Sovran is designed with privacy as a core principle. This page documents the privacy-preserving features and architectural decisions.

Privacy Principles

No Data Collection

Zero analytics, telemetry, or tracking. No user data leaves your device.

Local-First Storage

All data stored locally on-device. No cloud servers, no remote databases.

Privacy-Preserving Ecash

Cashu protocol provides unlinkable, untraceable transactions.

Encrypted Messaging

End-to-end encrypted Nostr DMs with forward secrecy (NIP-17).

Zero Data Collection

Sovran collects zero analytics, telemetry, or user data. There are no tracking libraries, no crash reporters, no usage statistics.

What We DON’T Collect

  • No analytics or usage tracking
  • No IP addresses or network metadata
  • No location data (unless you opt-in to local stamps)
  • No personal information
  • No transaction history on remote servers
  • No contact lists or social graphs
  • No crash reports or error logs

Code Verification

You can verify zero tracking by auditing the codebase:
Search for Tracking Libraries
# No analytics SDKs
grep -r "analytics" package.json
grep -r "mixpanel\|amplitude\|segment" .

# No crash reporters
grep -r "sentry\|bugsnag\|crashlytics" .

# No ad networks
grep -r "admob\|facebook.*sdk" .
Result: No tracking dependencies found
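
The grep commands above match file contents, so on an installed project they also scan node_modules and hit unrelated words such as "segment", while the package.json check only sees direct dependencies. The script below is an added example, not part of the Sovran codebase: it matches the same terms against package names in package.json and in an npm lockfile, which also lists transitive dependencies. The sample manifest, the lockfile and the package name some-ui-kit are constructed.

```javascript
// Added example: audit dependency *names* (direct and transitive) for tracker SDKs.
// The term list mirrors the grep patterns on this page; extend it for your own audit.
const TRACKER_TERMS =
  /(analytics|mixpanel|amplitude|segment|sentry|bugsnag|crashlytics|admob|facebook.*sdk)/i;

// Direct dependencies declared in package.json.
function directDeps(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  return sections.flatMap((s) => Object.keys(pkg[s] || {}));
}

// Every installed package from an npm lockfile (lockfileVersion 2/3 "packages" map).
// Keys look like "node_modules/a/node_modules/@scope/b"; keep the last package name.
function lockedDeps(lock) {
  return Object.keys(lock.packages || {})
    .filter((path) => path !== '') // "" is the root project itself
    .map((path) => path.split('node_modules/').pop());
}

// Returns [{ name, transitive }] for every package whose name matches a tracker term.
function auditDependencies(pkg, lock) {
  const direct = new Set(directDeps(pkg));
  const all = new Set([...direct, ...lockedDeps(lock)]);
  return [...all]
    .filter((name) => TRACKER_TERMS.test(name))
    .sort()
    .map((name) => ({ name, transitive: !direct.has(name) }));
}

// Constructed sample input (not Sovran's real manifest or lockfile).
const samplePkg = { dependencies: { 'expo-secure-store': '1.0.0', 'some-ui-kit': '1.0.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/expo-secure-store': {},
    'node_modules/some-ui-kit': {},
    'node_modules/some-ui-kit/node_modules/@sentry/react-native': {},
  },
};

console.log(auditDependencies(samplePkg, sampleLock));
```

An empty result means no package name matched; it says nothing about code that phones home without a recognisable name, which is what the network-traffic audit is for.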

Local-Only Storage

All user data is stored exclusively on your device:
expo-secure-store (iOS Keychain / Android Keystore)
Stores:
  • BIP-39 mnemonic seed phrase
  • Derived Nostr keys (cached)
  • Derived Cashu mnemonic (cached)
  • Migration flags
Never synced to cloud, never backed up via iCloud/Google.

No Cloud Backups

Sovran explicitly excludes sensitive data from cloud backups:
iOS Keychain Configuration (helper/secureStorage.ts:11-15)
const IOS_SECURE_OPTIONS = {
  requireAuthentication: false,
  authenticatePrompt: 'Authenticate to access your Sovran wallet',
  // expo-secure-store defaults to kSecAttrAccessibleWhenUnlockedThisDeviceOnly
  // This prevents iCloud Keychain sync
} as const;
  • iOS: Secure enclave items marked WhenUnlockedThisDeviceOnly (no iCloud sync)
  • Android: Keystore items are device-specific (no Google backup)

Privacy-Preserving Ecash (Cashu)

Cashu protocol provides strong privacy guarantees similar to physical cash:

How Cashu Protects Privacy

When you receive ecash:
  1. Your wallet generates a random secret
  2. Blinds the secret before sending to mint
  3. Mint signs the blinded value (can’t see original)
  4. You unblind the signature to get valid token
Result: Mint cannot link the issued token to your identity.
When you spend ecash:
  • You reveal the secret (to prove ownership)
  • Mint verifies signature and burns token
  • Mint cannot link this spend to the original issuance
Result: No transaction graph, no spending history.
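
The issuance and spend steps above, carried through on secp256k1 as an added example (not Sovran or Cashu library code). It assumes a single mint key k, uses a simplified hash-to-curve instead of the exact encoding Cashu specifies, and the names roundTrip, mintSawY and mintSawC are hypothetical.

```javascript
// Added example: blind-signature round trip (blind, sign, unblind, verify) on secp256k1.
const { createHash, randomBytes } = require('node:crypto');

const P = 2n ** 256n - 2n ** 32n - 977n; // field prime
const N = BigInt('0x' + 'ffffffff'.repeat(3) + 'fffffffebaaedce6af48a03bbfd25e8cd0364141'); // group order
const G = [0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
           0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n]; // generator

const mod = (a, m = P) => ((a % m) + m) % m;
function pow(b, e, m = P) { // square-and-multiply
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}
function add(A, B) { // affine point addition; null is the point at infinity
  if (!A || !B) return A || B;
  const [x1, y1] = A, [x2, y2] = B;
  if (x1 === x2 && mod(y1 + y2) === 0n) return null;
  const s = x1 === x2 ? mod(3n * x1 * x1 * pow(2n * y1, P - 2n))
                      : mod((y2 - y1) * pow(x2 - x1, P - 2n));
  const x3 = mod(s * s - x1 - x2);
  return [x3, mod(s * (x1 - x3) - y1)];
}
const neg = (A) => A && [A[0], mod(-A[1])];
function mul(k, A) { // double-and-add scalar multiplication
  let R = null;
  for (; k > 0n; k >>= 1n, A = add(A, A)) if (k & 1n) R = add(R, A);
  return R;
}
const randScalar = () => mod(BigInt('0x' + randomBytes(32).toString('hex')), N - 1n) + 1n;
function hashToCurve(secret) { // simplified try-and-increment (assumption, not Cashu's encoding)
  for (let i = 0; ; i++) {
    const x = mod(BigInt('0x' + createHash('sha256').update(`${secret}:${i}`).digest('hex')));
    const y2 = mod(x ** 3n + 7n), y = pow(y2, (P + 1n) / 4n);
    if ((y * y) % P === y2) return [x, y];
  }
}
function roundTrip() {
  const k = randScalar(), K = mul(k, G);          // mint private key k, public key K
  const secret = randomBytes(32).toString('hex'); // 1. wallet generates a random secret
  const Y = hashToCurve(secret);
  const r = randScalar();                         //    blinding factor, never leaves the wallet
  const B_ = add(Y, mul(r, G));                   // 2. blinded message sent to the mint
  const C_ = mul(k, B_);                          // 3. mint signs without seeing Y
  const C = add(C_, neg(mul(r, K)));              // 4. wallet unblinds; token is (secret, C)
  const same = (A, B) => A[0] === B[0] && A[1] === B[1];
  // Spend: mint recomputes k*Y from the revealed secret; it only ever saw B_ and C_ at issuance.
  return { valid: same(C, mul(k, Y)), mintSawY: same(B_, Y), mintSawC: same(C_, C) };
}
console.log(roundTrip());
```

The values the mint handled at issuance (B_, C_) differ from what it sees at spend (secret, C) by the factor r, which only the wallet knows.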
Privacy properties:
  • ✅ Mint cannot track spending patterns
  • ✅ Mint cannot identify payer/payee
  • ✅ Amounts are private (encrypted in proofs)
  • ⚠️ Mint can see total wallet balance changes (not individual transactions)
  • ⚠️ Different mints can’t see each other’s transactions
Unlike Bitcoin:
  • No public transaction ledger
  • No address reuse tracking
  • No chain analysis
  • No UTXO clustering
Ecash transactions are completely off-chain.
See Cashu Overview for more on the privacy-preserving ecash protocol.

Encrypted Nostr Messaging

Direct messages use end-to-end encryption with forward secrecy:

NIP-17 Gift-Wrapped Messages

/**
 * Nostr Direct Messages hook.
 * Handles DM composition, sending, retrieval, and deletion
 * via Nostr. Uses gift-wrapped messages (kind 1059) for privacy.
 */

Privacy Features

  • NIP-44: XChaCha20-Poly1305 encryption (forward secrecy)
  • Gift wrapping: Sender identity hidden from relay
  • Random timestamps: Obfuscates message timing
  • Seal + Wrap: Double-layer encryption
Relays see encrypted blobs only. They cannot read message content, identify sender/receiver, or correlate conversations.

Optional Location Privacy

Location stamps are disabled by default and fully privacy-preserving:

Location Jittering

/**
 * Location privacy utility.
 * Jitters GPS coordinates by ±50 meters to prevent exact location tracking.
 */

export function jitterLocation(lat: number, lon: number): { lat: number; lon: number } {
  // ±50 meters in degrees (approximately)
  const latJitter = (Math.random() - 0.5) * 0.0009; // ~50m at equator
  const lonJitter = (Math.random() - 0.5) * 0.0009;

  return {
    lat: lat + latJitter,
    lon: lon + lonJitter,
  };
}

Location Privacy Guarantees

  • Disabled by default (opt-in only)
  • Coordinates jittered ±50 meters (randomized)
  • Stored locally only (never transmitted to mints)
  • Used for transaction notes only (not for tracking)
  • Can be bulk-deleted from settings

Even with jittering, repeated location stamps can reveal patterns (home, work, etc.). Use sparingly if privacy is critical.
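
The caveat about repeated stamps can be measured. The added example below (not Sovran code) averages many stamps of one place produced by the same uniform jitter and compares the result with a hypothetical grid-snapping alternative; snapToGrid, its 0.001° cell size and the sample coordinates are assumptions made for the illustration.

```javascript
// Added example: independent jitter averages out; a fixed grid cell does not.
const M_PER_DEG = 111320; // approximate meters per degree of latitude

// Plain-JS copy of the page's jitter: uniform offset of up to ±0.00045° per axis.
function jitterLocation(lat, lon) {
  return { lat: lat + (Math.random() - 0.5) * 0.0009, lon: lon + (Math.random() - 0.5) * 0.0009 };
}

// Distance in meters between two nearby points (equirectangular approximation).
function distanceMeters(a, b) {
  const dLat = (a.lat - b.lat) * M_PER_DEG;
  const dLon = (a.lon - b.lon) * M_PER_DEG * Math.cos((a.lat * Math.PI) / 180);
  return Math.hypot(dLat, dLon);
}

// Centroid of n stored stamps of the same true location.
function centroidOfStamps(truth, n) {
  let lat = 0, lon = 0;
  for (let i = 0; i < n; i++) {
    const s = jitterLocation(truth.lat, truth.lon);
    lat += s.lat / n;
    lon += s.lon / n;
  }
  return { lat, lon };
}

// Hypothetical alternative: report the centre of a fixed grid cell. The same place always
// yields the same stamp, so collecting more stamps adds no precision.
function snapToGrid(lat, lon, cellDeg = 0.001) {
  const snap = (v) => (Math.floor(v / cellDeg) + 0.5) * cellDeg;
  return { lat: snap(lat), lon: snap(lon) };
}

function compare(n = 500) {
  const truth = { lat: 52.5163, lon: 13.3777 }; // constructed sample point
  return {
    singleStampErr: distanceMeters(truth, jitterLocation(truth.lat, truth.lon)),
    centroidErr: distanceMeters(truth, centroidOfStamps(truth, n)),
    gridErr: distanceMeters(truth, snapToGrid(truth.lat, truth.lon)),
  };
}
console.log(compare());
```

With 500 stamps the centroid typically lands within a couple of meters of the true point, while the grid error stays the same however many stamps are stored. The east-west jitter also shrinks with the cosine of the latitude, so away from the equator it is less than 50 meters.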

App-Level Privacy Controls

AppGate Architecture

Sovran uses privacy-first gating at app launch:
const AppGate: React.FC<AppGateProps> = ({ children }) => {
  const { isReady, isLoading } = useNostrKeysContext();
  const isTermsAccepted = useSettingsStore((state) => state.isTermsAccepted());
  const acceptTerms = useSettingsStore((state) => state.acceptTerms);
  const hasSeenOnboarding = useSettingsStore((state) => state.hasSeenOnboarding);
  const completeOnboarding = useSettingsStore((state) => state.completeOnboarding);

  if (!isTermsAccepted) {
    return (
      <TermsConditionsScreen
        onClose={() => {
          acceptTerms(new Date().toISOString());
        }}
      />
    );
  }

  if (!hasSeenOnboarding) {
    return <OnboardingScreen onComplete={completeOnboarding} />;
  }

  if (isLoading || !isReady) {
    return null;
  }

  return <>{children}</>;
};
Gate order:
  1. Terms acceptance (privacy policy disclosure)
  2. Onboarding (optional, privacy education)
  3. Key initialization (local key derivation)
  4. Passcode lock (optional, device protection)
No data transmitted during any gate.

Settings Privacy Controls

User-configurable privacy settings:
Setting | Default | Purpose
Location Stamps | OFF | Enable/disable location tagging
Passcode Lock | OFF | App access protection
Quick Access P2PK | OFF | Show receive pubkey on home screen
Regenerate P2PK | ON | New receive key after each payment
All settings stored locally in AsyncStorage. No settings are shared with mints, relays, or third parties.

Privacy Threat Model

What Sovran Protects Against

  • Analytics companies tracking usage
  • Mint operators tracking spending patterns
  • Relay operators reading messages
  • Network observers (ISP, VPN) seeing transaction details
  • Cloud providers accessing backups
  • Third-party SDKs collecting telemetry

What Sovran Does NOT Protect Against

  • Device-level malware or spyware
  • Compromised mints (can refuse service, but not steal)
  • Network-level correlation (use Tor for network privacy)
  • Physical device access (use passcode + device lock)
  • Social engineering attacks

Privacy Best Practices

  1. Use Multiple Mints: Spread funds across mints to limit per-mint visibility.
  2. Swap Between Mints: Regularly swap tokens between mints to break linkability.
  3. Enable Passcode Lock: Protect app access from physical device theft.
  4. Minimize Location Stamps: Only enable if absolutely needed; jittering helps but isn’t perfect.
  5. Use Tor (Advanced): Route Sovran traffic through Tor for network-level privacy.
  6. Regular Key Rotation: Use multiple accounts for different contexts (personal/business).

Privacy Comparison

Feature | Sovran | Custodial Wallets | Bitcoin On-Chain
Data collection | None | Extensive | None (but public chain)
Transaction privacy | High (Cashu) | Low (KYC) | Low (chain analysis)
Network privacy | Moderate | Low | Low (IP leakage)
Message privacy | High (NIP-17) | N/A | N/A
Cloud backups | Disabled | Often enabled | Depends on wallet
Third-party SDKs | Zero | Many | Varies

Regulatory Considerations

Sovran is a privacy tool, not an anonymity tool. Strong privacy does not guarantee anonymity.
  • Mints may implement KYC/AML (check mint policies)
  • Lightning on-ramps may require identification
  • Legal obligations vary by jurisdiction
  • Users responsible for compliance in their region
Privacy is a human right. Sovran provides tools; users must understand their local legal context.

Privacy Audits

Sovran’s privacy architecture can be audited:
  1. Source code: Fully open on GitHub
  2. Network traffic: Monitor with tools like mitmproxy
  3. Local storage: Inspect with device file explorers
  4. Dependencies: Review package.json for tracking libs
Community-run audits and privacy research are welcomed. Report findings via GitHub Issues.

Security Overview

Overall security architecture

Cashu Privacy

Privacy-preserving ecash protocol

Nostr Encryption

End-to-end encrypted messaging

Location Stamps

Optional transaction geotagging
