Kaspa Escrow OfficeForge
Privacy

Kaspa Escrow — Privacy Policy

Applies to the escrow.officeforge.co website and its installable PWA (Kaspa Escrow / Kaspa Гарант). This is the escrow service; the vault at safe.officeforge.co has its own policy. Effective: July 6, 2026. Operator: OfficeForge (contact: sales@officeforge.co).

The short version

Kaspa Escrow is non-custodial and account-less. Your deal keys (deal, funding and chat keys) are generated and used only in your browser and are never transmitted to us. The deal chat is end-to-end encrypted — the server relays ciphertext it cannot read. The one deliberate exception is a dispute: to let the arbiter judge, you may reveal your chat key (never your escrow key), and only then can the revealed conversation be decrypted for the arbiter. No sign-up, no advertising, no third-party analytics SDKs.

What stays only in your browser

The private keys for your side of the deal — the escrow key that signs release/refund/dispute, the funding key (buyer), and the chat key — plus your service token. They live in this browser's local storage and can be removed with "Forget this deal". Your recovery sheet (.txt) is a file you download and keep; it is the only copy of these keys, and we never receive it.

What the server receives and stores

  • Deal terms — type, amount and the conditions text you type. These are stored in the clear (not encrypted): the other party sees them in the invite preview before joining, and the arbiter sees them in a dispute.
  • Public parameters — each side's public keys and the covenant addresses, needed to build and watch the on-chain deal.
  • Service tokens — a random token per side that authorizes reading/acting on the deal. Anyone holding it can act on that side, so keep it on your recovery sheet.
  • Invite link / code — a capability: whoever opens it can join as the counterparty. It expires after 72 hours if unused.
  • Chat ciphertext & encrypted media — the deal chat runs on the Kaspa BlockDAG (Kasia protocol); the server relays and stores only ciphertext and already-encrypted media blobs. It cannot read your messages, photos or videos.
  • Dispute claims — if a dispute is opened, the "what I ask for + why" statement each side submits.
  • Telegram chat ID — only if you connect Telegram notifications for the deal.
  • Standard web-server logs (IP, request path, user agent), kept briefly for abuse protection, not used for profiling.

All on-chain transactions and covenant balances are public data on the Kaspa blockchain by design.

Disputes: reveal & what the arbiter sees

Until a dispute, the server holds only ciphertext and no one can read your chat. In a dispute, resolution needs evidence, so a party may deliberately reveal their chat key (sent to /dispute/reveal) — this is the only time a key leaves your device, and a chat key can never move funds. On reveal, the server decrypts that side's thread and stores the plaintext transcript for the arbiter only, alongside media the arbiter can decrypt with the keys carried inside the revealed messages. The AI mediator reads this to propose a non-binding outcome; a human arbiter reads it only if the case escalates. The revealed transcript is erased when the deal closes, and encrypted media blobs are deleted on a retention timer after closing. The on-chain ciphertext remains (it is the tamper-evident record), but without a revealed key it is unreadable.

What we never collect

Your escrow, funding or chat private keys, seed phrases or recovery sheets (we never ask for them); names, documents or KYC (there are no accounts); contacts, location or files beyond the media you attach to a deal; advertising identifiers.

Third parties

Website fonts load from Google Fonts (your IP is visible to Google on load). The support chat widget uses Cloudflare Turnstile (Cloudflare processes the challenge). Telegram delivers deal notifications if you opt in. The AI mediator runs on a third-party LLM provider, which receives only the deal terms, the revealed transcript and the claims — never any private key. The Kaspa network is public infrastructure. We do not sell or share data with anyone else.

Retention & deletion

A deal's records exist so the deal can run and be watched. The revealed chat transcript is wiped at close; media blobs are deleted on a retention timer after close. To delete a deal's remaining records (including any Telegram link), write to sales@officeforge.co naming the deal. On-chain data cannot be deleted by anyone — that is the nature of a blockchain.

Changes

Updates to this policy are published on this page with a new effective date.