1. Privacy principles
HyskaWallet was built as a non-custodial wallet, so we collect only what is essential to deliver onboarding, compliance tooling, and support without ever touching your assets.
Our practices follow Brazil’s LGPD, the European GDPR, and guidance for virtual asset service providers operating in regulated environments.
- Process data lawfully, transparently, and for explicit purposes explained in this policy.
- Keep personal data adequate, relevant, and limited — no private keys, seed phrases, or transaction payloads leave your device without your action.
- Adopt technical and organisational safeguards proportionate to the sensitivity of each dataset.
2. No registration required
You can explore the mobile apps or web experience without creating an account. We only ask for contact information when you opt in to newsletters, request support, or activate beta programmes that require identification.
3. Private keys stay with you
Wallet generation, recovery, and MPC shares happen on your devices. We do not store or recover private keys, recovery phrases, hardware wallet PINs, or other credential material.
Losing recovery information means we cannot restore access to your assets, so please store backups offline in secure locations.
- Write down and safeguard recovery materials in more than one safe place.
- Use biometrics, device passcodes, and the app’s security checks to protect against unauthorized access.
4. Data we collect
We limit collection to the minimum needed for product stability, compliance, and user support.
Depending on how you interact with HyskaWallet we may process the following categories of personal data:
- Account and preference metadata: email, preferred language, onboarding status, optional referral information, and hashed identifiers used to prevent duplicate registrations.
- Identity verification artifacts (only for regulated plans): document type, issuing country, selfie biometrics, and proof-of-life indicators collected by accredited KYC/KYB providers.
- Device and diagnostics: operating system, device model, app version, crash logs, and security posture checks such as jailbreak/root detection and biometric availability.
- Usage telemetry: aggregated navigation events, feature activation timestamps, risk scoring outputs, and anonymised funnel data to improve clarity of flows.
- Support context: messages, attachments, screen captures, and incident IDs you voluntarily send so our team can assist you.
- Business plan compliance artefacts: invoices, contracts, and corporate documentation required for Know Your Business (KYB) assessments.
5. Legal bases for processing
Each purpose maps to a lawful basis documented in our Record of Processing Activities. The main bases we rely on include:
- Consent: analytics, beta communications, marketing updates, and optional surveys start only after you opt in and can be withdrawn at any moment in the app or email footer.
- Contract performance: maintaining your account, guiding onboarding, and providing recovery assistance require us to process limited personal data.
- Legal obligations: AML/CTF checks, identity verification, and statutory reporting follow Central Bank, CVM, and international requirements.
- Legitimate interests: security logging, fraud prevention, and product analytics help us safeguard the service while respecting your fundamental rights (balancing reviews happen at least annually).
6. Why we process data
We never sell personal data. Processing happens strictly to keep the experience safe, compliant, and understandable.
- Run guided onboarding, wallet recovery flows, transaction simulations, and automated alerts.
- Operate compliance features such as sanctions screening, suspicious activity workflows, and audit exports.
- Send transactional communications, policy notices, and beta invites you requested.
- Improve usability by analysing anonymised usage trends and collecting qualitative feedback.
7. Blockchain transparency
Transactions executed from HyskaWallet interact with public blockchains. Network explorers may expose balances and history associated with your addresses.
We cannot alter or delete information recorded on distributed ledgers. Consider which addresses you reuse and share.
8. Third-party providers
Certain features rely on vetted partners who act as processors or independent controllers. They operate under their own policies and may have geographic restrictions.
- Identity verification partners for KYC/KYB processes store documents only for the legally required period.
- Cloud hosting, analytics, crash reporting, and email delivery services located in Brazil, the EU, or the US operate under Standard Contractual Clauses and confidentiality agreements.
- Payment, on/off ramp, and compliance bureaus supporting AML/CTF obligations under Instruction CVM 617 and BCB Resolution 96.
- Professional advisors (legal, compliance, accounting) engaged under strict confidentiality when needed.
9. Security measures
Personal data is hosted in ISO/IEC 27001 and SOC 2 compliant environments with segmented networks, continuous monitoring, and incident response playbooks.
If we detect or are notified of a breach, we follow regulatory notification requirements and contact affected users when mandated.
- TLS 1.3 for data in transit and AES-256 encryption managed by hardware security modules for sensitive data at rest.
- Least privilege access with mandatory multi-factor authentication, just-in-time approvals, and quarterly reviews.
- Annual penetration tests, continuous vulnerability scanning, and oversight from independent auditors.
10. Retention and deletion
We retain personal data only for as long as necessary to deliver the Services or meet legal obligations. When retention periods expire, data is deleted or anonymised.
- Account and telemetry data: kept while your account is active and up to twelve months after closure for security investigations.
- Identity verification records: typically retained for five years or the duration mandated by regulators, then securely erased.
- Support and compliance tickets: stored up to 24 months unless law or ongoing disputes require a longer period.
11. Your data protection rights
You can exercise rights by emailing privacy@hyskawallet.app or using the in-app privacy center. Response timelines follow LGPD (15 days) or GDPR (one month).
- Access: confirm whether we process your data and receive a copy in portable format.
- Rectification: request correction or update of incomplete or inaccurate data.
- Erasure and restriction: ask us to delete, anonymise, or suspend processing when legally permissible.
- Portability and objection: transfer your data to another provider or object to processing based on legitimate interest.
- Complaints: contact the ANPD or your local supervisory authority if you believe we mishandled your data.
12. Support and communications
When you engage with support, we may collect incident details, contact information, and any attachments you provide. These records stay confidential and help us resolve issues.
Newsletter subscriptions and beta programmes are optional. You can unsubscribe at any time via the link in our emails or inside the app.
13. Children and regional requirements
The Services are not directed at children under 13 years old. If we learn that a minor provided personal data, we delete it promptly.
Local regulations may grant additional rights. We honour stronger protections applicable to your region when they provide greater safeguards.
14. Updates to this policy
We update this policy when practices, technologies, or regulations change. Material updates trigger alerts inside the app, via email (when available), and on privacy.hyskawallet.app.
If you do not agree with the revised terms, you may stop using the Services or contact us to explore alternatives before changes take effect.
