Scion Multi-chain Wallet Website

body { font-family: sans-serif; max-width: 860px; margin: 2rem auto; padding: 0 1.5rem; background: #1e252e; color: #f4f7f9; line-height: 1.7; } h1 { font-size: 2rem; margin-bottom: 0.25rem; } .subtitle { color: #a8b0ba; margin-bottom: 2rem; } h2 { font-size: 1.2rem; margin: 2rem 0 0.5rem; border-bottom: 1px solid #3f505f; padding-bottom: 0.4rem; } h3 { font-size: 1rem; margin: 1.25rem 0 0.4rem; } p, li { color: #a8b0ba; } ul, ol { padding-left: 1.25rem; } a { color: #5b8aaf; } table { width: 100%; border-collapse: collapse; font-size: 0.9rem; margin-bottom: 1rem; } th, td { text-align: left; padding: 0.5rem 0.75rem; border: 1px solid #3f505f; color: #a8b0ba; } th { background: #252e38; color: #f4f7f9; } code { background: #252e38; color: #5b8aaf; padding: 0.1rem 0.35rem; border-radius: 3px; font-size: 0.85em; } Privacy PolicyEffective date: June 24, 20261. IntroductionThis Privacy Policy describes how Scion Wallet ("we", "us" or "our") collects, uses, stores, and shares personal data when you use:

the Scion Wallet Chrome browser extension

the website and web services at scion.digital

associated backend services that support authentication, subscription management, OTP verification, and transaction scheduling

Scion Wallet is a non-custodial, multi-chain cryptocurrency wallet extension. It supports reversible and OTP-secured transactions across multiple blockchain networks using a custom smart contract architecture. This policy is written to fully comply with the Chrome Web Store User Data Privacy requirements.Beta Version Notice: Scion Wallet and scion.digital are in beta and under continuous development. Features and data handling practices may evolve as the service matures. We will update this policy as needed to reflect any material changes.By installing the extension or registering on scion.digital, you agree to this Privacy Policy.2. Summary of Key Privacy Commitments

Your wallet private keys, seed phrases, and account secrets never leave your device.

All sensitive wallet data is encrypted locally inside the extension using AES-256-GCM before storage.

The only personal data we collect and store on our servers is your name and email address.

Transaction scheduling data sent to our backend is handled anonymously and is not linked to your identity.

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

3. Data We Collect3.1 Personal DataWe collect the following personal data from all registered users:

Data

Purpose

Full name

Account registration and identity

Email address

Authentication, OTP delivery, enterprise invitation, subscription access control

This data is collected when you register on scion.digital, either manually (email and password) or via Google Sign-In.3.2 Enterprise Verification DocumentsEnterprise users are required to submit identity or business verification documents as part of the enterprise registration process on scion.digital. These documents are reviewed by our admin team to verify the legitimacy of the enterprise before subscription purchase and wallet feature access are permitted. The type of documents required will be specified during the enterprise onboarding flow on scion.digital.This data is:

used solely for identity and business verification purposes

accessible only to authorised Scion admin staff

not shared with other users, including normal users under that enterprise

retained in accordance with our data retention practices

3.3 Authentication and Session DataTo enable secure login and session management, we also process:

Email and password credentials (passwords are hashed server-side and never stored in plain text)

Google OAuth tokens when you choose Google Sign-In

Session access tokens used for authenticated API communication between the extension and our backend

Access tokens are stored locally in the extension's chrome.storage.local and used exclusively to authorize backend API requests. On logout, all access tokens and session data are deleted from local storage.3.4 Subscription Payment Wallet AddressEnterprise users who purchase a subscription plan pay using selected cryptocurrencies. To process and verify your subscription payment, we collect the wallet address you connect during checkout on scion.digital. This wallet address is:

used solely to verify and track subscription payments on scion.digital

completely separate from any wallet accounts you manage inside the Scion Wallet extension

not linked to your in-extension wallet accounts, private keys, or transaction history in any way

3.5 Transaction Scheduling MetadataWhen you initiate a Normal (Reversible) Transaction, the extension sends minimal metadata to our backend to schedule the automated release of funds after the hold period. This metadata includes:

On-chain transaction hash

Smart contract transaction ID

Contract address

Blockchain network and chain type (EVM or TVM)

RPC URL for the target network

Scheduled release timestamp

Backend task identifier

This data is processed anonymously. It is not linked to your name, email address, or any personally identifiable information on our servers. It exists only to allow the backend scheduler to execute the release transaction on the smart contract at the appropriate time.3.6 Data We Do Not CollectWe do not collect, transmit, or store:

Wallet private keys or seed phrases / mnemonic phrases

In-extension wallet account names or addresses

Full transaction histories

On-chain balances

Any biometric data

4. How We Use Your Data4.1 Registration and LoginYour name and email are used to create and authenticate your account on scion.digital. All logins require OTP verification as a second step. After password verification, a 6-digit OTP is sent to your email address and must be verified before access is granted. This applies to both initial registration and subsequent logins.4.2 OTP VerificationLogin OTP: Every login session requires an OTP sent to your registered email. This is mandatory and cannot be disabled.Secure Transaction OTP: When you initiate a Secure Transaction, the extension requires OTP verification before sending funds. Once verified, a configurable exemption window applies (default: 60 minutes) during which subsequent secure transactions on the same device do not require a new OTP. This window is user-configurable in the extension's Advanced Settings and is stored locally as part of the app configuration.4.3 Platform RolesThe scion.digital platform has four defined roles. This policy applies to data collected and processed for all roles.

Enterprise User — A business or organization account. Enterprise users must submit verification documents and receive admin approval before they are permitted to purchase a subscription. Once approved and subscribed, they can access wallet features and invite normal users into their organization.

Normal User — An individual user invited by an enterprise user. Normal users can access wallet features while the enterprise they belong to has an active subscription.

Support User — An internal Scion support staff role on scion.digital. Support users can access account and subscription information necessary to assist users with service-related issues. They do not have access to wallet private keys, seed phrases, or in-extension wallet data.

Admin — An internal Scion administrator role. Admins manage the platform, review and approve enterprise verification documents, oversee subscriptions, and maintain the service. Admins do not have access to wallet private keys, seed phrases, or in-extension wallet data.

4.4 Enterprise Onboarding and Access Control

Registration: The enterprise user registers on scion.digital with their name and email.

Document submission: The enterprise user submits the required verification documents through the scion.digital dashboard.

Admin review: An admin reviews the submitted documents and approves or rejects the enterprise account. Wallet features and subscription purchase are not available until approval is granted.

Subscription purchase: Upon approval, the enterprise user purchases a subscription plan using the accepted cryptocurrency by connecting a payment wallet address.

Wallet access: After a successful subscription payment, the enterprise user gains access to wallet features in the Scion Wallet extension.

User invitations: The enterprise user can send email invitations to normal users. Invited users can register or log in and gain wallet feature access under the enterprise's active subscription.

Subscription expiry: When the enterprise subscription expires, wallet feature access is automatically revoked for the enterprise user and all normal users under them.

Enterprise owners can view the list of users in their organization via the scion.digital dashboard. They cannot access those users' wallet addresses, private keys, or transaction history. No link is maintained between a user's identity and their in-extension wallet accounts on our servers.4.5 Normal (Reversible) Transaction Flow

Initiation: The sender initiates the transaction from the extension. The transfer amount plus a smart contract fee is sent to the deployed smart contract on the chosen network. Our backend issues a one-time authorization signature that the smart contract verifies before accepting the transaction. Each signature is single-use and replay-protected.

Hold period: The smart contract holds the funds for a 24-hour lock period.

Scheduled release: Our backend schedules a job to call releaseTransaction on the smart contract after the hold period using an admin/backend wallet address.

Automatic release: After the hold period, the backend executes the release. The receiver's wallet address receives the transfer amount. The smart contract fee is awarded to the caller of releaseTransaction as reimbursement for the on-chain gas cost of executing the release.

Cancel: The sender may call cancelTransaction at any time before the hold period expires. Both the transfer amount and the smart contract fee are fully refunded to the sender. The standard blockchain gas fee paid at initiation is non-refundable.

Speed up: The sender may call speedUpTransaction at any time after a minimum delay of 1 minute from initiation. The transfer amount is released immediately to the receiver and the smart contract fee is refunded to the sender. Standard blockchain gas fees remain non-refundable.

Emergency withdrawal: In the event the contract is paused by the contract owner, the owner can trigger emergencyWithdraw which returns both the transfer amount and the smart contract fee to the original sender.

4.6 Secure Transaction Flow

The sender is required to verify the transaction with an OTP sent to their email (subject to the configurable exemption window described in Section 4.2).

After OTP verification, funds are sent directly and instantly to the receiver's wallet address on-chain.

There is no hold period, no cancellation window, and no smart contract intermediary.

4.7 Sharing with scion.digitalYour name and email are shared with our website services at scion.digital to verify your subscription status, manage your enterprise membership and user roles, and control access to wallet features.5. Data Storage5.1 Server-Side StorageOn our backend servers, we store only:

Your name and email address

Your account role (enterprise user, normal user, support user, or admin)

Enterprise verification documents (enterprise users only; accessible to admin staff only)

Your subscription status and enterprise membership details

Your subscription payment wallet address (enterprise users only)

Transaction scheduling metadata (processed anonymously, not linked to your identity)

We do not store wallet private keys, seed phrases, in-extension wallet account addresses, or transaction histories on our servers.5.2 Local Storage Inside the ExtensionAll sensitive wallet data is stored locally on your device inside the extension across multiple storage layers:IndexedDB vault (Scion_storage): All vault contents are encrypted with AES-256-GCM before being written. The vault stores wallet private keys (encrypted), seed phrase / mnemonic (encrypted), and HD wallet derivation paths (encrypted).chrome.storage.local: Used for application state that persists across sessions. Stores encrypted wallet account details, network configurations, token data, subscription details, access token, user ID and email, and app manifest settings (auto-lock duration, balance display preference, OTP exemption window, testnet display toggle).chrome.storage.session: Used for runtime-only state. Automatically cleared when the extension locks or the browser session ends. Stores last user interaction timestamp and wallet unlock session state.localStorage (browser): Used only for transient UI state. Stores OTP resend expiry timestamp (cleared after successful OTP verification or page navigation).5.3 Encryption DetailsAll cryptographic operations are performed inside the extension's service worker using the Web Crypto API, ensuring raw key material is never exposed to the extension's UI layer.

Algorithm: AES-256-GCM (authenticated encryption with integrity protection)

Key derivation: PBKDF2 with SHA-256, 600,000 iterations, unique random 16-byte salt per vault

Key: The derived key is held only in the service worker's memory while the wallet is unlocked and is cleared immediately on lock.

IV: A fresh cryptographically random 12-byte IV is generated for every individual encryption operation.

Salt storage: The salt is stored alongside the encrypted vault data to allow key re-derivation at unlock time. It does not compromise security without the user's password.

When the wallet is locked — manually, on idle timeout (default: 15 minutes, user-configurable), or when the browser session ends — the in-memory decryption key is cleared. Data cannot be decrypted without the user's app password.5.4 Data Retention

Server-side personal data (name, email, subscription status) is retained as long as your account is active.

Transaction scheduling metadata is stored anonymously in our backend for transaction execution and failure monitoring.

Local extension data exists solely on your device and is fully under your control.

6. Data Sharing and Third Parties6.1 scion.digital (Our Own Service)Your name and email are shared with our website at scion.digital to manage your account, subscription, and wallet feature access.6.2 Email Service ProvidersYour email address is shared with our transactional email provider solely to deliver OTP codes for login verification and Secure Transaction confirmation, enterprise invitation emails, and critical account notifications (e.g. password reset). We use reputable email providers that prohibit them from using your data for any other purpose.6.3 Google (Optional)If you choose Google Sign-In, your Google profile information (name and email) is shared with Google under Google's own privacy policy. We receive only the name and email returned by Google's OAuth flow and use it for the same purposes as manually registered account data.6.4 Public Blockchain NetworksWhen you send any transaction, the transaction data (sender address, receiver address, amount, transaction hash, and any contract interaction data) is broadcast to the public blockchain you have selected. This data is publicly visible on-chain and is beyond our control once broadcast.6.5 What We Do Not Share

We do not sell your personal data.

We do not share private keys, seed phrases, or wallet secrets with any third party.

We do not share your in-extension wallet account details or transaction history with enterprise owners or any other users.

We do not share data for advertising, profiling, or any purpose unrelated to operating the service.

7. Security Practices

Non-custodial architecture: We never hold your private keys and cannot sign transactions on your behalf outside of the smart contract's automated backend release mechanism.

AES-256-GCM encryption with PBKDF2 key derivation (600,000 iterations, SHA-256) protects all local wallet data.

Service worker isolation: All cryptographic operations run inside the extension's isolated service worker context and are not accessible to web page scripts.

Message validation and rate limiting: The service worker validates the schema and origin of all incoming extension messages, rate-limits requests per sender (max 1,000 per 10 seconds), and rejects any sender that is not the extension itself.

Input sanitization: All messages are sanitized against prototype pollution and function injection before processing.

Allowlisted functions: Only a fixed set of wallet functions can be invoked via the service worker message interface. Arbitrary code execution is not possible through the message layer.

Session auto-lock: The wallet automatically locks after a configurable idle period (default: 15 minutes), clearing the in-memory decryption key. The lock duration is user-configurable in General Settings.

OTP for all logins: Every login session requires OTP verification via email.

HTTPS only: All communication with our backend uses HTTPS/TLS.

8. User Rights and Choices8.1 Access and CorrectionYou may request a copy of the personal data we hold about you (name, email, subscription status, role) by contacting us at support@scion.digital.8.2 Local Data ControlAll wallet data stored locally inside the extension is under your full control. You may uninstall the extension from your browser at any time, which permanently deletes all locally stored wallet data. We cannot recover this data on your behalf. Before uninstalling, ensure you have securely backed up your seed phrase.9. Children's PrivacyThe Scion Wallet extension and scion.digital are not targeted towards children, and users must be at least 18 years old to register and use our services. We do not knowingly solicit data from or market to any person under the age of 18.By installing the extension or registering on scion.digital, you represent and confirm that you are at least 18 years of age.If we become aware that we have collected personal data from someone under the age of 18, we will deactivate the account in question and take reasonable measures to promptly delete all associated personal data from our records, unless we are legally required to retain it.If you believe that we may have collected personal data from a user under the age of 18, please contact us immediately using the contact information provided in Section 11 of this policy.10. Changes to This PolicyWe may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. When we make material changes, we will update the effective date at the top of this document. Continued use of the extension or website after the effective date constitutes acceptance of the updated policy.11. Contact InformationIf you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Website: https://scion.digital

Email: support@scion.digital

LinkedIn: Scion Wallet on LinkedIn