A Portuguese version of this policy is available at /apps/btc-wallet-tracker/privacy-policy/pt.
Overview
BTC Wallet Tracker (the “App”) is a read-only Bitcoin wallet tracker. We operate no servers of our own — wallet addresses, settings, and authentication state live only on your device. The free tier shows ads, and an optional “Pro” subscription removes them; both rely on the third-party services described below.
This policy explains what personal data we and our third-party providers process, why, on what legal basis, for how long, with whom it is shared, and the rights you have over it. It is written to meet the disclosure requirements of Brazil's Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018, “LGPD”) and applicable equivalent regimes such as the EU/UK GDPR.
Data Controller
The controller (controlador) for the processing described below is:
- Anderson dos Santos Cruz — registered in Brazil under CNPJ 42.477.200/0001-80, principal place of business in the State of São Paulo, Brazil.
- Contact: contact@andersondevexp.com.
The third-party services listed in section 05 act as independent controllers or as our operators (operadores) for their respective parts of the processing, as noted there.
What We Process, Why, and on What Legal Basis
The subsections below describe each processing activity, the legal basis we rely on under LGPD Art. 7 (and, where applicable, the corresponding GDPR Art. 6 ground), and where the data goes.
3.1 Wallet addresses and balances
- Data: the public Bitcoin addresses you add, an optional alias, and the balance and transaction history fetched from public block explorers.
- Purpose: to provide the App's core function of showing your portfolio.
- Legal basis: execution of the agreement and provision of the service you requested (LGPD Art. 7, V; GDPR Art. 6(1)(b)). Public block explorers receive only the addresses you choose to track.
- Storage: on your device only — we do not retain a copy.
3.2 PIN and authentication
- Data: your PIN, stored only as a salted SHA-256 hash in your device's secure storage (the iOS Keychain on Apple devices, the Android Keystore on Android, via expo-secure-store); failed-attempt counters; and lockout state.
- Purpose: to protect access to the App.
- Legal basis: execution of the agreement (LGPD Art. 7, V) and our legitimate interest in protecting the confidentiality of the App (LGPD Art. 7, IX; GDPR Art. 6(1)(f)).
- Storage: on your device only.
3.3 Pro subscription
- Data: an anonymous app-instance identifier generated by RevenueCat, the purchase receipt issued by Apple (on iOS) or the purchase token issued by Google Play (on Android) when you subscribe or restore, and your selected app language (so the paywall renders in that language).
- Purpose: to process the Pro subscription, validate entitlements, and display the paywall in the right language.
- Legal basis: execution of the Pro subscription contract (LGPD Art. 7, V; GDPR Art. 6(1)(b)).
3.4 Advertising (free tier only)
- Data: the Google Mobile Ads SDK loads only for free-tier users and may receive device identifiers (such as the advertising ID where available), the device IP address, coarse location derived from IP, and diagnostic data. The App requests non-personalized ads only for both the banner and the interstitial.
- Purpose: to fund the free version of the App through a single banner and a single interstitial shown after adding a wallet.
- Legal basis: our legitimate interest in monetizing the free tier through non-personalized advertising (LGPD Art. 7, IX; GDPR Art. 6(1)(f)). Because ads are served non-personalized, the App does not seek tracking consent under iOS App Tracking Transparency.
- Opt-out: subscribing to Pro removes all ads — no AdMob requests are made on Pro accounts.
3.5 Settings and preferences
- Data: your selected currency, theme, language, and the cached Bitcoin price.
- Purpose: to remember your preferences across launches.
- Legal basis: execution of the agreement and provision of the service (LGPD Art. 7, V).
- Storage: on your device only.
Retention
On-device data — wallet addresses, settings, PIN hash, lockout state — is kept on your device until you delete it from within the App, uninstall the App, or reset your device. We never receive a copy and have nothing to delete on our side.
Data held by the third-party services in section 05 is retained according to their own policies. For example, RevenueCat retains subscription records for the period necessary to operate the subscription and meet legal obligations; AdMob retains advertising data per Google's policies.
Third-Party Services
The App relies on the following third-party services. Each is listed with its role under LGPD and a link to its privacy policy.
- Blockstream.info — public Bitcoin block explorer (independent controller). Receives the public wallet addresses you choose to track and returns balances and transaction history. See blockstream.info.
- CoinGecko — public price API (independent controller). Used to fetch the global Bitcoin price and price history; no user-specific data is sent. See the CoinGecko privacy policy.
- mempool.space — public Bitcoin block explorer (independent controller). When you tap a transaction in the per-wallet Transactions screen, the App opens https://mempool.space/tx/<txid> in your device's default browser. The App does not load mempool.space in an in-app webview and does not communicate with mempool.space until you tap a row. See mempool.space.
- RevenueCat — subscription infrastructure (operator under LGPD; processor under GDPR). Receives an anonymous app-instance identifier, the purchase receipt issued by Apple, and your selected app language. It does not receive wallet addresses, balances, or your PIN. See the RevenueCat privacy policy.
- Google AdMob — ad network (independent controller for ad delivery). Loaded only for free-tier users — Pro subscribers see no ads and AdMob serves no requests on their behalf. The App requests non-personalized ads only for both the banner and the interstitial. AdMob may collect device identifiers, IP address, and similar diagnostic data per Google's policies. See the Google privacy policy.
- Apple — on iOS, operates the App Store and processes Pro subscription payments (independent controller). See Apple's privacy policy.
- Google (Google Play) — on Android, operates the Google Play Store and processes Pro subscription payments (independent controller). See the Google privacy policy.
International Data Transfers
All third-party services listed above are based outside Brazil. Personal data forwarded to them is therefore subject to international transfer rules.
We rely on the following legal grounds for these transfers under LGPD Art. 33: execution of the agreement with you (Art. 33, V) for RevenueCat, Apple, and Google (Google Play); provision of the service you requested (Art. 33, V combined with Art. 7, V) for Blockstream, CoinGecko, and mempool.space; and our legitimate interest (Art. 33, V combined with Art. 7, IX) for AdMob's non-personalized ad delivery on the free tier. Each provider implements its own technical and contractual safeguards as described in its own privacy policy.
Cookies, Identifiers, and Tracking
The App is a native iOS and Android application and does not use HTTP cookies. It does not run first-party analytics, tracking pixels, or any SDK intended to build a profile of you.
On the free tier, the Google Mobile Ads SDK may access device-level advertising identifiers (the iOS IDFA on Apple devices and the Google Advertising ID on Android, where the operating system makes them available) and the device IP address. The App does not prompt you under iOS App Tracking Transparency and does not rely on tracking consent — ads are served non-personalized in both the banner and the interstitial. On Android, you can opt out of personalized advertising at any time in your system Settings (Settings → Privacy → Ads). Pro subscribers do not load the ads SDK at all.
Camera
The App requests camera access solely to scan Bitcoin address QR codes. The decoded text is used to fill the address field and is discarded immediately afterwards. No images, video, or scan history is stored or transmitted.
Biometric Data
The App uses the operating system's biometric APIs for authentication — Face ID or Touch ID on iOS, and BiometricPrompt (fingerprint or face unlock) on Android. Biometric data is handled entirely by the operating system and is never accessible to, or processed by, the App.
Authentication Security
To protect your wallet info if your device is lost or stolen, repeated wrong PIN attempts trigger an escalating lockout (30 seconds, then 2 minutes, then 4 minutes). The lockout state is stored on-device and persists across App restarts, so it cannot be bypassed by force-closing the App. The counter resets after a correct PIN, or automatically after 10 minutes without any failed attempts.
Language and Locale
The App is available in English, Spanish, Portuguese (Brazil), French, and German. On first launch it reads your device language setting (via the operating system's standard locale APIs) to pick a default. You can change the language at any time from Settings → Language, including a “System” option that follows your device. Your choice is stored locally on your device. The selected language is forwarded to RevenueCat's SDK so the subscription paywall renders in the same language as the rest of the App.
Your Rights
Under LGPD Art. 18 (and, where applicable, the corresponding provisions of the GDPR), you have the right to:
- confirm whether we process personal data about you and access it;
- request correction of incomplete, inaccurate, or outdated data;
- request anonymization, blocking, or deletion of unnecessary or excessive data, or of data processed in non-compliance with LGPD;
- request portability of your data to another service provider, subject to commercial and industrial secrecy;
- request deletion of personal data processed on the basis of your consent (except where retention is required by law);
- obtain information about the public and private entities with which we share your data;
- be informed about the possibility of not providing consent and the consequences of refusal, where consent is the legal basis relied upon;
- revoke consent at any time, where consent is the legal basis relied upon.
Because your on-device data — wallet addresses, settings, PIN hash — never leaves your device, you can exercise the rights of deletion and rectification yourself directly inside the App or by uninstalling the App. For data held by the third-party services listed in section 05, please direct requests both to us (so we can assist) and to the relevant provider, who may need to act on its own systems.
To exercise these rights, contact contact@andersondevexp.com. We will respond within the timeframes prescribed by applicable law.
Children
The App is not directed to children. We do not knowingly process personal data of children below the minimum age set by the applicable data-protection law. If you become aware that a child has provided personal data to us, contact us so we can take appropriate action.
Security Measures and Incidents
We apply reasonable technical and administrative measures to protect personal data, including: storing the PIN only as a salted SHA-256 hash in your device's secure storage (the iOS Keychain on Apple devices and the Android Keystore on Android, via expo-secure-store); persisting lockout state to mitigate brute-force attempts; using HTTPS for all network calls; and relying on the operating system's app sandbox and secure-storage primitives for on-device data. No system is perfectly secure.
If we become aware of a security incident affecting personal data we process that is likely to result in a relevant risk or damage to data subjects, we will notify the Brazilian National Data Protection Authority (ANPD) and affected users within the timeframes and with the information required by LGPD Art. 48.
Data Protection Officer (Encarregado)
The person designated as our Encarregado pelo Tratamento de Dados Pessoais under LGPD Art. 41 is Anderson dos Santos Cruz. You can reach the Encarregado for any privacy-related request at contact@andersondevexp.com.
Complaints to the Supervisory Authority
You have the right to file a complaint about our processing of personal data with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD), available at gov.br/anpd. If you reside in another country, you may also have the right to file a complaint with your local data-protection authority.
Changes to This Policy
Any updates to this policy will be reflected on this page with an updated date. Material changes will, where required by applicable law, be communicated in advance through the App or its hosted policy page.
Contact
If you have questions about this privacy policy or wish to exercise any of the rights described above, contact us at contact@andersondevexp.com.