Skip to main content
Menu
Language

Privacy Policy

Last updated: April 2026

1. Information We Collect

We believe in transparency. Here is exactly what we collect and why:

  • Wallet addresses — your public blockchain address when you connect an external wallet (MetaMask, Trust Wallet, etc.) or create an embedded wallet. Wallet addresses are publicly visible on the blockchain by design.
  • Google account info (embedded wallet users) — if you sign in with Google to use our Quick Wallet, we receive your Google email address and user ID via Supabase Auth. We use this solely to authenticate you and link your encrypted wallet vaults. We do not access your Google contacts, files, or any other Google data.
  • Encrypted wallet vaults (embedded wallet users) — you can create multiple wallets, each with its own seed phrase. Every seed phrase is encrypted on your device using your PIN before it reaches our servers. We store one encrypted blob per wallet and a shared server-derived salt. We cannot read, decrypt, or recover any seed phrase. See Section 4 for full details.
  • Wallet and account metadata — custom wallet names, account names, and avatar selections are stored locally on your device and optionally synced to our server as part of your encrypted preferences so they can be restored on other devices.
  • Transaction data — on-chain transaction hashes, token creation details, launchpad participation records, and trade history. This data is already publicly available on the blockchain; we index it for display purposes.
  • Payment details (off-ramp users) — if you use our Sell to Bank feature, we collect your bank account number, bank name, and account holder name. This data is encrypted client-side with AES-256-GCM before being sent to our server. For PayPal or Wise withdrawals, we collect the email address you provide.
  • Token metadata — if you create a token, you may optionally provide a logo, description, website URL, and social links (Twitter, Telegram, Discord). This information is publicly displayed on your token's detail page.
  • Referral data — if you create or use a referral alias, we store the alias linked to your wallet address. Referral earnings are tracked on-chain in the smart contracts.
  • Comments — if you post comments on a token launch, we store the comment text linked to your wallet address.
  • Usage data — pages visited, features used, and visitor counts (browsing, creating, investing). We do not use third-party analytics trackers. Visitor tracking is aggregate and anonymous.

2. How We Use Your Information

  • To process token creation, launchpad operations, and trades on the platform.
  • To authenticate you via wallet signature (external wallets) or Google OAuth (embedded wallet).
  • To store and retrieve your encrypted wallet vault so you can access your embedded wallet across sessions and devices.
  • To process fiat withdrawals via our payment partners (Flutterwave for bank transfers).
  • To resolve your bank account holder name when you enter bank details (via Flutterwave's account verification API).
  • To calculate and display exchange rates for fiat off-ramp transactions.
  • To display platform statistics, activity feeds, and recent transaction tickers. Wallet addresses are shown in truncated form in activity feeds.
  • To track referral relationships and distribute referral earnings via smart contracts.
  • To detect and prevent fraudulent activity.

3. What We Do NOT Collect or Have Access To

For full transparency:

  • Private keys — we never have access to your private keys, whether you use an external wallet or our embedded wallet.
  • Seed phrases — each wallet's seed phrase is encrypted on your device before being sent to our server. We store only the encrypted blob per wallet. Without your PIN, no seed phrase can be decrypted.
  • PINs — your embedded wallet PIN never leaves your browser. It is used locally to encrypt and decrypt all your wallet seed phrases. When you change your PIN, every wallet is re-encrypted locally with the new PIN and the new blobs are sent to our server in a single atomic operation — the old or new PIN is never transmitted.
  • Recovery codes — each wallet has its own set of 3 recovery codes, generated on your device. Recovery codes are not stored on our server in readable form — they are used as alternative decryption keys for that specific wallet's vault. Recovering one wallet does not restore others.
  • Passwords — we do not use password-based authentication. External wallet users sign a cryptographic message; embedded wallet users authenticate via Google OAuth.
  • KYC documents — we do not collect identity documents, selfies, or government IDs.

4. Embedded Wallet: How Your Keys Are Protected

Our embedded wallet (Quick Wallet) supports multiple wallets per account, each with multiple HD-derived accounts. We use a semi-custodial model. We want you to fully understand how it works:

  • Multi-wallet architecture — you can create or import multiple wallets under one login. Each wallet has its own independently generated seed phrase. All wallets share a single PIN for convenience — one PIN unlocks everything.
  • Seed generation — each wallet's seed phrase (mnemonic) is generated entirely on your device using standard BIP-39. It is never transmitted to our servers in plaintext.
  • HD accounts — each wallet can derive multiple accounts (addresses) from a single seed phrase using BIP-44 derivation paths. Account names and avatars are stored locally and optionally synced as encrypted preferences.
  • Encryption — each seed phrase is encrypted in your browser using PBKDF2 (600,000 iterations) with your PIN + a server-provided salt, then sealed with AES-256-GCM. The result is an encrypted blob per wallet that is meaningless without your PIN.
  • Server storage — we store one encrypted blob per wallet and a shared deterministic salt derived from your user ID. Each wallet also stores up to 3 additional encrypted blobs corresponding to its own recovery codes (each recovery code independently encrypts that wallet's seed).
  • PIN requirements — your PIN must be at least 6 digits. A 6-digit PIN provides 1,000,000 possible combinations, and PBKDF2 with 600,000 iterations makes brute-force attacks computationally expensive.
  • PIN changes — when you change your PIN, every wallet's seed phrase is decrypted locally with your current PIN, re-encrypted with the new PIN, and all new blobs are sent to our server in a single atomic database operation. Either all wallets update or none do — there is no partial-failure state. Neither the old nor new PIN is ever transmitted to our server.
  • PIN caching — for convenience, your PIN is cached in your browser's local storage after you enter it. This allows automatic unlock without re-entering your PIN. You can clear this by disconnecting your wallet.
  • Per-wallet recovery — each wallet has its own set of 3 recovery codes. Recovering one wallet with its codes does not restore your other wallets. We strongly recommend backing up recovery codes for each wallet separately.
  • Export options — you can export individual account private keys or an entire wallet's recovery phrase at any time from the Account Panel. This gives you full portability — exported keys work with any Ethereum-compatible wallet.
  • What this means — your wallets require both our server (for the encrypted vaults and salt) AND your PIN (or a wallet-specific recovery code) to unlock. If our platform were to become permanently unavailable and you had not exported your seed phrases or private keys, you would lose access to your wallets. We strongly recommend exporting your seed phrases as a backup.
  • Vault deletion — you can permanently delete your encrypted vaults from our servers at any time. This action is irreversible. Ensure you have exported your seed phrases before deleting.

5. Data Storage & Security

Your data is stored securely:

  • Database — hosted on Supabase with row-level security policies, encrypted connections, and service-role access control for write operations.
  • Payment details — encrypted with AES-256-GCM on your device before storage. Even in the event of a database breach, payment details cannot be read without the encryption key.
  • Wallet vaults — encrypted with AES-256-GCM using your PIN and a server salt. Even with full database access, the vault cannot be decrypted without the user's PIN.
  • Authentication — external wallets are verified via cryptographic signatures with HMAC session tokens (7-day expiry). Embedded wallets authenticate via Supabase Auth (Google OAuth) with JWT verification on each request.
  • Smart contracts — on-chain funds are held in smart contracts on the blockchain, not in our database. Off-ramp USDT is held in the TradeRouter escrow contract during withdrawal processing.

6. Third-Party Services

We share limited data with the following service providers:

  • Flutterwave — processes bank transfers for our fiat off-ramp. Receives your bank account details (account number, bank code, account name) only when you initiate a withdrawal. Also used for bank account name verification when you enter payment details. Subject to Flutterwave's Privacy Policy.
  • Google (via Supabase Auth) — if you use the embedded wallet, Google provides your email and user ID for authentication. We do not request access to any other Google data. Subject to Google's Privacy Policy.
  • Supabase — provides our database hosting, authentication, and file storage (for token logos). Subject to Supabase's Privacy Policy.
  • Blockchain networks — all token creation, launches, and trades are recorded on public blockchains (BNB Smart Chain, Ethereum, and other supported networks). This data is publicly accessible and permanent by design.
  • WalletConnect / Reown — facilitates external wallet connections. Subject to their own privacy policies.
  • Exchange rate providers — we fetch fiat exchange rates (NGN, GBP, EUR, etc.) from third-party rate APIs to calculate off-ramp payouts. No user data is shared with these providers.

We do not sell, rent, or trade your personal information to any third parties.

7. Cookies & Local Storage

TokenKrafter uses minimal browser storage:

  • Essential cookies — required for the platform to function (wallet connection state, theme preference, language selection). These cannot be disabled.
  • Local storage — we store your preferences (theme, language, slippage tolerance, imported tokens, favorites), session tokens (HMAC-signed, 7-day expiry), cached PIN (for embedded wallet users), wallet and account metadata (names, avatars), and cached account balances for instant display on reload. This data stays on your device.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Data Retention

  • Transaction records are kept indefinitely as they correspond to permanent blockchain records.
  • Token metadata (name, logo, description, social links) is kept indefinitely as long as the token exists on-chain.
  • Payment details for completed withdrawals are retained for 90 days, then deleted.
  • Incomplete withdrawal requests (awaiting_trade) are automatically deleted after 30 minutes.
  • Embedded wallet vaults (one per wallet) are retained until you explicitly delete them or request deletion.
  • Referral aliases are retained as long as the associated wallet is active.
  • Comments on launches are retained indefinitely unless you request deletion.

9. Your Rights

You have the right to:

  • Access — request a copy of the data we hold about your wallet address or Google account.
  • Deletion — request deletion of your off-chain data (payment details, comments, metadata, wallet vault, referral alias). Note: on-chain data (transactions, token contracts, launch records) cannot be deleted as it is part of the public blockchain.
  • Correction — update your payment details, token metadata, or referral alias at any time.
  • Export — export each wallet's recovery phrase or individual account private keys at any time from the Account Panel. Your data portability is guaranteed — you can use your exported keys with any Ethereum-compatible wallet.
  • Vault deletion — permanently delete your encrypted wallet vaults from our servers via the Account Panel or by contacting us.

To exercise these rights, contact us at support@tokenkrafter.com.

10. Children

TokenKrafter is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or data requests, contact us at support@tokenkrafter.com.

Explore Launch Trade Create