SUBFROST is a self-custodial Bitcoin and alkanes wallet from Subzero Research Inc., available as a browser extension and as mobile apps for iOS and Android. This policy covers all three. Where a practice applies only to one product, or only to an optional feature you choose to turn on, we say so.
Keys stay on your device
Your recovery phrase, private keys, and PIN are generated and stored only on your device, and all signing happens on your device. They are never transmitted, uploaded, escrowed, or shared with us or anyone else. We cannot access your funds and cannot recover your wallet if you lose your recovery phrase.
What leaves your device (core wallet)
To work as a Bitcoin wallet, SUBFROST connects to SUBFROST-operated infrastructure over an encrypted, certificate-pinned connection to: read block heights, balances, and UTXOs for your wallet's public Bitcoin addresses; fetch swap/AMM quotes; and broadcast transactions you have signed. The only wallet-specific information that leaves your device is your public Bitcoin addresses and signed, encrypted transaction data. Public addresses are, by the nature of Bitcoin, already visible on the public blockchain. The browser extension also reads recommended Bitcoin fee rates from a public endpoint (mempool.space); no address or account information is sent in that request.
Backups of your wallet
- Browser extension: your encrypted keystore is stored only in your browser's local extension storage. We never receive it. Removing the extension deletes it — back up your recovery phrase first.
- iOS: if you enable iCloud Keychain, your encrypted keystore entry syncs to your other Apple devices through Apple's end-to-end-encrypted iCloud Keychain. The entry is encrypted; Apple cannot read it, and neither can we. You can turn off iCloud Keychain in iOS Settings.
- Android: you can optionally back up your encrypted keystore to your own Google Drive. This is off by default and requires your Google sign-in plus a biometric check. The keystore is encrypted with your password before it is uploaded; we never receive it.
Notifications
- Browser extension: optional local notifications (e.g., “transaction sent”) shown by your browser. Off by default; nothing is sent to us or any third party to produce them.
- iOS: if you enable notifications, the app registers with Apple Push Notification service (APNs) and sends the resulting device token to SUBFROST infrastructure so we can alert you to events such as wrap/unwrap progress and incoming WalletConnect requests. The token is opaque to Apple and contains no wallet data.
- Android: on devices with Google services, notifications use Firebase Cloud Messaging (FCM); the FCM device token is shared with Google as the delivery transport and registered with SUBFROST infrastructure. On devices without Google services, a local background service is used instead and no token is sent to Google.
Device integrity
To protect you against tampered or repackaged builds, the apps verify their own integrity. On Android this is a local measurement of the app's own code; nothing is sent off the device. On iOS the app uses Apple's App Attest to attest the device to SUBFROST infrastructure when you first sign in; App Attest does not create a tracking identifier and its key never leaves your device.
Connecting to web applications
SUBFROST lets you connect to alkanes web applications. In the browser extension, a provider is injected into pages so sites can request your public accounts or ask you to sign; the extension stores the connected site's origin locally and does not read page content. On mobile, you can pair with sites via WalletConnect; the paired site's origin, a session key, and the relay address are stored locally on your device, and encrypted session frames are routed through SUBFROST's relay (wc.subfrost.io), which never sees plaintext or your keys. Every connection and every signature request requires your explicit approval.
Cross-chain swaps (optional)
If you use the optional cross-chain swap feature, SUBFROST routes your request through a third-party exchange provider (SimpleSwap) via our infrastructure. To create a swap, your destination and refund wallet addresses, the assets and amount, and (once settled) the on-chain transaction hashes are shared with the provider to execute the exchange. No email, identity, or KYC information is shared for cross-chain swaps. This feature is off by default.
SUBFROST Pay (optional; where available)
SUBFROST Pay lets you convert frBTC to fiat on a virtual card. It is an optional feature that you activate separately and that is available only in supported regions and on supported platforms (currently Android; it is not yet enabled on iOS or in the browser extension). If you choose to use SUBFROST Pay, we and our payment and identity-verification partner (Stripe) collect the information needed to provide a regulated financial service and to meet identity-verification (KYC/AML) obligations. This may include your email address, legal name, date of birth, postal address, government-issued ID document images, a selfie/liveness check, a portion of your taxpayer identification number (for example, the last digits of an SSN where required), and, for cash-out, your bank account details. Identity documents and card details are captured by Stripe; card numbers are tokenized by Stripe and never reach SUBFROST. This information is used only to operate SUBFROST Pay and to comply with applicable law; see Stripe's privacy policy for how it handles the data it collects. If you do not use SUBFROST Pay, none of this is collected. On iOS, where Pay is not yet enabled, the only related data we collect is an email address you may submit to be notified when the feature launches.
Camera
SUBFROST uses your device camera to scan QR codes (payment addresses and WalletConnect pairing). On platforms where SUBFROST Pay is available, the camera is also used to capture identity-verification documents and a selfie if you choose to complete Pay verification. Camera images are not used for any other purpose.
Local storage
Your wallet keystore, address book, network selection, connected sites, language, and interface preferences are stored locally on your device (browser extension storage on the web; encrypted device storage on mobile). Removing the app or extension removes this data; back up your recovery phrase first.
No analytics or tracking
SUBFROST does not use analytics, crash reporting, advertising, or telemetry. We do not collect personally identifiable information for tracking, your browsing history, or your activity across other apps and websites, and we do not track you across apps or websites owned by other companies.
Data sale and sharing
We do not sell your data, and we do not share it with third parties for their own purposes. The limited sharing described above — Apple and Google for notification delivery and optional backup, Stripe for SUBFROST Pay, and SimpleSwap for optional cross-chain swaps — exists only to provide features you choose to use. We do not use your data to determine creditworthiness or for lending, except where you use SUBFROST Pay and such processing is required to provide that regulated service.
Data retention and deletion
Self-custodial wallet data lives on your device and is removed when you uninstall the app or extension. If you use SUBFROST Pay, you can request deletion of your Pay account and associated data at subfrost.io/delete-account or by contacting us. Identity-verification (KYC/AML) records associated with SUBFROST Pay are retained for seven (7) years after account closure where applicable law requires us to keep them; other Pay account data is deleted on request.
Children
SUBFROST is not directed to children under 13 (or the minimum age required in your jurisdiction).
Changes
We may update this policy; material changes will be posted at this URL with a new “last updated” date.
Contact
Subzero Research Inc. — support@subfrost.io — https://subfrost.io