Shield data policy

What we collect, what we don't, what a subpoena returns.

One plain-English page. No lawyer-speak. If anything on this page turns out to be false in practice, that is grounds for you to uninstall Shield and tell everyone you know. We publish a monthly signed warrant canary so you can check this hasn't changed.

Last updated: 2026-04-17 · Applies to: Zoza Shield browser extension v0.2+ and api shield-api.zoza.world · Client SDK open-source: github.com/CoreCogitAI/shield-js-sdk (MIT); backend source-available under NDA

At a glance

Category	Sent to Zoza?	Retention
Wallet addresses, private keys, seed phrases Any form, any chain.	Never	We never see or touch these. They stay in your wallet.
Transaction contents / signatures you sign After our modal, signing happens inside your wallet.	Never	The modal's decision is local. We don't receive the signed payload.
Your approval ledger The list of approvals you've granted, shown in the popup.	Local only	Stored in `chrome.storage.local` on your device. Deleted when you uninstall.
Clipboard hashes (for clipboard guard) SHA-256 of addresses you copied.	Local only	In-memory + `chrome.storage.local`. Auto-deleted after 5 minutes.
URL lookups "Is this domain in the phishing registry?"	Yes, minimally	Only the domain (not full URL, not query params) is sent. We log the request count per domain-hash for 7 days, then delete. See below.
Phishing reports you submit When you click "Report phishing" in the popup.	Yes	Domain + your optional comment + a rotating reporter token (not your IP, not your wallet). Kept for 90 days while investigators assess.
Our phishing + verified-dApp registry	Public	Fully public, hash-chained, signed. Verify here.
Telemetry / analytics events "feature_used", click counts, etc.	None shipped	Shield does not emit telemetry. No Google Analytics, no Sentry, no Mixpanel, no PostHog. If we add any in the future, it will be opt-in with an explicit toggle AND an entry in the audit log.
IP address	At request time	Our CDN (Cloudflare) logs IPs for DDoS protection. Logs are rotated in 72 hours and never joined to any Shield-specific identifier.

How URL lookups stay private

The extension does need to ask our server "is example.com in the phishing registry?" That query is unavoidable for the core defense. Here's how we minimize what we learn:

We never receive the full URL, only the hostname. https://example.com/wallet?k=secret becomes example.com.
The extension caches registry snapshots for offline lookup. Most of your browsing does not trigger a server hit.
Request count per domain is aggregated across all users before logging — we never record "user X visited domain Y".
The raw request log is rotated in 7 days. Only anonymous aggregate stats survive longer.
You can audit the exact request → response shape in the extension source: background.js: checkURL().

What a subpoena would return

What we must hand over if compelled

Aggregated URL-lookup counts per domain for the last 7 days (not per-user).
Phishing reports submitted via the popup, for the last 90 days — with rotating reporter tokens, not IPs.
Cloudflare access logs for the 72-hour retention window — IPs and request paths to shield-api.zoza.world. These are joinable to a user only by timing correlation, not by any identifier we hold.
Our source code, build infrastructure, and the registry itself (all already public).

What is not possible to hand over

Your approval history. It is on your device.
Your clipboard. We never see it.
Your wallet addresses, seeds, private keys, signed transactions.
A map of "which user visited which dApp." We do not keep that association.
The decisions you made in the Shield modal. Local only.

If we receive a subpoena we believe is unlawful, illegitimate, or overbroad, we will challenge it. We publish a monthly warrant canary stating we have not received a National Security Letter or its equivalent. If that canary stops appearing, treat it as signal.

How to verify every claim above

You do not have to trust us. Every claim is verifiable:

Claim	How to verify
Extension doesn't send wallet data	Open Chrome DevTools → Network while you use a dApp. Only `shield-api.zoza.world` receives traffic, and only `/v1/check` (domain string) and `/v1/registry` (snapshot download) appear.
Approval ledger is local-only	Request source access (email security@zoza.world), open `products/zoza-shield/extension/background.js`. Search for `RECORD_APPROVAL` — every handler writes to `chrome.storage.local`, nothing network. Public GitHub link lands with the open-source release.
Installed extension matches the source	Run `bash scripts/shield-build.sh` from the tagged commit (source available on request). Compare SHA-256 against the release notes published on the warrant canary.
Registry hasn't been tampered	Open the audit verifier. Paste the public root key. Verify the hash chain in your browser with no trust in our server.

When this page changes

Every change to this page corresponds to a signed entry in the audit log with action retention_policy_update. If the live text on this page contradicts the last signed audit entry, the live text is wrong and should not be trusted.

Major changes (adding telemetry, new data collected, retention lengthened) will be announced 30 days in advance via a blog post and a warrant-canary-adjacent signed statement.

Contact

Security issues: security@zoza.world (PGP key at /.well-known/security.txt).
Privacy questions: privacy@zoza.world.
Law enforcement: legal@zoza.world. Valid process only — informal requests receive a copy of this page.