#ash Bags
  • GitHub
  • Such Software

Privacy Policy

Effective 2026-07-02.

The short version

Hash Bags is a non-custodial wallet. Your seed phrase and private keys live on your device and never touch us. We don't run servers that store user data. We run no analytics, no automatic telemetry, and no crash-reporting SDK — the only diagnostic data we ever receive is an error report you choose to send us (see "Opt-in error reports" below). We don't have accounts, emails, passwords, or logins.

Where data does leave your device, it goes to (a) the blockchain nodes you query to read balances and broadcast transactions, and (b) third-party services you explicitly opt in to — Trocador for swaps and, where available, MoonPay for buying and selling with fiat. Those providers have their own privacy policies, linked below.

What Hash Bags itself collects

Nothing. Hash Bags has no backend. There are no accounts to sign up for, no servers we run that your wallet contacts for tracking purposes, and no analytics SDK embedded in the app. Specifically, we do not integrate Sentry, Firebase Analytics, Crashlytics, Amplitude, Mixpanel, Google Analytics, or any equivalent.

The one exception is outside our control: if you install Hash Bags from the Apple App Store or Google Play, those stores may give us aggregate, anonymized statistics (download counts, crash rates, OS versions) based on your device's own settings. That data comes from Apple and Google, is not individually identifying, and is not something Hash Bags collects or transmits.

Opt-in error reports

If Hash Bags hits an unexpected error, it may ask whether you'd like to send us a report. Nothing is sent unless you tap "Send" — which copies a technical error trace to your clipboard and opens hash.boats/report in your browser, where you paste it and submit. The report contains a technical stack trace, the wallet type (e.g. "monero" — not an address), and your device model, OS version, and app version. It does not contain your seed phrase, private keys, PIN, addresses, or balances. We store the submitted report on our own server and relay it to our team to fix bugs; the receiving endpoint also sees your IP address, as any web request does. To have a report you sent deleted, email support@such.software.

What stays on your device

  • Your seed phrase / mnemonic.
  • Derived private keys and public addresses for every chain.
  • Local transaction history.
  • Wallet labels, contact book, app preferences.
  • Your PIN / biometric unlock state.

These are stored in your device's secure storage (Keychain on iOS / macOS, Keystore on Android, encrypted file storage on Windows / Linux) plus the app's local data directory. They are not transmitted anywhere by Hash Bags. Uninstalling the app deletes them; your seed phrase still works to restore the wallet on another device.

What goes over the network when you use the app

Blockchain node queries

To show your balance, fetch transactions, and broadcast new transactions, the app connects to one or more nodes per chain. The operator of whichever node you're using can see your IP address and the queries you make (which may include the addresses you control).

The default node lists ship in the app at first launch. For Monero the default is a public privacy-leaning community node (node.sethforprivacy.com). For Wownero, community nodes from the Wownero project. For Bitcoin, Litecoin, etc., a mix of well-known public Electrum / RPC providers including Blockstream, Stack Wallet, and others. You can switch to a node you trust — or run your own — from Settings → Connection & Sync at any time. For maximum privacy we recommend running your own node.

Price data

The app fetches current crypto-to-fiat exchange rates from prices.neroswap.com (a Cloudflare Worker operated by Such Software that aggregates Kraken and other public sources). The worker sees your IP and the list of currencies you're displaying. It does not see your addresses or balances.

Trocador (swaps)

When you initiate an in-app swap between two coins, Hash Bags sends the order details (input currency, output currency, amount, your destination address) to Trocador's API. Trocador may store this order data and is subject to its own privacy policy at trocador.app/en/privacypolicy/. Trocador typically does not require KYC for swaps below their configured limits but can ask for verification in larger-volume or regulator-flagged cases.

MoonPay (buying and selling with fiat)

Where available, Hash Bags lets you buy or sell crypto for government-issued (fiat) currency through MoonPay, an independent provider. This feature is optional and may not be offered in every region or app version. When you use it, the buy/sell page opens in your device's external web browser and the transaction takes place with MoonPay, not with us.

MoonPay performs its own identity verification (KYC) and anti-money-laundering (AML) checks: it collects your name, date of birth, address, government-issued ID, payment details, and may require a live selfie, and it sees your IP address. That data is collected and held by MoonPay, not by us. Hash Bags only sees the resulting order ID and, for a purchase, passes your receiving wallet address (or, for a sale, your sending address) and the amount into the MoonPay order. MoonPay's handling of your data is governed by MoonPay's Privacy Policy.

To open the MoonPay flow, Hash Bags first calls a small signing endpoint we operate at exchange-helper.such.software, which cryptographically signs the MoonPay widget link (a MoonPay anti-tampering requirement). That endpoint sees your IP address and the order parameters (currencies, amount, and wallet address) needed to build the link; it does not see, and MoonPay does not send us, your identity documents or payment details.

Third parties you choose to enable

If you connect to a custom non-default node, configure a hardware wallet, or paste a third-party WalletConnect / dApp link, those endpoints see whatever your interactions with them entail. Hash Bags neither manages nor monitors those connections.

Children

Hash Bags is not directed to people under 18. We don't knowingly collect data from minors; there is no account creation in which such data could be collected. If you believe a minor has used the app and you want to delete any associated state, uninstalling the app on the relevant device removes all local data.

Your rights

Because we don't run accounts or store personal data about you on our servers, there is generally nothing for us to delete or export on request — every byte of identifying state is on your own device, under your control. To the extent we ever act as a controller of any personal data (for example, a support email you choose to send us), residents of the EU/UK and California may contact support@such.software to exercise the rights that apply to them.

For data held by third parties you've used through the app (Trocador, MoonPay, node operators), contact those providers directly using the privacy contact in their respective policies. EU residents (GDPR Articles 15–22) and California residents (CCPA / CPRA) have rights against those providers — exercise them through the providers' own processes.

Changes to this policy

We'll post any update to this page with a new effective date. Material changes will be announced via @such_software and the app's release notes. Continued use of Hash Bags after a change indicates acceptance of the revised policy.

Contact

Privacy questions: support@such.software

Hash Bags is developed and maintained by Such Software LLC.

Home Source Privacy Terms Report a bug Contact

Hash Bags is a fork of Cake Wallet · Maintained by Such Software LLC · MIT-licensed app code · third-party components under their own licenses