Corp at paracyt.com and tokenchef.win) for the following purposes. The backend is the same entity as the wallet's publisher; using these features means sharing the listed data with Glewme Corp.

5.4 Price feed providers (used to display USD-equivalent values)

To display approximate USD values for cryptocurrency balances and swap quotes, the wallet fetches price data from public price endpoints. The wallet rotates through these providers and uses the first one that responds successfully:

These requests do not contain your wallet address or any account information — only the ticker symbols being priced (e.g. "SOL", "ETH"). Each provider's own privacy policy applies to the request itself, which from their perspective looks like any other anonymous price query.

5.5 Token metadata image hosts

The swap UI displays token icons sourced from token-list metadata. Loading these images contacts the image hosts (typically tokens.1inch.io, raw.githubusercontent.com, IPFS gateways, and various token-issuer hosts). Glewme Corp does not operate or control these hosts. The HTTP request for an image carries no wallet-specific information beyond the standard request headers a browser sends for any image.

5.6 dApp websites you explicitly connect to

When you connect the wallet to a website (such as a decentralized exchange or other dApp), the wallet shares your public wallet address with that website, and that website may request signatures on transactions and messages. Each such share requires an explicit approval click from you in a separate approval window. The wallet never shares wallet data with a website that has not been approved.

6. Permissions used by the extension

The extension requests these Chrome permissions:

The extension does not request the tabs, activeTab, history, cookies, webRequest, identity, geolocation, notifications, or any other permission beyond the two listed above.

7. Quantum-resistant signature keys

PARACYT Wallet maintains a Merkle tree of WOTS+ (Winternitz One-Time Signature) keypairs derived from your master seed. Each tree contains 1,024 single-use signature keys. The wallet stores a counter (the "leaf index") indicating which keys have been used, so a one-time key is never used twice. The counter is stored locally in chrome.storage.local and is not transmitted. The WOTS+ keypairs themselves are derived deterministically from the seed at signing time; only the seed (encrypted) and the counter are persisted.

8. Data retention and deletion

All user data is stored locally on your device. To delete your wallet data, use the "Delete Wallet" button in the wallet's settings (which requires password reconfirmation), or uninstall the extension from Chrome's extension settings. Either action immediately removes the encrypted keystore and all related local data from your device. Once removed locally, the data cannot be recovered by Glewme Corp because Glewme Corp does not maintain a copy.

On the backend side, Glewme Corp retains the (public wallet address) to (PARA address) mapping records described in section 5.3 indefinitely so that PARA addresses continue to resolve. You may request deletion of your backend-side mapping record by emailing privacy@paracyt.com from a request signed by the wallet you wish to delete; we will remove the record within thirty days. Removal does not affect the public blockchain itself, which is outside our control.

9. Children's privacy

PARACYT Wallet is not directed at children under 13. The wallet does not knowingly collect personal information from any user, including children. We do not market the wallet to minors.

10. International users

The wallet is designed to operate without collecting personal data, so the same privacy posture applies regardless of where you are located. Third-party services contacted by the wallet (RPC providers, DEX aggregators, price-feed providers) operate globally; your request to them is routed and processed by their infrastructure under their own policies. Glewme Corp's own infrastructure is hosted in the United States.

11. Security disclosures and updates

If a security vulnerability is discovered in PARACYT Wallet, we will publish updated versions through the Chrome Web Store. Users are encouraged to keep auto-updates enabled. Critical vulnerabilities will be disclosed publicly once patched.

12. Changes to this policy

If we update this privacy policy, the "Last updated" date at the top of this page will be revised, and the new version will be linked from the wallet's "About" view. Material changes that introduce a new data flow or a new third-party recipient will be communicated through the Chrome Web Store listing's update notes prior to taking effect.

13. Your rights

Because we do not collect personally identifiable information, most data-protection rights (access, deletion, portability) do not have data on our side to apply to. You retain full control of your wallet data because it lives on your device. You can:

14. Contact

For privacy questions or to report a concern, contact:

Glewme Corp
Email: privacy@paracyt.com
Website: https://paracyt.com

For security vulnerabilities, please email security@paracyt.com.

15. Jurisdiction

Glewme Corp is incorporated in the State of California, United States. Any disputes regarding this privacy policy will be governed by the laws of the State of California, without regard to conflict of laws principles, and will be resolved in the state or federal courts located in California.