What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR for users in the EEA and United Kingdom, CCPA and CPRA for California residents, and potentially other state privacy laws. Enforcement authorities include the relevant EU supervisory authorities (including Ireland's Data Protection Commission, where Consensys has European operations), the UK Information Commissioner's Office, and the California Privacy Protection Agency. The policy's treatment of wallet addresses as potentially personal…

How does MetaMask's MetaMask Privacy Policy affect users?

The policy establishes that transaction requests are processed through Infura by default, resulting in the collection and association of IP addresses with wallet addresses. Users who wish to alter this data collection arrangement may configure MetaMask to use alternative RPC providers by navigating to Settings, selecting Networks, and replacing the default Infura RPC endpoint with an alternative provider.

How often is MetaMask's MetaMask Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when MetaMask updates this document?

Yes. Watcher subscribers ($9.99/month) can add MetaMask to their watchlist and receive same-day email alerts whenever this document or any other MetaMask document changes.

CA-D-000280

MetaMask Privacy Policy

MetaMask

Last change detected April 19, 2026 Privacy policy

SHA-256: 279eb0f8be6bb76bcc6… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at MetaMask ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

1 High severity

4 Medium severity

2 Low severity

Summary

This document establishes MetaMask's data collection and handling practices for users of the MetaMask crypto wallet. The policy specifies that MetaMask collects IP addresses and Ethereum wallet addresses during transactions routed through MetaMask's default RPC provider (Infura), which establishes a data linkage between these identifiers within Consensys infrastructure. Users may modify this configuration by selecting alternative RPC providers through MetaMask's Networks settings.

Technical / Legal Breakdown

This document is MetaMask's privacy policy, governing the collection, use, and disclosure of personal data by Consensys Software Inc. in connection with MetaMask wallet software, browser extensions, and related services, relying on legal bases including consent, contractual necessity, and legitimate interests. The policy states that MetaMask collects network request data including IP addresses and wallet addresses when users interact with MetaMask's default RPC provider (Infura), also operated by Consensys, and that this data may be used for analytics, fraud prevention, legal compliance, and improving services; the policy further states that users can configure alternative RPC providers to avoid this collection. A notable operational feature is the vertical integration between MetaMask and Infura: because both are Consensys products, wallet interaction data and network infrastructure data may be combined within a single corporate family, which is operationally distinct from wallet providers using independent third-party RPC endpoints. The policy engages GDPR and UK GDPR for EEA and UK users, CCPA/CPRA for California residents, and references data subject rights including access, deletion, correction, and portability; Consensys states it does not sell personal data but reserves the right to share it with affiliates, service providers, and in corporate transaction contexts. Material compliance considerations include the adequacy of consent mechanisms for MetaMask's international user base, the classification of wallet addresses as personal data under GDPR, and the sufficiency of disclosures around Infura's role as a data processor or controller.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

Infura IP Address and Wallet Address Collection Compare →

Every time you make a transaction through MetaMask using the default settings, both your IP address and your wallet address are sent to Infura, which is owned by the same company as MetaMask. This means your real-world internet location and your crypto identity are linked in Consensys's systems unless you manually change a setting.

Added May 9, 2026 Standard Seen across 198 platforms

Medium — 4 provisions

Data Sharing with Affiliates and Service Providers Compare →

MetaMask can share your personal data with other Consensys-owned companies and with outside vendors that help run its services. These third parties are supposed to keep your data confidential, but the policy permits broad internal sharing across the Consensys corporate family.

Added May 9, 2026 Standard Seen across 246 platforms
Data Transfer in Corporate Transactions Compare →

If MetaMask or Consensys is sold or merges with another company, your personal data can be transferred to the new owner. The policy only commits to notifying you if the law requires it, not as a default.

Added May 9, 2026 Standard Seen across 246 platforms
Data Subject Rights (Access, Deletion, Portability) Compare →

Depending on where you live, you may be able to ask MetaMask to show you, correct, delete, or give you a copy of your personal data. The ability to exercise these rights depends on your jurisdiction.

Added May 9, 2026 Standard Seen across 223 platforms
International Data Transfers Compare →

Your personal data may be transferred to the United States or other countries where privacy laws are less protective than where you live. MetaMask says it uses standard contractual clauses as a safeguard where legally required.

Added May 9, 2026 Standard Seen across 246 platforms

Low — 2 provisions

No Sale of Personal Data

MetaMask says it does not sell your personal data, which is a specific legal term under CCPA and similar laws meaning it does not exchange data for money. However, it does share data with partners and service providers.

Added May 9, 2026 Rare
User Option to Switch RPC Provider

MetaMask gives users the ability to replace the default Infura connection with a different network provider, which would prevent Infura from collecting your IP address and wallet address going forward.

Added May 9, 2026 Rare