brd wallet | privacy

[hugeblack]

I am doing some Bitcoin wallet tests in order to review them, I downloaded BRDwallet^[1], but some legal points^[2] have caught my attention on this page:

sage Data
We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device ("Usage Data").

This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

In fact, I do not read the terms of service for most of the wallets because they are open source, but is it normal for wallets to collect such data?
I don’t know why there is no warning before downloading or managing privacy?

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

The problem in this part? I think that due to the different rules, most countries are not the same levels of data protection, so legally, this wallet has the right to sell or share your data, with the possibility that they will know your addresses.


[1] https://brd.com/
[2] https://brd.com/privacy

[TryNinja]

This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

Usually, services do that to see which features their users use the most, so they can focus on implementing similar features or make the existent ones better. If you have no idea what your customers want, you can end up wasting time and effort in useless features that no one cares about. It's pretty default when a company doesn't explicitly care about privacy. If it's a privacy-oriented one, they obviously should try to minimize the data they collect, but BRD looks more like a service-based wallet (buy crypto from the app) which focus on being used by the regular Joe rather than the tech-savvy Bitcoiner.

[pooya87]

that seems to be about their website (which is their cookie policy) not their wallet. the wallet is claimed to not connect to any kind of server and directly connect to the bitcoin network (possibly through bloom filters) in which case there is no data for the company to use.

[hugeblack]

If it's a privacy-oriented one, they obviously should try to minimize the data they collect, but BRD looks more like a service-based wallet (buy crypto from the app) which focus on being used by the regular Joe rather than the tech-savvy Bitcoiner.

This is the reason for my question because when using the wallet, a link to privacy is not explained or put in place. However, the wallet can collect your data and hand it over to anyone without telling you that, just as it happened with Facebook–Cambridge Analytica data scandal^[1].

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

Also, they can keep the data and if you want to erase it, you should contact the support team.

the wallet is claimed to not connect to any kind of server and directly connect to the bitcoin network (possibly through bloom filters) in which case there is no data for the company to use.

According to the definition on the first page, the word "us", "we", or "our" means the company and the mobile application, in addition to that the site is useless and they have no webwallet.

Breadwinner AG ("us", "we", or "our") operates the brd.com website and the BRD mobile application (the "Service").

[1] https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal

[joniboini]

The use the "Service" terms to describe both their website and mobile apps. It's kinda ambiguous but judging from the text outlined I also think they probably refer to their website. But I won't be surprised if they do collect the apps itself and use this ambiguity to defend their decision.

[o_e_l_e_o]

The Privacy Policy is a cookie cutter template that many many sites use. It is a comprehensive "catch all" that essentially covers them to do all the usual privacy-invading things that most websites do - fingerprint you, track you, share your data with Google for analysis, and so on. Pick a random sentence from the policy and do a web search for it, and you'll find thousands of examples for a wide variety of sites, such as:

https://www.chess.com/privacy
https://consequenceofsound.net/privacy-policy/
https://ninjaiphider.web.app/privacy.html

As joniboini says:

Service means the brd.com website and the BRD mobile application operated by Breadwinner AG.

So yes, if you use their app, they are permitted to record your IP, your mobile device unique ID and other unique identifiers, your location, what you are doing on the app, and they are permitted to store and transfer that data and share with companies such as Google.

That's not to say they are doing all those things, but it is certainly concerning that they are using a Privacy Policy designed to allow them to do those things if they wanted to.

[Pmalek]

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

This part that you quoted doesn't mention that the data will be shared/sold to third-parties, only that it is likely that it will be stored in a different geographical location than where you are. This can mean a data center or their own servers located outside of their HQ. Unfortunately, it can be interpreted in different ways, and you are right. Who knows who these 'computers' belong to.   

[o_e_l_e_o]

This part that you quoted doesn't mention that the data will be shared/sold to third-parties, only that it is likely that it will be stored in a different geographical location than where you are.

However, the rest of their Privacy Policy does give them permission to share and sell your data. See the following quotes:

We may use the services of various Service Providers in order to process your data more effectively.

We may use third-party Service Providers to monitor and analyze the use of our Service.

Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

Further, in relation to the part you quoted - transferring data to other jurisdictions - see the following quote from two lines below that (emphasis mine):

Breadwinner AG will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

This strongly suggests that the servers they are using in other jurisdictions are not owned by them but belong to third parties.

All in all, this isn't exactly the kind of thing you want to hear from your wallet provider.

[Pmalek]

@o_e_l_e_o
Unfortunately, all those quotes suggest that the data can be shared (and probably is) with third parties. Nice find.
I agree that it is not ideal but I don't think BRD is the only wallet that does that. That doesn't make it OK in any way. Welcome to a new season of Big Brother.