Security Principles
Non-Custodial Design
TZUR Wallet is fully non-custodial. Your private keys are never stored on servers, and TZUR has no ability to access, freeze, or move your funds. There are no accounts to create, no cloud storage of wallet data, and no server-side record of your Bitcoin holdings. Your keys exist only on your computer, protected by Windows security and, where enabled, your computer's TPM. If TZUR's servers disappeared tomorrow, your Bitcoin would remain fully accessible. You can recover your wallet using your seed phrase and any BIP-39 compatible wallet application.
Key Generation & Derivation
Private keys are generated locally on your computer. Cryptographic randomness is provided by the operating system's secure random number generator (BCryptGenRandom on Windows). TZUR follows BIP-32 for hierarchical deterministic key derivation, meaning your entire wallet is derived from a single master seed. For address generation, TZUR implements BIP-84 to produce Native SegWit (bech32) addresses using the derivation path m/84'/0'/0'. Derivation is fully deterministic: the same seed will always produce the same sequence of addresses. No key material is ever generated on or transmitted to a remote server.
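An added example (not TZUR's own code) of the derivation chain just described, carried out offline in Python: BIP-39 mnemonic to seed, BIP-32 master key, then the hardened account path m/84'/0'/0'. Every level of that path is hardened, so only HMAC-SHA512 and modular arithmetic are needed; the non-hardened change/index levels, public keys and bech32 address encoding that follow are beyond this snippet. The mnemonic is the public BIP-39 test vector, used as constructed input, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP-32 reduces child keys modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # indices >= 2^31 are hardened (the ' in m/84'/0'/0')

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the mnemonic into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def bip32_master(seed: bytes) -> tuple[int, bytes]:
    """BIP-32: master private key and chain code = HMAC-SHA512(key="Bitcoin seed", seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key; BIP-32 says the seed must be rejected")
    return k, digest[32:]

def ckd_priv_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP-32 hardened child: HMAC-SHA512(c_par, 0x00 || ser256(k_par) || ser32(index)).
    Hardened steps use the parent *private* key, so no elliptic-curve math is needed;
    non-hardened steps (the change/index levels below the account) are not shown here."""
    if index < HARDENED:
        raise ValueError("only hardened derivation is implemented in this example")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    k_child = (left + k_par) % SECP256K1_N
    if left >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key; BIP-32 says skip to the next index")
    return k_child, digest[32:]

def derive_account(seed: bytes, path=(84, 0, 0)) -> tuple[int, bytes]:
    """Walk the all-hardened account path m/84'/0'/0' (BIP-84 purpose, mainnet, account 0)."""
    k, c = bip32_master(seed)
    for level in path:
        k, c = ckd_priv_hardened(k, c, level + HARDENED)
    return k, c

if __name__ == "__main__":
    # Constructed input: the public BIP-39 test-vector mnemonic, not a real wallet.
    seed = bip39_seed(" ".join(["abandon"] * 11 + ["about"]))
    k, c = derive_account(seed)
    print("m/84'/0'/0' key:", hex(k), "chain code:", c.hex())
```

The BIP-39 and BIP-32 reference test vectors can be fed to these functions directly to confirm the implementation before trusting it with anything real.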
Seed Phrase Security
Your 12-word seed phrase is generated locally according to the BIP-39 standard. This seed phrase is the sole recovery mechanism for your wallet. TZUR does not store, transmit, or have any access to your seed phrase. The phrase is displayed once during wallet creation and can be viewed again in Settings for backup purposes. It is never sent over the network, never written to server logs, and never included in analytics data. If you lose your seed phrase and your computer, your Bitcoin cannot be recovered by anyone, including TZUR.
Memory Handling
Private key material is treated as toxic data. Keys are loaded from secure storage only when needed for transaction signing. Once the transaction is signed, all key material is immediately cleared from memory. Private keys are never cached in application state, never written to temporary files, never logged, and never persisted in unprotected storage.
Secure Storage
Sensitive wallet data, including the encrypted seed, is stored in a local secrets file sealed with Windows DPAPI (the Windows Data Protection API). DPAPI binds the data to your Windows user account, so the sealed data cannot be decrypted on another machine or by another user. On computers equipped with a Trusted Platform Module (TPM), you can additionally seal the encrypted seed to the TPM. The TPM key is non-exportable and never leaves the hardware, so a copied secrets file cannot be attacked offline on another machine, even with the PIN. The application is gated by a PIN, stretched with PBKDF2-HMAC-SHA256 at 600,000 iterations, and, where available, by Windows Hello. TZUR does not store sensitive data in plain files or any unprotected storage mechanism.
App Lock & Capture Protection
TZUR locks itself behind your PIN (and Windows Hello, where enabled) at launch and after a period of inactivity. The auto-lock interval is configurable (1 minute, 10 minutes, 1 hour, or 6 hours). The application also enables screen-capture protection on sensitive screens to reduce the risk of shoulder-surfing and screen-recording malware.
Network & Electrum Trust Model
TZUR communicates with public Electrum servers to retrieve blockchain data. Electrum servers are not trusted; they serve as data providers only. All transaction construction and signing happens locally on your computer. TZUR never sends private keys, seed phrases, or personal data over the network. Connections use TLS. Transaction integrity is verified using Merkle proofs.
Privacy-Respecting Analytics
TZUR Wallet may collect anonymous usage analytics to improve the application. Analytics are entirely optional and can be disabled at any time in Settings.
Analytics never include:
- Wallet addresses or public keys
- Account balances or UTXO data
- Transaction amounts, destinations, or history
- Seed phrases or any key material
- Private keys or derivation paths
- Personal identity, name, or location
TZUR Wallet does not include advertising SDKs, third-party tracking technologies, or fingerprinting libraries. We do not sell, share, or monetize any user data.
Responsible Disclosure
If you discover a security vulnerability in TZUR Wallet, please report it to contact@tzur.live. We take all reports seriously and will respond promptly.
Last Updated: 4/6/2026