Privacy Policy
Effective Date: March 9, 2026 · Last Updated: April 29, 2026
This Privacy Policy (“Policy”) describes how Toshi CSS (“Company,” “we,” “us,” or “our”) collects, uses, and protects information when you use the GrandmaStake platform and related services (the “Service”). By creating an account or using the Service, you consent to the practices described in this Policy.
1. Information We Collect
1.1 Account Information
When you create a GrandmaStake account, we collect:
- Email address — used for account identification, login, and service notifications.
- Password (hashed) — your password is processed through bcrypt before storage. We never store your plaintext password and cannot recover it.
1.2 Wallet Data
When you create a GrandmaStake-managed wallet, we store:
- Solana public key— your wallet’s public address on the Solana blockchain.
- Encrypted wallet blob — a doubly-encrypted representation of your private key. Your private key is encrypted inside a hardware-isolated enclave (AWS Nitro Enclave) using a key derived from your passphrase via Argon2id and AES-256-GCM-SIV. That encrypted blob is then wrapped with a second layer of server-side AES-256-GCM envelope encryption. We never store your private key in plaintext, and we cannot decrypt your wallet without your passphrase.
What we do NOT store: Your passphrase, your 12-word recovery phrase, or your private key in any recoverable form. Your passphrase is used only transiently inside the enclave during signing operations to derive a decryption key, and is then discarded. Your recovery phrase is generated inside the enclave and displayed to you once — we have no record of it after that moment.
1.3 Staking and Transaction Records
We maintain records of staking operations performed through the Service, including stake account addresses, delegation amounts, unstaking requests, and Solana transaction signatures. This data is used to display your staking history and account activity within the application.
1.4 Session and Authentication Data
We use cookies and tokens to authenticate your session:
- JWT access tokens — short-lived tokens stored in HttpOnly, Secure, SameSite=Strict cookies, inaccessible to JavaScript.
- Refresh tokens — longer-lived single-use tokens stored in HttpOnly cookies, used to obtain new access tokens. Token families are tracked to detect theft.
- CSRF tokens — used to protect state-changing requests against cross-site request forgery.
1.5 Infrastructure Logs
Our hosting infrastructure may capture standard server logs including IP addresses, browser type, operating system, and request timestamps. These logs are retained by our infrastructure provider in the ordinary course of operations and are not used by Toshi CSS for tracking, profiling, or marketing.
2. How We Use Your Information
- Account management: to authenticate you, manage your session, and send account-related notifications.
- Wallet operations: to look up your public key, relay your staking instructions to the Solana network, and display your balance and history.
- Security: to enforce rate limits, detect suspicious activity, and protect against unauthorized access.
- Compliance: to meet applicable legal, regulatory, and sanctions obligations.
We do not use your data for advertising, sell it to third parties, or use it for any purpose other than operating the Service.
3. RPC Proxy
The Platform routes Solana RPC requests through a server-side proxy to protect our RPC endpoint credentials. These requests are forwarded in real time and are not logged or stored by the proxy. The proxy does not record wallet addresses, transaction data, or any other payload content.
4. Cookies
GrandmaStake uses authentication cookies only — HttpOnly, Secure, SameSite=Strict cookies that carry your session tokens. These cookies are required for the Service to function and cannot be disabled while using the authenticated portions of the application.
We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookie-based services.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share information only as follows:
- Blockchain: Staking transactions are broadcast to the public Solana blockchain. Your wallet public address and on-chain transaction details are publicly visible. This is inherent to how blockchains work and is not controlled by Toshi CSS.
- Infrastructure providers: Our hosting provider may collect standard server logs as described in Section 1.5. AWS infrastructure is used for secure enclave operations; no user data beyond the encrypted blob is processed by AWS.
- Legal requirements: We may disclose information in response to a lawful court order, subpoena, or other legal process requiring disclosure.
6. Data Security
We employ multiple layers of security to protect your data:
- Database encryption at rest (TDE): All database tables, transaction logs, binary logs, and temporary files are encrypted using MariaDB Transparent Data Encryption (AES-CTR).
- Column-level envelope encryption: Wallet blobs receive an additional AES-256-GCM encryption layer at the application level, separate from TDE, using keys that are stored independently from the database.
- Hardware-isolated enclave:All private key operations occur exclusively inside an AWS Nitro Enclave. The enclave’s cryptographic identity is published on-chain so your browser can verify it independently before sending your passphrase.
- Mutual TLS between services: All inter-service communication uses mTLS with client certificates. All external traffic is encrypted via TLS.
- Minimal privilege: Each service accesses only the database tables it requires. The backend API never has access to raw wallet blobs.
No security system is perfect. While we take significant precautions, we cannot guarantee absolute security against all possible threats. This is why your recovery phrase — stored securely offline — is your ultimate guarantee of access to your funds, independent of our systems.
7. Data Retention
We retain your account data for as long as your account is active. If you request account deletion, we will remove your email address, password hash, encrypted wallet blob, and staking records from our systems within a reasonable period, subject to any legal obligations to retain records.
On-chain data (your public key, staking transactions, and SOL balance) exists on the Solana blockchain and cannot be deleted by Toshi CSS. That data is public and permanent by design.
8. Your Rights
You may contact us to request access to, correction of, or deletion of your personal data (email address, staking records). We will respond to verified requests within 30 days. We cannot delete on-chain data, and we cannot provide your private key or recovery phrase because we do not store them in any recoverable form.
If you have any privacy-related concerns, contact us at info@toshicss.com.
9. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, contact us and we will promptly delete it.
10. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Solana explorers, wallet providers, the Ramp Network fiat on-ramp). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies independently.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last Updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after the updated Policy is posted constitutes acceptance of the changes. For material changes, we will make reasonable efforts to notify you by email.
12. Contact
For privacy-related inquiries:
- Privacy: info@toshicss.com
- General: info@toshicss.com