Privacy
Last updated May 2026
TxGuardian is a transaction-safety tool. It analyzes Solana transactions before you sign them. The most important sentence on this page is the next one.
By default, your transactions never leave your browser.
The verdict engine ships inside the extension. When a dApp asks you to sign, the analysis runs in your service worker — not on our server. There are two optional opt-ins (hosted analyzer for users without a Solana RPC; AI prose explanation via your own Gemini key) that broaden the trust circle in different ways. Both are off by default. This page describes exactly what flows where in each configuration.
What flows where, by mode
| Configuration | TxGuardian server | Your RPC provider | Google (Gemini) |
|---|---|---|---|
| Extension default (local engine, no AI) | Never contacted | Sees the tx for simulation + registry lookup | Never contacted |
| Extension + AI translator enabled (your key) | Never contacted | Sees the tx (as above) | Sees decoded summaries + flags (your key used) |
| Extension hosted fallback (opt-in) | Sees the full transaction bytes | (via our server, not yours) | (via our server, our key) |
| Web demo at /scan or /playground | Sees the full transaction bytes | (via our server, not yours) | (via our server, our key) |
Your wallet's public key (the fee payer) is part of the transaction payload in every mode because it has to be — it identifies you on-chain. We never collect it separately.
What does NOT get sent
- No private keys. TxGuardian has no signing surface and no access to wallet internals. Signing always happens inside your wallet.
- No browsing history. The extension only activates on a signing request — it does not read page content, log URLs, or track navigation.
- No personally-identifying data. No name, email, or account ID is sent. Your wallet's public key is part of the transaction payload because it has to be — it identifies the fee payer on-chain — but it is not separately collected, stored, or correlated.
- No analytics or telemetry. No third-party trackers, no analytics SDK, no session replays. The analyzer endpoint logs only operational metrics (HTTP status, latency) on the hosting provider.
Storage
The browser extension uses chrome.storage.local to remember one thing: the analyzer endpoint URL, if you have overridden it from the popup. Nothing else is persisted on your device.
The analyzer endpoint applies a short-lived in-memory cache on verdicts (keyed by the deterministic transaction hash) to avoid re-running identical analyses. Cache entries are not shared, aggregated, or sold.
Third parties
The analyzer makes outbound calls to:
- A Solana RPC provider (Helius / QuickNode / official endpoints) to fetch account metadata and simulate the transaction. The transaction payload is sent to the RPC.
- Google Generative Language API (Gemini 2.5 Flash) for the plain-English explanation. Only pre-decoded instruction summaries are sent — never raw transaction bytes, never account labels controlled by an attacker. Memo content is stripped before this step.
If you self-host the analyzer (you can — the source is public), you control which RPC and which LLM provider receive the payload. The extension popup lets you point at your own instance.
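The Gemini bullet above describes a data-minimisation step: the AI translator only ever receives pre-decoded instruction summaries and risk flags, never raw bytes, memo text, or labels a dApp could author. The following is an added illustration of that filtering, not code from the TxGuardian project. The shape of the decoded transaction (`instructions`, `flags`), the field names, and the sample values are all assumptions constructed for this example.

```javascript
// Added example (not TxGuardian's own code). Builds the payload handed to the
// AI translator from an already-decoded transaction, forwarding only an
// allow-list of decoder-generated fields and dropping anything free-form.
// Field names and the decoded shape are assumptions for illustration.

// Decoder-generated fields that are safe to forward to the model.
const FORWARDED_INSTRUCTION_FIELDS = ["index", "programName", "kind", "summary"];

// Free-form fields that whoever built the transaction could control. These
// are never forwarded, because the model would read them as instructions.
const STRIPPED_FIELDS = ["memo", "label", "accountLabels", "rawData"];

// Assumed decoder convention: Memo program instructions are tagged "memo".
function isMemoInstruction(ix) {
  return ix.programName === "memo";
}

// Returns the minimised payload: allow-listed instruction fields plus flag
// codes and severities from the local verdict engine, nothing else.
function buildAiPayload(decoded) {
  const instructions = [];
  for (const ix of decoded.instructions || []) {
    if (isMemoInstruction(ix)) continue; // memo content is stripped entirely
    const safe = {};
    for (const field of FORWARDED_INSTRUCTION_FIELDS) {
      if (field in ix) safe[field] = ix[field];
    }
    instructions.push(safe);
  }
  const flags = (decoded.flags || []).map((fl) => ({
    code: fl.code,
    severity: fl.severity,
  }));
  return { instructions, flags };
}

// Defensive self-check: walks the outgoing payload and reports whether any
// stripped field name survived, so a decoder change cannot silently leak one.
function leaksStrippedFields(value) {
  if (Array.isArray(value)) return value.some(leaksStrippedFields);
  if (value && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => STRIPPED_FIELDS.includes(k) || leaksStrippedFields(v)
    );
  }
  return false;
}

// Constructed sample decoder output (values are made up for the example).
const SAMPLE_DECODED = {
  instructions: [
    {
      index: 0,
      programName: "system",
      kind: "transfer",
      summary: "Transfer 0.5 SOL to account #2",
      accountLabels: ["Fee payer", "Recipient"], // dApp-supplied, stripped
    },
    {
      index: 1,
      programName: "memo",
      kind: "memo",
      memo: "constructed memo text from the dApp", // stripped entirely
    },
    {
      index: 2,
      programName: "token",
      kind: "approve",
      summary: "Approve a delegate on a token account",
      rawData: "deadbeef", // raw bytes, stripped
    },
  ],
  flags: [
    { code: "UNLIMITED_APPROVAL", severity: "high", detail: "free text not forwarded" },
  ],
};

console.log(JSON.stringify(buildAiPayload(SAMPLE_DECODED), null, 2));
```

The allow-list is the important design choice: a deny-list of known bad fields would start leaking the moment the decoder grows a new free-form field, whereas an allow-list fails closed. `leaksStrippedFields` is the cheap assertion a practitioner would keep in a unit test to make sure that property holds across decoder changes.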
Permissions used by the extension
- host_permissions: <all_urls> — required because the extension must inject into every site that could host a Solana dApp to intercept the wallet's signing request. The injected script only activates when a wallet asks to sign; it does not read or modify page content otherwise.
- storage — used to persist the user-configured analyzer endpoint. No other data is stored.
Open source
Every line of TxGuardian — extension, web demo, SDK, on-chain program — is open source under the MIT license. The privacy claims on this page are auditable. Source at github.com/Omar-Elhorbity/TxGuardian.
Contact
Privacy questions or security reports: open a private security advisory on the GitHub repo, or email omarhusseinelhorbity@gmail.com.