Privacy

Fission is a non-custodial DeFi protocol. We store only the minimal information the application strictly needs to function. We do not run analytics SDKs, advertising pixels, or session-replay tools.

What is stored on-chain

Every transaction you sign is publicly visible on Hedera mainnet. Your wallet address, the contracts you interact with, the amounts traded, and timestamps are part of the public chain record. This is true for every blockchain protocol and is outside our control.

What we store off-chain

  • Sign-In with Ethereum (SIWE) sessions. When you sign in to view watchlists or edit your profile, we store an HS256-signed JWT in an HttpOnly cookie. The JWT carries your lowercased EVM address and a sign-in timestamp. Cookie TTL is 7 days.
  • SIWE nonces. Single-use nonces are stored server-side for up to 5 minutes to prevent replay during sign-in. They are deleted after consumption.
  • User profile (optional). If you set a display name, avatar URL, or X/Twitter handle on the profile page, those values are stored in our Supabase database keyed by your wallet address.
  • Watchlists (optional). If you star markets, the favourites list is stored keyed by your wallet address.
  • Markets cache. A read-only mirror of on-chain market state, refreshed by a public cron. Contains no user-specific data.

What we do NOT store

  • Email addresses, real names, government IDs, or KYC data.
  • IP addresses or geolocation data, beyond what the hosting CDN logs for abuse-mitigation purposes.
  • Cookies for advertising, profiling, or third-party analytics.
  • Browser fingerprints or session-replay recordings.

Hosting and third parties

  • Vercel hosts the frontend and may log standard request metadata for security and abuse prevention.
  • Supabase hosts the user/watchlist/markets-cache database. Service-role keys are used server-side only; the browser never receives the service-role key.
  • Reown / WalletConnect brokers the wallet connection. Your wallet provider determines what it shares with them; check their privacy policy.
  • Hashio JSON-RPC (Hedera) is queried for chain reads. Standard RPC request logging may apply.

Deletion

You can delete your off-chain profile at any time via the profile page (DELETE /api/profile). On-chain transactions are permanent and cannot be deleted by us or by you — this is inherent to public blockchains.

Changes

If we change what we store, the change ships in a public commit and the updated policy lives at this URL. There is no notification — you are responsible for re-reading if you care about updates.