369 Wallet369 Wallet

Privacy Policy

Last updated: May 11, 2026

In one paragraph

369 Wallet is a non-custodial wallet published by Alpsoft Inc. We never see your seed phrase, private keys, or passcode — they live only on your device, encrypted. We collect a small amount of anonymous diagnostic telemetry (crashes, install counts) so we can find bugs and improve the App, and we use third-party services for things we cannot do ourselves (blockchain data, push delivery, fiat on-ramps, swap quotes). The rest of this page is the precise version of that paragraph.

1. Things we explicitly do NOT collect

The following data exists only on your device. It is never transmitted to or stored by Alpsoft, and there is no backup we can hand to anyone — including ourselves.

  • Your 12 / 24-word mnemonic recovery phrase
  • Any private key derived from that mnemonic
  • Your passcode (only a salted hash is stored locally)
  • Biometric data — Face ID / fingerprint never leaves the OS, the App only receives a success / failure signal
  • Names, email addresses, phone numbers, KYC documents (we never ask)
  • Camera images, video, or any media — the camera is used only for local QR-code scanning

If anyone — including someone claiming to be from 369 Wallet support — asks you for any of the above, they are not us.

2. Diagnostic and analytics telemetry we DO collect

The App reports crash data, performance traces, and high-level usage signals (e.g. that the App launched, that a screen was shown, that a wallet was created) to two third-party services:

  • Google Firebase (Analytics, Crashlytics, Cloud Messaging) — crash logs, diagnostic events, screen views, and per-install pseudonymous identifiers (Firebase Installation ID, FCM registration token, Crashlytics installation UUID).
  • AppsFlyer (Android only) — install attribution and campaign measurement. AppsFlyer receives the Android Advertising ID (AAID), install attribution metadata, and aggregate in-app event signals (e.g. that an install completed, that a wallet was created). We do not send wallet addresses, account identifiers, or customer user IDs to AppsFlyer.

No telemetry we send containsyour mnemonic, private keys, passcode, transaction amounts, USD balances, transaction hashes, or recipient addresses. The AAID can be reset or deleted at any time from your Android device settings (Settings → Privacy → Ads → Reset/Delete advertising ID).

3. Push notifications

If you opt in, the App registers a device token with Firebase Cloud Messaging so we can deliver transaction notifications and important security alerts. You can revoke this at any time in your device settings or in the App's Notifications screen.

4. Backend service

The App talks to a backend service we operate to call third-party APIs that require partner credentials (we hold those credentials on the server so they don't ship inside the App binary) and to manage push subscriptions. This service receives ordinary HTTP request metadata; it does not log request bodies. Operational logs are retained only as long as needed for abuse / rate-limit investigation, then deleted.

5. Public blockchain data

When the App needs to read a balance, fetch a transaction history, fetch a price, or broadcast a transaction, it sends a request to a public blockchain node provider or price-data provider. These providers see the wallet address contained in the request. They do not see your private key — that never leaves your device. Each provider's privacy policy applies independently to that request.

6. Optional third-party flows

If you choose to use a feature that involves a partner, the partner collects whatever data their service requires — including KYC where the law mandates it.

FlowPartnerData they collect
Buy crypto with fiatTransakEmail, payment method, KYC documents, wallet address being credited
Cross-chain swapDEX aggregatorsSource / destination wallet addresses, swap amounts
StakeEverstakeStaker wallet address, stake amount
Connect to dAppWalletConnect (Reown)Project ID, peer dApp metadata
Install attribution & campaign measurement (Android only)AppsFlyerAndroid Advertising ID (AAID), install attribution metadata, aggregate in-app event signals (no wallet addresses)

We pass through whatever the partner requires; we do not interpose ourselves on top to collect any additional data. Each partner's privacy policy applies to its portion of the flow.

7. Device permissions

7.1 Camera

Used only for local QR-code scanning — wallet addresses, session links, recovery phrase QR codes during import. We do not record, save, upload, or transmit any photo, video, or camera feed. The camera is never accessed in the background.

7.2 Biometric authentication

If you enable biometric unlock, the data is processed exclusively by the OS. The App never receives, stores, or transmits biometric data — only a success / failure signal.

8. Data retention

You can wipe all local data at any time via Settings → Reset Wallet. This destroys the encrypted seed and all caches on your device. Once destroyed it cannot be recovered without your original mnemonic.

Diagnostic telemetry sent to Firebase is retained per Firebase defaults. Backend service operational logs are retained only as long as necessary for abuse and rate-limit investigation, then deleted.

9. Security

The App stores sensitive data on device using platform-native secure storage (iOS Keychain / Android Keystore) under industry-standard encryption. All network traffic uses HTTPS / TLS. We follow OWASP MASVS guidance for mobile wallet security. For responsible-disclosure security reports, contact security@369wallet.xyz.

10. Your rights & data deletion

Because we collect no personally-identifiable information, the practical exercise of access / correction / deletion / portability rights is limited. Concretely:

  • Local wallet data (seed, keys, passcode, cached balances): you can wipe everything at any time via Settings → Reset Wallet or by uninstalling the App. This is fully local — no request to us is needed.
  • Pseudonymous telemetry (Firebase + AppsFlyer): to purge analytics, crash logs, attribution metadata and push tokens tied to your install, email help@alpsoft.io with the subject “Data deletion request”. We will purge anything tied to that install within 30 days and confirm by reply. You do not need a 369 Wallet account to make this request (we don't have user accounts).
  • Partial deletion without losing access to the wallet: in the same email, you can ask us to purge only specific categories (e.g. attribution data but keep crash logs) so the App continues to function for you while we remove the categories you no longer want collected.
  • Portability: you can export your seed phrase at any time and import it into any compatible wallet — your assets are not locked into our product.
  • Opting out of advertising-ID-based attribution: Android Settings → Privacy → Ads → Reset or delete advertising ID. Once cleared, AppsFlyer can no longer attribute the install to a campaign.

EU/EEA, UK, California, and Korea residents have additional statutory rights under GDPR / UK-GDPR / CCPA / PIPA respectively (see §11 and §12).

11. Korean Personal Information Protection Act (PIPA)

  • Personal Information Manager: Alpsoft Inc.
  • Purpose of processing: As a non-custodial wallet, no personal information is processed beyond the diagnostic / attribution telemetry described in §2 and the optional third-party flows in §6. Wallet data (seed, keys, passcode) is stored locally on the user's device and never transmitted.
  • Entrustment of processing (위탁): We entrust the processing of certain pseudonymous technical identifiers to the following sub-processors, each strictly limited to the purpose listed in §2 / §6:
    • Google LLC — Firebase Analytics, Crashlytics, Cloud Messaging
    • AppsFlyer Ltd. — Android install attribution (Android only)
    • Transak — fiat on-ramp KYC (only when the user initiates a Buy flow)
    • Everstake — staking provider (only when the user initiates a Stake flow)
    • Reown (formerly WalletConnect) — dApp pairing relay
  • International transfers: The above sub-processors may store and process data outside the Republic of Korea (United States, European Union, Israel). By using the App you consent to this cross-border processing to the extent strictly necessary to deliver the service.
  • Rights of data subjects: Users may exercise PIPA rights (access, correction, deletion, suspension of processing) by contacting help@alpsoft.io.

12. GDPR (EU/EEA users)

  • Data controller: Alpsoft Inc.
  • Legal basis: Legitimate interest (providing the wallet service) and your consent for opt-in services like push notifications.
  • Your GDPR rights: Access, rectification, erasure, restriction of processing, portability, and objection. Contact us to exercise.

13. Children

The App is not directed at children under 13 (US) / 14 (Korea) / 16 (EU). We do not knowingly collect data from children. If you believe a child has used the App, contact us and we will delete any associated data.

14. International data transfers

Network requests made through the App may be processed by servers located in various countries. By using the App, you acknowledge that such processing may occur outside your country of residence.

15. Changes to this policy

We will update this document and bump the Last updated date at the top whenever we change anything that materially affects what we collect or how. For significant changes we will additionally show an in-app notice on the next launch.

16. Contact

Privacy / data requests: help@alpsoft.io

Security disclosures: security@369wallet.xyz