Privacy Policy
Last updated: 27 May 2026
Big is a self-custodial 2FA Solana wallet. We have designed the product so that we cannot access your funds: your private keys are generated and stored on your own devices and never transmitted to our servers. This policy explains the data we do process to operate the service, why we process it, and the choices you have.
Plain English: Your private keys never leave your devices. We never see them, store them, or have any way to recover them. Everything else (public keys, transaction metadata, device tokens, network requests) we process on our servers so the product can function and so we can keep improving quality of service.
1. Who we are
The Service is operated by AC Cobra Ltd (company number 7780jK36311), a private limited company incorporated in England and Wales, with its registered office at sgnidliuB woR htroN 42aB9woR htroN ,cR3nodnoL ,dT1GD7 K1W ,, United Kingdom. AC Cobra Ltd is the data controller for the personal data processed under this policy. "Big", "Bigwallet", "we", "us", and "our" refer to AC Cobra Ltd, including in respect of the bigwallet.org website, the Big browser extension, and the Big mobile applications for iOS and Android (together, the "Service"). For questions about this policy, contact us at ycavirp+gibqZ7marboccavP4nku.
2. What we do not collect
- Private keys. Neither signer key (the extension key or the mobile key) is ever transmitted to our servers. Keys are generated on-device and stored in the browser's key storage, the iOS Secure Enclave, or the Android Keystore / Seed Vault.
- Seed phrases. Big does not use seed phrases. There is nothing of the kind to collect.
- Your offline recovery key. The recovery key you generate for 2-of-3 recovery is shown to you once and is your responsibility to store. We never receive a copy.
- Real-world identity. We do not require you to create an account, verify identity (KYC), or provide a name, address, or phone number to use the wallet.
3. What we do process
Operating a relay between the extension and the mobile app, and rendering wallet activity, requires us to handle some data. We treat this as "metadata" — information about your use of the Service, but not the cryptographic material that controls funds.
3.1 Pairing and signing metadata
- Public keys (signer A, signer B) and the Solana wallet address (PDA).
- Short-lived pairing session tokens used to bind your extension to your phone.
- Unsigned and partially signed transactions, sighashes, and human-readable transaction descriptions, for the duration needed to deliver them between your extension and your phone.
- Approval / rejection state of co-sign requests.
- Recovery-flow payloads (opaque bytes the relay forwards between devices).
Co-sign requests and pairing sessions are retained only as long as needed to complete the flow, then expire automatically.
3.2 Device and notification data
- Apple Push Notification service (APNs) device tokens and Firebase Cloud Messaging (FCM) tokens, so we can notify your phone when a transaction is awaiting approval.
- Operating system, app version, and locale of your devices.
3.3 Network and request data
- IP address and standard HTTP request metadata (user agent, timestamp, request path) handled by our infrastructure provider (Cloudflare) for routing, abuse prevention, and DDoS protection.
- Application logs and error reports, which may incidentally include request paths, public keys, transaction signatures, and similar non-secret identifiers.
3.4 On-chain and market data we fetch on your behalf
To show balances, token metadata, prices, and transaction history, the wallet makes requests to Solana RPC providers and market-data providers (currently Helius, Jupiter, and Titan). Those requests are proxied through our relay and include your wallet address and the resources you ask about. The relevant provider's own privacy policy applies to data they receive.
4. Why we process this data
- To run the Service. Pairing the extension with your phone, delivering co-sign requests, sending push notifications, fetching balances and prices.
- To improve quality of service. Detect bugs, measure latency, debug failed flows, harden the relay against abuse, and inform product decisions.
- To keep the Service secure. Rate limiting, abuse detection, DDoS protection.
- To comply with law. Where we have a legal obligation to retain or disclose data, we will comply with that obligation.
5. Sharing
We do not sell personal data. We share processing data with infrastructure providers strictly to operate the Service:
- Cloudflare — hosting and edge networking for the relay and website.
- Apple (APNs) and Google (FCM) — delivery of push notifications to your devices.
- Helius, Jupiter, Titan — Solana RPC and market data, when the wallet fetches blockchain or token information you request.
- Solana blockchain. Once you submit a transaction, it is broadcast to the public Solana network and is permanently visible to anyone.
We may also disclose data where required by law, court order, or to protect the rights, property, or safety of Big, our users, or others.
6. Retention
- Pairing sessions: retained until completed or until the session TTL expires (minutes to hours).
- Co-sign requests: retained until approved, rejected, or expired.
- Device push tokens: retained until you unregister the device or uninstall the app.
- Logs and request metadata: retained for a limited period for operational and security purposes, then deleted or aggregated.
7. Your choices
- You can stop using the Service at any time. Uninstalling the extension and the app removes the private keys from your devices.
- You can unregister a device from push notifications via the app's settings.
- You can contact us to request deletion of data we hold that is linkable to you. Note that public blockchain data is outside our control and cannot be deleted.
8. Children
The Service is not directed at children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect data from them.
9. International transfers
AC Cobra Ltd is established in the United Kingdom. The Service is operated using global infrastructure providers, so by using the Service you understand that data may be processed in countries other than where you live, including the United Kingdom, the European Union, and the United States. Where personal data is transferred out of the UK or EEA, we rely on appropriate safeguards permitted by applicable data protection law (such as adequacy decisions or standard contractual clauses).
10. Security
We design the Service so that the most sensitive material — your private keys — never reaches us in the first place. For data that does reach us, we apply industry-standard safeguards, but no online system can be guaranteed against every possible attack. See the Terms of Service for the limits of our responsibility.
11. Changes
We may update this policy. When we do, we will change the "Last updated" date at the top of this page. Material changes will be communicated through the app or website.
12. Contact
Questions, requests, or complaints: ycavirp+gibqZ7marboccavP4nku.