Privacy Policy
Introduction
TZUR for Agents respects your privacy. It is a non-custodial, Bitcoin-only Windows desktop application that holds a separate operational wallet you fund and exposes it to AI agents over a local interface on your own computer. It is designed so that the data needed to operate the wallet stays on your machine. This Privacy Policy explains the limited processing that takes place, what never leaves your device, and how third parties are involved when you choose to connect them.
Data Controller
The data controller responsible for the limited processing described in this notice is Blocksight OÜ, an Estonian private limited company, registry code 17474529, registered at Vesivärava tn 50-301, 10152 Tallinn, Estonia. For data-protection inquiries, write to legal@blocksight.live. For general support, write to contact@tzur.live. The website for the product is https://tzur.live.
Information We Do Not Collect
TZUR for Agents does not collect or store personal information such as names, emails, location data, hardware identifiers, or wallet balances. We cannot access, freeze, or move your funds, and we never receive your seed phrase, private keys, agent instructions, approvals, or audit records.
Local Storage
All wallet data is stored locally on your computer. Sensitive information such as seed phrases and private keys is held in an encrypted secrets file sealed with Windows DPAPI (the Windows Data Protection API), which binds the data to your Windows user account. Where a Trusted Platform Module (TPM) is present, the encrypted seed can additionally be sealed to the TPM for hardware-backed protection. Keys are generated locally using the operating system's secure random number generator (BCryptGenRandom), and the wallet follows the BIP-39, BIP-32, and BIP-84 (Native SegWit, m/84'/0'/0') standards.
Access to the application is protected by an idle auto-lock, a PIN hardened with PBKDF2-HMAC-SHA256 (600,000 iterations), and optional Windows Hello unlock. The recovery phrase is shown with screen-capture protection.
Agents and the Local Interface
Authorized AI agents operate the wallet over a local interface on your computer: a loopback-only Model Context Protocol (MCP) server bound to 127.0.0.1, not reachable from the public internet. Each agent authenticates with a per-agent bearer token that you issue. Agents operate under a default-deny permission model and are limited to the scopes you grant.
Agent permissions, spending limits and allowances, the daily-spend ledger, the owner-approval queue, and the local audit log are all stored locally on your computer. No agent instructions, drafts, approvals, or audit records are sent to Blocksight, and the local MCP server does not contact Blocksight. The audit log of agent activity is tamper-evident, append-only, hash-chained, sealed at rest with Windows DPAPI, held on your computer, and visible only to you. (Because it is local, a factory reset of the application clears it.)
An agent can never read your seed or private keys; no such capability exists in the agent interface.
Third-Party AI Providers
You bring your own AI agent or MCP client (for example, Claude Desktop, Claude Code, or any other MCP client). When you connect an external AI agent, the prompts, conversations, and instructions you send to that agent are processed by that third-party AI provider under its own privacy policy and terms, which you should review before connecting it. Blocksight does not provide, control, endorse, or take responsibility for that third-party AI, and we cannot see or control what it processes or retains.
TZUR for Agents passes the wallet actions an agent requests to your local interface; it does not route your prompts or conversations to Blocksight, and Blocksight receives none of that content. You are responsible for what you instruct or authorize and for protecting the bearer token you issue.
Blockchain Communication
To function as a Bitcoin wallet, the application communicates with public Electrum servers over TLS to retrieve blockchain information such as balances and transactions, verified with Merkle proofs, and with the BlockSight.Live API to retrieve public blockchain explorer data. Electrum servers are treated only as untrusted data providers; transaction signing and broadcasting always happen locally on your device. No seed phrases, private keys, or other wallet secrets are sent to these services. Balances depend on this network synchronization and may lag or be temporarily unavailable.
Optional Exchange Features
Exchange features are optional and remain inactive until you configure a third-party exchange. If you enable them, you transact directly with that third-party exchange under its own terms and privacy policy; Blocksight is not a party to the trade. Any exchange API credentials you provide are sealed within the application and are never reachable by an agent. Each exchange order still requires your own approval, the same as any other spend.
Analytics
TZUR for Agents is privacy-first and collects no usage analytics by default. Analytics are strictly opt-in: the application ships with analytics turned off and transmits nothing unless you explicitly enable them.
If you choose to enable analytics, anonymous, aggregated data helps the developers understand how the app is used. This data covers items such as:
- App launches
- Wallet creation
- Wallet restoration
- Send and receive feature usage
- Settings interactions
- App version and operating-system information
This data is aggregated and does NOT include:
- Bitcoin addresses
- Wallet balances
- Transaction amounts
- Seed phrases
- Private keys
- Personal identity
- Agent instructions, prompts, approvals, or audit records
- Bearer tokens or exchange credentials
Analytics are off by default. You can review or change this choice at any time in:
Settings > Privacy > Usage analytics
While analytics are off (the default), the application sends no usage analytics.
TZUR for Agents does not include tracking technologies or advertising SDKs.
Security
Private keys are generated locally and exist in memory only during transaction signing, after which the relevant buffers are cleared. Moving funds is off by default and requires either a present-user Windows Hello approval bound to the specific payment, or a payment that fits an allowance you explicitly enabled; in all cases you should verify the payment details the wallet renders, not the agent's words, before approving.
Third-Party Services
The application retrieves public data from, or relies on, the following external services. No wallet data (addresses, balances, keys) is ever sent to them:
- CoinGecko, Coinbase: Bitcoin price data
- BlockSight.Live: blockchain explorer data
- Public Electrum servers: blockchain synchronization data
- Stripe, Inc.: payment processing for the one-time purchase, governed by Stripe's privacy policy
Any third-party AI provider you connect, and any third-party exchange you configure, are governed by their own privacy policies as described above.
Lawful Basis for Processing
Where any personal data is processed (analytics you opt in to, communications you initiate), the lawful basis is your consent under GDPR Article 6(1)(a). Communication with public Bitcoin infrastructure and processing of payment for your licence are the performance of the contract you entered into when you purchased TZUR for Agents, under Article 6(1)(b).
Your Rights Under GDPR
If you are an individual in the European Economic Area, the United Kingdom, or another jurisdiction with a comparable data-protection regime, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time. To exercise these rights, write to legal@blocksight.live. We will respond within one month of a verifiable request. Note that wallet data, keys, agent records, and audit logs are stored only on your own device and are not held by us, so requests concerning that data are satisfied through controls in the application itself.
Right to Lodge a Complaint
If you believe our processing infringes the GDPR or your local data-protection law, you may lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, https://www.aki.ee/en).
Children's Privacy
TZUR for Agents is intended for users aged 18 and over. Users aged 13 to 18 may use the application only with the consent and supervision of a parent or legal guardian; use by anyone under 13 is prohibited. We do not knowingly process personal data of children under 13, and where consent is the basis for any processing, we rely on the consent of the parent or guardian for users under 18.
Governing Law
This Privacy Policy and any matter arising from it are governed by the laws of the Republic of Estonia.
Last Updated: 8/6/2026