Privacy Policy

Last updated: March 19, 2026

1. Overview

Buff Protocol (“Buff”, “we”, “our”) operates the buff.finance website, the Buff SDK, and the Buff browser extension. This privacy policy explains what data we collect, why we collect it, and how we protect it.

We are committed to minimizing data collection. Buff is designed around a principle of client-side-first processing: your wallet keys and private keys stay on your device, and transaction signing happens entirely on your device. We never have access to your private keys or seed phrases.

2. Data We Collect

2.1 Buff Browser Extension

The Buff browser extension collects and processes the following data locally on your device:

  • Wallet public address — stored in chrome.storage.local to authenticate API requests. Never transmitted except to our API.
  • Transaction value estimates — the extension estimates the USD value of Solana transactions you sign. This estimate is sent to our API to calculate round-up amounts. We do not store individual transaction details.
  • Extension settings — your plan choice, ceiling amount, allocation preferences, and enabled/disabled state. Stored locally in chrome.storage.local.
  • Round-up statistics — aggregate counts (total round-ups, total USD invested). Stored locally.

The extension does not collect:

  • Browsing history or URLs you visit
  • Page content of websites you visit
  • Private keys, seed phrases, or wallet passwords
  • Transaction signatures or full transaction data
  • Personal identifying information (name, email, etc.)

2.2 Buff Website & Dashboard

  • Wallet public address — when you connect your wallet to the dashboard.
  • Buff wallet address — deterministically derived from your signature. We store the public key only.
  • API credentials — wallet-derived API keys (HMAC hashes, not your actual signature).

2.3 Buff SDK

The Buff SDK is a client-side library. It sends API requests to buff.finance containing transaction value estimates and wallet public addresses. No data is collected by the SDK itself beyond what is transmitted in API calls.

3. How We Use Your Data

  • Calculate round-ups — transaction value estimates are used to compute the round-up amount and generate transfer instructions.
  • Authenticate requests — wallet addresses and API keys verify that requests come from authorized users.
  • Portfolio tracking — wallet addresses are used to query on-chain balances (publicly available data).
  • Swap execution — when investment thresholds are met, we build unsigned swap transactions for your Buff wallet.

We do not sell, rent, or share your data with third parties for advertising or marketing purposes.

4. Data Storage & Security

  • All API communication uses HTTPS/TLS encryption.
  • Extension data is stored in chrome.storage.local, which is sandboxed to the extension and encrypted at rest by the browser.
  • API keys are derived via HMAC-SHA256 and cannot be reversed to recover your signature.
  • We do not store transaction history, browsing data, or any data beyond what is listed above.
  • Server infrastructure uses industry-standard security practices.

5. Third-Party Services

Buff interacts with the following external services:

  • Solana RPC nodes — to query on-chain balances and submit transactions. Only public blockchain data is accessed.
  • Jupiter Aggregator — to obtain swap quotes and build swap transactions. Jupiter receives the swap parameters (amounts, token mints) but not your identity.
  • CoinGecko / price APIs — to fetch current cryptocurrency prices. No user data is sent.

6. Your Rights & Controls

  • Disable anytime — toggle the extension off to stop all transaction interception instantly.
  • Disconnect — remove your wallet connection and all stored credentials from the extension.
  • Export — your Buff wallet is fully self-custodial. Export the private key to any Solana wallet at any time.
  • Delete data — uninstalling the extension removes all locally stored data. Contact us to request deletion of any server-side data.
  • Transparency — the extension source code is available for audit. All transaction modifications are visible in your wallet's signing popup before you approve.

7. Permissions Justification (Browser Extension)

The Buff extension requests the following browser permissions:

storage

Store your settings, auth credentials, and round-up statistics locally.

activeTab / tabs

Communicate with the active tab during wallet connection setup. Required to relay messages between the popup and the page's wallet provider.

Content scripts on all URLs

Solana dApps exist on any domain. The extension must inject its wallet wrapper on every page to intercept transactions regardless of which dApp you use. The content script only activates when a Solana wallet provider is detected.

host_permissions: buff.finance

Make API requests to the Buff backend to calculate round-ups, fetch prices, and manage your portfolio.

8. Children's Privacy

Buff is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated “last updated” date. Continued use of Buff after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this privacy policy? Reach out on our GitHub or social channels.