Privacy Policy

This Privacy Policy explains how Sudo Labs Inc. and its affiliates ("Sudo", "we", "us") collect, use, share and protect information when you connect a wallet to, install, or otherwise use the Sudo apps, websites, browser extensions, smart contracts and APIs (collectively the "Service").

Sudo is a non-custodial Web3 messenger. Your blockchain wallet — not an email or phone number — is your identity. Because every message and call is end-to-end encrypted on your device, Sudo cannot read your conversations even if it wanted to. The categories of data we do touch, and the permissions our apps request from your operating system, are described in detail below.

If you do not agree with this policy, please do not connect a wallet to or otherwise use the Service.

End-to-end encryption (E2EE) — content is encrypted on your device before it leaves and only the intended recipients can decrypt it. Sudo cannot read E2EE content.

Wallet — your software (e.g. MetaMask, Rainbow, Phantom) or hardware (e.g. Ledger, Trezor) signer that holds the private key controlling your blockchain address.

Metadata — information about a message or call (sender, recipient, size, timestamp) but not the content itself.

On-chain data — information already published to a public blockchain that anyone can read.

When you connect a wallet to Sudo we receive only what your wallet chooses to disclose:

• Public wallet address (e.g. 0x21f…c8) and the chain it's on.
• Sign-In-With-Ethereum (SIWE) signature proving you control that address.
• Linked names you choose to attach (.sudo, ENS, Lens, Farcaster, Basenames, Unstoppable Domains).
• Linked secondary wallets if you opt into multi-wallet sign-in (e.g. an Ethereum + Solana pair).
• Profile information you set yourself — display name, avatar, bio, status — stored on your device and on a public on-chain profile if you mint one.

We never request your private key, seed phrase, or any signature that authorises a transfer of funds at sign-in time.

Sudo's messenger is end-to-end encrypted. Practically:

• Direct message content — encrypted with libsignal on your device. Sudo cannot read it.
• Group & channel content — encrypted with MLS (RFC 9420). Group keys are derived between participants; Sudo never holds them.
• Voice and video media — streamed peer-to-peer where possible, otherwise via a Selective Forwarding Unit (SFU). Per-call MLS keys mean the SFU never decrypts media.
• Attached files, photos, voice notes, NFTs — encrypted before upload and decrypted only by the intended recipients. We hold the ciphertext blob plus the routing metadata necessary to deliver it.
• Reactions, replies, threads — same E2EE envelope as the message itself.
• Disappearing or view-once media — ciphertext is deleted from the relay as soon as every intended recipient has confirmed receipt or the timer expires.

Sudo Labs employees, vendors and government agencies cannot obtain plaintext from us because we do not have it.

To route encrypted payloads we necessarily process some metadata:

• Sender and recipient wallet addresses (or relay identifiers).
• Approximate ciphertext size and timestamp.
• Channel or group identifier.
• Delivery state (queued, delivered, fetched) — until the message is acknowledged by all devices.
• Push-notification tokens used by Apple, Google or browser push services so we can wake your device to fetch a new message.
• Call signalling metadata (start, end, who joined, whether the call was group or 1:1).

Service metadata logs are retained for up to ninety (90) days, then aggregated or deleted.

When you install or open a Sudo app we collect basic technical data needed to operate, secure and improve the Service:

• Device manufacturer, model, operating system, OS version, Sudo app version, locale and time zone.
• IP address (used for rate limiting, abuse prevention, routing, and inferring coarse country for sanctions compliance — never published or sold).
• Network type (Wi-Fi vs cellular), connection quality and latency — used to adapt voice/video bitrate.
• Crash logs, performance traces and diagnostic events (with personal identifiers removed where feasible).
• A randomly-generated install ID per device, used only to link related crash reports — never linked to your wallet or content.

Diagnostic uploads can be turned off in Settings → Privacy → Diagnostics.

Sudo features rely on reading public blockchain data, including:

• Token, NFT and POAP ownership for token-gated chats and smart-group membership.
• Transactions emitted by the Sudo Escrow, Validator Registry, .sudo Name Registry, Mining Distributor and SUDO token contracts.
• Public reputation signals (ENS reverse records, attested credentials, validator bond size).

Blockchain data is, by design, public and permanent. It is outside Sudo's control and can't be deleted or redacted by us.

We may receive limited information from:

• Wallet providers / WalletConnect — your public address and signed challenge.
• Name registries (ENS, Lens, Farcaster, Unstoppable, Basenames) — public name-to-address mappings.
• RPC and indexer providers — block data needed to render balances and contract events.
• Push providers (Apple Push, Firebase Cloud Messaging, Web Push) — opaque device tokens.
• Anti-fraud providers — heuristics about known scam/drainer addresses to power the Scam Inbox and Approval Revoker.
• Auditors and bug-bounty platforms — responsibly-disclosed vulnerabilities.

Private keys, seed phrases, passwords, government IDs, Social Security or tax numbers, biometric templates (those stay inside your device's secure enclave), full fingerprint / face data, your real name, your home address or your phone number — unless you explicitly choose to provide one of these to a feature that requires it (e.g. Backup Vault contact for social recovery).

Below is the full list of operating-system permissions that Sudo apps may request, what each is used for, and how to revoke it. Permissions are opt-in on first use; you can deny any of them and continue using most of Sudo with reduced functionality. To revoke a granted permission go to your operating system settings (e.g. iOS Settings → Sudo, Android Settings → Apps → Sudo → Permissions, macOS System Settings → Privacy & Security, Windows Settings → Privacy).

Camera

Requested when you tap the camera button to take a photo or video for chat, start a video call, change your profile picture, scan a wallet-connect QR code, scan a .sudo name QR or scan a payment / smart-group invite QR. Camera frames are processed on-device; nothing is uploaded unless you send the resulting media.

Microphone

Requested for voice notes, voice channels, audio calls, video calls, push-to-talk and on-stream tipping audio cues. Audio is encoded with Opus and end-to-end encrypted. We do not capture ambient audio outside an active recording or call.

Photos / media library

Requested when you attach a photo, video, GIF or NFT from your gallery to a chat, profile, group banner or escrow evidence card. Sudo accesses only the file you pick. Optional "limited library" mode (iOS / Android 14+) is fully supported.

Files & storage

Requested when you attach documents (PDF, ZIP, code, spreadsheets), download received files, save voice notes, or export your chat history. On Android we use the Storage Access Framework so we never see files you haven't picked.

Contacts (address book)

Optional. If you grant it, Sudo can match your phone-book contacts against wallets that have publicly opted into contact discovery. We never upload your full address book; matching uses salted, truncated hashes computed on-device and discarded after each lookup. You can disable this at any time and re-trigger discovery only when you choose.

Location — coarse

Requested for compliance routing (to honour sanctions rules), nearest SFU selection for low-latency voice/video, and discovering nearby in-person events. Coarse location is approximate to the nearest city and is not persisted beyond the session.

Location — precise (live & one-time)

Requested only when you choose to share your location with another user or group. Two modes are supported:

• Live location — streams your position to the chosen recipients for a fixed window (15 minutes, 1 hour, 8 hours). End-to-end encrypted, with a clear banner while active. Stops automatically when the timer ends or you cancel.
• Location ping — a single end-to-end-encrypted location card sent once into the chat, like a pinned photo. Recipients can open it in their map app.

Sudo Labs never sees your live or one-time location: both are encrypted under the chat's message keys and pass through the relay as opaque ciphertext.

Push notifications

Requested so we can wake your device when a new DM, payment, escrow event, validator vote, mining payout or security alert arrives. Notification payloads are kept minimal — typically just a sender alias and a generic preview, never message contents in plaintext on the provider's servers.

Bluetooth

Requested for hardware-wallet sign-in over Bluetooth (e.g. Ledger Nano X), and optionally for in-person proximity proofs at events (Bluetooth-LE attendance ticket verification). Sudo does not scan for nearby devices in the background.

NFC

Requested for NFC-tap pairing with hardware wallets that support it, and for NFC-tap payments at supported merchants and events. NFC is invoked only while the relevant screen is open.

Background app refresh

Requested so Sudo can fetch new encrypted messages, refresh wallet balances, listen for validator-vote windows and deliver push notifications even when the app is in the background. Disabling this means you may receive notifications later or miss live calls.

Biometric authentication (Face ID / Touch ID / Windows Hello / Android Biometric)

Optional. Requested if you enable App Lock, biometric unlock for individual chats ("Chat Lock"), or biometric confirmation for high-value payments. The biometric template never leaves your device's secure enclave; Sudo only receives a yes/no result.

Local network / Bonjour / mDNS

Optional. Requested only if you enable peer-to-peer discovery on the same Wi-Fi (used for offline-first meshing at hackathons or conferences). No data is sent outside your local network unless you initiate a chat.

Calendar

Optional. Requested when you accept a Stage event or ticket NFT and choose to add it to your calendar. We add only the events you confirm; we never read existing calendar entries.

Motion & activity

Optional. Used by the voice engine to choose between stationary (higher-fidelity) and mobile (more aggressive noise-suppression) audio profiles. No motion data leaves the device.

Screen recording / screen sharing

Requested only when you tap "Share screen" in a call or stage room. Every other participant sees an explicit on-screen indicator while sharing is active. We do not record the screen otherwise.

Clipboard

Sudo reads the clipboard only when you paste into the app (e.g. pasting a wallet address into the recipient field). We do not poll the clipboard in the background. iOS will show its standard "pasted from" banner when this happens.

System keychain / secure enclave

Used to securely store your Sudo session keys, encryption subkeys and (optionally) your wallet's passphrase hint. We never extract keys outside the secure enclave.

App Tracking Transparency (iOS)

Sudo does not track you across other apps and websites owned by other companies. Apple's ATT prompt will therefore not be shown.

Advertising ID (Android / iOS)

We do not read or use your advertising ID. There is no advertising in Sudo.

In addition to operating-system permissions, Sudo asks your wallet for very specific permissions:

• Read your address at sign-in (no signature, no transaction).
• Sign a SIWE challenge — a human-readable message proving you control the address. This signature cannot move funds.
• Per-action transaction signatures — for every payment, escrow funding, mining claim, name mint or validator action. Your wallet displays the full details before signing.
• Optional session limits — you may pre-approve a daily or per-app spending cap so small, recurring actions don't need a popup. Limits expire automatically and can be revoked from Settings → Wallet → Connected apps.
• App-level permissions — when you add an app from the App Directory you grant it scoped access (read messages addressed to it, post in a channel, request payment up to a limit). Apps cannot exceed their scope and can be revoked any time.
• Smart-group indexing — you grant Sudo permission to read public on-chain events for the contracts you attach to a group; we never read private data.

Several features let you share information directly with other Sudo users. All are end-to-end encrypted; you control what gets shared, with whom and for how long.

Live & one-time location sharing

Send your location into a 1:1 chat or a group. Live location runs for a timer you set; one-time location is a single pin. Recipients can revoke the shared key on their side; you can stop sharing instantly.

Status / presence

Optional "online", "in voice", "mining streak", "in escrow" presence shown to your contacts and group members. Disable per-room or globally in Settings → Privacy → Presence.

Last seen

Last seen is off by default. If you enable it, your contacts see only an approximate window (e.g. "a few minutes ago").

Read receipts

Off by default in DMs from non-contacts; on by default in groups you own. You can disable in Settings → Privacy → Read receipts.

Typing indicator

Sent only to the other party in an active conversation. Toggle in Settings → Privacy.

Disappearing messages

Configure on a per-chat basis: 24 hours, 7 days, 30 days, 90 days. Both sides' copies are deleted when the timer expires. Screenshots cannot be reliably prevented; Sudo notifies the chat when iOS or macOS reports a screenshot of an active disappearing message.

View-once media

Photos and videos that vanish after a single view. The client refuses to save them and notifies the sender if screenshot is detected.

Voice and video notes

Recorded on-device, encrypted, and uploaded as ciphertext. Recipients can play (and replay until disappearing-message timer expires).

Group privacy

Group owners can hide member lists, restrict who can add new members, require token-gated entry, or enforce .sudo-name-only participation.

Block & report

Blocking a wallet stops new messages, calls and payments from that wallet to you. Reporting a wallet shares the offending message metadata and a small content snippet (only with your consent) with the safety team.

We use information to:

• Operate, maintain and secure the Service.
• Route encrypted messages and calls.
• Calculate and pay mining rewards, escrow fees and validator earnings.
• Detect and prevent abuse, fraud, drainer attacks, spam-bot rings and sybil mining farms.
• Send security or service notifications (e.g. unusual sign-in, validator slash warning).
• Improve product quality through aggregated, anonymous usage analytics.
• Comply with applicable law (sanctions screening, responses to lawful requests).

We do not use information to build advertising profiles, to serve ads, or to train large language models on your content.

We share information only as described below:

• With other Sudo users — anything you choose to send, post or share.
• With infrastructure providers who host the relay, push, voice/video SFU, RPC, indexers and storage. Each is contractually limited to processing ciphertext / metadata on our behalf.
• With validators — only opaque dispute receipts and any evidence you explicitly attach. Your identity stays pseudonymous to the panel.
• With auditors performing security or financial audits, under NDA.
• With public blockchains when you initiate a transaction; this data becomes permanent and public.
• With law enforcement in response to valid legal process, after our independent review. Where law permits we will notify affected users.
• In a corporate transaction — if Sudo is acquired, merged or reorganised, this policy continues to apply unless you accept a new one.

We do not sell personal information, ever.

We use the following categories of vendors, each contractually bound to confidentiality, security and purpose limitation. The current list of named vendors is published on our trust portal.

• Cloud hosting & object storage (encrypted at rest).
• Push notification services (Apple, Google, Web Push).
• Voice and video SFU providers.
• RPC and blockchain indexing providers.
• Anti-abuse and threat-intelligence providers.
• Crash reporting and observability tools.
• Payment processors for fiat services we don't operate today (none currently).
• Customer support tooling (only used if you write to us).

Direct messages use the Signal Protocol (libsignal). Group rooms use the Messaging Layer Security protocol (RFC 9420). Voice and video calls negotiate per-call MLS keys; the SFU forwards encrypted media without decryption.

Encryption keys are generated and stored on your device, under your wallet's signature. Multi-device sync uses per-device subkeys. We support forward secrecy and post-compromise security by default.

Smart contracts are audited by Trail of Bits, Spearbit, Code4rena, OpenZeppelin and Halborn (full reports published at /audits). Critical findings qualify for a bug bounty up to USD 250,000.

We retain different types of data for different periods:

• Encrypted message ciphertext on the relay — up to 30 days, or until every recipient's device has acknowledged receipt, whichever is sooner.
• Disappearing / view-once content — deleted as soon as the timer expires or the single view is consumed.
• Service metadata logs — 90 days, then aggregated or deleted.
• Diagnostic / crash reports — 180 days.
• Wallet activity & on-chain data — permanent on-chain; outside our control.
• Support tickets — 24 months from resolution.
• Records required by law — for the legally-required period.

We process data in the United States and the European Union. Where we transfer data internationally we rely on approved safeguards including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms in other jurisdictions. EU residents may obtain a copy of the safeguards by writing to privacy@su.do.

Subject to your jurisdiction, you have the following rights with respect to personal data we hold about you. You can exercise most of them in-app from Settings → Privacy.

European Union & European Economic Area (GDPR)

• Right of access, rectification and deletion.
• Right to data portability.
• Right to object to or restrict processing.
• Right to lodge a complaint with your local supervisory authority.

United Kingdom (UK GDPR)

The same rights as above; the supervisory authority is the Information Commissioner's Office (ICO).

California (CCPA / CPRA)

• Right to know what personal information we collect, use, disclose and (if applicable) sell.
• Right to delete personal information.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing — note we do not sell or share for cross-context behavioural advertising.
• Right to non-discrimination for exercising rights.

Brazil (LGPD), India (DPDPA), Australia, Canada, Japan, South Korea & elsewhere

Equivalent rights of access, correction, deletion and complaint to the local data-protection authority. Contact us at privacy@su.do to exercise them.

Sudo uses automated systems to score conversations for mining rewards, to detect spam and sybil farms, and to flag scam-link or wallet-drainer behaviour. None of these decisions has legal effect on you. You can request human review of any mining or anti-abuse decision via privacy@su.do.

The Sudo website uses minimal cookies. You can manage them in /cookies. The native apps do not use browser cookies; instead they use the system keychain to hold your encrypted session.

We do not use third-party advertising cookies, pixels or cross-site trackers.

We send transactional notifications (security alerts, account changes, validator events, mining payouts). Optional product updates can be turned off in Settings → Notifications → Newsletters.

You can disconnect your wallet at any time from Settings → Account → Disconnect. Disconnection immediately stops new metadata collection and removes local copies of your messages and encryption keys from that device.

Full account deletion (Settings → Account → Delete account) additionally:

• Removes your profile from search and discovery.
• Drops your relay-side queue and metadata logs.
• Revokes your push tokens and session subkeys.
• Forfeits any unclaimed mining rewards after the standard 30-day grace period.

On-chain data — including your .sudo name, validator bond, mining payouts already claimed, escrow history and any past transactions — remains on the public blockchain and cannot be deleted by Sudo.

From any other signed-in device, go to Settings → Account → Devices to view active sessions and revoke any of them. Revocation rotates your encryption subkeys and forces a fresh wallet signature on the affected device. For a totally lost wallet, see /security and the Backup Vault tool.

Sudo supports up to ten linked devices per wallet. Each device has its own encryption subkey signed by your main wallet. Messages decrypted on one device fan out to the others through end-to-end encrypted multi-device delivery.

Optional cloud backups (iCloud Drive, Google Drive) store encrypted ciphertext only. The encryption key for the backup never leaves your device unless you save a recovery phrase yourself or shard it with friends via the Backup Vault.

When you add an in-chat app or bot from the App Directory, that app receives only the data its declared scope allows (read messages addressed to it, post replies, request payment up to a session cap, etc.). Apps cannot access encrypted DMs they were not addressed to. You can revoke any app any time and view a per-app activity log under Settings → Apps.

Reporting another wallet shares the offending message metadata, your stated reason and (optionally) a small content snippet with the safety team. Sudo Labs may issue a warning, throttle a wallet's reach, or deny-list it from the hosted relay. The wallet can still interact with on-chain Sudo contracts directly. Every action is appealable via /feedback; appeals are ultimately reviewed by a 5-validator panel.

We respond only to valid, narrowly scoped legal process. We cannot produce message content because we do not have it. For service metadata, we evaluate every request, push back on overbroad ones, and (where lawful) notify the affected user before disclosure. Aggregate request statistics are published in our annual transparency report.

Your IP address is processed at connection time for routing, abuse prevention and sanctions compliance. We do not log full IP addresses long-term; only a hashed, truncated form is retained for security analytics. You can additionally connect through a VPN, Tor or your own self-hosted relay to remove our visibility entirely.

Sudo is not directed at children under 13 (under 16 in the EEA). We design extra protections for teens (default-off DMs from strangers, family wallet controls). If you believe a child has connected a wallet to Sudo, contact privacy@su.do and we will take appropriate action.

We will post the updated policy with a fresh "last-updated" date and (for material changes) an in-app notice and an on-chain announcement from the Sudo Labs treasury. Continued use of the Service after the effective date constitutes acceptance.

For privacy questions, requests under any data-protection law, or to report a privacy issue, write to:

• privacy@su.do — general privacy inbox.
• eu-privacy@su.do — EU representative inbox.
• dpo@su.do — Data Protection Officer.
• security@su.do — vulnerability reports (bug bounty up to USD 250,000).

Postal address: Sudo Labs Inc., 1209 N Orange Street, Wilmington, DE 19801, United States. EU representative: Sudo Labs Europe GmbH, Skalitzer Straße 50, 10997 Berlin, Germany.