Privacy Policy

RugTruth does not collect, store, or transmit any personally identifiable information (PII) from its users. The RugTruth Extension operates entirely under Manifest V3 strict local execution. It only extracts public token contract addresses (mint or pair strings) from the URLs or visible DOM of supported charting websites — specifically DEX Screener, GMGN.ai, DEXTools, GeckoTerminal, and Photon. These contract addresses are public on-chain identifiers, not private user data. No private keys, wallet credentials, browser history, cookies, session tokens, or any other sensitive information is ever accessed, read, or transmitted by the extension or the RugTruth website.

The public contract addresses extracted by the extension are used solely to query publicly available blockchain data via standard RPC endpoints and the RugTruth analytics API. This data includes on-chain metrics such as holder distribution, liquidity pool status, and wallet clustering — all of which is already publicly viewable on the Solana blockchain. We do not sell, rent, or share any data with third parties. We do not build user profiles, tracking identifiers, or behavioural models. The extension performs its functions anonymously without any user account requirement.

All communication between the RugTruth Extension and our servers is conducted over encrypted HTTPS connections. The extension itself runs in an isolated content-script sandbox with no access to your browser's secure storage or authenticated sessions on third-party sites. Because the extension does not handle private keys, wallet seeds, or authentication credentials, there is no sensitive financial data at risk. Our backend infrastructure follows industry-standard security practices including TLS encryption, input validation, and rate limiting to ensure the integrity of public data queries.

The RugTruth Chrome Extension is built entirely on Manifest V3 (MV3), Google's modern extension platform. It uses a strict local service worker for background tasks, a scoped content script for DOM interaction, and does not rely on remote code execution, eval functions, or externally loaded scripts. All code is bundled and reviewed at submission time. Permissions are scoped strictly to the supported charting domains and the minimum required host access. No broad permissions such as "<all_urls>" are requested.

RugTruth uses Supabase (https://supabase.com), a trusted open-source backend platform, to provide secure user authentication and account management for the analytics dashboard. When you create an account, sign in, or reset your password, the following information is processed by Supabase on our behalf: - Email address (required for account identification and password recovery) - A securely hashed password (we never store or transmit your plaintext password) - OAuth identifiers if you choose to sign in with Google (your Google email and unique account ID — no contacts, calendar, or profile data beyond what Google's standard sign-in scope provides) - Session tokens (stored locally in your browser to keep you signed in) - Basic technical metadata such as IP address and timestamps, used by Supabase for abuse prevention and rate limiting Supabase acts as a data processor under our instructions and is contractually bound to safeguard this information. Authentication data is hosted on Supabase's infrastructure (typically in EU or US regions, depending on routing) and protected by industry-standard encryption in transit and at rest. You can review Supabase's privacy practices at https://supabase.com/privacy. We do not sell, share, or use authentication data for advertising, profiling, or any purpose other than operating your RugTruth account. You may delete your account at any time by contacting hello@rugtruth.com, which will permanently remove your authentication record and any associated data. Aside from Supabase, the only other external services we contact are public blockchain data providers (Helius, DexScreener, Solscan) used to fetch on-chain analytics. These calls contain only public token contract addresses — never your account details.