Wallet Extension Privacy Policy

Applies to the Arkena Wallet Chrome extension. For the main Arkena platform privacy policy see /privacy.

1. Who We Are

Arkena (“we”) publishes the Arkena Wallet Chrome extension — a self-custody wallet for the Canton Network. This policy describes what the extension does with your data and how the Arkena backend interacts with the extension.

2. Summary

  • The extension is fully self-custodial.
  • Your seed phrase, private key, and wallet password never leave your device.
  • We do not track your browsing history.
  • We do not sell or share user data.

3. Data Stored Locally on Your Device

The following data is stored in chrome.storage.local (encrypted at rest by Chrome) and is never transmitted to our servers:

  • Encrypted seed phrase and private key — PBKDF2-SHA256 (600,000 iterations) plus AES-GCM-256, derived from your wallet password.
  • Public key and Canton party ID — your on-chain identity.
  • Connected dApp origins — the list of websites you have approved to use the wallet.
  • Address book entries — recipients you have saved.
  • UI settings — network selection, auto-lock interval, NFT preapproval contract IDs.

Session-only data is stored in chrome.storage.session and is cleared when the browser closes:

  • Decrypted session key — held in memory while the wallet is unlocked.
  • Short-lived JWT — backend authentication token.

4. Data Sent to the Arkena Backend

When you use the wallet, the following is transmitted over HTTPS to api.arkena.io:

  • Public Canton party ID — used to query your own balances, NFTs, and notifications.
  • Transaction signatures — produced locally on your device, then submitted by the backend to the Canton ledger.
  • Short-lived JWT — issued via challenge-response after you sign a backend-issued nonce. No password is ever sent.

We do NOT collect or transmit:

  • Browsing history.
  • Page content from the sites you visit.
  • Personal identifiers (email, name, phone) beyond what you voluntarily provide elsewhere on Arkena.
  • Your IP address beyond the standard HTTP request metadata used for rate limiting and DDoS protection.

5. Data Sent to Third-Party Services

None. The extension communicates exclusively with the Arkena backend at arkena.io; token prices and 24-hour change are read from the same backend, not from any third-party API.

6. Permissions — Why We Ask

  • storage — persist your encrypted wallet data on this device across browser sessions.
  • alarms — schedule two periodic background tasks: renewing your Canton TransferPreapproval contract before its 90-day expiry, and polling the unread notification count once per minute.
  • Content script on <all_urls> — inject the standard window.arkena wallet provider on every page so dApps on any domain can detect the wallet via EIP-6963 / CIP-103 discovery. We do NOT read page content; we only expose the provider object.
  • Host: https://*.arkena.io/* — the wallet's backend (auth, transaction prepare/execute, NFT metadata, notifications, rewards, dashboard token prices). Without this no wallet feature works.

7. Limited Use Compliance

We certify that the use of data accessed by this extension is limited to the practices disclosed above. We do not transfer user data to advertisers, data brokers, or any third party for credit assessment, lending, or any other secondary purpose.

8. Security

  • Private key and seed phrase are encrypted with PBKDF2-SHA256 (600,000 iterations) and AES-GCM-256, derived from your wallet password.
  • Brute-force protection: five wrong unlock attempts trigger an exponential cooldown (30 s, 1 min, 5 min).
  • Auto-lock after a configurable inactivity period.
  • Phishing defence: every signing request shows the requesting origin, with iframe detection so a hidden frame cannot piggyback on a trusted parent's URL bar.
  • No eval, no new Function, no remote code loading. Strict Content Security Policy: script-src 'self'; object-src 'self'.

9. Data on Canton Network

Transaction data on the Canton Network benefits from its privacy-first architecture. Unlike most public blockchains, Canton provides sub-transaction privacy — only parties involved in a transaction can see its details.

10. Changes to This Policy

When this policy is updated we will revise the “Last updated” date at the bottom of this page and, where the change is material, notify users from inside the extension.

11. Contact

For privacy-related inquiries, email contact@arkena.io or reach us via X (Twitter) or Telegram.

Last updated: April 2026