BLAC Privacy Policy
Last Updated: May 21, 2026
Effective Date: May 21, 2026
Data Controller: BLAC LABS AB, a company to be incorporated under the laws of Sweden (Reg. No. pending — to be assigned upon incorporation)
Contact: hello@blaclabs.io
1. Introduction
At BLAC LABS AB ("we," "our," "us," or "BLAC"), we are committed to protecting your privacy. This Privacy Policy explains our data practices in connection with our websites, the BLAC Wallet mobile application (currently in beta), the BLAC Server backend infrastructure, and any other related products, features, or services (collectively, the "Services"). BLAC Wallet is a software tool — it is not a financial product or advisory service.
This Privacy Policy is incorporated into and forms part of our Terms of Service.
CORE PRINCIPLE: THE BLAC WALLET IS A NON-CUSTODIAL, CLIENT-SIDE APPLICATION. BY DESIGN AND ARCHITECTURE, WE DO NOT COLLECT, RECEIVE, STORE, PROCESS, OR HAVE ACCESS TO ANY PERSONAL DATA, PRIVATE KEYS, SEED PHRASES, WALLET CONTENTS, TRANSACTION HISTORIES, OR ANY OTHER USER-IDENTIFIABLE INFORMATION THROUGH THE CORE WALLET FUNCTIONS.
The only exception is the strictly minimal, pseudonymous data required to deliver optional features that you explicitly opt into (push notifications, live activities, and external alerts). This is fully described in Section 2.4. Even for opt-in features, BLAC LABS AB has no means by which to identify you as an individual.
2. Our Data Architecture
2.1. How the BLAC Wallet Works
The BLAC Wallet is designed with a zero-knowledge, minimum-collection architecture:
- No Analytics or Telemetry: The Wallet application does not send any usage data, analytics data, telemetry data, crash reports, or behavioral data to any server operated by or on behalf of BLAC LABS AB.
- No User Accounts: The Services do not require registration, account creation, login credentials, email addresses, phone numbers, or any form of user identification.
- No Tracking: The Wallet application does not contain any first-party or third-party analytics SDKs, tracking pixels, advertising identifiers, fingerprinting mechanisms, or any other form of user tracking technology.
- No Cookies (Application): The Wallet application does not use cookies or similar local storage mechanisms for tracking purposes.
- Local-Only Processing: All cryptographic operations, key generation, key storage, transaction signing, and data processing occur exclusively on your local device. No such data is transmitted externally except for signed transactions that your device broadcasts directly to public Blockchain networks.
2.2. Data We Do NOT Collect
We explicitly and affirmatively confirm that BLAC LABS AB does NOT collect, receive, store, access, or process:
- Personal Identity Information: Names, postal addresses, email addresses, phone numbers, dates of birth, or any other personally identifiable information (PII).
- KYC/AML Data: Passports, driver's licenses, national identity numbers, social security numbers, or any other identity verification documents.
- Financial Data: Bank account numbers, credit/debit card numbers, or financial account information.
- Biometric Data: Facial recognition data, fingerprint data, or any other biometric identifiers. Any biometric authentication (e.g., Face ID, Touch ID) is processed entirely on your device's secure hardware (e.g., Apple Secure Enclave) and is never transmitted to us.
- Private Keys and Seed Phrases: We NEVER have access to, receive, store, or process your Private Keys, Seed Phrases, PINs, passwords, or any wallet authentication credentials.
- Transaction Data: We do not collect, monitor, or store your individual transaction history, wallet balances, or Digital Asset holdings.
- IP Addresses: Our servers do not write any conventional access log to disk. IP addresses are processed transiently in memory by our rate-limiting layer and are discarded within the duration of the rate-limit window (typically seconds to minutes). The raw IP address is never written to persistent storage and is never associated with any user record, installation identifier, wallet address, or transaction. When, and only when, an automated-abuse threshold is crossed, our anti-abuse layer may record a minimal security-incident entry in a size-bounded local log. This entry contains only a salted, non-reversible one-way hash derived from request metadata (never the raw IP), an abuse score, and a timestamp; it cannot be reversed to recover an IP address and is not linked to any user, installation, wallet address, or transaction. The legal basis for this processing is our legitimate interest in preventing automated abuse and protecting the integrity of the Services (Art. 6(1)(f) GDPR).
- Device Identifiers (Hardware): We do not collect device IDs, advertising identifiers (IDFA/GAID), hardware serial numbers, IMEI numbers, or UDIDs.
- Location Data: We do not collect GPS coordinates, Wi-Fi access point data, Bluetooth beacon data, or any other location information.
- Usage/Behavioral Data: We do not collect information about how you use the application, which features you access, session duration, or interaction patterns.
- Contact Lists or Personal Files: We do not access your contacts, photos, files, calendar, or any other personal data stored on your device.
2.3. Blockchain Data (Public by Nature)
When you execute a transaction using the Wallet, the signed transaction is broadcast from your device directly to the relevant Blockchain network. Blockchain transactions are inherently public and recorded permanently on the distributed ledger. This includes your public wallet addresses, transaction amounts, and transaction hashes.
This data is not collected by BLAC LABS AB. It is a fundamental characteristic of public Blockchain technology that transaction data is publicly accessible. BLAC LABS AB has no control over the public nature of Blockchain data.
2.4. Opt-In Notification Service Data
If you explicitly enable push notifications, Live Activities, or external alerts via the BLAC Wallet, we will store a minimal, pseudonymous record on our servers strictly for the purpose of delivering the notifications you have requested. This is the only category of data we store for users of the Wallet, and only for users who opt in.
What we store (only when you opt in):
- A pseudonymous installation identifier — a random UUID generated once on your device, with no link to your identity, Apple ID, hardware serial number, or any personal attribute.
- Your Apple Push Notification service (APNs) device token, which is required by Apple to deliver pushes to your device.
- Your notification preferences (e.g., which categories of updates are enabled, privacy display mode).
- The alert rules you create (e.g., "notify me when BTC crosses a chosen price").
- A short delivery log used for de-duplication and reliability.
- If — and only if — you opt into account-level notifications for protocols such as Hyperliquid, the public blockchain address you have chosen to monitor. This is used solely to query public on-chain data so we can produce the notifications you have requested.
We cannot identify you from this data. The installation identifier is a random UUID with no association to any personal information. The APNs token is a delivery address managed by Apple. Any blockchain address you ask us to monitor is already public on-chain and contains no identifying information by itself; BLAC LABS AB has no way to connect such an address to a real person. BLAC LABS AB has no internal lookup table, no customer record, and no registration system that could connect any of these identifiers to a real person. We do not attempt to identify users and have no technical means to do so on our own.
We disclose, for full transparency, that under GDPR these pseudonymous identifiers are nevertheless treated as personal data because (a) they allow a specific device to be singled out, and (b) Apple — but not BLAC LABS AB — could theoretically connect the APNs token to an Apple ID if compelled to do so by valid legal process directed at Apple. Our position is one of structural inability to identify you; we acknowledge that the regulatory category still applies.
Legal basis (GDPR Art. 6):
- Art. 6(1)(a) — your explicit consent, given when you enable notifications via the device's system permission prompt and the BLAC Wallet's in-app toggle.
How long we keep it:
- Immediate deletion when you opt out. When you disable notifications in the BLAC Wallet's settings, your device record and all associated rules, preferences, events, and delivery logs are deleted from our servers within milliseconds.
- Immediate deletion on uninstall. When Apple's Push Notification service informs us that your token is no longer valid (typically following an app uninstall or device reset), your device record and associated data are purged automatically.
- Inactivity-based deletion. If you do not open the BLAC Wallet for 24 consecutive months, your device record and associated rules are deleted automatically by our daily retention process.
- Delivery log retention. The de-duplication delivery log is automatically deleted after 90 days regardless of activity, since it is only needed for short-term reliability.
Your control:
- Toggle notifications off at any time in the BLAC Wallet settings — this triggers immediate, irrevocable deletion of your record.
- Uninstall the BLAC Wallet — Apple's feedback to us triggers automatic deletion.
- No personal account exists to "manage," because no account exists.
Where it lives:
On self-hosted servers operated by BLAC LABS AB and physically located in Sweden (EEA). We do not use any third-party cloud notification provider, analytics tool, or external database. The only third party that ever sees this data is Apple, which is necessary because Apple operates APNs — the sole mechanism by which iOS devices receive push notifications. Apple is an independent data controller for any data they receive directly through APNs.
2.5. Anti-Abuse Device Verification
To prevent fraudulent or automated requests to our backend, the BLAC Wallet uses Apple's App Attest framework. App Attest generates a cryptographic key on your device. At registration, our servers cryptographically verify the device's attestation against Apple's App Attestation Root certificate authority, proving that requests originate from a genuine, unmodified installation of BLAC Wallet. This is the sole mechanism by which the backend may be accessed.
- The verification record stored on our servers contains a randomized cryptographic key identifier, a device-specific public key used to verify that subsequent requests are signed by the same genuine installation, and an attestation counter. Each individual request additionally carries a one-time nonce and timestamp, which provide anti-replay protection.
- This identifier is specific only to the BLAC Wallet application on your specific device. It contains no hardware-level serial numbers (such as IMEI or UDID), cannot be used to track you across different apps, and provides no link to your personal identity, Apple ID, or physical person.
- This identifier is not used to track, profile, or identify users. It is used solely for cryptographic verification of legitimate requests and is never combined with any other dataset.
- The record is automatically deleted after 365 days without a successful verification (e.g., following uninstall or extended non-use), enforced by a daily retention process.
The legal basis for this processing is our legitimate interest in preventing automated abuse and protecting users (Art. 6(1)(f) GDPR). A Legitimate Interest Assessment (LIA) has been conducted and is available upon request at hello@blaclabs.io.
3. Website
3.1. BLAC Website
When you visit our website (e.g., blaclabs.io), the following applies:
- No Cookies: Our website does not set or read any cookies. We do not use strictly necessary cookies, analytics cookies, advertising cookies, session cookies, or third-party tracking cookies of any kind. No consent banner is required because no cookies are deployed.
- No Persistent Access Logs: We do not write access logs to disk. Standard request metadata (such as IP address, user agent, and timestamps) is processed transiently in memory for the sole purpose of TLS termination, routing, and rate limiting. Such metadata is not retained, is automatically discarded within seconds or minutes of the request being served, and is never associated with any user, session, or visitor record.
- No Analytics, No Fingerprinting, No Tracking: The website does not contain any first-party or third-party analytics, tracking pixels, advertising SDKs, social media trackers, fingerprinting scripts, or similar technologies.
3.2. Legal Basis for Website Processing (GDPR — Art. 6)
Because we do not persistently log, store, or retain any visitor data, no personal data is processed by BLAC LABS AB in connection with ordinary visits to the website, and no GDPR legal basis is required on our part for retention. To the limited extent that transient request metadata is processed in memory for the technical delivery of the website (TLS termination, routing, rate limiting), the legal basis is our legitimate interest in delivering the requested service and protecting network integrity (Art. 6(1)(f) GDPR). Such metadata never reaches persistent storage.
4. Data Sharing
4.1. No Sale of Data
We do not sell, rent, lease, trade, or otherwise commercially transfer any personal data to any third party, and we never have.
4.2. No Sharing of Wallet Data
Because the Wallet application's core functions do not collect or transmit any user data to BLAC LABS AB (other than the opt-in notification data described in Section 2.4 and the App Attest verification described in Section 2.5), there is no such data for us to share.
4.3. Third-Party Blockchain Interactions
When you use the Wallet to interact with Blockchain networks, your device communicates directly with third-party infrastructure (e.g., blockchain nodes, RPC providers such as Alchemy or Infura). These communications are initiated by your device, not by BLAC LABS AB. Your interaction with these third-party services may be subject to their respective privacy policies. BLAC LABS AB does not act as an intermediary, proxy, or data processor in these interactions.
Because BLAC LABS AB does not route, relay, or transmit user data to these third-party providers, BLAC LABS AB is not a "data controller" or "data processor" within the meaning of GDPR with respect to any data exchanged between your device and these providers. These third parties are independent data controllers for any data they receive directly from your device.
4.4. Apple Push Notification Service (APNs)
If you opt into notifications (Section 2.4), our servers send push payloads to Apple's APNs infrastructure for delivery to your device. Apple receives your APNs device token (which they issued) and the payload of the notification. Apple is an independent data controller for any data processed via APNs and is subject to Apple's own privacy practices. BLAC LABS AB does not control, route, or store any data on Apple's behalf.
4.5. Legal Requirements
In the unlikely event that BLAC LABS AB receives a valid legal request (e.g., court order, subpoena, or regulatory demand) for user data:
- We will comply with applicable law to the extent required.
- However, the only data we possess is the limited, pseudonymous opt-in notification data described in Section 2.4, which cannot be linked to a real person by us. We cannot provide data we do not have, and we cannot resolve identities we do not know.
- We will, to the extent legally permitted, challenge requests that are overly broad or that seek data we do not possess.
5. Data Security
5.1. Wallet Application Security
- Local Encryption: All sensitive data (Private Keys, Seed Phrases) is encrypted on your device using hardware-backed security mechanisms (e.g., Apple Secure Enclave) and is never transmitted externally.
- No Server-Side Storage of Sensitive User Data: We do not store wallet secrets, transaction history, or any financial information on our servers under any circumstance.
5.2. Infrastructure Security
- Self-Hosted Infrastructure: Our backend infrastructure is self-hosted by BLAC LABS AB in Sweden (EEA). We do not use third-party cloud providers (such as AWS, GCP, Azure) for storing or processing user data.
- Transport Encryption: All communications with our website and any backend services are encrypted using TLS 1.2 or higher.
- Security Practices: We implement commercially reasonable administrative, technical, and physical safeguards to protect our infrastructure, including hardware-level access controls, encrypted backups, and network isolation.
5.3. Personal Data Breach Notification
In accordance with GDPR Articles 33 and 34:
- We will notify the Swedish supervisory authority (Integritetsskyddsmyndigheten, IMY) of any personal data breach affecting opt-in notification data within 72 hours of becoming aware of it, except where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- We will notify affected users without undue delay where a breach is likely to result in a high risk to their rights and freedoms.
Because the only personal data we hold is pseudonymous and cannot be linked to individuals by us, the realistic risk profile of any breach is materially lower than for traditional services that hold identifying information.
5.4. Security Disclaimer
No method of electronic transmission or storage is completely secure. While we strive to use commercially reasonable means to protect our infrastructure, we cannot guarantee absolute security. You are solely responsible for the security of your device and your Private Keys and Seed Phrases.
6. Data Retention
6.1. Core Wallet Functions
Because the Wallet's core functions do not transmit any data to BLAC LABS AB, no data is retained by us in connection with your everyday use of the Wallet.
6.2. Opt-In Notification Service Data
Retention is described in detail in Section 2.4. Summary:
| Data | Retention |
|---|---|
| Notification device record (installation identifier, APNs token, preferences, rules) | Until you disable notifications, until your APNs token is invalidated, or 24 months of inactivity — whichever comes first |
| Notification delivery log (de-duplication) | 90 days |
Deletion at all three triggers (opt-out, APNs invalidation, inactivity) is automated and irreversible.
6.3. App Attest Verification Records
Verification records are retained for as long as your installation is active. Inactive records are removed during routine maintenance.
6.4. Website Transient Metadata
We do not persistently log website traffic. Any transient request metadata processed in memory by our infrastructure for TLS termination, routing, or rate limiting is automatically discarded within seconds or minutes of the request and is never written to persistent storage. Accordingly, no retention period applies.
6.5. On-Device Data
All data generated by the Wallet application is stored exclusively on your device. You can delete this data at any time by uninstalling the application. Ensure you have securely backed up your Seed Phrase before uninstalling, as uninstallation will permanently delete locally stored key material.
7. International Data Transfers
7.1. Wallet Core Functions
Because the Wallet's core functions do not transmit personal data to BLAC LABS AB, no international data transfer by BLAC LABS AB occurs.
7.2. Opt-In Notification Data
Our backend infrastructure is self-hosted in Sweden (EEA). No international transfer occurs on our side. Where Apple's APNs service is involved in delivery (Section 4.4), any cross-border processing is conducted by Apple under its own transfer mechanisms in compliance with Chapter V of the GDPR.
7.3. Website
Because we do not persistently log, store, or retain any visitor data, no personal data is transferred internationally by BLAC LABS AB in connection with website visits.
8. Your Rights Under GDPR and Applicable Law
8.1. Your Data Protection Rights
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or another jurisdiction that provides similar data protection rights, you have the following rights with respect to your personal data:
Right of Access (Art. 15 GDPR): The right to request confirmation of whether we process your personal data and to obtain a copy thereof.
Right to Rectification (Art. 16 GDPR): The right to request correction of inaccurate personal data.
Right to Erasure (Art. 17 GDPR): The right to request deletion of your personal data ("right to be forgotten"). For opt-in notification data, this right is exercised in-app simply by disabling notifications, which triggers immediate deletion.
Right to Restriction of Processing (Art. 18 GDPR): The right to request restriction of processing of your personal data.
Right to Data Portability (Art. 20 GDPR): The right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object (Art. 21 GDPR): The right to object to processing of your personal data based on legitimate interests.
Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent (as for opt-in notification data), you may withdraw consent at any time by disabling notifications in the BLAC Wallet, without affecting the lawfulness of processing based on consent before its withdrawal.
Right Regarding Automated Decision-Making (Art. 22 GDPR): BLAC LABS AB does not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.
Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Sweden, the competent supervisory authority is:
Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm, Sweden
Website: https://www.imy.se
Email: imy@imy.se
8.2. Practical Note
Because we hold only pseudonymous opt-in notification data and cannot link it to your real identity, we may be unable to fulfill certain rights requests (e.g., access or portability) unless you provide the installation identifier from your device. We will respond to any valid request in accordance with applicable law and inform you accordingly.
8.3. How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
Email: hello@blaclabs.io
We will respond to your request within one (1) month, or within such longer period as may be permitted by applicable law, and will inform you if we are unable to comply with your request and the reasons therefor.
9. Children's Privacy
The Services are not directed to, and not intended for, individuals under the age of eighteen (18) or the age of legal majority in their jurisdiction, whichever is greater. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact us at hello@blaclabs.io, and we will take steps to investigate and, if appropriate, delete such data.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").
10.1. Categories of Personal Information
In the 12 months preceding the effective date of this Privacy Policy, BLAC LABS AB has collected the following categories of "personal information" as defined by the CCPA/CPRA, only from users who opt into notifications:
| CCPA Category | Collected by BLAC LABS AB |
|---|---|
| Identifiers (name, alias, address, email, phone, IP, account name) | No |
| Personal information categories (Cal. Civ. Code § 1798.80(e)) | No |
| Protected classification characteristics | No |
| Commercial information | No |
| Biometric information | No |
| Internet or network activity (browsing history, search history, interaction data) | No |
| Geolocation data | No |
| Sensory data (audio, visual, etc.) | No |
| Professional or employment-related information | No |
| Education information | No |
| Inferences drawn from other personal information | No |
| Sensitive personal information | No |
| Pseudonymous device identifiers (random installation UUID + APNs token, opt-in only) | Yes — only for users who enable notifications |
| Public blockchain addresses voluntarily provided for account-level notifications (opt-in only) | Yes — only for users who enable account-level monitoring |
10.2. Sale, Sharing, and Use
We do not sell or share personal information for purposes of cross-context behavioral advertising or otherwise. We do not use sensitive personal information for purposes other than as permitted by Cal. Civ. Code § 1798.121.
10.3. CCPA Rights
You may exercise the following rights:
- Right to know what personal information we collect.
- Right to delete personal information (exercised in-app by disabling notifications).
- Right to correct personal information.
- Right to opt out of sale/sharing (not applicable — we do not sell or share).
- Right to non-discrimination for exercising your rights.
For inquiries, contact us at hello@blaclabs.io.
11. Do Not Track Signals
The Wallet application does not track users and therefore does not need to respond to "Do Not Track" or Global Privacy Control (GPC) signals. Our website does not currently respond to "Do Not Track" or GPC signals, as we do not engage in any cross-context tracking, advertising, or sale of personal information.
12. Changes to This Privacy Policy
(a) We may update this Privacy Policy from time to time. Any changes will be posted on our website and/or within the application with a revised "Last Updated" date.
(b) If we make material changes that significantly affect your privacy rights, we will make reasonable efforts to provide prominent notice in advance of such changes taking effect.
(c) Your continued use of the Services after any changes constitutes your acceptance of the revised Privacy Policy, subject to (b).
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
BLAC LABS AB
Data Protection Inquiries: hello@blaclabs.io
General Inquiries: hello@blaclabs.io
Website: https://blaclabs.io