HobaWallet Privacy Policy
Last updated: 2025-09-13
This policy describes how HobaWallet (the “Extension”) handles your data.
What the Extension does
- Injects an Ethereum provider into web pages (for dapps) and exposes discovery via EIP‑6963.
- Lets you create or import a wallet and sign transactions/messages.
- Optionally connects to third‑party RPC endpoints and WalletConnect relays to interact with blockchains and dapps.
Data the Extension stores locally
- Encrypted wallet vault (seed phrase/private keys) in the browser using IndexedDB. The encryption password is never sent anywhere.
- User settings (theme, networks, UI preferences) in IndexedDB and Chrome storage.
- Session info (e.g., selected account, current chain) in Chrome storage to improve UX.
All sensitive material (seed/private keys) stays on your device and is encrypted at rest. The Extension does not transmit your keys to any server.
Data the Extension may send
To function, the Extension performs network requests to:
- Blockchain RPC endpoints (e.g., JSON‑RPC URLs you configure or defaults). These services will see your IP address and the on‑chain requests you make (e.g., eth_call, eth_sendRawTransaction).
- WalletConnect relay when using WalletConnect. The relay transports encrypted payloads between your wallet and the dapp. The relay provider may see metadata such as IP and timing information.
- Optional NFT/ENS APIs when you enable related features. These providers may require API keys and will see your IP and the queries made.
Token logos and images
- The portfolio and token management views may fetch token logos via public Token Lists (CoinGecko and PancakeSwap). The lists provide logoURI fields that point to third‑party image hosts (commonly https://assets.coingecko.com, https://coin-images.coingecko.com, and https://tokens.pancakeswap.finance). If a token is not found in these lists, the Extension may query the CoinGecko API to look up a logo by chain and contract address.
- What is sent: the browser requests the image URL in the logoURI; when using the CoinGecko API fallback, it sends the chain’s platform slug (e.g., binance-smart-chain) and the token contract address to https://api.coingecko.com. Your IP address is visible to these hosts. No wallet seed, private keys, balances, or identifiers are sent.
- Authentication: if you configure a CoinGecko Pro API key, requests to api.coingecko.com include the x-cg-pro-api-key header. The key is only used for these API calls and is not shared with other services.
- Referrer: the Extension sets referrerPolicy=no-referrer on these image requests to avoid sending the extension page URL as a referrer.
- Accuracy: third‑party logos may be incomplete or outdated. When a logo is unavailable, a non‑identifying fallback icon is shown instead.
- Choice: if you prefer not to load remote logos, you may block these domains at the network level (e.g., uBlock, firewall) or use the Extension in an environment that restricts external image requests. Core wallet functionality does not depend on remote logos.
These third parties have their own privacy policies. You can choose different RPC endpoints/providers in Settings.
Data sharing
The Extension does not collect, sell, or share personal information. It does not run analytics or send telemetry.
Permissions rationale
- Storage: save encrypted vault and settings.
- Offscreen: keep request handling running without the popup open.
- Alarms: schedule occasional state broadcasts for reliability.
- Tabs (optional): used only to improve event delivery (hydrating refreshed tabs) and to open the popup fallback if window creation fails. The Extension works without this permission.
- Content script on http/https: inject the Ethereum provider for dapps to connect. No host permissions are requested beyond the content script match patterns.
Your choices
- You can remove accounts or clear settings at any time from the UI.
- You can uninstall the Extension to remove it from your browser. Local data may persist until browser data is cleared.
Contact
For questions or requests regarding this policy, open an issue on the project’s GitHub repository.