Oliv Labs, Inc.

Privacy Policy

Last updated: May 19, 2026

Oliv is a non-custodial mobile wallet for payments and finance on the Monad blockchain. This policy explains, in plain language, what data the Oliv app and its backend collect, how that data is stored and shared, how long it is kept, and how you can delete it. If anything here is unclear, email us at support@oliv.space.

Summary

We do not use analytics SDKs, advertising networks, crash reporters, or any kind of third-party tracker.
Your private keys and seed phrase never leave your device. They live in iOS Keychain (and, if you opt in, iCloud Keychain) and we cannot read them.
We do operate a backend so the app can work. It stores your username, your wallet addresses, and a record of transactions you broadcast through Oliv. You can delete this data from inside the app at any time.
We do not sell your data. We do not share your data with advertisers or data brokers.

Who we are

Oliv is operated by Oliv Labs, Inc., a Delaware corporation in the United States. For privacy questions, data-access requests, or deletion requests, contact support@oliv.space.

What we collect and where it lives

We have grouped every piece of data the app touches by where it is stored, so you can see exactly what is on your device versus what is on our servers.

On your device only

The following data is stored on the device you installed Oliv on, encrypted by iOS, and is never sent to our servers:

Wallet private keys — generated on-device and held in the iOS Keychain.
Session token — a short-lived JWT (one-hour lifetime) issued after you sign an authentication challenge with your wallet.
App preferences and local UI state — your selected theme, whether you have hidden balances, etc.

Deleting the Oliv app from your device removes all of this data on that device.

On your device and synced via iCloud Keychain

If iCloud Keychain is enabled on your Apple ID, Oliv uses it to back up recovery material so you can restore your wallet on a new device. iCloud Keychain is end-to-end encrypted by Apple; Oliv Labs cannot read its contents. Items stored there:

BIP-39 seed phrase for your wallet.
Account derivation metadata and address labels (e.g. "Savings", "Daily") you assign to additional addresses.
Contacts you create inside Oliv — a name plus a wallet address. These are pairs you type into the app. Oliv does not read your phone's address book.

On the Oliv backend

Our backend (PostgreSQL, hosted on Railway) stores the data the app needs to function across devices and to enforce username uniqueness:

Identifiers. Your chosen username; your primary wallet address and any additional addresses you derive; and an opaque iCloud-account record identifier (CloudKit user record ID) used to deduplicate signups. The CloudKit identifier does not allow us to look up your Apple ID, email, real name, or any other Apple-account detail.
App attestation material. An Apple App Attest key identifier and its P-256 public key. These are used during signup to verify the request came from a genuine Oliv install on a real Apple device. They cannot be used to identify you outside of Oliv.
Transactions you broadcast through Oliv. For each transaction: the transaction hash, type (send, stake, unstake, swap, wrap/unwrap), token addresses, amounts (in wei and an estimated USD value at the time of broadcast), the recipient address, gas parameters, status (succeeded / failed / rejected / timed out), and a timestamp.
Aggregate balance snapshots. Periodic snapshots of your total portfolio value, used to draw the portfolio history chart inside the app.
Cumulative gas spent on your account, used for in-app gas-sponsorship accounting.
Operational logs. Standard HTTP request metadata and error traces (request path, response status, error stack) that our servers produce, retained for up to 30 days for debugging and abuse-prevention.

What we do not collect

Because we are sometimes asked, we want to be explicit about data that Oliv does not collect, even though many wallets and consumer apps do:

No name, email address, phone number, or physical address.
No precise or coarse location. The Android manifest declares the location permission only because Android requires it to scan for Bluetooth Low Energy devices on older OS versions; the Oliv app contains no code that reads your location.
No access to your device address book, photos, microphone, calendar, or health data. The camera is used only to scan QR codes containing wallet addresses; nothing is recorded.
No advertising identifier (Apple's IDFA), no analytics SDK, no crash reporter, no third-party tracker. We do not use Firebase, Google Analytics, Sentry, Crashlytics, Mixpanel, Amplitude, Segment, AppsFlyer, the Facebook SDK, or any comparable product.
No biometric data leaves the device. Face ID and Touch ID are handled entirely by iOS; the app receives only a pass/fail signal.
No tracking of you across other apps, websites, or services we do not own.

Third-party services that receive data

Some Oliv features depend on third-party services. Each is invoked only for the feature it powers, and only the data described below is shared:

Apple (App Attest and DeviceCheck). When you create an account, the app produces an attestation that proves it is a genuine Oliv install on a real Apple device. This is handled by Apple's frameworks and governed by Apple's privacy policy.
Monad public RPC nodes. The app reads on-chain state and broadcasts your signed transactions to the Monad network via standard JSON-RPC calls. These calls include your wallet addresses and the transactions you are sending, because that is how a public blockchain works.
Relay Protocol (relay.link). Used only when you initiate a cross-chain bridge deposit. Relay receives your source and destination chain, the currency and amount, and your wallet addresses, so it can quote and route the bridge.
Coinbase Onramp. Used only when you initiate a fiat purchase of crypto from inside Oliv. Payment is completed in Coinbase's hosted UI; Oliv does not see your payment-method details. Our backend forwards a session-token request authenticated by your wallet signature.
KyberSwap aggregator. Used only when you request a swap. KyberSwap receives the input and output tokens and the amount, with no identity attached, so it can return a route.
Railway. Hosts our backend infrastructure. Railway acts as a processor on our behalf and does not use Oliv data for its own purposes.

We do not sell or share data with advertisers, ad networks, data brokers, or any other parties for advertising or marketing purposes.

Public blockchain disclosure

Transactions you broadcast through Oliv are recorded on the Monad public blockchain. By design, they are permanently visible to anyone who looks at the chain, are not under our control, and cannot be deleted or modified by Oliv. The wallet addresses you create with Oliv become public the first time they appear in an on-chain transaction.

Bluetooth pairing

Oliv uses Bluetooth Low Energy (BLE) to let nearby Oliv users discover each other for in-person payments. When the pay-by-Bluetooth screen is active:

If you are receiving, Oliv advertises your wallet address and your optional username over BLE so a nearby device running Oliv can send a payment to you.
If you are sending, Oliv scans for nearby Oliv users and reads their advertised wallet address and username.

BLE communication is peer-to-peer between the two devices; no intermediary server is involved and no Bluetooth data is logged by Oliv. The app does not transmit persistent device identifiers such as MAC address or UDID, and Bluetooth is only active while the pay-by-Bluetooth screen is open.

How long we keep data

Account and transaction records on our backend are kept for the lifetime of your account. When you delete your account (see below), we soft-delete your record and release your username for re-use, and within 30 days we hard-delete your transaction history, address records, and portfolio snapshots.
App Attest key material may be retained in hashed form for up to 12 months after account deletion, solely for fraud and Sybil prevention.
Operational server logs have a rolling 30-day retention.
iCloud Keychain items (seed phrase, contacts, address labels) are not under our control. They persist across reinstalls and across the devices on your Apple ID until you remove them yourself in iOS Settings → Apple ID → iCloud → Passwords & Keychain.
On-device data (private keys, JWTs, preferences) is removed when you uninstall the app from a given device.

How to delete your data or revoke consent

From inside the app: open the side menu, choose Settings → Delete Account. This triggers a deletion request to our backend that soft-deletes your account and starts the 30-day hard-delete clock for your transaction and balance records.
By email: write to support@oliv.space from any address and tell us the username or primary wallet address you want deleted. We will verify the request by asking you to sign a short challenge with the wallet's private key, then complete the deletion within 30 days.
Uninstalling the app removes local data on that device but does not by itself delete your account on our backend. To remove backend data, use option 1 or 2.
To remove iCloud-Keychain-synced data (seed phrase, contacts, address labels), open iOS Settings → Apple ID → iCloud → Passwords & Keychain and remove the Oliv entries.

Your rights

Wherever you live, you can email support@oliv.space to request a copy of the data we hold about you, to correct it, to delete it, or to ask us to stop processing it. We will respond within 30 days.

If you are in the European Economic Area, the United Kingdom, or Switzerland: our legal basis for processing account, username, and transaction-record data is performance of the contract you enter into when you use Oliv. Our legal basis for processing App Attest material is our legitimate interest in preventing fraud and Sybil attacks against the service. You have the right to lodge a complaint with your local data protection authority.

If you are in California: we do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act, and we have not done so in the past 12 months. You have the right to know what we collect, to delete it, and not to be discriminated against for exercising these rights.

Children

Oliv is intended for users who are 18 years of age or older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an Oliv account, contact support@oliv.space and we will delete the account.

Security

Wallet keys are held in hardware-backed Keychain storage. Seed-phrase backup uses Apple's end-to-end-encrypted iCloud Keychain. All communication between the app and our backend is over HTTPS. Session tokens expire after one hour. No system is perfectly secure, however — do not share your seed phrase with anyone, including someone who claims to be from Oliv. We will never ask for it.

Non-custodial wallet

Oliv is a non-custodial wallet. We do not hold, control, or have access to your funds, your seed phrase, or your private keys at any time. They exist only on your device and, if you have iCloud Keychain enabled, in Apple's end-to-end-encrypted iCloud Keychain backup. If you lose access to your seed phrase and your iCloud Keychain backup, your funds cannot be recovered by Oliv Labs or by anyone else.

Changes to this policy

We will update the "Last updated" date at the top of this page whenever this policy changes. If the change is material, we will surface a notice inside the app before it takes effect.

Contact

Oliv Labs, Inc.
Delaware, USA
support@oliv.space