BlockMind
Trust & security

Trust & security

How BlockMind protects your data and crypto with balance-only connections, a private workspace per agent, and explicit exchange-key scope.

BlockMind is built around a strict product boundary: the application reads balances and positions and never initiates trades, withdrawals, or transfers. Your agent has no execution tools. This page explains that model, the important Firi credential exception, and what we store.

Balance-only by design

When you connect a wallet or an exchange, or paste a public address:

  • Wallet connections share a public address. We never receive private keys or seed phrases and cannot sign wallet transactions or approve contracts.
  • For Binance, Coinbase, Kraken, OKX, KuCoin, MEXC, Crypto.com, and Bitstamp, use a provider-scoped read-only API key with trading and withdrawals disabled.
  • Firi does not offer a read-only API-key scope. BlockMind stores the credentials encrypted and enforces balance-only behavior in the application; it never initiates trades, withdrawals, or transfers.

Provider-scoped read-only keys and public wallet addresses cannot authorize fund movement. Firi credentials deserve extra care because Firi does not enforce that restriction at key level. Revoke any exchange credential immediately if you suspect your exchange account or BlockMind account has been compromised.

Wallet connections use the industry-standard WalletConnect protocol and share only your public address. Hardware wallets work the same way. You can remove a connected wallet or exchange at any time.

Your agent's boundaries

Your agent is an analyst, not a trader:

  • It does research, not financial advice. It will not tell you what to buy or sell. Its analyses and verdicts are inputs to your decision.
  • It cannot execute trades — even if you ask it to. There is no execution capability of any kind.
  • AI can be wrong. Analyses may be inaccurate or outdated; always verify before acting on anything important.

Your workspace is private

Each agent runs in its own private workspace, dedicated to one account:

  • Your conversations, your agent's memory, your Notebook, and your portfolio context live in your workspace and are not shared with other users.
  • When your agent sleeps (or your plan lapses), the workspace's data is saved, not shared or repurposed.

What we store

  • Your email address, for sign-in and for briefs.
  • Portfolio and watchlist data — the addresses you connect and the holdings we read from them.
  • Your conversations with your agent, its memory, and your Notebook.
  • Documents you attach in chat.
  • Exchange API credentials you provide, encrypted at rest. Eight supported exchanges provide read-only key scopes; Firi's balance-only restriction is enforced by BlockMind in the application.

Who processes your data

We use a small set of service providers to run BlockMind: payment processing (Stripe), cloud hosting, AI model providers accessed through a managed gateway, web-search providers, the agent's email service, and a cloud-browser service. Providers process data only to deliver their function.

Analytics, honestly

We use product analytics tied to your account to understand how BlockMind is used and improve it. Our marketing pages also use advertising pixels (such as Meta's) for ad measurement.

Signing in

  • Passwordless: a 6-digit code to your email, or Google sign-in. There's no password to steal or reuse.
  • Sessions expire and refresh automatically; signing in again is always just a code away.

Deleting your data

Email contact@blockmind.app from your account email to request deletion of your account and data. You can also delete your agent's workspace yourself at any time — see Agent lifecycle.

Reporting a security concern

Found a vulnerability? We appreciate responsible disclosure: email contact@blockmind.app with a description, steps to reproduce, and how to reach you.

Common questions

Can BlockMind or my agent steal my crypto?

BlockMind and your agent do not initiate trades, withdrawals, transfers, or wallet signatures. Use provider-scoped read-only exchange keys wherever they are available. Firi is the exception: its key is not scopeable as read-only, so BlockMind enforces balance-only behavior in the application.

What if BlockMind gets hacked?

An attacker could expose the data listed under "What we store." Public wallet addresses and provider-scoped read-only exchange keys cannot authorize fund movement. Firi credentials are more sensitive because Firi does not offer a read-only scope; revoke them promptly if you suspect a compromise.

Can I use BlockMind anonymously?

You need a working email (briefs and sign-in codes go there), but any email service works. Your wallet addresses and portfolio data live in your private workspace and aren't shared with other users.

Should I use a hardware wallet?

For significant holdings, yes — and it changes nothing about how BlockMind works, since we only ever read public addresses.

On this page