Openfort Privacy Policy

Last Updated: January 16, 2026

1. Introduction

Alamas Labs Inc., doing business as Openfort ("Openfort," "we," "us," or "our"), provides this Privacy Policy to describe how we collect, use, and share information in connection with our website at https://www.openfort.io (the "Website") and our wallet infrastructure services, APIs, SDKs, and related tools (collectively, the "Services").

This Privacy Policy applies to information we collect from: (i) developers and businesses who use our Services to integrate wallet functionality into their applications ("Developers"); (ii) end users of Developer applications who interact with wallets through our Services ("End Users"); and (iii) visitors to our Website ("Visitors").

IMPORTANT: Openfort is a non-custodial service provider. We do not have access to, store, or control Private Keys or Digital Assets. This Privacy Policy describes the limited information we do collect in connection with providing our Services.

2. Information We Collect

2.1 Information You Provide

Account Information. When Developers register for an account, we collect:

  • Name and contact information (email address, phone number)
  • Company name and business information
  • Billing and payment information
  • Login credentials (hashed and encrypted)

Communications. When you contact us for support or inquiries, we collect:

  • Contact information you provide
  • Content of your communications
  • Any attachments or files you submit

2.2 Information Collected Automatically

Usage Data. We automatically collect certain information when you use our Services:

  • API call logs and request metadata
  • Service usage patterns and feature utilization
  • Error logs and diagnostic information
  • Performance metrics and response times

Device and Browser Information. We collect:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URLs and pages visited

Cookies and Similar Technologies. We use cookies and similar tracking technologies to:

  • Maintain session state and authentication
  • Remember your preferences
  • Analyze usage patterns
  • Improve our Services

2.3 Information by Wallet Type

The information we collect varies depending on which wallet services are used. The following describes what information Openfort collects and, importantly, what information Openfort does not have access to.

OpenSigner (Client-Side Wallets)

OpenSigner is our open-source, client-side signing solution where Private Keys are generated and stored exclusively on the End User's device.

What We Collect:

  • Public wallet addresses (for service functionality)
  • Transaction metadata (timestamps, chain IDs, transaction hashes)
  • Error logs (if errors occur during signing operations)

What We Do NOT Have Access To:

  • Private Keys (generated and stored only on user devices)
  • Recovery phrases or seed phrases
  • User passwords or authentication credentials
  • Digital Asset balances or holdings (viewable only on public blockchains)

TEE Backend Wallets

TEE Backend Wallets are secured via Trusted Execution Environment (TEE) technology where cryptographic operations occur within isolated, secure enclaves.

What We Collect:

  • Public wallet addresses
  • Transaction metadata and signing request logs
  • Access control and permission configurations
  • Encrypted key material (stored within TEE infrastructure)

What We Do NOT Have Access To:

  • Raw Private Keys (protected by TEE hardware isolation)
  • Decrypted key material (never leaves the TEE enclave)
  • Ability to sign transactions without proper authentication

Delegated Actions

Delegated Actions enable Developers to sign transactions on behalf of End Users who have granted explicit permission.

What We Collect:

  • Permission grants and delegation configurations
  • Delegated action logs (for audit purposes)
  • Scope limitations and transaction policies
  • Revocation records

2.4 Blockchain Information

Transactions conducted through our Services are recorded on public blockchain networks. This information, including wallet addresses and transaction history, is publicly accessible and not within Openfort's control. We do not consider publicly available blockchain data to be personal information under this Privacy Policy.

3. How We Use Information

We use the information we collect for the following purposes:

Service Provision

  • To provide, maintain, and improve our Services
  • To process transactions and API requests
  • To authenticate users and manage accounts
  • To provide customer support

Security and Compliance

  • To detect, prevent, and address fraud and security issues
  • To monitor for and prevent unauthorized access
  • To comply with legal obligations
  • To enforce our terms and policies

Analytics and Improvement

  • To analyze usage patterns and trends
  • To develop new features and services
  • To improve user experience
  • To generate aggregated, anonymized statistics

Communications

  • To send service-related notifications and updates
  • To respond to inquiries and support requests
  • To send marketing communications (with consent where required)

4. How We Share Information

We do not sell personal information. We may share information in the following circumstances:

Service Providers. We share information with third-party service providers who perform services on our behalf, including:

  • Cloud infrastructure providers (Google Cloud Platform for TEE infrastructure)
  • Analytics providers (PostHog for product analytics)
  • Error monitoring services (Sentry for error tracking)
  • Payment processors

Developers. For End Users interacting with Developer applications, we share information with the relevant Developer as necessary to provide the Services. Developers are responsible for their own privacy practices regarding End User data.

Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Openfort, our users, or others.

Business Transfers. In connection with any merger, acquisition, financing, or sale of assets, information may be transferred to the acquiring entity.

With Consent. We may share information with your consent or at your direction.

5. Third-Party Services

Our Services utilize the following third-party services:

Google Cloud Platform Confidential Computing

We use Google Cloud Platform's Confidential Computing infrastructure for our TEE Backend Wallets. This provides hardware-level isolation for sensitive cryptographic operations. Google does not have access to data processed within the TEE enclaves. For more information, see Google Cloud's privacy policy at https://cloud.google.com/terms/cloud-privacy-notice.

Sentry

We use Sentry for error monitoring and performance tracking. Sentry may receive error logs, stack traces, and related diagnostic information. For more information, see Sentry's privacy policy at https://sentry.io/privacy/.

PostHog

We use PostHog for product analytics to understand how our Services are used and to improve user experience. PostHog may receive usage data and interaction patterns. For more information, see PostHog's privacy policy at https://posthog.com/privacy.

6. Data Retention

We retain information for as long as necessary to provide our Services and fulfill the purposes described in this Privacy Policy. Specific retention periods depend on the type of information:

  • Account Information: Retained while your account is active and for a reasonable period thereafter to comply with legal obligations
  • Transaction Logs: Retained for up to 7 years for compliance and audit purposes
  • Usage Data: Generally retained for up to 2 years
  • Support Communications: Retained for 3 years after resolution

7. Data Security

We implement appropriate technical and organizational measures to protect information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Trusted Execution Environment (TEE) isolation for sensitive cryptographic operations
  • Access controls and authentication requirements
  • Regular security assessments and penetration testing
  • Employee security training
  • Incident response procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights and Choices

8.1 Access and Portability

You may request access to the personal information we hold about you and request a copy in a commonly used format. To make such a request, contact us at privacy@openfort.io.

8.2 Correction

You may request that we correct inaccurate or incomplete personal information. You can update certain account information directly through your dashboard, or contact us for assistance.

8.3 Deletion

You may request deletion of your personal information, subject to certain exceptions required by law or for legitimate business purposes (such as fraud prevention or compliance with legal obligations). Note that we cannot delete information recorded on public blockchains.

8.4 Restriction and Objection

You may request that we restrict processing of your personal information or object to processing in certain circumstances. Where we process data based on legitimate interests, you may object to such processing.

8.5 Marketing Communications

You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us. Note that you may still receive service-related communications.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

9. International Data Transfers

Openfort is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain additional rights under the General Data Protection Regulation (GDPR) and similar laws.

We process personal data based on the following legal bases:

  • Contract: Processing necessary to perform our contract with you (e.g., providing the Services)
  • Legitimate Interests: Processing necessary for our legitimate interests (e.g., security, fraud prevention, service improvement), where those interests are not overridden by your rights
  • Legal Obligation: Processing necessary to comply with legal obligations
  • Consent: Processing based on your consent (e.g., marketing communications), which you may withdraw at any time

10.2 Additional Rights

In addition to the rights described in Section 8, EEA, UK, and Swiss residents have the right to:

  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with a supervisory authority
  • Receive information about automated decision-making (we do not currently engage in automated decision-making that produces legal effects)

10.3 Data Protection Officer

For questions about our privacy practices or to exercise your rights, you may contact our data protection team at privacy@openfort.io.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

11.1 Categories of Information

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, account name, IP address)
  • Commercial information (transaction history, services purchased)
  • Internet or network activity (browsing history, usage data)
  • Professional or employment-related information (company name, job title)

11.2 Your Rights

California residents have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of personal information
  • Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Correct inaccurate personal information
  • Limit use of sensitive personal information (we do not use sensitive personal information for purposes beyond those permitted)
  • Non-discrimination for exercising your privacy rights

11.3 Exercising Your Rights

To exercise your rights, submit a request to privacy@openfort.io. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

12. Children's Privacy

Our Services are not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us at privacy@openfort.io, and we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on our Website with a new "Last Updated" date, and, where appropriate, by email or through the Services. Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Openfort (Alamas Labs Inc.)
Email: privacy@openfort.io
Website: https://www.openfort.io
For data subject requests: privacy@openfort.io