TL;DR
- We identify you by Nostr public key — not your name or email
- Your private keys and seed phrase never leave your device
- No tracking cookies, no analytics pixels, no telemetry
- Your wallet data stays on your device
- You can walk away any time — your identity is yours
WHAT WE COLLECT
Nostr public key. When you sign in via GATE, we receive your Nostr public key (a 64-character hex string). This is your user identifier. We do not collect names, emails, phone numbers, or physical addresses through GATE authentication.
Email (optional). If you choose magic-link authentication, we collect your email address solely to send one-time login links. We do not use it for marketing.
Session data. We issue a JWT session token stored as an httpOnly cookie. It contains your public key and expiration time. No tracking cookies or analytics pixels.
WHAT WE DO NOT COLLECT
- Private keys (never leave your device)
- Wallet balances or transaction history
- Mnemonic seed phrases
- Location data
- Device identifiers or fingerprints
- Usage analytics or telemetry
LOCAL STORAGE
The Obiverse mobile app stores your encrypted seed phrase, PIN hash, and wallet data exclusively on your device using platform-secure storage (iOS Keychain, Android Keystore). This data is never transmitted to our servers.
The web app uses IndexedDB for local scroll storage. This data stays in your browser.
RELAY COMMUNICATION
Authentication events are transmitted via Nostr relays (relay.damus.io, nos.lol). These relays are operated by third parties. Event content is encrypted with NIP-44 (XChaCha20-Poly1305) before transmission. Relay operators cannot read encrypted content but can observe event metadata (kind, timestamp, public key tags).
THIRD-PARTY SERVICES
- Breez SDK (Spark): Lightning/Bitcoin transactions are processed by the Breez SDK running locally on your device. Breez may receive transaction data necessary for Lightning Network operation.
- Nostr relays: relay.damus.io and nos.lol carry encrypted authentication events.
DATA RETENTION
Session scrolls are deleted on logout. Challenge scrolls expire after 5 minutes and are deleted on first use. We do not maintain long-term user profiles or activity logs.
YOUR RIGHTS
Your identity is your Nostr keypair. You can revoke access at any time by logging out (which deletes your session). Since we identify you only by public key, there is no account to delete — simply stop using the service.
CHILDREN
Obiverse is not directed at children under 13. We do not knowingly collect data from children.
CHANGES
We may update this policy. Changes will be posted at this URL. Continued use after changes constitutes acceptance.
CONTACT
Obiverse LLC · admin@obiverse.net
