Privacy Policy
Effective 2026-05-12 · Loaded (operated by Safe Foundation)
This page describes what the Loaded iOS app and the Loaded co-signer service collect, how we use it, and who else processes it on our behalf. It reflects the system as it actually runs — not a template.
What we collect from you directly
- Email address, when you sign up via email-OTP. Used to authenticate you and to send transactional notices. Stored by our auth provider Privy; we do not store your raw email on our own servers.
- WebAuthn passkey credential (public key only). Stored in your device's Secure Enclave; the public key is shared with Privy and with our co-signer for transaction signing.
- Display name and avatar emoji you set in your profile. Stored on the co-signer to label your account.
- Passcode hash (Argon2id) for the in-app local unlock. The raw passcode never leaves your device.
What the co-signer records about your activity
- Your Safe address and the chain it lives on.
- Audit log of signing events: every transaction the co-signer participates in, including the timestamp, calldata hash, and the rule decisions. Used for forensic integrity (tamper-evident hash chain) and to enforce per-Safe send limits.
- Recovery state: registered guardians, active recovery requests, and the kit signatures that approved them.
- Notification inbox: notifications dispatched to you (recovery events, deposits) so you can re-read them in the app.
- Device push token, when you opt into notifications. Used solely to deliver pushes via Apple APNs; never shared.
What we deliberately do NOT collect
- Your private keys. They never touch our servers; Privy holds the embedded wallet key, your device holds the passkey, and your NFC Recovery Kit cards hold the recovery key.
- Your IP address as a persistent record. Our HTTP access logs retain IPs for a short window for abuse detection only.
- Location, camera, microphone, contacts, or photo-library data. Loaded does not request these permissions.
Third parties that process your data on our behalf
- Privy — authentication, embedded wallet, passkey credential storage.
- Pimlico — ERC-4337 bundler and paymaster for transaction submission. Receives public Safe addresses and signed UserOps; no PII.
- Dune SIM — blockchain balance and activity indexing. Receives public Safe addresses to subscribe to; no PII.
- PostHog — product analytics, when enabled. Events are pseudonymous (keyed to a per-Safe distinct ID, not your email).
- Apple APNs — push notification delivery. Receives device tokens and notification payloads.
- Candide — open-source SocialRecoveryModule smart contracts (no service relationship; addresses are CREATE2-deterministic on-chain).
- Monerium EMI ehf. — Iceland-regulated Electronic Money Institution. If you link a Monerium account inside Loaded to receive EUR via SEPA, Monerium issues a personal IBAN bound to your Safe and credits inbound transfers as EURe (e-money on Base). Monerium handles your KYC directly via a portal handoff; Safe Foundation never sees the KYC data you submit (name, ID document, address, source of funds). Subject to Monerium's own privacy policy and terms.
Monerium EUR e-money services
If you enable the EUR account surface inside Loaded, Monerium EMI ehf. — regulated by Iceland's Financial Supervisory Authority under the Electronic Money Institutions Act — provides the underlying service. Inbound SEPA payments to your personal IBAN are credited as EURe (1 EURe ≈ €1, MiCA-compliant e-money). EURe is not a bank deposit, is not protected by any deposit-insurance scheme, and does not pay or accrue interest. Redemption at par is requested through Monerium and settles via SEPA back to a bank account in your name. Disputes about your e-money account are handled by Monerium.
On-chain visibility
Your Safe address, its balance, and every transaction it makes are public on the Base mainnet blockchain. Anyone can see them, including parties unrelated to Loaded. This is true of every Ethereum-based wallet, not a Loaded-specific disclosure.
Retention
- Audit log entries are retained indefinitely as a forensic record of co-signer activity.
- Recovery request records are retained indefinitely.
- Notification inbox entries are retained indefinitely so you can re-read them.
- Rolling-24h send activity records are pruned after the window expires.
- Access logs (including transient IP records) are retained for 30 days.
Your rights
To request deletion of your co-signer-side records or export of your activity history, email contact@safefoundation.org. Note that we cannot delete on-chain records — those live on the Base mainnet blockchain and are outside any single party's control.
Changes to this policy
Material changes will be announced via in-app notification and an updated effective date at the top of this page. The full revision history is committed publicly to our source repository.
Contact
Questions about this policy or your data: contact@safefoundation.org.