Bad WalletBack to site ↗
DraftThis is a best-effort working draft, not yet reviewed by legal counsel. It is published for internal review and will be finalized before the app launches publicly. It is not yet a binding agreement.
Legal

Privacy Policy

Last updated: June 18, 2026

Bad Wallet is built to need as little of your data as possible. There are no accounts, no KYC, and no tracking, and your keys and recovery phrase never leave your device. This policy explains the limited data the app does handle, and who processes it.

1. The short version

Here is the gist. The sections below are the full policy.

  • Your recovery phrase, private keys, and passphrase never leave your device. We cannot see them.
  • We do not collect your name or government ID, and we run no KYC. There are no accounts.
  • We use no analytics, tracking, advertising, or crash-reporting tools, and we do not sell your data.
  • To answer your questions, the Bad Expert assistant sends your messages to our backend and our AI provider.
  • To show your balance, the app looks up your addresses through a blockchain data provider, which can see them.
  • If you send feedback, we receive what you write plus basic device details (and your email and a screenshot only if you add them).

2. Who this policy covers

This Privacy Policy explains how Sour Labs ("we", "us", "our") handles information in connection with the Bad Wallet app, the Bad Expert assistant, our backend services, and the badwallet.app website (together, the "Services").

3. What we never see or collect

Your recovery phrase, private keys, and passphrase are created and stored only on your device, in its secure storage. They are never sent to us or to anyone else, and we have no way to access them or your funds.

We also do not collect or receive your Bitcoin addresses, balances, or transaction history on our servers, and we do not ask for your name, date of birth, government ID, or any other identity documents. Bad Wallet has no user accounts and performs no KYC.

4. What stays on your device

Most of what Bad Wallet stores never leaves your phone or computer, including:

  • your recovery phrase, passphrase, and any watch-only keys, held in the device's secure storage (Android Keystore, the iOS Keychain, or the desktop operating system's keychain);
  • your wallet data, such as addresses, transactions, and balances, kept in a local database;
  • your app settings, such as theme, currency, and display units; and
  • a local copy of your Bad Expert conversations.

5. Information we process when you use online features

Some features need to talk to our backend or to third parties. Here is what that involves.

How the app identifies itself to our backend

When you use Bad Expert or send feedback, the app proves the request is genuine using a public key derived from your wallet, together with a digital signature and a small proof-of-work calculation. This public key acts as a pseudonymous identifier: it lets us link your requests to a single wallet and prevent abuse, but it does not tell us who you are, and it is derived on a separate path that does not reveal your Bitcoin addresses or balances.

Bad Expert (the AI assistant)

When you chat with Bad Expert, the messages you send (and the assistant's replies) are sent to our backend and processed by our AI provider, Google (Vertex AI and the Gemini models), to generate a response. We store your conversation on our servers, linked to your wallet's public key, so the assistant can keep context across messages. We do not send your balance, addresses, or transaction history. Please do not type your recovery phrase or other secrets into the chat.

Feedback and bug reports

If you submit feedback, we receive the message you write plus basic diagnostics that help us reproduce problems: app version, platform, operating-system version, device model, language, and which Bitcoin network your wallet uses (for example, mainnet or testnet). If you choose to, you can also add your email address and a screenshot; these are optional and are only sent if you provide them. Feedback does not include your recovery phrase, keys, addresses, balances, or transaction history. We also forward a copy of feedback to our team through a private Discord channel so we can act on it.

6. Information processed by third parties

To provide the Services, we rely on the third parties below (our "subprocessors"). Each has its own privacy practices.

  • Google Cloud — hosts our backend and provides the Bad Expert AI (Vertex AI and Gemini), our database, and our anti-abuse and logging infrastructure.
  • Blockstream — the blockchain data provider the app queries to show your balance and transactions. See the note below.
  • CoinGecko — provides Bitcoin price data; it receives your chosen display currency, but no wallet information.
  • mempool.space — opened only if you tap to view a transaction in a block explorer, which sends that transaction's public ID.
  • Discord — receives a copy of feedback you submit, so our team is notified.

A note on blockchain lookups and address privacy

To display your balance and history, the app looks up your wallet's addresses through a blockchain data provider (currently Blockstream). This means that provider can see the addresses your wallet asks about, and can associate them with one another and with your network connection. This is an inherent trade-off of lightweight wallets that do not run their own full Bitcoin node.

We do not hand over your extended public key in one piece, but querying your individual addresses still reveals them to the provider. We may offer the option to use your own node or data source in the future.

7. What we do not do

We want to be specific about this:

  • No analytics or telemetry. The app contains no analytics, tracking, or telemetry tools.
  • No crash reporting. We do not use third-party crash or performance-monitoring tools.
  • No advertising or third-party trackers, and no selling or renting of your data.
  • No push notifications. The app does not register for or send push notifications.
  • Minimal permissions. The app requests only internet access and, optionally, your camera, which is used solely to scan QR codes.

8. Logging and IP addresses

Our application code does not log your IP address or any device identifier, and our anti-abuse rate limiting is keyed to your wallet's public key rather than your IP address. However, like any internet service, our hosting provider (Google Cloud) necessarily processes your device's IP address in order to deliver responses to you, and our servers keep basic request logs, such as the request method, path, and result, for a limited period, typically around 30 days.

9. How long we keep data

We keep data only as described here:

  • Bad Expert conversations are stored until you clear them. Starting a new chat (the reset option) deletes your conversation history for your wallet from our servers. Otherwise, history is kept so the assistant can maintain context.
  • Feedback and bug reports are kept so we can investigate issues and follow up with you; we do not currently delete them on a fixed schedule.
  • Anti-abuse data, used for rate limiting and replay protection, is short-lived and expires automatically within minutes.

We expect to define more specific retention limits before the app's public launch.

10. Your choices and rights

You are in control of most of what is shared:

  • You can use the wallet fully without ever using Bad Expert or sending feedback.
  • You can clear your Bad Expert history at any time by starting a new chat.
  • You can choose not to include your email or a screenshot when sending feedback.

Depending on where you live (for example, in the EEA, the UK, or California), you may have rights to access, correct, or delete personal data we hold about you. To make a request, email us at hello@sourlabs.io. Because we identify stored data by your wallet's public key rather than by your name, we may need you to demonstrate control of that wallet so we can find the right data.

11. International data transfers

Our infrastructure is provided by Google Cloud and may process and store data in countries other than your own, including the United States. Where required, we rely on appropriate safeguards for those transfers.

12. Children

The Services are not intended for anyone under 18 (or the age of majority where they live), and we do not knowingly collect personal data from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "last updated" date above and post the new version.

14. Contact

Questions, or want to make a privacy request? Email us at hello@sourlabs.io.