TokoMask

Privacy Policy

Last updated: June 2026

1. Overview

TokoMask ("we," "us," "our") is a self-custody, non-custodial Web3 browser wallet extension. This Privacy Policy describes our data practices for the TokoMask Chrome extension and the TokoMask website at tokomask.com. The short version: TokoMask collects no personal data, no usage analytics, and no telemetry. Your wallet keys, seed phrase, and passwords never leave your device.

2. Information We Do Not Collect

TokoMask does not collect, store, transmit, or have access to any of the following:

- Your name, email address, or any personal identifier.
- Your seed phrase or private keys — these are generated on your device, encrypted locally, and never sent to any server.
- Your wallet password or PIN — used locally only and never transmitted or stored in plaintext.
- Your wallet address or balance — we do not log which addresses you own.
- Your transaction history — transactions are broadcast directly from your browser to the configured RPC endpoint.
- The web pages you visit — the content script injects a provider bridge only and does not read or transmit page content.
- Your IP address or location — TokoMask makes no connections to TokoMask-operated servers.
- Crash reports or error logs — the extension contains no crash reporting or analytics SDK.

3. Data Stored Locally on Your Device

All data created or used by TokoMask is stored exclusively in Chrome's local extension storage (chrome.storage.local) on your own device. This includes:

- Your encrypted wallet vault (AES-256-GCM, PBKDF2 with 600,000 iterations; encrypted before it is written to storage).
- Network configurations you have added (stored in plaintext; they contain no secrets).
- Per-origin dApp connection permissions (public addresses only).
- The active chain ID.
- Your auto-lock timeout setting.

This data is never backed up to the cloud, synced across devices, uploaded to TokoMask servers, or accessible to the TokoMask team.

4. Network Requests

TokoMask makes outbound network requests only to the RPC endpoint configured for the active network — for example, https://rpc.mosscan.com for Clubmos Mainnet, or any custom RPC URL you add. These are standard blockchain JSON-RPC calls (eth_getBalance, eth_sendRawTransaction, etc.). The RPC provider you use can observe your source IP and queried addresses; if you prefer privacy, configure a self-hosted RPC in Settings → Networks. TokoMask makes no calls to analytics services, crash reporters, TokoMask-operated APIs, price oracles, or any CDN. All code ships bundled with the extension — no remote code is ever loaded.

5. How the Content Script Works

TokoMask includes a content script that runs on every web page. This is required by the EIP-1193 Web3 provider standard to inject window.ethereum before dApp JavaScript runs. The content script injects a thin provider bridge, forwards provider requests from dApp code to the TokoMask service worker, and returns responses. It does not read page content, observe browsing history, transmit any page data to TokoMask or third parties, or inject advertisements.

6. Third-Party Libraries

TokoMask uses audited, permissively licensed open-source cryptographic libraries that operate entirely on your device:

- @scure/bip39 and @scure/bip32 for mnemonic and HD key derivation (MIT);
- @noble/secp256k1 and @noble/hashes for elliptic curve signing and hashing (MIT);
- @metamask/browser-passworder for AES-256-GCM vault encryption (MIT);
- viem for EVM JSON-RPC calls (MIT);
- ethers for HD wallet derivation (MIT).

None of these libraries collect data, and none make network requests other than the JSON-RPC calls to your configured RPC endpoint described in Section 4.

7. Children's Privacy

TokoMask is not directed at children under 13. We do not knowingly collect personal information from children. Since we collect no personal information from anyone, no special handling is required — however, using a cryptocurrency wallet involves financial risk that is not appropriate for minors without adult supervision.

8. Data Security

Your wallet vault is protected by AES-256-GCM encryption and PBKDF2 key derivation with SHA-256 and 600,000 iterations, making brute-force attacks computationally expensive. Because TokoMask operates no servers, your vault cannot be stolen from our infrastructure — it does not exist there. Auto-lock re-encrypts your vault after a configurable idle period (default 15 minutes). The security of your wallet ultimately depends on the strength of your password and the safekeeping of your seed phrase. TokoMask cannot recover a lost seed phrase.

9. Your Rights

You may stop using TokoMask and remove the extension at any time. Since your keys live on your device, uninstalling removes your local wallet data — always back up your recovery phrase first. This policy is written to align with the principles of the GDPR and CCPA. Since TokoMask processes no personal data, there is no personal data to access, correct, port, or erase. We do not sell personal information because we collect none.

10. Changes to This Policy

If we materially change this policy we will update the "Last updated" date. Material changes would only occur if new features involved data collection — in which case we would describe those changes clearly and obtain consent where required by law. We will not reduce your privacy protections without explicit notice.

11. Contact

Questions about this policy can be sent to privacy@tokomask.com.