Privacy Policy
EcosWallet — Last updated: April 12, 2026
EcosWallet is a self-custody Bitcoin wallet published by the ToutCréer association, hosted in France (OVH). This policy transparently describes what data is collected, where it is stored, who has access to it, and for how long.
Core principle: the user is the sole holder of their private keys. Loss of the seed phrase results in permanent loss of funds. No recovery is possible on the publisher's side.
1. Data collected
| Data | Storage | Access | Retention |
|---|---|---|---|
| Seed phrase (12 words) | Local SecureStore only | No one except the user | Until wallet reset |
| Device ID (UUID v4) | SecureStore + backend | Backend (TOFU auth) | Wallet lifetime |
| HMAC key (derived from seed) | Backend (enrollment) | Backend (signature verification) | Device lifetime |
| xpub (extended public key) | Backend (watch-only wallet) | Backend only | Wallet lifetime |
| Derived BTC addresses | Backend (Bitcoin Core watch-only) | Backend | Wallet lifetime |
| TX history | Local cache + Bitcoin Core (public chain) | Local app + backend | Wallet lifetime |
| IP address | In-memory rate limiter | Backend (not persisted) | Max 60 minutes |
| BTC price | CoinGecko API | CoinGecko sees the device IP | Not stored |
2. What we do NOT collect
- ✕ No personal identity — no name, email, phone number, or KYC
-
✕
No private keys on the server — never, by design (
disable_private_keys=true) - ✕ No tracking / analytics / telemetry — zero third-party SDKs (no Firebase, Sentry, Mixpanel)
- ✕ No cookies
- ✕ No geolocation
- ✕ No access to contacts, photos, or files — camera permission will only be requested for QR code scanning (future feature)
3. Third-party services
| Service | Data exposed | Purpose |
|---|---|---|
| mempool.space | BTC addresses (HTTP requests) | UTXO scanning + TX broadcast |
| blockstream.info | BTC addresses (fallback) | Failover for primary service |
| CoinGecko | Device IP | BTC/USD/EUR exchange rates |
| EAS / Expo | Build metadata | AAB build only (not at runtime) |
4. Risk transparency
Server-side xpub risk
The xpub stored on the backend allows viewing all past and future wallet transactions. If the server were compromised, an attacker could not steal funds but could monitor the wallet's complete financial activity.
Public indexers
BTC addresses are sent in cleartext to Esplora APIs (mempool.space, blockstream.info). A third party observing these requests could correlate addresses to an IP address. Tor support is not yet implemented.
Seed phrase loss
As a self-custody wallet, losing the seed phrase results in the permanent and irreversible loss of all funds. The publisher has no means of recovery whatsoever.
5. Data sharing
No data is sold or shared for advertising purposes. The only data transmitted to third parties is listed in the "Third-party services" section above, strictly necessary for the wallet to function.
6. Data deletion
On device
The "Reset wallet" action in the app permanently deletes the seed phrase, JWT token, and local cache.
On server
The Bitcoin Core watch-only wallet persists on the server but contains no personal data — only public descriptors derived from the xpub. To request complete server-side deletion, please contact us.
7. Jurisdiction and GDPR
The server is hosted in France (OVH). GDPR applies. Since we do not collect any personally identifiable data (no name, email, or phone number), GDPR rights of access, rectification, and deletion primarily apply to technical data (xpub, Device ID, HMAC key).
8. Contact
For any questions regarding the privacy of your data, you can reach us via the Contact page on toutcreer.fr.