Privacy Policy — Sigma9 Browser Extension
Last updated: July 9, 2026
Sigma9 (the "Extension", "we", "us") is a browser extension that provides a simple, self-custodial, gasless USDC wallet. This Privacy Policy describes how information is handled when you use the Extension.
Sigma9 is an independent project developed and maintained by an individual. There is currently no associated legal entity or company.
1. Core Principles
- Self-custody by design. Your seed phrase and private keys are generated and remain exclusively on your device.
- Minimal data processing. The Extension is built to require as little information as possible from you and about you.
- No central servers for your keys. We do not operate any infrastructure that stores, receives, or has access to your private keys or seed phrases.
- Transparency. We document exactly what third-party services are used and why.
- You are in sole control and sole responsibility. The Extension is fully self-custodial software. You alone hold your keys, you alone authorize every transaction, and you are solely and fully responsible for everything done through your wallet — including safeguarding your seed phrase, verifying every recipient and amount, and the consequences of any transaction. The developer has no custody, no control, and no ability to access, freeze, reverse, or recover your funds or your wallet.
2. Information We Do NOT Collect
We do not collect, store, or transmit:
- Your name, email address, phone number, or any other personal identifiers.
- Your seed phrase, private keys, or any material that can be used to reconstruct your wallet.
- Analytics, usage statistics, crash reports, or telemetry data.
- Browsing history or data from other websites (beyond what is strictly necessary to interact with the blockchains you choose).
No analytics, tracking pixels, cookies for profiling, or third-party analytics services are used inside the Extension.
3. Local Storage and Access Control
- The encrypted seed vault is stored in the browser's local extension storage (
chrome.storage.local). It never leaves your device in unencrypted form. - Encryption uses standard Web Crypto APIs (AES-GCM). The encryption key is derived from your password using a memory-hard key-derivation function (scrypt), or derived from your platform authenticator (WebAuthn PRF) when Touch ID / biometric unlock is enabled.
- The decrypted seed and keys exist only in the Extension's in-memory runtime session while the wallet is unlocked. They are cleared when you lock the wallet and when the browser is closed, and are never written to disk in unencrypted form.
- Local authentication is required to unlock: a WebAuthn platform authenticator (for example Touch ID on macOS) where supported, or your password as the fallback.
- Nothing is sent to any server during unlock or transaction signing.
- Clipboard. The Extension can read from and write to your clipboard only in direct response to an action you take: writing when you tap "copy" on your wallet address or seed phrase, and reading when you tap "paste" for a recipient address or when importing an existing seed phrase. Clipboard access is never used in the background, the clipboard contents are never transmitted anywhere, and it is triggered solely by you activating a copy or paste control.
You are solely responsible for backing up your seed phrase. Loss of the seed phrase means permanent loss of access to funds.
4. Third-Party Services and Transaction Data
To enable gasless (sponsored) USDC transactions, cross-chain movement, and to read on-chain state, the Extension must contact external infrastructure providers. These providers receive only the information required to construct, sponsor, attest, submit, and display your transactions.
The data typically includes:
- Public wallet addresses (yours, and the recipient's when you send)
- Token amounts and chain identifiers
- Transaction parameters and signatures (necessary to authorize the operation)
- Your device's IP address — inherent to any network request (see below)
Private keys and your seed phrase never leave your device.
The providers currently used are:
- Circle — the CCTP v2 / Iris attestation API (
iris-api.circle.com) for cross-chain USDC transfers, together with the Circle Paymaster used to sponsor gas in USDC. Circle receives only the transaction data required for bridging and sponsorship. See Circle's privacy policy at circle.com/legal/privacy-policy. - Pimlico — the bundler used to submit gasless Ethereum-style transactions (ERC-4337 user operations). It receives your signed operation and address.
- Kora — the relayer for gasless operations on Solana. The Kora endpoint is user-configurable: you may point the Extension at a different or self-hosted compatible relayer.
- RPC nodes — for reading blockchain state and broadcasting transactions. Public default endpoints are used, and you can configure your own custom RPC URLs for any supported network in Settings.
- Blockchain explorer APIs — public block-explorer endpoints are queried to display balances and transaction history for an address you view.
IP addresses. Like any software that makes network requests, whenever the Extension contacts the providers above your device's IP address is necessarily visible to those providers at the network layer. We operate no servers of our own, and we do not collect, log, or profile your IP address. How each third party handles the IP address is governed by that provider's own privacy policy. If you wish to further limit this exposure, you may route the Extension's traffic through a VPN or configure your own RPC endpoints.
All of the above are independent third parties. We do not control their privacy practices beyond the data we choose to send them. Because the Extension is self-custodial and the relayer and RPC endpoints are configurable by you, the exact data flows depend on your configuration.
Once a transaction is submitted, the resulting on-chain data (addresses, amounts, timestamps) is public and permanent by the nature of public blockchains.
5. No User Accounts or KYC
The Extension does not require or support creation of accounts, usernames, or any form of identity verification for its core wallet functionality. There is no KYC process.
6. Availability — Not Offered in the European Union / EEA / United Kingdom
The Extension is not offered to, and may not be used by, persons located in or resident of the European Union, the European Economic Area (EEA), or the United Kingdom. By installing or using the Extension you represent and warrant that you are not located in, and are not a resident of, any of those jurisdictions.
Sigma9 is developed by an independent individual with no legal entity, no dedicated infrastructure for user data processing, and no capacity to take on the registrations, representative appointments, and ongoing compliance obligations that those jurisdictions impose on software providers (including under the EU/UK General Data Protection Regulation). Accordingly, the Extension is simply not made available there, and no rights, remedies, or obligations arising specifically under those regimes are offered or accepted.
You are responsible for ensuring that your use of the Extension complies with all applicable laws in your jurisdiction. The developer may block, restrict, or discontinue availability in any jurisdiction at its sole discretion. This policy is provided in the interest of transparency and is not legal advice.
We cannot and do not verify your location. Precisely because the Extension is purely self-custodial and collects no personal data, the developer has no means — and no obligation — to verify your country, residence, or identity, and does not attempt to. Your confirmation that you are not located in or resident of a prohibited jurisdiction is relied upon entirely as your own representation. If you access or use the Extension from a prohibited jurisdiction in breach of this section, you do so unlawfully and entirely at your own risk, and you alone bear full responsibility and any resulting damages. The general "as is" and no-liability terms in Section 10 apply to you in addition to this.
7. Your Data Stays With You
The Extension keeps your keys and data on your own device, and we operate no servers or databases of user information. There is therefore no account, and no personal data held by us. You are in full control of your local data at all times: you can erase everything stored by the Extension simply by removing the wallet and uninstalling it.
Where a third-party provider (see Section 4) receives data such as your IP address, that data is handled solely under that provider's own privacy policy. Data recorded on a public blockchain (addresses, amounts, timestamps) is immutable and cannot be altered or erased by us or by anyone.
8. Children
The Extension is not directed to, and is not intended for use by, children. It is intended only for individuals who are of legal age to manage their own digital assets in their jurisdiction. We do not knowingly collect any information from children.
9. Security
We use industry-standard cryptographic libraries and browser security features. However, no software is completely secure. You should:
- Keep your browser and operating system up to date.
- Use strong local authentication (biometric unlock and/or a strong password).
- Never share your seed phrase.
- Be vigilant against phishing and malicious websites.
10. "As Is" — No Warranty and No Liability (All Jurisdictions)
The Extension is free, open, self-custodial software provided "as is" and "as available," without warranty of any kind, express or implied, including but not limited to any warranties of merchantability, fitness for a particular purpose, security, availability, or non-infringement. You use it entirely at your own risk.
To the maximum extent permitted by applicable law, in no event and in no jurisdiction shall the developer be liable for any claim, loss, or damages of any kind — including loss of funds or digital assets, loss of your seed phrase, failed, delayed, or incorrect transactions, bugs, downtime, or the acts of any third-party provider — arising from or in connection with the Extension or your use of it. This applies whether the claim is based in contract, tort, or any other theory, and regardless of your location.
This reflects the same terms already granted under the project's software license. Nothing in this document is intended to exclude any liability that cannot lawfully be excluded (such as for fraud or willful misconduct); where a jurisdiction does not permit certain exclusions, this section applies to the maximum extent that jurisdiction allows.
11. Changes to This Policy
We may update this Privacy Policy when necessary (for example, when adding support for additional chains or when third-party providers change their practices). The date at the top of this document indicates the last revision. Material changes will be noted in the Extension or on the project website where feasible.
12. Contact
For questions, feedback, or privacy-related inquiries, use the feedback form at sigma9.app/feedback.
We do not maintain a public support email to reduce spam. Please use the form above.
This Privacy Policy is the authoritative version for the Sigma9 browser extension.
It is published at a stable public URL — https://sigma9.app/privacy-policy/extension — and is referenced from the Chrome Web Store listing and inside the Extension. Separate privacy policies cover the Sigma9 mobile app on the Apple App Store (https://sigma9.app/privacy-policy/ios) and on Google Play (https://sigma9.app/privacy-policy/android); this document applies only to the browser extension.
Sigma9 — gasless USDC only. Keys stay on your device.