Kyoto collects nothing. No analytics, no telemetry, no IP logging, no usage tracking. We use anonymous authentication tokens (VOPRF) — we cannot identify or distinguish users even if compelled to.
What we collect
Nothing. Kyoto does not include any analytics, crash reporting, telemetry, or tracking code. We do not log IP addresses. We do not use cookies. We do not fingerprint browsers. There is no user account, no email address, and no identifier tied to your wallet.
Kyoto uses Verifiable Oblivious Pseudorandom Function (VOPRF) tokens for authentication with backend services. These tokens are cryptographically unlinkable — the server that issues a token cannot connect it to the request that redeems it. This means we have no way to distinguish one user from another, even across our own infrastructure.
What stays on your device
All sensitive data lives exclusively on your device:
- Private keys (MobileCoin and Ethereum)
- Recovery phrase (24 words)
- Transaction history
- Wallet balances
- Connected dApp sessions
- Settings and preferences
Private keys are encrypted in chrome.storage.local using AES-256-GCM. The encryption key is derived from your PIN via Juicebox hardware security modules — it never exists on our servers. When the wallet locks, all key material is securely wiped from memory.
Fog-based transaction scanning
To detect incoming MobileCoin transactions, Kyoto queries MobileCoin Fog servers operated by the MobileCoin Foundation. These queries are encrypted end-to-end using the Noise NX protocol with Intel SGX attestation.
The Fog server processes your search keys inside a secure enclave. It cannot see your address, your balance, or your transaction history. It returns encrypted results that only your wallet can decrypt. This is how Kyoto syncs in seconds without downloading the blockchain — and without revealing anything to the server.
Juicebox PIN recovery
Your wallet's recovery secret is split across three independent hardware security modules (HSMs) operated by Juicebox. No single HSM — and no one at Kyoto or Juicebox — can reconstruct your PIN or your recovery secret.
Recovery requires your PIN and cooperation from at least two of the three HSMs. After five incorrect PIN guesses, recovery is permanently locked. This is enforced by the HSMs themselves, not by software.
Ethereum RPC calls
Kyoto connects to public Ethereum RPC endpoints (Alchemy, Ankr, and others) to query balances, estimate gas, and submit transactions. These calls necessarily include your wallet address but not your identity.
You can configure a custom RPC endpoint in Settings to route Ethereum traffic through your own infrastructure.
Third-party services
- MobileCoin Fog — encrypted transaction scanning via SGX enclaves
- Juicebox — PIN recovery HSM infrastructure (threshold cryptography)
- Ethereum RPC providers — blockchain queries and transaction submission
- CoinGecko — price data for USD conversion (no user data sent)
No analytics providers. No ad networks. No data brokers. No social media trackers.
What we share
Nothing. We have no data to share.
Data deletion
Uninstall the extension. All data is stored locally in Chrome's extension storage and is deleted when the extension is removed. There is no server-side account to delete, no data retention policy to wait out, and no deletion request to file.
Changes to this policy
If we ever change this policy, the updated version will be posted here with a new effective date. Given that our policy is "we collect nothing," we don't anticipate meaningful changes.
Contact
Questions about this policy: privacy@antelopeswap.com