User tracking

The Stellar Passkey Kit collects no telemetry, no analytics, no behavioural signals. This document is auditable: every piece of client-side state is enumerated below, every network call is catalogued, and the privacy-relevant code paths are linked.

What the SDK stores

Across the four packages (@stellar-passkey/core, @stellar-passkey/ui, the forked PasskeyModule, the reference demo), only two pieces of state ever land in browser persistence:

1. localStorage key @stellar-passkey/lastSession. Stores exactly { credentialId: base64url, rpId: string, createdAt: ISO8601 } — see packages/core/src/storage.ts. credentialId is the WebAuthn rawId returned by the user's authenticator; the kit uses it to drive silent reconnect on subsequent page loads. The contract's C… address is deliberately not stored — it is re-derived from on-chain ("sw_v1","add", credentialId) events on every connectPasskey call, both to support cross-device recovery and to prevent localStorage tampering from redirecting signing to a different contract.
2. localStorage key @stellar-passkey-demo/lastContract.Reference-demo only. The demo persists its own session contract id so it can show the same wallet across reloads without an RPC round- trip. The shipped SDK does not include this key.

No cookies. No IndexedDB. No sessionStorage. No service worker.

What the SDK sends

Outbound requests originate from exactly one place: the SorobanRpc.Server instance reading the URL given to the SDK by the consumer (default https://soroban-testnet.stellar.org). The body of every such request is JSON-RPC payload that Stellar's soroban-rpc specification documents; no user identifier, IP-derived data, or client-side fingerprint is added by the kit.

The reference demo additionally fetches its own JavaScript bundle from Cloudflare Pages; that request is HTTP-static-asset standard and contains nothing the demo controls beyond the URL.

What the demo does not include

• No Google Analytics, Plausible, Fathom, Vercel Web Analytics, or any other analytics SDK.
• No third-party fonts (system fonts via font-family: system-ui).
• No tracking pixels, no error-reporting service.
• No A/B testing, no session replay, no heatmap library.

A view-source and a Network tab in DevTools should reveal exactly two outbound origins: the static-asset host and the Soroban RPC endpoint.

Opt-out behaviour

Because nothing is tracked, there is no opt-out toggle to ship; the absence is the default. If a future minor release introduces any optional analytics (it currently is not planned), it MUST land behind an explicit analytics: true constructor flag and MUST be documented here. Removing the flag is the opt-out.

Auditable code paths

• Storage write surface — packages/core/src/storage.ts.
• Recovery surface (no telemetry) — packages/core/src/recover.ts.
• Demo storage — apps/demo/src/main.ts (search localStorage).