Privacy Policy

Last updated

mallow labs LLC (“mallow,” “we,” “us,” or “our”) values your privacy. This Privacy Policy describes what information we collect when you use the mallow wallet mobile application (the “App”) or visit wallet.mallow.art (the “Site,” and together with the App, the “Services”), how we use it, with whom we share it, and the choices and rights you have. By using the Services, you agree to the practices described in this Privacy Policy.

This document is a wallet-specific policy. It is not the privacy policy for the mallow marketplace at mallow.art, which is governed separately.

1. Who we are

The data controller is:

  • mallow labs LLC
  • 30 N Gould St Ste R, Sheridan, WY 82801, USA
  • Privacy contact: legal@mallow.art

2. App privacy at a glance (Apple App Store nutrition)

The categories below mirror Apple’s App Privacy disclosures — and the Google Play Data Safety form, which carries the same answers — so you can see at a glance what the App does and does not collect.

| Category | What we collect | Linked? |
|---|---|---|
| Data Used to Track You | None | |
| Contact Info — Name | Display name on your profile, if you set one | Linked |
| Contact Info — other (email, phone, address) | None | |
| Identifiers — User ID | Your public wallet address. Used for authentication, push notification routing, scrubbed diagnostics keying, and standard server logs. | Linked |
| Identifiers — Device ID / Advertising ID | None — we do not read IDFA, IDFV, or any advertising identifier | |
| User Content — Photos or Videos | Avatar images you upload to your profile, and any image you choose to mint as an NFT. NFT mint images are stored publicly on IPFS and are permanent. | Linked |
| User Content — other | Bio, social links, and NFT mint metadata (title, description, royalty configuration) you provide | Linked |
| User Content — emails, audio, customer support, gameplay | None | |
| Diagnostics — Crash Data | Stack traces from caught and uncaught exceptions, with seed phrases, private keys, PINs, bearer tokens, and raw wallet addresses scrubbed before transmission. Sent to mallow’s self-hosted error-tracking service — no third-party processor. | Linked |
| Diagnostics — Performance Data | A 10% sample of transaction timings and span data, scrubbed on the same rules as crash data | Linked |
| Diagnostics — other | Breadcrumbs and informational log entries the App emits while running, scrubbed on the same rules | Linked |
| Financial Info | None — we never receive your seed phrase, private keys, payment cards, or account credentials. Token balances and holdings are read from public blockchains on your behalf and are not collected or retained by mallow. | |
| Health & Fitness | None | |
| Location | None | |
| Sensitive Info | None — we do not solicit sensitive categories; please do not put them in your bio | |
| Contacts (OS address book) | None | |
| Browsing History | None — marketplace browsing is not retained against your wallet | |
| Search History | None — marketplace search is not retained against your wallet | |
| Purchases | None — there are no in-app purchases | |
| Usage Data | None — we do not run product analytics on the App or this Site | |
| Surveys, Environment Scanning, Other Data | None | |

On “Linked”. The wallet address is the de facto account identifier across mallow infrastructure. Even when individual data points (a redacted identifier in a crash report, a push token paired with a session) are themselves anonymized, they remain Linked because the same authenticated wallet session ties them to your wallet address. We chose to disclose this plainly rather than fragment the row.

On diagnostics destination. Crash, performance, and breadcrumb data are sent to mallow’s self-hosted error-tracking service running on mallow infrastructure. They are not shared with Sentry, Firebase Crashlytics, or any other third-party processor.

On Reown social sign-in. If you create a wallet via Google or Apple sign-in, the third-party identity provider receives your authentication signals. Your social-account email and password do not reach mallow. See Section 3.4 and Section 4 for what Reown itself handles.

3. Information we collect

3.1 Information stored only on your device

The following is created and stored locally on your device. It is never transmitted to mallow:

  • Your recovery phrase (12 or 24 words) and derived private keys, held in iOS Keychain or Android Keystore
  • Your PIN and biometric-unlock preferences
  • Your address book entries — nicknames you assign to wallet addresses for sending
  • Your wallet labels and account nicknames
  • Your watchlist and favorites (artworks, tokens, artists)
  • Your app preferences, including theme, currency, chain toggles, push toggle, and biometric preference

These never sync to mallow servers and are not included in any remote backup. iOS Keychain items used for the seed phrase and private keys are stored at the kSecAttrAccessibleWhenUnlockedThisDeviceOnly accessibility level, which is not backed up to iCloud.

3.2 Information generated automatically when you use the App

  • Public wallet addresses for the chains you use (Solana, Ethereum, Tezos)
  • On-chain activity initiated by you (transactions, balance reads, swap quotes). On-chain activity is by nature public and visible on the underlying blockchain
  • Push notification token, if you grant push permission, registered with our notification service so we can deliver app notifications
  • Diagnostic data — crash reports, a 10% sample of performance traces, and breadcrumb log entries — scrubbed of seed phrases, private keys, PINs, bearer tokens, and raw wallet addresses before transmission. This data is sent to a mallow-operated, self-hosted error-tracking service running on mallow infrastructure. It does not reach Sentry, Firebase Crashlytics, or any other third-party processor.

3.3 Information collected on this Site

wallet.mallow.art does not use cookies, run analytics, or load any third-party scripts. Your browser may transmit standard HTTP request metadata (IP address, user agent, referer) to Cloudflare, our hosting provider, for the purpose of delivering the Site. See our Cookie Policy.

3.4 Information from third-party sign-in (optional)

If you create a wallet using social sign-in (Google or Apple) via Reown AppKit, the third-party identity provider will share authentication signals necessary to create your embedded wallet. mallow does not receive your social-account email, identifier, or password. The sign-in provider’s privacy policy and Reown’s privacy policy each apply to the data they handle.

4. Third-party services

The App relies on the third-party services listed below. Each has its own privacy practices, which apply to data they receive. We have configured the App to share only what is necessary to provide the feature.

mallow operates its own diagnostics service on its own infrastructure; no third-party error-tracking processor is used.

| Service | Used for | What it receives |
|---|---|---|
| Helius | Solana RPC + indexer (balances, prices, transaction broadcast) | Your wallet’s public addresses, queried token mints, transactions you sign and broadcast |
| Firebase Cloud Messaging (Google) | Push notification delivery | Device push token; the content of notifications |
| Reown AppKit | Optional social sign-in (Google/Apple) for embedded wallet | Your social-account identifier as needed to provision an embedded wallet |
| Jupiter | Token swap quotes and routing on Solana | Wallet address, input/output token mints, amounts |
| IPFS (pin.mallow.art) | NFT metadata pinning when you mint | Public NFT metadata you submit |
| mallow API (api.mallow.art) | Marketplace data displayed in the App; first-party — operated by mallow | Public wallet address; query parameters for content you browse |
| Cloudflare | Hosting and CDN for wallet.mallow.art and our APIs | Standard request metadata (IP, user agent) |

We do not sell, rent, or trade your information.

5. How we use information

We use the limited information we collect to:

  • Operate, maintain, and secure the Services
  • Deliver push notifications you have opted into
  • Diagnose crashes and improve reliability via scrubbed diagnostic reports sent to mallow’s self-hosted error-tracking service
  • Communicate with you when you contact us
  • Comply with legal obligations and enforce our Terms of Service

We do not perform behavioral advertising, do not build advertising profiles, and do not use your information to train AI models.

6. How long we keep data

  • On-device data (seed phrase, keys, PIN, preferences): retained on your device until you uninstall the App or wipe the device
  • Push tokens: retained while the App is installed; revoked when you uninstall or disable push
  • Diagnostics (crash reports, performance traces, breadcrumbs): retained on mallow’s self-hosted error-tracking service for up to 90 days, accessible only to authorized mallow engineers, and pruned on a rolling basis
  • Site request logs: retained by Cloudflare per its standard logging retention

7. How we share information

We share information only as described in this Policy. Specifically:

  • Service providers listed in Section 4, only to provide the Services
  • Legal disclosures when required by law, lawful process, or to protect the rights, property, or safety of mallow or others
  • Business transfers in the event of a merger, acquisition, or sale of assets, in which case we will notify you and provide reasonable notice before your information becomes subject to a different policy

8. Your choices and rights

You can:

  • Decline push notifications in your device settings
  • Disable optional social sign-in by creating a wallet from a seed phrase instead
  • Delete the App to remove all on-device data; this is irreversible — we cannot recover your wallet for you
  • Contact us at legal@mallow.art for any request not handled by the controls above

9. EEA and UK users (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to personal data we hold about you, subject to applicable law:

  • Access — confirm whether we process your personal data and request a copy
  • Rectification — correct inaccurate data
  • Erasure — request deletion in certain circumstances
  • Restriction — limit how we use your data
  • Objection — object to processing based on legitimate interests
  • Portability — receive your data in a portable format
  • Withdraw consent at any time where consent was the basis for processing
  • Lodge a complaint with your local data protection authority

Lawful bases. Where we rely on a legal basis under Article 6(1) GDPR, it is one of the following: performance of a contract (operating the wallet you asked to use), legitimate interest (security, crash reporting, fraud prevention), legal obligation, or consent (push notifications, optional features).

International transfers. Some of our service providers are based in the United States. We rely on appropriate transfer mechanisms (Standard Contractual Clauses or equivalent) where required.

EU representative. If you require an EU representative under Article 27 GDPR, please contact us at legal@mallow.art and we will provide current designation information.

To exercise any right, email legal@mallow.art. We will respond within the timeframes required by applicable law.

10. California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what categories of personal information we collect, the purposes, and the categories of recipients
  • Access the specific pieces of personal information we hold about you
  • Delete personal information, subject to legal exceptions
  • Correct inaccurate personal information
  • Opt out of sale or sharing of personal information for cross-context behavioral advertising
  • Limit use of sensitive personal information
  • Non-discrimination for exercising your rights

We do not sell personal information and we do not share personal information for cross-context behavioral advertising. Because the Site uses no cookies and no analytics, there is nothing to opt out of with respect to this Site.

To exercise California rights, email legal@mallow.art with the subject “California Privacy Request.” We will verify your request using the wallet address you provide and respond within the statutory timeframe.

11. Children’s privacy

The Services are intended for users 18 years of age or older, or the age of majority in their jurisdiction, whichever is greater. We do not knowingly collect personal information from anyone under 13 (or under the equivalent age in jurisdictions outside the United States). If you believe a child has provided us with personal information, contact us at legal@mallow.art and we will delete it promptly.

12. Security

We design the App to minimize data exposure: your seed phrase is encrypted at rest using your device’s secure enclave, never transmitted to mallow, and not visible to any cloud backup. Network requests use TLS. We follow industry-standard practices to protect the limited data we do receive.

No system is perfectly secure. You are responsible for protecting your device, your seed phrase, and the access methods you use to unlock the App. See our Security guide for recommended practices.

13. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects when changes took effect. Material changes will be surfaced in the App or on the Site. Your continued use of the Services after changes take effect constitutes acceptance of the updated Policy.

14. Contact

Questions about this Privacy Policy or our handling of your information?