Privacy Policy
Effective: May 6, 2026 · Applies to: walour.io, the Walour Chrome extension, the @walour/sdk npm package, the Walour worker API, and the Walour on-chain oracle program.
1. Who we are
Walour is a real-time security oracle for Solana. References to “we”, “us”, and “our” mean Walour. To contact us: walour786@gmail.com or on X: @walourApp.
2. What we collect and why
Walour consists of several components. The table below lists every data point collected across all of them.
| Data | Source | Purpose | Stored? |
|---|---|---|---|
| Unsigned transaction bytes | Chrome extension | AI-powered risk analysis | No, discarded after response |
| dApp hostname | Chrome extension | Domain phishing check | Cache, 24-hour TTL |
| Token / program addresses | Chrome extension | Token risk check | Cache, 24-hour TTL |
| Wallet public key | Chrome extension | Blocked-transaction audit log | Database, 12 months |
| Block reason + timestamp | Chrome extension | Blocked-transaction audit log | Database, 12 months |
| App version | Chrome extension | Version telemetry | Database, 12 months |
| IP address | All HTTP requests | Standard infrastructure logging | Not stored by Walour |
| Threat addresses (on-chain) | Community reports / oracle | Public threat registry | Permanent (see Section 7) |
| Aggregate threat stats | walour.io stats page | Public dashboard | No personal data shown |
| SDK API requests | @walour/sdk | Risk lookups by third-party developers | Rate-limited (see Section 9) |
Walour does not collect browser history, keystrokes, private keys, seed phrases, passwords, payment information, or any data unrelated to transaction security analysis.
Automated risk scoring. Transaction data is analysed by an AI model (Anthropic Claude) which produces a risk recommendation: GREEN, AMBER, or RED. This constitutes automated processing of transaction data. It is not an automated decision with legal effect. You retain sole authority to approve or reject the transaction at all times. The AI output is advisory only.
3. No user accounts
Walour has no registration, login, password, or user profile system anywhere across the product. No persistent user identity is created. Wallet public keys are pseudonymous on-chain identifiers. Walour does not attempt to link them to real-world identities and does not store them alongside any personally identifying information.
4. Third-party processors
The following processors receive data as part of the transaction analysis pipeline.
| Processor | Data shared | Notes |
|---|---|---|
| Anthropic | Unsigned transaction bytes, token addresses, dApp hostname | AI transaction decoding (Claude). Anthropic does not use API request data to train models by default. Data transmitted over HTTPS. anthropic.com/legal |
| Security intelligence provider | Token / contract addresses | Risk scoring for tokens and programs. |
| Blockchain RPC provider | On-chain addresses | On-chain lookups for program and token data. |
| Database provider | Blocked-transaction events | Postgres-compatible database, SOC 2 compliant. |
| Cache provider | Risk scores (TTL-bounded) | No personally identifiable information in cache keys. |
| Hosting provider | Edge function execution | 30-day infrastructure log retention. |
We do not sell, rent, or transfer your data to any party not listed above. Data is never shared with advertisers, data brokers, or analytics platforms.
5. Cookies and tracking
walour.io does not use cookies, pixel trackers, fingerprinting scripts, or third-party analytics. No tracking of any kind occurs when you visit the website. The Chrome extension does not set cookies on pages you visit.
6. Data retention
- Transaction bytes: deleted immediately after analysis. Never written to disk or logs.
- Domain and token risk cache: 24-hour TTL.
- Blocked-transaction telemetry: retained for 12 months, then permanently deleted.
- On-chain oracle records: permanent (see Section 7).
- Infrastructure logs: retained per each provider's policy (typically 30 days).
7. On-chain data and blockchain immutability
Threat addresses submitted to the Walour oracle are written to the Solana blockchain. By the immutable nature of public blockchains, this data cannot be deleted or modified after submission.
We apply a confidence threshold before any on-chain write. If you believe a record is erroneous, contact us at walour786@gmail.com or via @walourApp on X. We will add a retraction record on-chain and suppress the address from all Walour interfaces and API responses. However, we cannot erase the underlying chain state.
For users in GDPR/UK GDPR jurisdictions: on-chain oracle writes are processed under the legitimate interests basis (Article 6(1)(f), fraud prevention infrastructure). Where an erasure request cannot be fulfilled due to blockchain immutability, we rely on Article 17(3)(e) (retention necessary for the establishment, exercise, or defence of legal claims relating to fraud prevention) as well as the technical impossibility of erasure inherent to the blockchain medium.
8. Legal bases for processing (GDPR)
- Legitimate interests (Article 6(1)(f)): real-time fraud prevention on behalf of wallet users; blocked-transaction telemetry for aggregate security metrics; on-chain oracle writes.
- Contract performance (Article 6(1)(b)): worker API calls initiated by SDK developers.
- No marketing, profiling, or consent-based processing takes place.
9. SDK developers and API consumers
Developers who install @walour/sdk or query the Walour worker API directly are independent data controllers for their own users. Walour is not a processor for downstream developer applications.
Acceptable use of the API and SDK is limited to on-chain security analysis. Use for scraping, building phishing tools, denial-of-service attacks, or any unlawful purpose is prohibited and may result in access termination.
10. Dialect Blinks / Solana Actions
Transactions initiated via Walour Blinks (Solana Actions) flow through the same worker API pipeline described in Section 2. No additional data is collected beyond what a direct extension call would send.
11. International data transfers
Our processors, including Anthropic, may process data in the United States. Transfers from the EU/EEA are covered by Standard Contractual Clauses (SCCs) or adequacy decisions maintained by each processor, as described in their respective privacy policies. Transfers from the UK are covered by the UK International Data Transfer Agreement (IDTA) or equivalent safeguards.
12. Children
Walour is not directed at children under 13 (COPPA) or under 16 (GDPR). We do not knowingly collect data from minors. If you believe a minor has submitted data, contact us and we will delete it from our systems to the extent technically possible.
13. Your rights
Depending on your jurisdiction you may have the right to access, rectify, restrict, port, or erase data we hold about you. To exercise any right, contact us at walour786@gmail.com with the subject “Privacy Request” and, where applicable, the wallet public key associated with your request.
Erasure of on-chain data: Subject to the limitations described in Section 7, we will honor erasure requests for database telemetry records and suppress the address from all Walour-controlled interfaces.
No automated decisions with legal effect: Threat scores produced by Walour are advisory. You can always override a verdict and sign a transaction regardless of the risk rating. No automated decision produces a legal or similarly significant effect on you.
Right to complain: If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU, you may lodge a complaint with your local data protection authority.
CCPA (California): We do not sell or share personal information for cross-context behavioral advertising. No “Do Not Sell” opt-out is required.
14. Security
All data is transmitted over HTTPS/TLS. Transaction bytes are never written to persistent storage. All server-side credentials are held in environment variables and are never included in the Chrome extension package or exposed to the browser.
15. Limited Use (Chrome Web Store)
The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. Data collected through the Walour Chrome extension is used exclusively for transaction risk analysis and is not used for personalised advertising, credit scoring, or any purpose unrelated to on-chain security.
16. Changes to this policy
Material changes will be communicated via a notice on walour.io. The effective date at the top of this page will be updated. Continued use of any Walour product after the effective date constitutes acceptance of the revised policy.
17. Contact
Privacy questions or data subject requests:
- Email: walour786@gmail.com
- X: @walourApp
- X (founder): @Sahir__S
Response time: within 30 days for GDPR/CCPA requests, within 7 days for general enquiries.