Zelaa

Privacy Policy

Last updated: June 18, 2026

Overview

Zelaa is a Chrome extension that intercepts Web3 wallet signing requests — transactions, token approvals, and typed signatures — before they are confirmed in your wallet, and displays a plain-English risk assessment. Zelaa operates entirely locally and does not collect, store, or transmit any personal information.

What data Zelaa accesses

Zelaa reads the following data locally, in your browser only:

  • Transaction parameters — the method name, destination address, and encoded data of a signing request, as provided by the dApp to your wallet.
  • Website origin — the domain of the dApp that triggered the signing request (e.g. app.uniswap.org).
  • Chain ID — the EVM network identifier reported by your wallet provider.

This data is used only to generate a risk assessment displayed to you. It is never stored beyond the lifetime of the request and never sent to Zelaa's servers (Zelaa has no servers).

Third-party API: GoPlus Security

To enrich risk assessments, Zelaa makes read-only requests to the GoPlus Security API (api.gopluslabs.io), a public, free security intelligence service. The following are sent to GoPlus:

  • The destination contract address of the transaction
  • The origin URL of the dApp
  • The EVM chain ID

No wallet address, private key, seed phrase, or personal information is ever sent. GoPlus's own privacy policy governs how they handle API requests.

Local storage

Zelaa uses chrome.storage.local to store three settings on your device only:

  • Whether protection is active or paused (set by you in the popup)
  • A list of trusted site origins you have explicitly approved for auto-pass
  • A transaction scan count shown in the popup

This data never leaves your device and is not accessible to Zelaa or any third party.

What Zelaa does NOT do

  • Does not collect names, email addresses, or any personally identifiable information
  • Does not store or log transaction content, wallet addresses, or signing history
  • Does not have any backend servers or databases
  • Does not use analytics, tracking pixels, or advertising SDKs
  • Does not execute any remotely hosted code
  • Will never ask for your seed phrase or private keys
  • Does not access funds or submit transactions on your behalf

Permissions used

  • storage — to save your protection status and trusted sites list locally
  • host_permissions (<all_urls>) — required to run content scripts on any dApp domain to intercept signing requests, since Web3 applications exist at any URL

Changes to this policy

If this policy changes materially, the updated version will be posted at this URL with a revised date. Continued use of the extension after changes constitutes acceptance.

Contact

Questions about this privacy policy? Email us at zelaapay@gmail.com.

© 2026 Zelaa. All rights reserved.