The Galeon Covenant
Our public commitment to you. What we store, what we see, what we promise.
TL;DR
What We Promise
- Your spending keys never leave your device
- ZK proofs hide withdrawal destinations
- Ragequit guarantees you can always exit
What You Accept
- Your funds come from legitimate sources
- You're not a sanctioned person or entity
- You'll handle your own tax obligations
Privacy is choosing what you share. By using Galeon, you confirm your funds are legitimate. In return, we commit to full transparency about your data.
Inspired by the Ethereum Foundation's Privacy Commitment and the Trustless Manifesto.
What We Store
Encrypted Viewing Keys
We store your viewing keys encrypted with our server key (APP_KEY). This allows us to detect incoming payments to your Ports. Without these keys, we couldn't tell you when you've been paid.
Implication: Galeon can see incoming payments to your Ports and link them to your account.
Never: Spending Keys
Your spending keys are derived from your wallet signature during each session. They exist only in your browser's memory and are cleared when you close the tab. We never transmit, store, or have access to spending keys.
Implication: Galeon cannot move your funds. Only you can authorize withdrawals.
Session Data
We store your wallet address, Port configurations, and session tokens (JWTs). Payment receipts are stored to enable Shipwreck Reports for tax compliance.
Implication: Standard account data for service functionality.
What We Can See
Incoming Payments
When someone pays your Port, we detect it to notify you and update your balance.
Visible to Galeon
Deposit Amounts
When you deposit to the Privacy Pool, the amount is visible on-chain and to us.
Visible to Galeon
Withdrawal Destinations
ZK proofs hide which deposit you're withdrawing. We cannot link withdrawals to deposits.
Hidden from Galeon
Who You Pay From Pool
When you withdraw to pay someone, only you know the recipient. The relayer sees the destination but cannot link it to you.
Hidden from Galeon
ASP Policy
The Association Set Provider (ASP) controls which deposits can be withdrawn from the Privacy Pool. Our policy:
Default: Auto-Approve
All deposits from verified Port addresses are automatically approved for withdrawal. No vetting period, no manual review. Privacy by default.
Future: Sanctions Screening
Current (Hackathon): All deposits from verified Port addresses are auto-approved without sanctions checking.
Planned (Production): Addresses on OFAC or equivalent sanctions lists will be blocked from depositing. We will never retroactively block withdrawals for deposits that were accepted. If you deposited, you can withdraw.
Ragequit Guarantee
Even if blocked from standard withdrawal, you can always ragequit: withdraw your exact deposit back to the original depositing address. This sacrifices privacy but guarantees you can never lose access to your funds.
Your Responsibilities
By using Galeon, you represent and warrant that:
1. Your funds come from legitimate sources and are not the proceeds of illegal activity.
2. You are not a Specially Designated National (SDN) or otherwise subject to sanctions under applicable law, and you are not acting on behalf of any such person or entity.
3. You will comply with all applicable tax and reporting obligations in your jurisdiction. Shipwreck Reports are provided to assist with this.
4. You understand that privacy is not anonymity. Galeon provides financial privacy for legitimate use cases, not a tool for evading legal obligations.
Trustless Principles
Following the Trustless Manifesto, we measure success not by transactions per second, but by trust reduced per transaction.
Self-Sovereignty
Achieved: You authorize your own actions exclusively. Spending keys never leave your device.
Verifiability
Achieved: All contracts verified on-chain. Public data enables confirmation of outcomes.
Walkaway Test
Achieved: Ragequit guarantees exit without our approval. You can always recover funds.
Censorship Resistance
Achieved: Direct contract interaction always available. Relayer is convenience, not requirement.
No Indispensable Intermediaries
Planned: Permissionless relayer network. Anyone can run a relayer and compete.
No Critical Secrets
Planned: Decentralized ASP with multiple independent operators.
Delegation may exist. Dependence must not. We offer convenience through relayers and hosted scanning, but permissionless protocol access is always available.
Our Promises
No Subjective Blocking
We will never block deposits or withdrawals based on politics, personal beliefs, or pressure from non-governmental entities. Only legally required sanctions compliance.
No Data Sales
We will never sell, share, or monetize your transaction data. Your privacy is the product, not your data.
Transparent Operations
All smart contracts are verified and open source. ASP root updates are published on-chain. You can verify everything.
Self-Custody Always
Your funds are always under your control. We cannot freeze, seize, or move your assets. The ragequit function guarantees exit even if we disappear.
Progressive Decentralization
We're actively working to remove ourselves as a trusted party. Permissionless relayers, decentralized ASP, and time-locked governance are on the roadmap.
Verify Yourself
Don't trust, verify. All contracts are verified on Mantle Mainnet:
View full contract list on About page
Questions?
Privacy and compliance, not privacy vs compliance.