Skip to content
SpendTheBits

Trust Center

Verifiable trust, not just a promise.

Self-custody only matters if it actually holds. Here’s exactly what we store, what we never touch, and how to reach us about security.

What the backend stores

  • Public addresses & extended public keys (xpubs)
  • Transaction hashes and public on-chain metadata
  • Account basics for sign-in (email/phone for OTP)
  • Encrypted ciphertext for optional recovery — never the key to decrypt it

What it never stores

  • Your seed phrase or mnemonic
  • Any private key
  • Your passphrase
  • Signed transaction hex

How it holds

Keys are generated and kept on your device

Your seed and passphrase are created on-device and held in the OS keychain (biometric-gated, device-only, never cloud-backed). They never reach our servers.

The crypto layer is physically isolated

The signing code is a pure keys-in → signed-bytes-out layer that is forbidden from importing any network or storage client — enforced in CI. It cannot phone home even by mistake.

Prepare → sign → relay

Servers only prepare unsigned context and relay what your device signs. There is no code path by which we could move your funds.

Data minimisation

We collect the minimum needed to operate: public chain data plus what's required for sign-in. We never sell your data.

Report a security issue

Found a vulnerability? We want to hear from you. Email hello@spendthebits.com with “Security” in the subject and steps to reproduce. Please give us a reasonable window to fix before any public disclosure.