Privacy Policy

IOTA Wallet operates on the principle of local-first data management, meaning that all essential operations — including key generation, transaction signing, and configuration — take place entirely on the user’s device. No external servers, APIs, or third-party databases are involved in processing or storing user-related data. This approach ensures that users retain complete control over every piece of information the wallet touches.

When the wallet is installed, it creates a local data directory specific to the operating system (e.g., ~/AppData/ on Windows, ~/Library/Application Support/ on macOS, or ~/.config/ on Linux). All wallet-related files, including encryption metadata, preferences, and cache data, are written only to this directory. No background synchronization or remote backups occur unless explicitly configured by the user through an independent service of their choice.

Locally Stored Data

The following types of information may exist locally on your device as part of normal operation:

• Wallet Files — contain encrypted representations of your private keys or recovery seeds. Encryption is applied using AES-256 or an equivalent algorithm derived from your chosen password.
• Configuration Files — store your selected network (mainnet, testnet), node endpoints, preferred language, and interface preferences.
• Cache Data — temporary blockchain data or transaction states required for display and synchronization purposes. This cache can be cleared safely at any time without affecting your assets.
• Error Logs (Optional) — generated only if the app encounters an internal issue. Logs contain no personal identifiers and remain entirely local unless you manually share them with developers.

Each of these file categories exists exclusively within the user’s local environment. They can be inspected, copied, or deleted at any time, and their removal does not communicate any signal or metadata to external systems.

What Is Never Stored or Transmitted

To protect user privacy, the wallet explicitly avoids retaining or transmitting certain data types:

• No cloud backups or automatic synchronization with remote storage.
• No collection of IP addresses, location data, or network identifiers.
• No aggregation of usage analytics, behavior logs, or activity timestamps.
• No association between wallet addresses and personal identity.
• No recording of balances or transaction metadata on developer servers.

The wallet’s node connection feature is purely client-side — it uses your provided endpoints to interact with IOTA network and does not route traffic through centralized relays. All node communications follow the open IOTA protocol directly over HTTPS or local connections, preserving transparency and verifiability.

Temporary Data and Caching

Certain functions may require temporary data to improve performance, such as transaction lists or confirmed block references. This information is held in local cache files and automatically purged when no longer needed. Cached data serves usability only; it does not represent persistent storage and never includes private keys or sensitive information.

Users can manually delete cache data at any time through system-level tools or by resetting the wallet configuration. Doing so will not affect your ability to recover funds or continue using your wallet.

Encryption and Key Management

The wallet applies end-to-end local encryption for every private key and seed phrase. Your password never leaves the device and is not transmitted during encryption or decryption processes.

Encryption relies on a derived key using a salted hash algorithm (PBKDF2, Argon2, or equivalent), making brute-force recovery computationally impractical. Even if an attacker gains access to the local wallet files, they would be unable to decrypt them without your password.

No copy of your recovery phrase is uploaded or cached remotely — only you have it. Losing the phrase means permanent loss of access to your assets, as there are no central recovery mechanisms or fallback systems by design.

Data Persistence and Removal

All data handled by the wallet is tied to the local installation. If you uninstall the wallet or manually delete its data folder, all locally stored information — including encrypted keys, preferences, and logs — will be permanently erased. The blockchain records of your transactions remain publicly visible on the IOTA Tangle but cannot be linked back to you by the wallet or its maintainers.

To reset or move your wallet safely:

1. Export your recovery phrase to a secure offline location.
2. Delete the application data folder or uninstall the app.
3. Reinstall and re-import your recovery phrase on the new system.

No residual traces of your wallet remain after deletion, other than the immutable transaction data already written to the public ledger.

Third-Party Dependencies

All third-party libraries integrated into the wallet are open-source and locally embedded. None of them include telemetry or network analytics. External network requests occur only when communicating with IOTA nodes that you explicitly connect to. Updates and package signatures are verified before installation to prevent tampering or unauthorized code execution.

Philosophy of Storage

The handling of data in the IOTA Wallet mirrors the philosophy of decentralized infrastructure:

• Everything critical stays local.
• Everything sensitive is encrypted.
• Nothing private is ever transmitted.

This principle makes the wallet functionally independent — your data belongs entirely to you, not to any company, foundation, or service provider.

IOTA Wallet processes data solely to provide core functionality and maintain a secure, reliable user experience. All operations are executed locally, with no background data sharing or commercial analytics. The goal is not to observe the user but to ensure the wallet performs correctly — and only for the duration and purpose required.

Every piece of information that the wallet interacts with has a clear and necessary function. There are no hidden data flows, no marketing integrations, and no profiling logic built into the software. The wallet’s use of data can be divided into three essential categories: functional operations, stability and maintenance, and user-driven diagnostics.

Functional Operations

These are the processes required for the wallet to run as intended and connect to the IOTA network:

• Node communication: The wallet must exchange messages with IOTA nodes to broadcast transactions, retrieve balances, and verify ledger states. These requests are protocol-level and contain only the information necessary for blockchain synchronization.
• Local session data: Temporary files or memory variables used to keep your interface responsive, cache balances, and record pending transactions until confirmed. Once processed, this data is cleared automatically.
• Configuration references: The app reads your chosen settings — such as language, theme, or node URL — strictly to render your interface and connect to your preferred network.

These processes never involve user identity, third-party servers, or remote APIs beyond the node endpoints you configure yourself.

Stability and Maintenance

IOTA Wallet may generate small fragments of technical metadata to maintain stability or improve performance, but even these are stored locally unless you choose to share them manually. Examples include:

• Crash logs: Created only when a runtime error occurs. Contain stack traces or code references but no wallet addresses, keys, or personal data.
• Performance metrics: Local counters that measure sync speed, network latency, or cache refresh time — used internally to optimize rendering or connection behavior.
• Version information: The wallet may check your app version against a published update list to notify you of a new release. No identifying data is exchanged during this process.

These functions ensure that the wallet remains efficient and up to date, without transmitting private information to any external party.

User-Driven Diagnostics

Occasionally, users may choose to report issues or errors to improve the wallet. This process is entirely voluntary and transparent. If you decide to submit diagnostic information:

• The wallet packages only technical content, such as log snippets or configuration context.
• Before sending, you can review, edit, or remove any information within the report.
• No system data, private keys, or transaction information is ever included automatically.

Diagnostics are used exclusively for troubleshooting, reviewed manually by maintainers, and deleted once analysis is complete. There is no automated aggregation or long-term storage of user reports.

Analytical and Improvement Use

Aggregated and anonymized data may occasionally be used to understand broad trends — for instance, the number of times a specific version was downloaded or how many nodes were selected globally. This data cannot be traced back to individuals and serves only to inform development priorities, such as which operating systems need performance optimization or which features are most frequently enabled.

There is no behavioral tracking or user profiling. The wallet’s architecture fundamentally prevents identifying usage patterns beyond anonymous counts or protocol-level interactions.

No Commercial or Marketing Use

The wallet does not participate in data monetization, affiliate networks, advertising partnerships, or third-party API integrations that exchange user information. Your data — even anonymous technical metadata — is never sold, rented, or shared with any marketing service.

Legal and Compliance Purposes

In rare cases, the project may be required to preserve minimal technical data for compliance or security verification (for instance, log evidence of a software exploit). Such retention, if necessary, follows open-source security disclosure practices and contains no personal identifiers or user-linked information.

Retention Principles

Any local data persists only for as long as necessary:

• Functional caches are purged automatically or upon app restart.
• Logs remain until you clear them manually or reinstall the wallet.
• No hidden background storage exists — what you see locally is what exists.

This approach guarantees transparency: users can always audit, modify, or remove local information. There are no invisible data stores or external retention systems.

IOTA Wallet interacts directly with IOTA Tangle, the distributed ledger that records and verifies all network transactions. Unlike traditional blockchains that rely on miners or validators, the Tangle is based on a Directed Acyclic Graph (DAG) architecture. Each transaction confirms two previous ones, allowing the network to scale organically without fees or block intervals.

When the wallet connects to the network, it communicates with IOTA nodes — servers that maintain and broadcast ledger data. The wallet does not connect to centralized APIs or proxy relays operated by the developers; instead, it uses standard node endpoints that the user selects manually or from a trusted public list.

This design ensures a transparent, peer-to-peer relationship between the wallet and the network. No intermediary can intercept, analyze, or alter your transactions beyond what the open protocol inherently requires.

What Happens During Network Interaction

Whenever you perform an operation — such as checking your balance, sending tokens, or viewing transaction history — the wallet executes several low-level steps:

1. It connects to your chosen node via HTTPS or local network connection.
2. It requests ledger data (like address balance or transaction confirmation state).
3. It locally signs any outgoing transaction using your encrypted private key.
4. It submits the signed transaction to the node, which relays it to the rest of the Tangle.

At no point are your keys or personal data transmitted. The node receives only protocol-compliant payloads containing the signed message, cryptographic proof, and transaction metadata needed for validation.

Public Nature of the Tangle

IOTA network is public and immutable. This means that once your transaction is confirmed, it becomes part of a global ledger that anyone can read. The following data types are visible publicly:

• Transaction Hash: The unique identifier of each transaction.
• Addresses: The cryptographic addresses used to send or receive tokens.
• Timestamps and Confirmations: The approximate time the transaction was approved and the number of validations it has received.
• Amounts and Assets: The value and type of digital asset transferred.
• Embedded Metadata: If you attach data payloads (for IoT, identity proofs, or supply chain logs), those become permanently visible on the Tangle.

These integrations are governed by the respective third parties' privacy policies.

However, while transactions are public, ownership is not. Addresses are pseudonymous and reveal no identity unless voluntarily disclosed elsewhere. The wallet itself does not label or track your addresses, nor does it attempt to analyze network behavior or correlate usage.

Privacy in a Public Ledger Context

To maintain privacy in a transparent ledger, the wallet follows several practices:

• It generates new addresses automatically when needed, avoiding reuse and limiting traceability.
• It never embeds personal identifiers or metadata into transactions.
• It allows users to connect to their own nodes, bypassing any reliance on shared public infrastructure.
• It stores no off-chain mapping between your wallet data and public ledger entries.

Users who prioritize maximum anonymity can operate through self-hosted nodes or local network configurations, ensuring no external service even sees their connection requests.

On-Ledger Data and Immutability

All transactions stored on the Tangle are permanent and cannot be altered or deleted. This immutability is critical to maintaining network integrity. The wallet has no power to remove or obscure these records — they belong to the global ledger, not to any single entity.

If you send tokens, the proof of that transaction will exist indefinitely on the network. However, without external disclosure, no one can associate that record with your real identity or device.

On-Ledger Data and Immutability

Some users may use the wallet to anchor additional data onto the Tangle — for example, IoT device logs, supply chain events, or verification hashes. When doing so, the wallet encodes and transmits the data payload in the same cryptographically signed way as standard transactions. These payloads remain public forever but contain no identifiable personal content unless the user includes it intentionally.

It is strongly recommended to avoid embedding private or confidential data directly into transactions, as the public ledger does not provide deletion mechanisms.

No External Tracking or Metrics

The wallet performs no analytics on network traffic. It does not log node addresses, transaction frequencies, or balance history outside your local machine. Developers and maintainers cannot see which nodes users connect to or how often they interact with the network.

Any performance metrics (such as sync speed or latency) are evaluated locally and discarded after use. The wallet has no “heartbeat” or continuous ping to any monitoring service.

Security within IOTA Wallet is not an additional feature — it is the framework on which the entire application operates. From the way data is stored and encrypted, to how transactions are verified and broadcast, every mechanism is designed to minimize risk, prevent unauthorized access, and maintain the integrity of your digital assets.

The wallet follows a layered approach to protection, combining cryptographic strength, local isolation, code transparency, and user control. There are no “hidden safeties” that depend on a remote server or centralized service — all safeguards function directly on your device, giving you full ownership of both data and security.

Encryption and Local Protection

Every private key and recovery seed generated by the wallet is encrypted before storage. Encryption is applied using industry-standard algorithms such as AES-256-GCM, derived from a password-based key generation function (PBKDF2 or Argon2). This ensures that even if someone gains physical access to your files, they cannot read or reconstruct the keys without knowing your password.

No plaintext version of your seed phrase is ever written to disk or transmitted across the network. The wallet performs all signing and encryption locally in memory, meaning that private keys never leave the device nor appear in unencrypted form outside the application’s protected runtime.

Integrity Verification and Source Authenticity

All wallet releases are digitally signed. Before installation, users can verify both the checksum and the developer’s cryptographic signature to confirm that the software has not been tampered with. This step prevents malicious actors from distributing altered binaries that might compromise private keys or introduce unauthorized telemetry.

Additionally, the open-source nature of the IOTA Wallet allows independent verification. Developers and community auditors can review the source code and build process, ensuring transparency and reproducibility. Users can verify that the published binaries match the public source exactly, eliminating trust in intermediaries.

Runtime Security

IOTA Wallet operates within an isolated runtime environment. Sensitive processes such as transaction signing, password entry, and encryption are handled in memory with limited exposure to the file system. Once operations are complete, the corresponding memory blocks are cleared immediately.

For extra protection, the wallet can integrate with OS-level sandboxing features on modern platforms:

• macOS App sandbox with hardened runtime and keychain access isolation.
• Windows User-space isolation preventing unauthorized interprocess memory reads.
• Linux Optional execution through AppArmor or Flatpak environments for confined access.

These mechanisms help contain the application within a secure boundary, reducing the risk of external interference.

Password and Access Policies

Users create their own encryption password during wallet setup. This password:

• Is never stored or transmitted.
• Derives the encryption key used to protect the local wallet file.
• Can be changed by re-encrypting the existing wallet.

For convenience, operating systems may prompt to store the password in local keychains, but this is optional and entirely under user control. The wallet itself never saves or exports passwords to disk.

Password and Access Policies

All network connections between the wallet and IOTA nodes occur via HTTPS/TLS encryption, protecting against eavesdropping and man-in-the-middle attacks. The wallet verifies the authenticity of each node response, rejecting data that fails protocol validation or cryptographic proof verification.

Even though ledger data is public, the communication channels are always encrypted to ensure integrity during transmission.

Defense Against Malicious Interference

The wallet employs multiple checks to detect and block tampered or invalid data:

• Verification of node health and synchronization state before broadcasting transactions.
• Validation of transaction bundles and message formats before local signing.
• Built-in checksums for wallet and configuration files to detect corruption or unauthorized modification.

Because the wallet runs entirely locally, it is immune to remote access attempts unless the system itself is compromised. No background listeners, remote APIs, or update daemons are active when the wallet is closed.

Code Security and Maintenance

All dependencies used in the IOTA Wallet are open-source and vetted. Updates are reviewed manually before inclusion in new releases. The build process avoids dependency obfuscation and maintains clear versioning to prevent supply-chain attacks.

Security patches are prioritized and rolled out as standalone updates. Users are encouraged to keep the wallet version current, as each release may include cryptographic library improvements or mitigations against newly discovered vulnerabilities.

User-Controlled Safety Practices

The wallet empowers users to manage their own protection measures effectively. Recommended practices include:

• Store your recovery phrase offline, written or engraved on a secure medium.
• Verify downloads and release signatures before installation.
• Avoid sharing node endpoints with untrusted services.
• Keep your operating system and antivirus software updated.
• Disconnect from public Wi-Fi when managing large balances.

The wallet provides secure defaults but never limits user autonomy — you remain the final authority over all security decisions.

User-Controlled Safety Practices

In the unlikely event of a crash, the wallet’s design prevents sensitive data from being exposed. Unsent transactions remain local until the app restarts and reconnects to the network. Crash logs contain only technical traces and are never uploaded automatically. No background error reporting exists unless the user manually opts to send diagnostic data.

If the local files are lost or the device is damaged, funds remain recoverable using the backup seed phrase. The wallet itself is replaceable; the seed is not.

IOTA Wallet is built on the principle of user sovereignty — meaning that every person using the wallet has complete control over their data, keys, and privacy. Unlike online platforms that process and retain user information on central servers, the IOTA Wallet functions entirely on the client side. All meaningful control stays in the user’s hands, and every data-related decision can be executed locally without third-party involvement.

Your rights are not permissions we grant — they are technical guarantees embedded into the design of the wallet itself. Each mechanism of the application reinforces the idea that the user is the only authority capable of managing stored information, seed phrases, and local configurations.

Full Control Over Data

All wallet-related data — including keys, transaction caches, node configurations, and logs — is stored exclusively on your local device. You can:

• View: Inspect all files and configuration data created by the wallet at any time.
• Modify: Change node endpoints, language, or settings without restrictions.
• Delete: Remove any wallet data or cache folder directly through your file system.

IOTA Wallet never restricts access to its local storage directories and does not hide information in protected system areas. Transparency ensures that users always know what exists, where it is located, and how to erase it.

Right to Deletion and Erasure

If you decide to remove the wallet or start fresh, deleting the local wallet folder completely wipes all stored information — encrypted or otherwise. The developers cannot recover or restore this data, which guarantees that when you delete it, it’s gone permanently.

After deletion, your assets remain visible only on the IOTA Tangle as immutable ledger entries. However, these records contain no identity data and cannot be traced back to you through the wallet itself.

Right to Data Portability

Because the IOTA Wallet is non-custodial, you can move your wallet freely between systems without limitation or approval. Exporting your recovery phrase allows full restoration of your funds and settings on any compatible installation.

This makes your data portable and independent — it belongs to you, not to the software. You are free to migrate, clone, or back up your wallet in whatever format or location you choose, including air-gapped systems or encrypted drives.

Right to Transparency

Everything that happens inside the wallet can be verified.

• The wallet’s source code is public and auditable.
• Network requests can be monitored using standard tools to confirm there are no hidden transmissions.
• Files stored on your device can be opened, inspected, and validated.

There are no “dark zones” or protected internal APIs — every action the wallet performs is transparent and traceable to its codebase.

No Consent Fatigue

Since the wallet doesn’t collect or share personal data, you won’t encounter endless consent forms, cookie banners, or policy pop-ups. Your interaction is simple: you install it, use it, and own the process from start to finish. The only time you’ll be asked to confirm something is when it directly affects your data — such as deleting a wallet file or sending diagnostics voluntarily.

Your Responsibility as the Custodian

With full control comes full responsibility. The IOTA Wallet does not have recovery options, centralized backups, or account resets. Losing your recovery phrase or password means losing access permanently.

Users are encouraged to treat the recovery phrase as a physical key — store it offline, never share it, and never upload it to the cloud. The wallet will not send reminders or request it remotely; its safekeeping is entirely up to you.

IOTA Wallet is a continuously evolving open-source application. As the software improves and new technologies are integrated into the IOTA ecosystem, updates to this Privacy Policy may be introduced to reflect those changes. The goal of every revision is to preserve transparency and user control — never to expand data collection or weaken privacy safeguards.

Policy updates are managed with the same level of openness as the software itself. Each release of the wallet includes a versioned copy of this policy, stored alongside the application files and published on the project’s official website or repository. This ensures that users can always view the exact privacy terms that apply to their installed version, even if the document later changes.

How Policy Updates Occur

Whenever significant updates are made — such as new supported features, protocol improvements, or compatibility changes — the privacy document is reviewed and reissued under a new version number. Updates may include:

• Adjustments to reflect new cryptographic methods or storage models.
• Clarifications on how diagnostic or error data is handled locally.
• Explanations for any optional network extensions or external API integrations.
• Security notices related to new release builds.

No policy revision ever introduces personal data collection, remote tracking, or background analytics. If any feature in the future requires optional connectivity beyond the IOTA network, it will be opt-in by design and accompanied by clear in-app explanations before activation.

User Awareness and Transparency

Policy changes are never hidden. When a new version of the wallet introduces an updated Privacy Policy, the modification date and summary of changes are displayed in the release notes. Users can review these notes before downloading or updating the application.

The old versions remain publicly accessible for audit and comparison, maintaining a transparent history of all prior revisions. This ensures traceability — users can always verify how the privacy framework has evolved and confirm that no retroactive changes were made to previously installed software.

Governance and Oversight

The wallet’s privacy governance follows a community-driven model, rather than a centralized authority. The policy is maintained within the same public repository as the wallet’s codebase, allowing open review, discussion, and contribution from developers and independent auditors.

Changes undergo the same review pipeline as code updates — proposed modifications are visible, discussed publicly, and approved through version control commits. This guarantees that the privacy rules are subject to the same scrutiny and peer verification as the application’s technical components.

The wallet itself operates autonomously. It does not rely on company-managed databases or cloud environments. Consequently, no administrative body can alter or enforce changes remotely once a version is installed on your device. The local application continues to operate under the privacy terms active at the time of installation until you decide to update it.

Future Compatibility and User Choice

As the IOTA network expands — introducing new smart contract layers, interoperability bridges, or modular extensions — the wallet will continue to adopt these technologies in a privacy-preserving way. Any new function that involves external communication will include:

• Full disclosure of what information is processed.
• Local confirmation before activation.
• The ability to disable or remove the feature entirely.

Users retain complete freedom to continue using older versions of the wallet under prior terms if they prefer. The policy’s structure guarantees backward compatibility: newer releases may enhance protection or transparency, but they will not retroactively alter the behavior of previous versions.

No Consent Fatigue

Since the wallet doesn’t collect or share personal data, you won’t encounter endless consent forms, cookie banners, or policy pop-ups. Your interaction is simple: you install it, use it, and own the process from start to finish. The only time you’ll be asked to confirm something is when it directly affects your data — such as deleting a wallet file or sending diagnostics voluntarily.

Commitment to Long-Term Privacy Integrity

Privacy governance is a permanent commitment, not a temporary compliance step. The wallet will remain open for verification, its data model will stay transparent, and its encryption and access logic will continue to be fully local.

Even as legal, regulatory, or technical standards evolve, the wallet’s principles stay unchanged:

• No personal data collection.
• No remote processing.
• No monetization of user information.
• Complete local control and reversibility.

Each update to this document will reaffirm those principles rather than replace them.