Privacy Policy

1. Introduction and Data Controller

Last Updated: February 26, 2026

This Privacy Policy explains how Blitz Wallet handles data in both the Blitz Wallet mobile application ("App") and the Blitz Wallet website ("Website"). These may differ in scope, and each section below makes clear whether it applies to the App, the Website, or both.

Data Controller: Blitz Wallet LLC, 230 W Maple Road, Troy, MI 48084, United States.
Privacy Contact: support@blitzwalletapp.com

Blitz Wallet LLC is the data controller responsible for personal information collected through the App and Website as described in this Privacy Policy. The App is provided as a free service and is intended for use as is.

2. Information We Collect

Information Collected Automatically

When you use the App or visit the Website, certain information is collected automatically:

• Device Identifiers: Firebase Crashlytics collects a Firebase installation ID (a persistent device identifier), device model, operating system version, and app version. You may disable Crashlytics at any time in the App settings.
• Website Analytics: The Blitz Wallet website uses Google Analytics to understand traffic sources and user demographics. Google Analytics may collect your IP address, device type, browser type, operating system, and behavioral session data. IP anonymization is enabled. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on. See Google Analytics' Privacy Policy.
• Website Cookies: The Website uses first-party analytics cookies set by Google Analytics (such as _ga and _gid) to measure website traffic. No other cookies are used on the Website. The App itself does not use cookies.

Information You Store in the App

The following types of information may be stored in the Blitz Wallet database. Not all items are required. We indicate which are optional and which are necessary for core functionality.

• Blitz Store Information (automatic): Purchases such as gift cards, messaging services, VPNs, or generative AI credits. All data is encrypted with your private key. For generative AI, you may choose whether to save a chat. All other purchases are automatically stored. You may delete gift cards, VPNs, and messages from the database at any time.
• Contacts (automatic for saved contacts; optional for profile): Saved contacts are encrypted with your private key and cannot be viewed by others. Your public contact profile includes your bio, name, Spark address, Spark identity public key, unique username, and UUID. The name and bio are customizable; other fields are automatically stored to enable LNURL addresses and contact lookups. Your profile is publicly visible to other Blitz users.
• Contact Profile Image (optional): Users may optionally store a profile image with Blitz. If provided, the image is saved in our database and is publicly visible as part of your profile.
• NIP-05 / Nostr (optional): A username and public key associated with your NIP-05 (Nostr) address. Adding this is completely optional. Once added, this association is propagated across a decentralized network of Nostr relays that Blitz does not operate or control, and cannot instruct to delete data. This association may persist permanently across the Nostr network.
• Point-of-Sale (partial automatic): Your item list, receiving address, store currency, and store name. Items are optional; store currency defaults to USD; store name is automatically generated on first load. You may customize at any time.
• Push Notifications (optional): Notification settings and your push notification token. The push token is encrypted with the notification service's key, so only your device and the Blitz backend can access it. The push token does not contain personal information and cannot be used to identify you. Push notifications are optional and can be disabled at any time in your device settings.
• Crash Reporting (automatic, opt-out available): We use Firebase Crashlytics to monitor App stability. Crashlytics collects non-personal device information (device model, OS version, app version, and a Firebase installation ID). This data is used only for debugging and App improvement and is retained for 90 days. You can disable Crashlytics at any time in the App settings.
• Paymeent Pools: Any payment pool created will be stored in Blitz's database. This included closedAt, contributor count, created at, creator name, creator UUID, current pool amount, pool derive index, pool goal amount, pools identity pubkey, last contribution, pool denomination(fiat), pool id, pool title, pool spark address, pool status, and transferTxId.
• Blitz Gifts: Any gifts you create are stored in Blitz's database. This includes the gift amount, created by, created time, denomination, description, amount, expiry time, gift number, gift identity pubkey, last updated, sat display, sttae, and gift uuid.

Temporarily Stored Information

• Blitz Contact Payments: Payment actions (sending, requesting, accepting, or declining payments) are temporarily stored on Blitz servers, encrypted using a shared key between the involved users. Only the parties involved can decrypt this information. All contact payment data is automatically deleted after 7 days.
• Point-of-Sale Payments: Sales made through the Point-of-Sale feature are temporarily stored to sync payment details when the admin wallet comes back online. Data is encrypted and accessible only by the admin. Automatically deleted after 30 days.
• LNURL Payments: LNURL payments are temporarily stored until you open the App, at which point the payment data is deleted from the database and saved locally on your device. This temporary storage is necessary to include payment descriptions.

Blockchain and On-Chain Data

Because Blitz Wallet is self-custodial and built on public blockchain networks, your wallet addresses and transactions are permanently and publicly recorded on the Bitcoin blockchain, the Spark Network, and other networks you use. This data is immutable — it cannot be deleted or modified by Blitz Wallet or anyone else, including in response to deletion requests under applicable privacy law (see Section 8).

Public blockchain data may be analyzed by third-party blockchain analytics firms (such as Chainalysis, Elliptic, and others) to associate addresses with real-world identities through transaction pattern analysis. Bitcoin's UTXO model means that spending from multiple addresses in a single transaction can link those addresses together in analytics tools. You should assume that any on-chain transaction is permanently and publicly associated with the wallet address from which it was sent or received.

3. How We Use Your Information

We use your information to:

• Provide, operate, and improve the App and Website
• Enable core wallet features including Lightning payments, Spark transactions, swaps, and the Savings Feature
• Deliver push notifications for incoming payments and wallet events
• Monitor App stability and fix crashes (Crashlytics)
• Understand Website traffic and user demographics (Google Analytics)
• Comply with applicable laws, regulations, and legal obligations
• Detect and prevent fraud, abuse, and security incidents

We do not sell your personal information to third parties. We do not use your information for behavioral advertising.

4. How We Share Your Information

We share your information only as described below:

• Third-Party Service Providers: We share data with the service providers listed in Section 5 solely to provide the features they enable. Each provider is an independent data controller subject to their own privacy policies.
• Legal Requirements: We may disclose your information when required by law, court order, or governmental authority, or when necessary to protect the rights, property, or safety of Blitz Wallet, our users, or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change via the App or Website.

We never sell personal information to data brokers or advertisers.

5. Third-Party Links & Services

Blitz Wallet integrates with the following third-party services. Each service is an independent data controller responsible for its own privacy practices. We recommend reviewing their privacy policies. Blitz Wallet is not responsible for the content or practices of third-party sites or services.

• Brale, Inc. – Issuer of the USDB stablecoin available through the App. When you hold or transact in USDB, Brale may collect blockchain addresses, transaction metadata, and other information necessary to issue and manage USDB. ( Privacy Policy)
• Flashnet (Flashnets Markets, Inc.) – Required for handling swaps between Bitcoin and USDB and for the USDB Savings Feature yield operations. Flashnet is a Republic of Panama corporation; data may be processed outside the US and EU. Flashnet may collect blockchain transaction metadata, wallet identifiers, and usage analytics in connection with swaps and savings operations executed through our App. Flashnet is an independent data controller responsible for its own compliance obligations. ( Privacy Policy)
• Spark (Lightspark) – Required for sending and receiving Lightning and Spark payments. Because payments are coordinated through Spark, your transactions should not be considered private. Lightspark may have access to routing information and transaction metadata as part of operating the Spark coordinator service. Lightning Network channel openings and closings are on-chain events publicly visible to anyone; individual Lightning payments have stronger privacy properties. If Spark's services are unavailable, you may need to perform a unilateral exit to recover funds. ( Unilateral Exit Guide)
• Breez SDK – Used to facilitate Liquid Network payment functionality. Breez Technology may process network connectivity data, payment routing metadata, and usage data as part of providing this service. ( Privacy Policy)
• Boltz API – To facilitate swaps between Rootstock and Lightning. ( Privacy Policy)
• The Bitcoin Company – To purchase gift cards. ( Privacy Policy)
• LNVPN – To purchase VPNs, eSIMs, and cards. ( Website)
• sms4Sats – To send and receive SMS numbers anonymously. ( Website)
• Apple Push Notification Service (APNs) – To deliver push notifications on iOS devices.
• Google Firebase Cloud Messaging (FCM) – To deliver push notifications on Android devices. ( Privacy Policy)
• Google Analytics – Used on the Website only to understand traffic and user demographics. IP anonymization is enabled. You may opt out via the Google Analytics Opt-out Add-on. ( Privacy Policy)
• Firebase Crashlytics – Used in the App for crash reporting. Collects device model, OS version, app version, and a Firebase installation ID. Opt-out available in App settings. ( Privacy Policy)

6. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy or as required by applicable law:

• Store purchases (gift cards, VPNs, messages): Retained until deleted by you or until account closure.
• Contact data: Retained until deleted by you or until account closure.
• Public profile data: Retained while the profile is active. Deleted from Blitz servers within 30 days of a valid deletion request.
• Push notification tokens: Deleted within 30 days of notification opt-out or App uninstall.
• Crash reports (Crashlytics): Retained for 90 days per Firebase's standard data retention policy.
• LNURL payment metadata: Deleted upon App open (typically minutes to hours).
• Blitz Contact Payments and POS Payments: Automatically deleted after 7 days.
• Blockchain and on-chain data: Permanently public. Cannot be deleted by Blitz Wallet or anyone else. See Section 7.

7. Self-Custodial Wallet and Blockchain Privacy

Self-Custodial Architecture

Blitz Wallet is self-custodial, meaning only you have access to your funds. When creating a wallet, you receive a 12-word seed phrase stored on the iOS Keychain or Android Keystore. Blitz Wallet never transmits your seed phrase, private keys, or wallet backup to Blitz servers. You are solely responsible for securing and backing up your seed phrase offline.

Because your seed phrase is stored on a device connected to the internet, Blitz is considered a hot wallet and cannot be guaranteed to be 100% secure.

On-Chain Data Is Permanent and Public

Transactions made through the Bitcoin, or Spark networks are permanently and publicly recorded on their respective blockchains. This means:

• Immutability: On-chain transaction data cannot be deleted, modified, or removed by Blitz Wallet or anyone else — ever. This is a technical limitation that applies even in response to legally valid deletion requests under GDPR or CCPA. See Section 8 for how this affects your privacy rights.
• Transaction Graph Analysis: Public blockchain data can be analyzed by third-party blockchain analytics firms to associate wallet addresses with real-world identities through transaction pattern analysis, spending behavior, and counterparty relationships.
• UTXO Linkage: Bitcoin's UTXO model means that spending from multiple addresses in a single transaction can link those addresses together in analytics tools, reducing effective privacy.
• Spark Network: Spark is a coordinated network operated by Spark operators. Spark operators may have visibility into routing information and transaction metadata as part of operating the coordinator service. Spark transactions should not be assumed to be fully private.

8. Security

We implement industry-standard security measures to protect data stored on our servers, including encryption of user data with user-controlled private keys where applicable.

No security system is completely immune to compromise. In the event of a data security incident affecting personal information stored on our servers, Blitz Wallet will:

• Notify affected users in accordance with applicable law (including Michigan's Data Breach Notification Act, EU/UK GDPR Arts. 33-34, and applicable state breach notification statutes)
• Report to applicable supervisory authorities within required timeframes (72 hours for GDPR-covered incidents)
• Take prompt steps to contain and remediate the incident

Note that security incidents affecting Blitz servers do not affect your self-custodial funds — your seed phrase and private keys are never transmitted to or stored on our servers.

9. Application Permissions

Camera Access

Required to scan Lightning payment requests and Blitz contact QR codes. Camera data is processed locally on your device and is never transmitted to Blitz servers.

Network Access

Required for:

• Connection to the Breez SDK (Lightning payments)
• Connection to Boltz API (swaps)
• Connection to Spark (Lightning and Spark payments)
• Connection to Flashnet (USDB swaps and Savings Feature)
• Connection to Blitz servers (profile, store, and payment sync)
• Linking to third-party sites

Microphone

To allow you to use the voice feature with ChatGPT. Microphone data is transmitted to OpenAI in accordance with their privacy policy.

Filesystem

To save purchased VPN configuration files for easy upload into WireGuard. Files are stored locally on your device.

Notifications

To provide a seamless Lightning Network experience, you may receive push notifications when the App is in the background or closed. Blitz uses Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM) for this purpose.

To enable notifications, Blitz Wallet stores a unique push notification token in our database. This token is linked to your device only and is used solely for delivering notifications. It does not contain personal information and cannot be used to identify you. You may disable notifications at any time in your device settings or within the App.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

• Right to Access: Request a copy of the personal information we hold about you.
• Right to Deletion: Request deletion of your personal information, subject to legal exceptions and the blockchain limitation described below.
• Right to Correction: Request correction of inaccurate personal information.
• Right to Data Portability: Request your data in a structured, machine-readable format (GDPR users).
• Right to Object or Restrict Processing: Object to or request restriction of certain processing activities (GDPR users).
• Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
• Right to Non-Discrimination: You will not be penalized for exercising your privacy rights.

Important Limitation — Blockchain Data Cannot Be Deleted: On-chain transaction data (wallet addresses, transaction hashes, amounts, and related metadata) is permanently recorded on public blockchains and cannot be deleted by Blitz Wallet or anyone else. Deletion requests cannot be fulfilled for this category of data. This is a technical constraint of public blockchain architecture and is not unique to Blitz Wallet.

How to Submit a Request

To exercise any of the above rights, contact us at:

• Email: support@blitzwalletapp.com
• Web form: Contact page

We will respond to verifiable requests within 45 days. We may extend this by an additional 45 days for complex requests, and will notify you of the extension. We may need to verify your identity before fulfilling a request.

California Residents — CCPA Rights

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: The specific pieces and categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
• Right to Delete: Request deletion of personal information we have collected, subject to exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: Blitz Wallet does not sell personal information. We do not share personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
• Right to Non-Discrimination: Exercising your CCPA rights will not result in denial of services or different pricing.

Categories of Personal Information Collected (past 12 months): Identifiers (device identifiers, IP addresses, push tokens); profile and social data (usernames, bios, profile images, public keys); commercial information (purchase history); internet or network activity information (crash reports, server logs, website analytics); and inferences drawn from the above to provide App features.

Business Purpose for Collection: To provide and improve the App; to enable wallet, payment, swap, and savings features; for security monitoring; and for legal compliance.

To submit a CCPA request, contact us at blake@blitzwalletapp.com or via our contact page.

EU/UK GDPR Rights

This section applies to personal information that you voluntarily provide in connection with your use of Blitz Wallet, including your name, username, profile image, and bio. No personal information is required to use the core functionality of the App; you are free to use the App without providing any optional personal information.

The processing of optional personal information is supported by the following lawful bases:

• Consent: You voluntarily provide personal information, and processing is based on your explicit consent. You may withdraw consent at any time by contacting us; withdrawal does not affect the lawfulness of prior processing.
• Legitimate Interests: Processing may also be necessary for our legitimate interests, such as maintaining user profiles, delivering notifications, and ensuring App security, provided such interests are not overridden by your rights and freedoms.
• Legal Obligation: We may process data as necessary to comply with applicable laws, including responding to lawful requests from governmental authorities.

If you are in the EU or UK and wish to exercise your GDPR rights or lodge a complaint, contact us at support@blitzwalletapp.com. You also have the right to lodge a complaint with your local supervisory authority.

11. Children's Privacy

The App is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will promptly delete such information. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at support@blitzwalletapp.com.

12. International Data Transfers

Blitz Wallet LLC is based in the United States. If you are located outside the United States, your personal information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

We also use third-party services — including Flashnet (Republic of Panama) — that may process data outside the US and EU. By using the App, you acknowledge that your information may be transferred to and processed in these jurisdictions.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with a revised "Last Updated" date at the top. For material changes, we will provide notice through the App or via email where feasible. We encourage you to review this Privacy Policy periodically. Your continued use of the App after a change is posted constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: support@blitzwalletapp.com
• Web form: blitzwalletapp.com/pages/contact/
• Mail: Blitz Wallet LLC, 230 W Maple Road, Troy, MI 48084, United States