Rescue Wallet Privacy Policy
Last updated: 2026-06-17
Purpose
Rescue Wallet helps a user operate a local EVM rescue wallet for compromised-wallet claim and sweep flows. Its purpose is limited to preparing, signing, simulating, submitting, and tracking user-approved rescue transactions.
Data Stored Locally
Rescue Wallet stores the following data in Chrome local extension storage on the user's device:
- Encrypted compromised-wallet and sponsor-wallet private keys.
- Password salt and encrypted password verifier.
- Wallet addresses, selected chain, safe recipient, RPC settings, API keys entered by the user, connected site origins, transaction mode settings, rescue history, and recent rescue result details.
- Unlock lockout counters and timestamps used to slow repeated unlock attempts.
- A local privacy-mode preference in the extension page's local storage.
Private keys are encrypted locally before they are stored. The extension does not send private keys to the developer. While the wallet is unlocked, the extension keeps the derived encryption key and address-bearing signing wrappers in service-worker memory; private-key hex is decrypted only for a signing operation and then discarded by the signing path.
User-entered third-party API keys, such as Alchemy RPC keys and optional OpenSea API keys, are stored as plaintext local extension settings. They are read-only provider credentials and are not protected like wallet private keys. Users should restrict and rate-limit these keys in the provider dashboard where possible, monitor quota usage, and avoid entering keys they consider sensitive.
Data Sent To Third Parties
To provide rescue functionality, the extension may send blockchain-related requests to RPC providers selected in settings or included as public defaults. Those requests can include wallet addresses, contract addresses, transaction payloads, chain IDs, block tags, and signed transactions.
If NFT scanning is used, wallet addresses and NFT contract data may be sent to configured NFT data providers such as OpenSea or Alchemy, depending on the selected chain and settings.
If public RPC mode or the optional backend helper is used, transaction, balance, nonce, and simulation requests may be sent to the backend URL or RPC endpoint configured by the user. The default development backend is local to the user's computer. A remote backend or RPC provider can observe wallet addresses, contract addresses, chain IDs, read calls, simulations, and submitted signed transactions.
When a dapp origin is connected to Rescue Wallet, the extension may answer balance-related JSON-RPC reads for the connected compromised wallet with sponsor-backed values. This is used so compatible dapps can build a rescuable transaction even when the compromised wallet itself lacks gas. Balance spoofing is limited to connected origins and does not rewrite third-party website API responses.
The extension uses EIP-7702 authorization for rescue transactions. EIP-7702 is a 2025 Ethereum standard that lets a wallet temporarily delegate its code to a contract. Authorizations are chain- and nonce-bound, and rescue signatures expire quickly, but users should revoke or replace temporary delegation after rescue if the chain tooling provides that option.
Data Not Collected By The Developer
Rescue Wallet does not include advertising analytics, sale of user data, or developer-operated account tracking in the extension package. The developer does not intentionally collect browsing history, private keys, passwords, or seed phrases.
Permissions
The extension requests permissions needed to store encrypted wallet data, maintain auto-lock behavior, and inject an Ethereum provider into compatible dapp pages so users can approve rescue flows. Permission justifications match the Chrome Web Store listing.
Security
Sensitive data is stored locally. User data sent over the network goes to RPC, explorer, NFT API, or user-configured endpoints over HTTPS when available. Users should only configure RPC or backend URLs they trust.
Unlock lockout slows repeated attempts through the live extension UI. It does not protect against offline password guessing if an attacker copies the Chrome profile and local extension storage, so users should choose a strong password and keep the browser profile/device protected.
User Controls
Users can lock the wallet, disconnect sites, change settings, remove the extension, or clear extension storage from Chrome to delete local extension data.
Limited Use
The use of information received from Chrome APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
Contact
For support or privacy questions, use the project support page: github.com/uzzaarr/rescue-wallet-extension/issues