Privacy
monero-web is a non-custodial wallet. We do not collect, store, or transmit anything that could be used to identify you, recover your funds, or link you to your Monero activity.
What we do not collect
- Your seed phrase — never transmitted, never logged, never leaves your browser tab. All key derivation runs locally inside your tab using JavaScript that you can read in DevTools.
- Your private spend key — stays in your browser tab. Used locally to sign transactions. Never transmitted to any server.
- Cookies, fingerprints, or analytics IDs — there are no third-party scripts or cookies on this site at all. Open DevTools → Application → Cookies on any page and the list is empty.
- Email addresses — there is no signup, no newsletter, no waitlist.
- IP addresses — Cloudflare (our CDN) sees the IP that requests each page, like every web host on the planet does, but we have no logging on top of that and never inspect Cloudflare's analytics for individual visitors.
What the wallet does send over the network
1. Blockchain queries (no wallet data)
The dashboard makes read-only RPC calls to our own Monero node (or public fallback nodes) through a same-origin proxy at /api/proxy:
- get_info and get_block_count — current network height and connection state.
- get_fee_estimate — the recommended transaction fee.
None of these calls include your address, view key, or any wallet-identifying information.
2. Light-wallet server (view key sent)
To show your balance and transaction history, the dashboard sends your private view key and primary address to our light-wallet server at node.monero-web.com/lws/. The server uses these to scan the blockchain for outputs that belong to your wallet.
- Your view key — needed to identify your incoming payments
- Your primary address — paired with the view key for scanning
- Your signed transaction hex when you send XMR — needed to broadcast to the network
- Your spend key — never sent. The server cannot spend your XMR.
- Your seed phrase — never sent.
- Your session password — used client-side only.
The view key alone cannot spend your Monero — it can only scan for incoming payments. This is the same trust model as MyMonero (which ran for 12 years), Cake Wallet's light-wallet mode, and Edge Wallet. The server is self-hosted on infrastructure we control, not a third-party service.
If you want to avoid sending your view key to our server, you can self-host the entire stack (static site + monerod + monero-lws) on your own hardware.
What Cloudflare can see
monero-web.com is hosted on Cloudflare Pages and sits behind Cloudflare's CDN. As with any CDN, Cloudflare's edge servers see:
- The HTTP requests for the static files (HTML, JS, fonts, images)
- The HTTP requests for the proxy endpoint (the JSON-RPC payloads going to public Monero nodes)
- Visitor IP addresses and standard request metadata
None of the information that flows through Cloudflare contains your seed, your keys, or your wallet contents. It is exactly the same set of information any visit to any website on the public internet exposes.
If your threat model requires hiding even the fact that you visited monero-web.com, route your browser through Tor Browser. The site works fine over Tor — there are no captchas, no JavaScript that breaks under Tor, and no server-side checks that block .onion-style traffic.
Sessions and storage
When you derive a wallet, the resulting keys are stored in your browser's sessionStorage — which means they live only in the current tab and are wiped automatically when you close it. You can also set an optional session password; if you do, your keys are AES-GCM encrypted in sessionStorage using a key derived from that password (PBKDF2-SHA256, 250 000 iterations) and decrypted only on demand.
The wallet has an idle auto-lock that fires after 10 minutes of inactivity. With a session password set, locking only wipes the in-memory keys — you can re-unlock by re-entering the password without re-deriving from your seed. Without a password, locking wipes everything and bounces you back to the seed entry screen.
Third parties
The site itself loads from one origin only: monero-web.com (served by Cloudflare). It does not load any external JavaScript, fonts, analytics scripts, or images. Specifically:
- No Google Analytics, Plausible, Fathom, or any other analytics service
- No Google Fonts — fonts are self-hosted at /fonts/
- No external QR generator — the QR code in the receive modal is rendered by a vendored pure-JavaScript library
- No CDN-hosted libraries — every script comes from our own origin
For the curious
Everything described here can be verified by reading the source code on GitHub or by opening DevTools → Network on any page of monero-web.com and watching exactly which requests are made. The full security and threat model is documented in the README and the disclosure policy is in SECURITY.md.
Changes to this page
If anything on this page changes, the change will be visible in the git history of privacy.html in the public repository. There is no other notification mechanism because there is no mailing list and no user accounts.