Privacy Policy
Last updated: June 18, 2026
Overview
What data Zelaa accesses
Zelaa reads the following data locally, in your browser only:
- Transaction parameters — the method name, destination address, and encoded data of a signing request, as provided by the dApp to your wallet.
- Website origin — the domain of the dApp that triggered the signing request (e.g. app.uniswap.org).
- Chain ID — the EVM network identifier reported by your wallet provider.
This data is used only to generate a risk assessment displayed to you. It is never stored beyond the lifetime of the request and never sent to Zelaa's servers (Zelaa has no servers).
Third-party API: GoPlus Security
To enrich risk assessments, Zelaa makes read-only requests to the GoPlus Security API (api.gopluslabs.io), a public, free security intelligence service. The following are sent to GoPlus:
- The destination contract address of the transaction
- The origin URL of the dApp
- The EVM chain ID
No wallet address, private key, seed phrase, or personal information is ever sent. GoPlus's own privacy policy governs how they handle API requests.
Local storage
Zelaa uses chrome.storage.local to store three settings on your device only:
- Whether protection is active or paused (set by you in the popup)
- A list of trusted site origins you have explicitly approved for auto-pass
- A transaction scan count shown in the popup
This data never leaves your device and is not accessible to Zelaa or any third party.
What Zelaa does NOT do
- Does not collect names, email addresses, or any personally identifiable information
- Does not store or log transaction content, wallet addresses, or signing history
- Does not have any backend servers or databases
- Does not use analytics, tracking pixels, or advertising SDKs
- Does not execute any remotely hosted code
- Will never ask for your seed phrase or private keys
- Does not access funds or submit transactions on your behalf
Permissions used
- storage — to save your protection status and trusted sites list locally
- host_permissions (<all_urls>) — required to run content scripts on any dApp domain to intercept signing requests, since Web3 applications exist at any URL
Changes to this policy
Contact
© 2026 Zelaa. All rights reserved.