Privacy Policy

TL;DR

Loroco does not collect, sell, or share your personal information. We never have access to your private keys, mnemonic (seed) phrase, or wallet password. The signing key lives inside a WebAssembly engine on your device and never leaves it. Every transaction is approved by you, per call.

1. Who we are

Loroco is an open-source Chia (XCH) browser-extension wallet (Manifest V3), built on a WASM fork of Sage. This policy describes how the Loroco extension handles information. Questions? Open an issue at github.com/MarvinQuevedo/loroco.

2. What we do not collect

Loroco is designed to minimize data exposure. We do not collect, transmit, or store any of the following:

Your private keys, master secret key, or mnemonic (seed) phrase — these are held inside the sage-wasm signing engine and never leave your device.
Your wallet unlock password — you supply it each browser session; it is never persisted or transmitted.
Personally identifiable information (name, email, phone, IP, physical address).
Your browsing history, the content of pages you visit, or behavioral analytics/telemetry.

There are no advertising trackers, and no data is sold or rented to third parties.

3. Data stored locally on your device

To work as a wallet, Loroco stores the following only on your own device (via the browser storage API). None of it is sent to us:

Encrypted keychain blob

So your wallet survives between sessions. Encrypted at rest; decryptable only with your password.

Public addresses & balances

To display your XCH, CAT and NFT holdings.

Connected dApp sites & permissions

To remember which sites you authorized to connect — stamped per origin.

Watched assets, offers, settings

To restore your preferences and pending offers across sessions.

Cached token / CAT metadata

To show token names and icons without re-fetching every time.

You can erase all of it any time by removing the extension or clearing its storage in your browser.

4. Network requests

To interact with the Chia blockchain, Loroco sends requests to public infrastructure. Each request carries only what the action you requested needs (e.g. a public address to read a balance, or a transaction you approved to be broadcast):

Chia full-node / blockchain APIs (e.g. coinset.org) — read balances, sync coin state, broadcast approved transactions.
Offer & metadata services (e.g. dexie, TibetSwap) — token metadata and making/taking/looking up offers when you choose to.

These third-party services have their own privacy policies; we don't control them.

5. Permissions Loroco requests

Loroco requests only the permissions needed for its single purpose — being a Chia wallet:

storage — save your encrypted wallet and settings locally.
alarms — periodically refresh balances and blockchain state in the background.
tabs — match a connection/approval request to the right site and open the approval window.
Host permissions — inject the window.loroco / window.chia provider into pages so Chia dApps can request a connection. Every sensitive action still requires your explicit, per-request approval inside the extension.

Loroco does not download or execute remote code. All executable code, including the WebAssembly signing engine, ships inside the extension package. Nothing fetched over the network is evaluated as script.

6. How transactions and approvals work

Loroco is non-custodial: you, and only you, control your funds. Every transaction, signature, or offer requested by a connected website must be explicitly approved by you in Loroco's approval dialog before anything is signed. We cannot move, freeze, or recover your funds, reset your password, or recover your seed phrase.

7. Children

Loroco is not directed to anyone under 18, and we do not knowingly collect data from children.

8. Changes to this policy

We may update this policy to reflect changes in the extension or applicable law. Changes take effect when posted on this page; the "Last updated" date above marks the latest revision.

9. Contact

Questions, concerns, or data requests: open an issue at github.com/MarvinQuevedo/loroco.