Privacy Policy
How AlgoVoi and ilovechicken.co.uk handle your data — what we collect, what we don't, and how your wallet keys stay on your device.
Last updated: 26 April 2026 · Version 1.2
Short version: AlgoVoi stores your encrypted wallet data only on your own device. We do not collect, transmit, or sell any personal information. Private keys never leave your device.
- Who We Are
- Data We Do Not Collect
- Data Stored Locally on Your Device
- Network Requests Made by the Extension
- Fetch Interceptor (x402 and MPP Detection)
- AI Agent Signing
- Permissions Used and Why
- Server-Side Data (ilovechicken.co.uk Services)
- Children's Privacy
- Your Rights
- Changes to This Policy
- Contact
1. Who We Are
AlgoVoi is a browser extension developed by Christopher Hopley — ilovechicken.co.uk. It provides a non-custodial Web3 wallet for the Algorand and Voi blockchain networks, along with native support for the x402, MPP (Machine Payments Protocol), and AP2 (Agent Payments Protocol) HTTP payment standards.
The source code is publicly available at github.com/chopmob-cloud/AlgoVoi under the Business Source Licence 1.1.
For the purposes of UK GDPR, the data controller is Christopher Hopley, ilovechicken.co.uk. Contact: support@algovoi.co.uk
2. Data We Do Not Collect
AlgoVoi does not:
- Collect, transmit, or store any personally identifiable information on external servers
- Track your browsing activity, visited URLs, or transaction history on any server we control
- Sell, share, or license any user data to third parties
- Use analytics, advertising, or crash-reporting services
- Require account registration or email address
3. Data Stored Locally on Your Device
All sensitive data is stored exclusively in your browser's chrome.storage.local, which is private to the extension and never accessible to websites you visit.
- Encrypted wallet vault — Your private keys and seed phrases are encrypted using PBKDF2 (600,000 iterations) key derivation followed by AES-GCM 256-bit encryption before being written to local storage. The plaintext is never written to disk.
- Wallet preferences — Active account index, selected network (Algorand / Voi), and connected site list are stored in local storage. The connected site list is stored inside the encrypted vault.
- Session state — WalletConnect pairing topics and pending transaction queues are held in memory during your browser session and are not persisted after the extension service worker is unloaded.
- Unlock rate-limiting — A failed-attempt counter is held in chrome.storage.session (cleared when the browser closes) to prevent brute-force password attempts.
- AI agent sessions — Active WalletConnect agent session topics are stored locally so sessions can be restored if the service worker is restarted. No agent transaction data is persisted.
4. Network Requests Made by the Extension
AlgoVoi communicates only with the following external services, solely to fulfil wallet functionality. No personal data accompanies these requests beyond what is inherent to blockchain transactions (e.g. your public wallet address).
- Algorand node & indexer (mainnet-api.algonode.cloud, mainnet-idx.algonode.cloud) — to query balances, submit signed transactions, and retrieve on-chain data. Your public wallet address is transmitted as part of standard blockchain queries.
- Voi node & indexer (mainnet-api.voi.nodely.dev, mainnet-idx.voi.nodely.dev) — same purpose for the Voi network.
- WalletConnect relay (*.walletconnect.com, *.walletconnect.org) — to enable QR-code wallet pairing with dApps and AI agents via the WalletConnect v2 protocol. Session payloads are end-to-end encrypted; WalletConnect's relay infrastructure sees only encrypted metadata (session topic, timing). Your private keys are never transmitted. See WalletConnect's privacy policy.
- enVoi name resolution (mcp.ilovechicken.co.uk) — when you resolve a .voi human-readable name, the name is sent to the MCP endpoint to retrieve the corresponding address. A small VOI payment accompanies this request. Your private key is never transmitted; only the signed payment transaction (containing your public address) and the name to resolve are sent.
- x402 / MPP payment endpoints — when you approve an x402 or MPP payment, the extension constructs and submits a signed transaction directly to the blockchain node, then presents proof of payment to the merchant's server. Only the signed transaction (containing your public address) and on-chain transaction ID are transmitted to the merchant. Your private key never leaves your device.
- AP2 (Agent Payments Protocol) merchants — when you approve an AP2 payment credential request, the extension signs a PaymentMandate using your private key and returns the signed credential to the requesting page. The credential contains your public wallet address and a cryptographic signature. Your private key never leaves your device.
- A2A (Google Agent-to-Agent) skills (api1.ilovechicken.co.uk) — AI agents may invoke AlgoVoi A2A skills (verify-payment, create-checkout, check-status) over the Google A2A v0.3 protocol. These calls originate from the agent runtime, not the extension; only public payment token and status data are exchanged. No wallet keys or personal data are transmitted.
- AlgoVoi Cloud API (cloud.algovoi.co.uk) — cloud dashboard interactions (signup, KYC document upload, payment status) are sent to the cloud gateway, which proxies them to the primary API over a private VPC link. Standard server-side data handling applies (see §8).
- Allbridge bridge (mcp.ilovechicken.co.uk) — when you use the bridge tab to transfer USDC cross-chain, unsigned transactions are built server-side and returned to the extension for local signing. Your public address is transmitted to construct the transaction; your private key never leaves your device.
- Wallet icon CDNs (https://static.defly.app, https://*.walletconnect.com) — wallet application icons may be loaded from these CDNs to display in the pairing and approval UI.
5. Fetch Interceptor (x402 and MPP Payment Detection)
AlgoVoi injects a lightweight script into HTTPS pages that intercepts fetch responses to detect HTTP 402 (Payment Required) status codes. This interceptor:
- Reads only the HTTP status code and specific payment-related response headers (PAYMENT-REQUIRED, WWW-Authenticate: Payment)
- Does not read, store, or transmit the body of any web page or any other response header
- Does not collect your browsing history or visited URLs
- Only activates when a website explicitly returns a 402 payment challenge
When a 402 response is detected, the URL of the payment-gated resource is displayed in the approval popup so you can confirm what you are paying for. This URL is used only for display purposes and is not transmitted to any external server.
6. AI Agent Signing
AlgoVoi supports WalletConnect Web3Wallet integration, allowing AI agents to connect to your wallet via a QR code or pairing URI. When an AI agent requests a transaction signature:
- A confirmation popup is always shown — no transaction is signed without your explicit approval
- The agent's name, URL, and the full transaction details (type, amount, recipient) are displayed before you approve
- Signed transactions are returned to the agent via the WalletConnect relay (end-to-end encrypted). Your private key is never exposed to the agent
- You can disconnect any agent session at any time from the Agents tab in the popup
7. Permissions Used and Why
- storage — to persist the encrypted vault and preferences locally
- alarms — to maintain active AI agent signing sessions: a periodic alarm fires while an agent is connected and is cleared automatically when you disconnect all agents
- tabs — to route payment results back to the correct browser tab and to broadcast chain-change events to open pages
- windows — to open payment and signing approval popup windows
- Host permissions (Algorand, Voi, WalletConnect, enVoi domains) — to make API calls to the blockchain nodes, WalletConnect relay, and name resolution service listed above. Each host is used only for its stated purpose
- Content script on https://*/* — to inject the window.algorand ARC-0027 provider and payment protocol fetch interceptor into web pages, enabling dApps to request transaction signing and websites to offer x402/MPP payment flows. The content script does not read or modify page content; it only passes explicitly typed messages to the extension background
8. Server-Side Data (ilovechicken.co.uk Services)
When you use ilovechicken.co.uk services (MCP server, payment gateway APIs, ecommerce adapters), the following applies:
- Access logs — standard nginx/server access logs are retained for security and fraud prevention. Logs contain IP addresses, timestamps, and request paths. PII is purged after 90 days
- No PII in audit logs — structured audit event logs (payment challenges, verifications, key events) contain no personally identifiable information
- Public wallet addresses — your public Algorand/Voi address is used to construct and verify on-chain transactions. It is not considered private data as it is publicly visible on the blockchain
- Law enforcement disclosure — data may be disclosed to law enforcement authorities to the extent required or permitted by applicable law. See our Terms & Conditions Section 5
- KYC/KYB documents — individuals and sole traders who complete KYC onboarding via cloud.algovoi.co.uk submit identity documents (government ID, selfie, proof of address, source of funds) which are stored on our primary server encrypted at rest. Encryption uses Fernet symmetric authenticated encryption (AES-128-CBC with HMAC-SHA256) applied before any file touches disk; plaintext exists only in memory while a request is being processed. The encryption key for KYC/KYB documents is held separately from the key used for tenant secrets, so a compromise of one class of data cannot expose the other. Multi-key rotation is supported for zero-downtime key rolls. Documents are reviewed automatically for individual accounts and manually for company accounts. All KYC/KYB documents are retained under AML hold for a minimum of 5 years after the relationship ends (MLRs Reg 40(2)) and are never used for any purpose other than compliance verification
- Cloud gateway — the AlgoVoi Cloud API (cloud.algovoi.co.uk) processes signup, login, KYC uploads, and payment status queries on behalf of cloud-registered tenants. All data is forwarded to the primary API over a private VPC link and stored on the primary platform database. The cloud gateway itself retains no separate copy of personal data beyond session tokens
- Merchant data processors — where we act as a data processor on behalf of merchants using the payment gateway, a Data Processing Agreement (DPA) is available on request
9. Children's Privacy
AlgoVoi is not directed at children under 18 years of age. Use by persons under 18 is prohibited under our Terms & Conditions. We do not knowingly collect any information from children.
10. Your Rights
Under UK GDPR you have the following rights regarding any personal data we hold:
- Access — request a copy of the data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — request your data in a machine-readable format
- Objection — object to processing of your data
- Restriction — request that we restrict processing of your data
To exercise any of these rights, contact us at support@algovoi.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
11. Changes to This Policy
If we make material changes to this policy, we will update the "Last updated" date above and publish the updated policy at this URL. Continued use of the extension after changes constitutes acceptance of the revised policy.
12. Contact
Christopher Hopley — ilovechicken.co.uk
support@algovoi.co.uk
For data subject access requests, erasure requests, or DPA enquiries please use the email above. We will respond within 30 days. You may also raise a complaint with the ICO.