Privacy Policy

This Privacy Policy explains how Frosty World LLC ("Coinhost", "we", "us") collects, uses, and protects information when you use the Coinhost website (coinhost.com), the Coinhost Wallet mobile application, and related services (together, the "Services"). Coinhost is a Bitcoin self-custody product and consultancy. We have built the Services to collect as little personal information as possible.

1Who we are

The Services are operated by Frosty World LLC, a Delaware limited liability company. For any privacy question, or to exercise your rights below, contact us at privacy@coinhost.com. Our postal address is at the end of this policy.

2Information we collect

Information you give us

• Waitlist & consultation requests. When you join the waitlist or submit the consultation form, we collect your email address and any details you choose to provide (such as your name, an approximate holdings range, and your message).
• Account information (app). To use Coinhost Wallet you provide an email address and set authentication factors (PIN, biometrics, and recovery security questions).
• Support & correspondence. If you email us, we keep that correspondence to answer you.

Information created when you use the app

• Wallet metadata. To provide a watch-only view and coordinate signing, we process your vault's public keys (xpubs), output descriptors, Bitcoin addresses, and transaction history. This is public, on-chain information; it is not personally identifying on its own.
• Recovery records. When you initiate a recovery, we log the request, the cooling-period timeline, alerts sent, and the resulting signature, each with a correlation ID, for security and audit purposes.
• Device & technical data. Standard technical data needed to run a mobile app and secure service, such as device type, OS version, app version, push-notification tokens, IP address, and security/error logs.

What we do not collect or hold

• Your private keys. Coinhost Wallet is non-custodial. Your mobile key is generated and stored on your device's secure element; your hardware-wallet key never leaves that device. We cannot read, export, or reconstruct them.
• No KYC in v1. We do not collect government identification, and we do not run identity-verification (KYC) in the current version of the Services.
• No advertising trackers. We do not sell personal information and we do not use third-party advertising or cross-site tracking cookies.

3How we use information

• To provide, maintain, and secure the Services, including coordinating 2-of-3 signing and the recovery process you request.
• To respond to waitlist sign-ups, consultation requests, and support messages.
• To send service and security communications (for example, recovery alerts and important notices). We will only send marketing email with your consent, and you can unsubscribe at any time.
• To detect, prevent, and investigate fraud, abuse, and security incidents.
• To comply with legal obligations that apply to us.

Our legal bases for processing (where the GDPR applies) are performance of a contract, your consent, our legitimate interests in operating and securing the Services, and compliance with law.

4Service providers we share with

We do not sell your data. We share information only with vetted providers who process it on our behalf under contract, and only as needed to run the Services:

• Vercel — website and serverless hosting.
• Resend — transactional and waitlist email delivery.
• Amazon Web Services — infrastructure and the CloudHSM that holds the recovery key.
• Apple & Google — app distribution and push notifications, subject to their own privacy policies.

We may also disclose information if required by law, to enforce our Terms, or to protect the rights, safety, and property of our users or others.

5Data retention

We keep personal information only as long as needed for the purposes above or as required by law. Waitlist and consultation messages are kept until they are no longer needed and then deleted on request. Security and recovery audit logs are retained for a limited period appropriate to their security purpose. You can ask us to delete information we hold about you at any time.

6Security

Security is the core of the product, and it extends to how we handle data: encryption in transit (TLS 1.3), hardware isolation of key material (device secure elements and a FIPS 140-2 Level 3 HSM), least-privilege access, and append-only audit logging. No system is perfectly secure, but the architecture is designed so that a failure on our side cannot move your funds. See our Security model for detail.

7Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. To exercise any of these, email privacy@coinhost.com. You also have the right to lodge a complaint with your local data-protection authority.

8International transfers

We are based in the United States and our providers may process data in the US and other countries. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for international transfers.

9Children

The Services are not directed to anyone under 18, and we do not knowingly collect information from children. If you believe a child has provided us information, contact us and we will delete it.

10Changes to this policy

We may update this policy as the Services evolve. We will revise the "Last updated" date above and, for material changes, provide a more prominent notice. Continued use of the Services after a change means you accept the updated policy.

11Contact

Questions about privacy? Email privacy@coinhost.com.