BlockWatch Shield — Privacy Policy

Last updated: 2026-05-29

BlockWatch Shield is a Chrome extension that intercepts Web3 signature requests on websites you visit and routes them through the BlockWatch Telegram Mini App for AI-assisted review before your real wallet (MetaMask, Phantom, Tonkeeper, etc.) signs them. This policy explains what data the extension processes, where it goes, and what we do NOT collect.

What we collect

• Telegram account identifier (your numeric user_id, optional username, language code). Obtained when you pair the extension with your Telegram account using a one-time 6-character code generated inside the Mini App.
• Origin of the dApp (e.g. app.uniswap.org) whenever it issues a signature request. Stored together with the request so you can see your dApp activity in the Mini App.
• The signature request payload itself — method name, parameters, calldata, EIP-712 typed data. We need this to show you what is being signed and to run heuristic risk checks (unlimited approve, setApprovalForAll, Permit / Permit2, IDN homographs, MetaMask phishing list).
• A device pairing token stored locally in chrome.storage.local on your machine; the server only keeps its SHA-256 hash.

What we do NOT collect

• Private keys, seed phrases, mnemonics — the extension never sees them; signing always happens inside your real wallet.
• Page contents outside of the signature payload itself.
• Browsing history, tabs, cookies, form inputs.
• IP-level location, fingerprinting beyond a standard server access log.
• Any data from sites where you never trigger a signature request.

Where the data goes

The extension sends intercepted requests to BlockWatch's own backend (hosted on Railway), which stores them in a managed Postgres database and forwards a summary to your Telegram chat. The AI verdict is generated by a third-party LLM provider for the sole purpose of composing a human-language explanation; no personal data beyond the anonymised request payload is included in the prompt.

Data retention

Intercepted requests are retained for up to 30 days for the Activity feed, then automatically deleted. You can revoke the device pairing at any time from the Shield page in the Mini App, which invalidates the paired token immediately. Account deletion (full purge of your data) is available on request via Telegram support.

Permissions justification

• storage — to keep the pairing token in chrome.storage.local across browser restarts.
• host_permissions for amused-generosity-production-1090.up.railway.app and block-watch-web.vercel.app — only these two endpoints are contacted (our API and Mini App). The extension never talks to any other server.
• content_scripts on all URLs — needed to inject a wallet-API wrapper into every page, because we cannot know in advance which sites will request signatures. The script does nothing until/unless a wallet method is invoked.

Open source

The full source code of the extension is available on request and is planned for public release. We do not ship obfuscated bundles to the Chrome Web Store.

Contact

Questions, deletion requests, or anything else — write to @BLWDev_bot on Telegram or email 20team20team@gmail.com.