[01]
TL;DR
We don't run a backend. We don't store your password, your private keys, your encrypted blobs, or any personal data. Your claim links live inside the URL fragment, which never reaches our server.
The rest of this document explains exactly what touches what, what third parties are involved, and what your rights are. The shortest honest summary: there is almost nothing for us to share, leak, or subpoena.
[02]
Scope of this policy
This Privacy Policy applies to the CLAIMA marketing site at claima.fun and to the in-browser application at /c, /c/new, and /c/mine. It covers any personal data we receive about you, directly or indirectly, through your use of the Service.
This policy does not cover third-party tools you choose to use in combination with CLAIMA — such as Phantom, Solflare, Backpack, Helius, or the Solana network itself. Each of those operates under its own privacy practices, which you should review separately.
[03]
No accounts, no profiles
CLAIMA does not require, allow, or support user accounts. There is no sign-up form, no email address, no username, no profile. We have no way to link the actions of one visitor to those of another, beyond what your own wallet activity reveals on a public blockchain.
[04]
What we collect
When you load a page on claima.fun, our hosting provider (Vercel) automatically receives certain technical information in HTTP request headers, in line with standard web practice. This typically includes:
- Your IP address
- Your user agent (browser and OS version)
- The URL path you visited (e.g. /c/new)
- A referrer URL, if your browser sends one
We do not place this information into our own database. Vercel retains it according to its own retention schedule, primarily for security and abuse-prevention purposes.
We do not collect form contents (amounts, passwords, notes) — those are processed entirely in your browser and never leave your device.
[05]
URL fragments & encryption
When you create a claim link, the temporary wallet's secret key and optional note are encrypted in your browser using AES-256 in GCM mode. The encryption key is derived from your password via PBKDF2 (SHA-256, 250,000 iterations).
The resulting payload — encrypted secret, temporary wallet public key, lamport amount, network name — is encoded as base64url and placed in the URL fragment (the part after #). By design, browsers do not transmit URL fragments to web servers. This means we — and any operator of any host between you and us — never see the encrypted blob, even when you share the link.
If you forward a link to a recipient and they open it, the same rule applies on their device: only their browser sees the encrypted payload.
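The scheme described in this section, sketched with the WebCrypto API as an added example; it is not CLAIMA's own code. The JSON field names, the 16-byte salt, the 12-byte IV, the /c path for claim links and the helper names are assumptions; the cipher, KDF, iteration count and base64url fragment come from the text above.

```javascript
// Added example. Payload layout, salt/IV sizes and function names are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// PBKDF2 (SHA-256, 250,000 iterations) -> AES-256-GCM key, as the policy states.
async function deriveKey(password, salt) {
  const base = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 250000 },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt the temporary wallet secret and pack everything into the fragment.
async function buildClaimUrl(origin, password, secretKey, meta) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // assumed salt size
  const iv = wc.getRandomValues(new Uint8Array(12));   // usual GCM nonce size
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, secretKey));
  const payload = { ...meta, salt: b64u(salt), iv: b64u(iv), ct: b64u(ct) };
  return `${origin}/c#${b64u(new TextEncoder().encode(JSON.stringify(payload)))}`;
}

// Recipient side: parse the fragment locally and decrypt with the password.
async function openClaimUrl(url, password) {
  const frag = new URL(url).hash.slice(1);
  const p = JSON.parse(new TextDecoder().decode(unb64u(frag)));
  const key = await deriveKey(password, unb64u(p.salt));
  // decrypt() rejects on a wrong password or an altered blob (GCM tag check).
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(p.iv) }, key, unb64u(p.ct));
  return { ...p, secretKey: new Uint8Array(pt) };
}

// What the browser places on the HTTP request line: path and query only.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}
```

In this sketch the amount, network and public key travel in the fragment unencrypted and are not covered by the GCM tag. Anyone who holds the full link can test password guesses offline, so the iteration count slows guessing but does not replace a strong password.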
[06]
Local storage
The /c/mine page lists claim links you created on this device. We store this list in your browser's localStorage under the key claima.history.v1. The list contains, for each entry, the full claim URL (which includes the encrypted blob), the lamport amount, the network, an optional note, and a creation timestamp.
We never read this storage from any server — it is local to your browser. You can clear it at any time from the "Clear all" button on the /c/mine page, by removing individual entries, or by clearing site data in your browser settings.
The application also does not set any session cookies or authentication cookies of any kind.
[07]
Wallet connections
When you click "Connect wallet," the Solana wallet adapter library in your browser communicates directly with your installed wallet extension (Phantom, Solflare, etc.). The extension exposes your public key and signing capability to the page. We do not intercept or persist this information server-side.
The wallet extension itself records the fact that the CLAIMA origin has been "trusted." You can revoke that trust in the extension's settings at any time. This action does not notify us.
[08]
Third-party RPC providers
To read balances and broadcast transactions, the application uses a Solana JSON-RPC endpoint. By default this is either the public Solana endpoint (api.devnet.solana.com / api.mainnet-beta.solana.com) or, if configured by the operator, a Helius endpoint.
These requests originate from your browser. The RPC provider therefore sees your IP address, the calls you make, and the public keys you query. Their privacy policy governs what they do with that data. We do not proxy these calls.
[10]
Children
CLAIMA is not directed at children under the age of 13 (or 16 in jurisdictions where that is the applicable threshold under GDPR-K), and we do not knowingly process the personal data of children. If you believe a child has been provided with access to CLAIMA, please contact us so we can address the situation.
[11]
Data retention
We do not retain personal data ourselves, because we do not collect it. Vercel's server logs are retained according to its own schedule (currently 30 days for standard access logs at the time of writing). The Solana blockchain is, by its nature, a permanent public record — once a transaction is included in a block, it cannot be removed.
[12]
International users
CLAIMA is accessible globally. Because we do not maintain a database of personal data, there is nothing for us to transfer internationally on your behalf. Any data that does flow to a third party (wallet extension, RPC provider) flows directly from your browser to that provider; we are not the data exporter.
[13]
Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and the right to data portability and to lodge a complaint with your local data-protection authority.
Because we do not hold personal data about you, requests for access, correction, or deletion will typically be answered with confirmation that we have nothing to act on. For data held by the third parties listed above (your wallet provider, the RPC endpoint, Vercel), please address requests directly to them.
[14]
Changes to this policy
We may update this Privacy Policy from time to time, especially if we add features that change what data is processed (for example, if we ever introduce server-side persistence or analytics). When we do, we will update the "Last updated" date at the top of this page and, for material changes, provide notice in the user interface.
[15]
Contact
For any privacy-related question, reach out via the X / Twitter link in the footer of the landing page. For sensitive reports, please contact us privately rather than disclosing publicly.