diff --git a/packages/backend/.env.example b/packages/backend/.env.example
index 17fcac5e..f8294778 100644
--- a/packages/backend/.env.example
+++ b/packages/backend/.env.example
@@ -43,4 +43,9 @@ SNAG_RULE_ID="your-snag-rule-id-here"
 
 # x402 gasless USDC deposit (optional)
 FEATURE_X402_DEPOSIT=false
-X402_FACILITATOR_URL=https://facilitator.payai.network
\ No newline at end of file
+X402_FACILITATOR_URL=https://facilitator.payai.network
+
+# Stealth payments via Umbra (optional, Base mainnet only)
+FEATURE_STEALTH=false
+STEALTH_RELAYER_PRIVATE_KEY=
+STEALTH_RPC_URL=https://mainnet.base.org
\ No newline at end of file
diff --git a/packages/backend/prisma/migrations/20260511000000_add_send_privately_to_batch_items/migration.sql b/packages/backend/prisma/migrations/20260511000000_add_send_privately_to_batch_items/migration.sql
new file mode 100644
index 00000000..39af0ca5
--- /dev/null
+++ b/packages/backend/prisma/migrations/20260511000000_add_send_privately_to_batch_items/migration.sql
@@ -0,0 +1,3 @@
+-- Add stealth (send privately) flag to batch_items.
+ALTER TABLE "batch_items"
+ADD COLUMN "send_privately" BOOLEAN NOT NULL DEFAULT false;
diff --git a/packages/backend/prisma/schema.prisma b/packages/backend/prisma/schema.prisma
index 4074d43c..fe037409 100644
--- a/packages/backend/prisma/schema.prisma
+++ b/packages/backend/prisma/schema.prisma
@@ -126,16 +126,17 @@ model Vote {
 }
 
 model BatchItem {
-  id           String   @id @default(cuid())
-  userId       String   @map("user_id")
-  contactId    String?  @map("contact_id")
-  recipient    String
-  amount       String
-  tokenAddress String?  @map("token_address")
-  createdAt    DateTime @default(now()) @map("created_at")
-  updatedAt    DateTime @updatedAt @map("updated_at")
-  contact      Contact? @relation(fields: [contactId], references: [id])
-  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  id             String   @id @default(cuid())
+  userId         String   @map("user_id")
+  contactId      String?  @map("contact_id")
+  recipient      String
+  amount         String
+  tokenAddress   String?  @map("token_address")
+  sendPrivately  Boolean  @default(false) @map("send_privately")
+  createdAt      DateTime @default(now()) @map("created_at")
+  updatedAt      DateTime @updatedAt @map("updated_at")
+  contact        Contact? @relation(fields: [contactId], references: [id])
+  user           User     @relation(fields: [userId], references: [id], onDelete: Cascade)
 
   @@index([userId])
   @@map("batch_items")
diff --git a/packages/backend/src/app.module.ts b/packages/backend/src/app.module.ts
index daa47962..2368378a 100644
--- a/packages/backend/src/app.module.ts
+++ b/packages/backend/src/app.module.ts
@@ -24,8 +24,10 @@ import { AdminModule } from './admin/admin.module';
 import { BalanceAlertModule } from './balance-alert/balance-alert.module';
 import { ScheduleModule } from '@nestjs/schedule';
 import { X402Module } from './x402/x402.module';
+import { StealthModule } from './stealth/stealth.module';
 
 const featureX402 = process.env.FEATURE_X402_DEPOSIT === 'true';
+const featureStealth = process.env.FEATURE_STEALTH === 'true';
 
 @Module({
   imports: [
@@ -53,6 +55,7 @@ const featureX402 = process.env.FEATURE_X402_DEPOSIT === 'true';
     BalanceAlertModule,
     ScheduleModule.forRoot(),
     ...(featureX402 ? [X402Module] : []),
+    ...(featureStealth ? [StealthModule] : []),
   ],
 })
 export class AppModule implements NestModule {
diff --git a/packages/backend/src/batch-item/batch-item.service.ts b/packages/backend/src/batch-item/batch-item.service.ts
index 349407dc..a761164d 100644
--- a/packages/backend/src/batch-item/batch-item.service.ts
+++ b/packages/backend/src/batch-item/batch-item.service.ts
@@ -28,6 +28,7 @@ export class BatchItemService {
         amount: dto.amount,
         tokenAddress: dto.tokenAddress,
         contactId: dto.contactId,
+        sendPrivately: dto.sendPrivately ?? false,
       },
       include: {
         contact: true,
diff --git a/packages/backend/src/config/config.keys.ts b/packages/backend/src/config/config.keys.ts
index bd28b6ac..6e0b3c63 100644
--- a/packages/backend/src/config/config.keys.ts
+++ b/packages/backend/src/config/config.keys.ts
@@ -33,4 +33,9 @@ export const CONFIG_KEYS = {
   X402_ENABLED: 'x402.enabled',
   X402_FACILITATOR_URL: 'x402.facilitatorUrl',
   X402_FACILITATOR_BEARER_TOKEN: 'x402.facilitatorBearerToken',
+
+  // Stealth payments (Umbra)
+  STEALTH_ENABLED: 'stealth.enabled',
+  STEALTH_RELAYER_PRIVATE_KEY: 'stealth.relayerPrivateKey',
+  STEALTH_RPC_URL: 'stealth.rpcUrl',
 } as const;
diff --git a/packages/backend/src/config/config.module.ts b/packages/backend/src/config/config.module.ts
index 7f3af77d..7d3c297d 100644
--- a/packages/backend/src/config/config.module.ts
+++ b/packages/backend/src/config/config.module.ts
@@ -7,6 +7,7 @@ import relayerConfig from './relayer.config';
 import telegramConfig from './telegram.config';
 import snagConfig from './snag.config';
 import x402Config from './x402.config';
+import stealthConfig from './stealth.config';
 import { validationSchema } from './env.validation';
 
 @Module({
@@ -21,6 +22,7 @@ import { validationSchema } from './env.validation';
         telegramConfig,
         snagConfig,
         x402Config,
+        stealthConfig,
       ],
       envFilePath: ['.env.local', '.env'],
       cache: true,
diff --git a/packages/backend/src/config/env.validation.ts b/packages/backend/src/config/env.validation.ts
index d2e45408..78371ed4 100644
--- a/packages/backend/src/config/env.validation.ts
+++ b/packages/backend/src/config/env.validation.ts
@@ -53,4 +53,22 @@ export const validationSchema = Joi.object({
     otherwise: Joi.string().uri().optional(),
   }),
   X402_FACILITATOR_BEARER_TOKEN: Joi.string().optional().allow(''),
+
+  // Stealth payments (optional; module loads only when FEATURE_STEALTH=true)
+  FEATURE_STEALTH: Joi.string().valid('true', 'false').default('false'),
+  STEALTH_RELAYER_PRIVATE_KEY: Joi.alternatives().conditional(
+    'FEATURE_STEALTH',
+    {
+      is: 'true',
+      then: Joi.string()
+        .pattern(/^0x[a-fA-F0-9]{64}$/)
+        .required(),
+      otherwise: Joi.string().optional().allow(''),
+    },
+  ),
+  STEALTH_RPC_URL: Joi.alternatives().conditional('FEATURE_STEALTH', {
+    is: 'true',
+    then: Joi.string().uri().required(),
+    otherwise: Joi.string().uri().optional(),
+  }),
 });
diff --git a/packages/backend/src/config/stealth.config.ts b/packages/backend/src/config/stealth.config.ts
new file mode 100644
index 00000000..2336f518
--- /dev/null
+++ b/packages/backend/src/config/stealth.config.ts
@@ -0,0 +1,7 @@
+import { registerAs } from '@nestjs/config';
+
+export default registerAs('stealth', () => ({
+  enabled: process.env.FEATURE_STEALTH === 'true',
+  relayerPrivateKey: process.env.STEALTH_RELAYER_PRIVATE_KEY ?? '',
+  rpcUrl: process.env.STEALTH_RPC_URL ?? 'https://mainnet.base.org',
+}));
diff --git a/packages/backend/src/stealth/stealth.constants.ts b/packages/backend/src/stealth/stealth.constants.ts
new file mode 100644
index 00000000..2a68a22a
--- /dev/null
+++ b/packages/backend/src/stealth/stealth.constants.ts
@@ -0,0 +1,35 @@
+// Base mainnet is the only chain where Umbra is deployed and we operate.
+export const STEALTH_CHAIN_ID = 8453;
+
+// ABI fragments — we keep these minimal so we don't ship the full Umbra ABI
+// just for two functions.
+export const STEALTH_KEY_REGISTRY_ABI = [
+  {
+    name: 'stealthKeys',
+    type: 'function',
+    stateMutability: 'view',
+    inputs: [{ name: 'registrant', type: 'address' }],
+    outputs: [
+      { name: 'spendingPubKeyPrefix', type: 'uint256' },
+      { name: 'spendingPubKey', type: 'uint256' },
+      { name: 'viewingPubKeyPrefix', type: 'uint256' },
+      { name: 'viewingPubKey', type: 'uint256' },
+    ],
+  },
+  {
+    name: 'setStealthKeysOnBehalf',
+    type: 'function',
+    stateMutability: 'nonpayable',
+    inputs: [
+      { name: 'registrant', type: 'address' },
+      { name: 'spendingPubKeyPrefix', type: 'uint256' },
+      { name: 'spendingPubKey', type: 'uint256' },
+      { name: 'viewingPubKeyPrefix', type: 'uint256' },
+      { name: 'viewingPubKey', type: 'uint256' },
+      { name: 'v', type: 'uint8' },
+      { name: 'r', type: 'bytes32' },
+      { name: 's', type: 'bytes32' },
+    ],
+    outputs: [],
+  },
+] as const;
diff --git a/packages/backend/src/stealth/stealth.controller.ts b/packages/backend/src/stealth/stealth.controller.ts
new file mode 100644
index 00000000..61f3988d
--- /dev/null
+++ b/packages/backend/src/stealth/stealth.controller.ts
@@ -0,0 +1,31 @@
+import { Body, Controller, Get, Param, Post, UseGuards } from '@nestjs/common';
+import { Throttle, ThrottlerGuard } from '@nestjs/throttler';
+import {
+  RegisterStealthKeysDto,
+  type RegisterStealthKeysResponse,
+  type StealthRegistrationStatusResponse,
+} from '@polypay/shared';
+import { StealthService } from './stealth.service';
+
+@Controller('stealth')
+@UseGuards(ThrottlerGuard)
+export class StealthController {
+  constructor(private readonly stealthService: StealthService) {}
+
+  // Heavier limit on register because it triggers an on-chain tx with our gas.
+  @Throttle({ default: { ttl: 60_000, limit: 5 } })
+  @Post('register')
+  async register(
+    @Body() dto: RegisterStealthKeysDto,
+  ): Promise<RegisterStealthKeysResponse> {
+    return this.stealthService.register(dto);
+  }
+
+  @Throttle({ default: { ttl: 60_000, limit: 60 } })
+  @Get('status/:walletAddress')
+  async status(
+    @Param('walletAddress') walletAddress: string,
+  ): Promise<StealthRegistrationStatusResponse> {
+    return this.stealthService.getStatus(walletAddress);
+  }
+}
diff --git a/packages/backend/src/stealth/stealth.module.ts b/packages/backend/src/stealth/stealth.module.ts
new file mode 100644
index 00000000..cabd84e6
--- /dev/null
+++ b/packages/backend/src/stealth/stealth.module.ts
@@ -0,0 +1,9 @@
+import { Module } from '@nestjs/common';
+import { StealthController } from './stealth.controller';
+import { StealthService } from './stealth.service';
+
+@Module({
+  controllers: [StealthController],
+  providers: [StealthService],
+})
+export class StealthModule {}
diff --git a/packages/backend/src/stealth/stealth.service.ts b/packages/backend/src/stealth/stealth.service.ts
new file mode 100644
index 00000000..bfe7dc16
--- /dev/null
+++ b/packages/backend/src/stealth/stealth.service.ts
@@ -0,0 +1,200 @@
+import {
+  Injectable,
+  Logger,
+  BadRequestException,
+  InternalServerErrorException,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import {
+  createPublicClient,
+  createWalletClient,
+  http,
+  hexToSignature,
+  type Address,
+} from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+import { base } from 'viem/chains';
+import {
+  RegisterStealthKeysDto,
+  type RegisterStealthKeysResponse,
+  type StealthRegistrationStatusResponse,
+  getUmbraAddresses,
+} from '@polypay/shared';
+import { CONFIG_KEYS } from '@/config/config.keys';
+import {
+  STEALTH_CHAIN_ID,
+  STEALTH_KEY_REGISTRY_ABI,
+} from './stealth.constants';
+
+@Injectable()
+export class StealthService {
+  private readonly logger = new Logger(StealthService.name);
+  // viem's generic types over the chain object explode the TS instantiation
+  // depth when stored on a class field. We only use vanilla methods so the
+  // loose type is fine here.
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  private readonly publicClient: any;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  private readonly walletClient: any;
+  private readonly registryAddress: Address;
+  private readonly relayerAddress: Address;
+
+  // In-memory status cache. Registry rarely changes, so a short TTL is enough
+  // to absorb burst lookups during a batch propose.
+  private readonly statusCache = new Map<
+    string,
+    { value: StealthRegistrationStatusResponse; expiresAt: number }
+  >();
+  private readonly cacheTtlMs = 60_000;
+
+  constructor(private readonly config: ConfigService) {
+    const rpcUrl = this.config.getOrThrow<string>(CONFIG_KEYS.STEALTH_RPC_URL);
+    const relayerKey = this.config.getOrThrow<string>(
+      CONFIG_KEYS.STEALTH_RELAYER_PRIVATE_KEY,
+    );
+
+    const account = privateKeyToAccount(relayerKey as `0x${string}`);
+    this.relayerAddress = account.address;
+
+    // Cast away Base's strict L2 chain type — we only use vanilla read/write
+    // methods that work fine regardless of the chain's optimism stack types.
+    this.publicClient = createPublicClient({
+      chain: base as never,
+      transport: http(rpcUrl),
+    });
+    this.walletClient = createWalletClient({
+      chain: base as never,
+      transport: http(rpcUrl),
+      account,
+    });
+
+    const { registry } = getUmbraAddresses(STEALTH_CHAIN_ID);
+    this.registryAddress = registry as Address;
+
+    this.logger.log(
+      `StealthService ready. Relayer ${this.relayerAddress}, registry ${this.registryAddress}`,
+    );
+  }
+
+  async getStatus(
+    walletAddress: string,
+  ): Promise<StealthRegistrationStatusResponse> {
+    const normalized = this.normalizeAddress(walletAddress);
+    const cached = this.statusCache.get(normalized);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.value;
+    }
+
+    const result = (await this.publicClient.readContract({
+      address: this.registryAddress,
+      abi: STEALTH_KEY_REGISTRY_ABI,
+      functionName: 'stealthKeys',
+      args: [normalized as Address],
+    })) as readonly [bigint, bigint, bigint, bigint];
+
+    const [
+      spendingPubKeyPrefix,
+      spendingPubKey,
+      viewingPubKeyPrefix,
+      viewingPubKey,
+    ] = result;
+
+    const registered = spendingPubKey !== 0n && viewingPubKey !== 0n;
+    const response: StealthRegistrationStatusResponse = registered
+      ? {
+          walletAddress: normalized,
+          registered,
+          spendingPubKeyPrefix: Number(spendingPubKeyPrefix),
+          spendingPubKey: this.toHex32(spendingPubKey),
+          viewingPubKeyPrefix: Number(viewingPubKeyPrefix),
+          viewingPubKey: this.toHex32(viewingPubKey),
+        }
+      : { walletAddress: normalized, registered };
+
+    this.statusCache.set(normalized, {
+      value: response,
+      expiresAt: Date.now() + this.cacheTtlMs,
+    });
+    return response;
+  }
+
+  async register(
+    dto: RegisterStealthKeysDto,
+  ): Promise<RegisterStealthKeysResponse> {
+    const existing = await this.getStatus(dto.walletAddress);
+    if (
+      existing.registered &&
+      existing.spendingPubKey?.toLowerCase() ===
+        dto.spendingPubKey.toLowerCase() &&
+      existing.viewingPubKey?.toLowerCase() === dto.viewingPubKey.toLowerCase()
+    ) {
+      throw new BadRequestException(
+        'Wallet already registered with these keys',
+      );
+    }
+
+    const { v, r, s } = this.splitSignature(dto.signature);
+
+    try {
+      const txHash = await this.walletClient.writeContract({
+        address: this.registryAddress,
+        abi: STEALTH_KEY_REGISTRY_ABI,
+        functionName: 'setStealthKeysOnBehalf',
+        args: [
+          this.normalizeAddress(dto.walletAddress) as Address,
+          BigInt(dto.spendingPubKeyPrefix),
+          BigInt(dto.spendingPubKey),
+          BigInt(dto.viewingPubKeyPrefix),
+          BigInt(dto.viewingPubKey),
+          v,
+          r,
+          s,
+        ],
+        chain: base as never,
+        account: this.walletClient.account!,
+      });
+
+      // Invalidate cache so the next status read reflects the new registration.
+      this.statusCache.delete(this.normalizeAddress(dto.walletAddress));
+
+      this.logger.log(
+        `Submitted setStealthKeysOnBehalf for ${dto.walletAddress} tx=${txHash}`,
+      );
+
+      return {
+        txHash,
+        registryAddress: this.registryAddress,
+        chainId: STEALTH_CHAIN_ID,
+      };
+    } catch (err) {
+      this.logger.error(
+        `setStealthKeysOnBehalf failed for ${dto.walletAddress}: ${(err as Error).message}`,
+      );
+      throw new InternalServerErrorException(
+        'Failed to submit stealth registration on chain',
+      );
+    }
+  }
+
+  private normalizeAddress(value: string): string {
+    return value.toLowerCase();
+  }
+
+  private toHex32(value: bigint): string {
+    return `0x${value.toString(16).padStart(64, '0')}`;
+  }
+
+  private splitSignature(signature: string): {
+    v: number;
+    r: `0x${string}`;
+    s: `0x${string}`;
+  } {
+    const split = hexToSignature(signature as `0x${string}`);
+    // viem returns v as bigint; the registry expects uint8.
+    const v = Number(split.v);
+    if (v !== 27 && v !== 28) {
+      throw new BadRequestException('Invalid signature v value');
+    }
+    return { v, r: split.r, s: split.s };
+  }
+}
diff --git a/packages/nextjs/.env.example b/packages/nextjs/.env.example
index 8e1d93db..14335310 100644
--- a/packages/nextjs/.env.example
+++ b/packages/nextjs/.env.example
@@ -3,3 +3,6 @@ NEXT_PUBLIC_NETWORK="testnet"
 
 # x402 gasless USDC deposit (optional)
 NEXT_PUBLIC_FEATURE_X402_DEPOSIT=false
+
+# Stealth payments via Umbra (optional, Base mainnet only)
+NEXT_PUBLIC_FEATURE_STEALTH=false
diff --git a/packages/nextjs/app/receive/page.tsx b/packages/nextjs/app/receive/page.tsx
new file mode 100644
index 00000000..00dc080a
--- /dev/null
+++ b/packages/nextjs/app/receive/page.tsx
@@ -0,0 +1,154 @@
+"use client";
+
+import { useState } from "react";
+import { notFound } from "next/navigation";
+import { isStealthSupportedChain } from "@polypay/shared";
+import { ConnectButton } from "@rainbow-me/rainbowkit";
+import { useAccount, useChainId } from "wagmi";
+import { STEALTH_ENABLED } from "~~/constants";
+import { useStealthStatus } from "~~/hooks/api/useStealthStatus";
+import { useStealthRegistration } from "~~/hooks/app/useStealthRegistration";
+import { formatErrorMessage } from "~~/utils/formatError";
+import { notification } from "~~/utils/scaffold-eth";
+
+const BASE_MAINNET = 8453;
+const DEFAULT_RPC_URL = "https://mainnet.base.org";
+
+export default function ReceivePage() {
+  const { address, isConnected, connector } = useAccount();
+  const chainId = useChainId();
+  const stealthStatus = useStealthStatus(address ?? null);
+  const { register, step, isLoading } = useStealthRegistration();
+  const [copied, setCopied] = useState(false);
+
+  // When the feature flag is off, treat the route as if it didn't exist. We
+  // call all hooks above unconditionally to satisfy rules-of-hooks.
+  if (!STEALTH_ENABLED) {
+    notFound();
+  }
+
+  const wrongChain = isConnected && !isStealthSupportedChain(chainId);
+  const alreadyRegistered = stealthStatus.data?.registered === true;
+
+  const handleRegister = async () => {
+    if (!connector) {
+      notification.error("Wallet not ready");
+      return;
+    }
+    try {
+      const provider = await connector.getProvider();
+      await register({
+        chainId: BASE_MAINNET,
+        rpcUrl: DEFAULT_RPC_URL,
+        injectedProvider: provider,
+      });
+      notification.success("Stealth keys registered on Base");
+    } catch (err) {
+      notification.error(formatErrorMessage(err, "Registration failed"));
+    }
+  };
+
+  const handleCopyAddress = async () => {
+    if (!address) return;
+    await navigator.clipboard.writeText(address);
+    setCopied(true);
+    setTimeout(() => setCopied(false), 2000);
+  };
+
+  return (
+    <main className="min-h-screen flex items-center justify-center p-6 bg-background">
+      <div className="w-full max-w-xl bg-white rounded-2xl shadow-md p-8 flex flex-col gap-6">
+        <header className="text-center">
+          <h1 className="text-3xl font-bold text-grey-950">Receive private payments</h1>
+          <p className="text-grey-700 text-sm mt-2">
+            Set up a one-time receiving identity. Senders using PolyPay can pay you privately via the Umbra stealth
+            address protocol on Base.
+          </p>
+        </header>
+
+        {!isConnected && (
+          <div className="flex flex-col gap-3 items-center">
+            <p className="text-sm text-grey-700">Connect the wallet you want to receive into.</p>
+            <ConnectButton />
+          </div>
+        )}
+
+        {isConnected && wrongChain && (
+          <div className="rounded-lg bg-yellow-50 border border-yellow-300 p-4 text-sm text-yellow-900">
+            Switch to <strong>Base mainnet</strong> to register. Stealth payments are not available on other networks.
+          </div>
+        )}
+
+        {isConnected && !wrongChain && stealthStatus.isLoading && (
+          <div className="text-sm text-grey-600 text-center">Checking registration status…</div>
+        )}
+
+        {isConnected && !wrongChain && alreadyRegistered && (
+          <div className="flex flex-col gap-4">
+            <div className="rounded-lg bg-green-50 border border-green-300 p-4 text-sm text-green-900">
+              You are already set up to receive private payments.
+            </div>
+            <div className="flex flex-col gap-2">
+              <span className="text-xs text-grey-600">Share this wallet address with senders:</span>
+              <div className="flex items-center gap-2">
+                <code className="flex-1 bg-grey-100 px-3 py-2 rounded-md text-sm break-all">{address}</code>
+                <button
+                  onClick={handleCopyAddress}
+                  className="px-3 py-2 rounded-md bg-main-violet text-white text-sm font-medium"
+                >
+                  {copied ? "Copied" : "Copy"}
+                </button>
+              </div>
+            </div>
+            <div className="rounded-lg bg-grey-50 border border-grey-200 p-4 text-sm text-grey-800">
+              <strong className="block mb-1">To check and withdraw incoming payments:</strong>
+              <ol className="list-decimal pl-5 space-y-1">
+                <li>
+                  Open{" "}
+                  <a
+                    href="https://app.umbra.cash"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    className="text-main-violet underline"
+                  >
+                    app.umbra.cash
+                  </a>
+                </li>
+                <li>Connect this same wallet and sign to scan your inbox</li>
+                <li>Withdraw — Umbra&apos;s relayer pays gas and deducts a small fee from the token</li>
+              </ol>
+            </div>
+          </div>
+        )}
+
+        {isConnected && !wrongChain && stealthStatus.isFetched && !alreadyRegistered && (
+          <div className="flex flex-col gap-4">
+            <div className="rounded-lg bg-grey-50 border border-grey-200 p-4 text-sm text-grey-800">
+              <p className="font-medium mb-2">You will be asked to sign two messages:</p>
+              <ol className="list-decimal pl-5 space-y-1">
+                <li>A canonical Umbra message to derive your stealth keys.</li>
+                <li>
+                  An EIP-712 authorization so PolyPay can submit the registration on chain (no gas required from you).
+                </li>
+              </ol>
+              <p className="mt-3 text-xs text-grey-600">
+                Tip: the same wallet seed will always derive the same keys. Back up your seed phrase — losing it means
+                losing access to past stealth payments.
+              </p>
+            </div>
+            <button
+              onClick={handleRegister}
+              disabled={isLoading}
+              className="w-full py-3 rounded-md bg-main-violet text-white font-medium disabled:opacity-60"
+            >
+              {step === "deriving" && "Deriving keys…"}
+              {step === "signing" && "Signing authorization…"}
+              {step === "submitting" && "Submitting on chain…"}
+              {step === "idle" && "Set up to receive"}
+            </button>
+          </div>
+        )}
+      </div>
+    </main>
+  );
+}
diff --git a/packages/nextjs/components/Batch/BatchContainer.tsx b/packages/nextjs/components/Batch/BatchContainer.tsx
index febcefca..ed901a4a 100644
--- a/packages/nextjs/components/Batch/BatchContainer.tsx
+++ b/packages/nextjs/components/Batch/BatchContainer.tsx
@@ -70,7 +70,16 @@ function BatchTransactions({
   onSelectAll: () => void;
   onSelectItem: (id: string) => void;
   onRemove: (id: string) => void;
-  onEdit: (id: string, data: { recipient: string; amount: string; token: ResolvedToken; contactId?: string }) => void;
+  onEdit: (
+    id: string,
+    data: {
+      recipient: string;
+      amount: string;
+      token: ResolvedToken;
+      contactId?: string;
+      sendPrivately?: boolean;
+    },
+  ) => void;
   isLoading?: boolean;
   isRemoving?: boolean;
   accountId: string | null;
@@ -355,7 +364,16 @@ export default function BatchContainer() {
   );
 
   const handleEdit = useCallback(
-    async (id: string, data: { recipient: string; amount: string; token: ResolvedToken; contactId?: string }) => {
+    async (
+      id: string,
+      data: {
+        recipient: string;
+        amount: string;
+        token: ResolvedToken;
+        contactId?: string;
+        sendPrivately?: boolean;
+      },
+    ) => {
       try {
         const amountInSmallestUnit = parseTokenAmount(data.amount, data.token.decimals);
 
@@ -366,6 +384,7 @@ export default function BatchContainer() {
             amount: amountInSmallestUnit,
             tokenAddress: data.token.address,
             contactId: data.contactId,
+            sendPrivately: data.sendPrivately,
           },
         });
 
diff --git a/packages/nextjs/components/NewAccount/SuccessScreen.tsx b/packages/nextjs/components/NewAccount/SuccessScreen.tsx
index 6fe3526f..e6c69bfa 100644
--- a/packages/nextjs/components/NewAccount/SuccessScreen.tsx
+++ b/packages/nextjs/components/NewAccount/SuccessScreen.tsx
@@ -24,6 +24,7 @@ const SuccessScreen: React.FC<SuccessScreenProps> = ({ className, createdAccount
   const router = useAppRouter();
   const [isReceiveModalOpen, setIsReceiveModalOpen] = useState(false);
   const [fundAddress, setFundAddress] = useState("");
+  const [fundChainId, setFundChainId] = useState<number | undefined>(undefined);
 
   const { currentAccount } = useAccountStore();
   const { openManageAccountsWithExpand } = useSidebarStore();
@@ -35,8 +36,9 @@ const SuccessScreen: React.FC<SuccessScreenProps> = ({ className, createdAccount
     router.goToDashboard();
   };
 
-  const handleFund = (address: string) => {
+  const handleFund = (address: string, chainId?: number) => {
     setFundAddress(address);
+    setFundChainId(chainId);
     setIsReceiveModalOpen(true);
   };
 
@@ -108,7 +110,7 @@ const SuccessScreen: React.FC<SuccessScreenProps> = ({ className, createdAccount
 
                       {/* Fund button */}
                       <button
-                        onClick={() => handleFund(acc.address)}
+                        onClick={() => handleFund(acc.address, acc.chainId)}
                         className="shrink-0 bg-primary text-black text-xs font-semibold px-3 py-1.5 rounded-lg hover:bg-pink-400 transition-colors"
                       >
                         Fund
@@ -142,7 +144,7 @@ const SuccessScreen: React.FC<SuccessScreenProps> = ({ className, createdAccount
                   <span className="font-semibold text-base text-center text-white">See your account</span>
                 </button>
                 <button
-                  onClick={() => handleFund(currentAccount?.address || "")}
+                  onClick={() => handleFund(currentAccount?.address || "", currentAccount?.chainId)}
                   className="flex-1 bg-primary flex items-center justify-center px-6 py-2 rounded-xl shadow-lg hover:shadow-xl transition-all hover:scale-[1.02] cursor-pointer"
                 >
                   <span className="font-semibold text-base text-center text-black">Fund your account</span>
@@ -157,6 +159,7 @@ const SuccessScreen: React.FC<SuccessScreenProps> = ({ className, createdAccount
         isOpen={isReceiveModalOpen}
         onClose={() => setIsReceiveModalOpen(false)}
         address={fundAddress || currentAccount?.address || ""}
+        chainId={fundChainId ?? currentAccount?.chainId}
       />
     </div>
   );
diff --git a/packages/nextjs/components/Transfer/StealthToggle.tsx b/packages/nextjs/components/Transfer/StealthToggle.tsx
new file mode 100644
index 00000000..eeb6c554
--- /dev/null
+++ b/packages/nextjs/components/Transfer/StealthToggle.tsx
@@ -0,0 +1,63 @@
+"use client";
+
+import { isStealthSupportedChain, isStealthSupportedToken } from "@polypay/shared";
+import { STEALTH_ENABLED } from "~~/constants";
+import { useStealthStatus } from "~~/hooks/api/useStealthStatus";
+
+interface StealthToggleProps {
+  checked: boolean;
+  onChange: (next: boolean) => void;
+  chainId: number | undefined;
+  tokenAddress: string | undefined;
+  recipientAddress: string | undefined;
+  disabled?: boolean;
+}
+
+// Shared UI for the "Send privately" toggle. Same component drives the
+// single-transfer and batch-edit flows so disable/hint logic stays in one place.
+export function StealthToggle({
+  checked,
+  onChange,
+  chainId,
+  tokenAddress,
+  recipientAddress,
+  disabled = false,
+}: StealthToggleProps) {
+  const chainOk = !!chainId && isStealthSupportedChain(chainId);
+  const tokenOk = chainOk && !!tokenAddress && isStealthSupportedToken(chainId!, tokenAddress);
+
+  const status = useStealthStatus(chainOk && tokenOk && recipientAddress ? recipientAddress : undefined);
+  const recipientOk = status.data?.registered === true;
+
+  // Hide the entire toggle when the global feature flag is off so users never
+  // see the option in environments where stealth isn't wired up. We call hooks
+  // unconditionally above to satisfy React's rules-of-hooks.
+  if (!STEALTH_ENABLED) return null;
+
+  let hint: string | null = null;
+  if (!chainOk) hint = "Stealth payments are only available on Base mainnet.";
+  else if (!tokenOk) hint = "Stealth supports only ETH and USDC.";
+  else if (!recipientAddress) hint = null;
+  else if (status.isLoading) hint = "Checking recipient setup…";
+  else if (!recipientOk) hint = "Recipient has not registered. Send them polypay.app/receive to set up.";
+
+  const inputDisabled = disabled || !chainOk || !tokenOk || !recipientOk;
+
+  return (
+    <div className="flex flex-col gap-1">
+      <label className="flex items-center gap-2 cursor-pointer select-none">
+        <input
+          type="checkbox"
+          checked={checked && !inputDisabled}
+          onChange={e => onChange(e.target.checked)}
+          disabled={inputDisabled}
+          className="h-4 w-4 accent-main-violet disabled:opacity-50"
+        />
+        <span className={`text-sm font-medium ${inputDisabled ? "text-grey-400" : "text-grey-800"}`}>
+          Send privately (stealth)
+        </span>
+      </label>
+      {hint && <span className="text-xs text-grey-500 pl-6">{hint}</span>}
+    </div>
+  );
+}
diff --git a/packages/nextjs/components/Transfer/TransferContainer.tsx b/packages/nextjs/components/Transfer/TransferContainer.tsx
index 7354ebe0..e67d2f2c 100644
--- a/packages/nextjs/components/Transfer/TransferContainer.tsx
+++ b/packages/nextjs/components/Transfer/TransferContainer.tsx
@@ -4,6 +4,7 @@ import React, { useEffect, useState } from "react";
 import Image from "next/image";
 import { ResolvedToken, parseTokenAmount } from "@polypay/shared";
 import { parseEther } from "viem";
+import { StealthToggle } from "~~/components/Transfer/StealthToggle";
 import { ContactPicker } from "~~/components/contact-book/ContactPicker";
 import { TokenPillPopover } from "~~/components/popovers/TokenPillPopover";
 import { Spinner } from "~~/components/ui/Spinner";
@@ -85,6 +86,7 @@ export default function TransferContainer() {
       amount: data.amount,
       token: selectedToken,
       contactId: selectedContactId,
+      sendPrivately: data.sendPrivately,
     });
   };
 
@@ -113,6 +115,7 @@ export default function TransferContainer() {
         amount: valueInSmallestUnit,
         tokenAddress: isNativeETH ? undefined : selectedToken.address,
         contactId: selectedContactId || undefined,
+        sendPrivately: data.sendPrivately,
       });
 
       notification.success(
@@ -143,6 +146,23 @@ export default function TransferContainer() {
   const watchedAmount = form.watch("amount");
   const isAmountValid = watchedAmount !== "" && parseFloat(watchedAmount) > 0;
 
+  const hasInsufficientBalance = (() => {
+    if (!isAmountValid || isLoadingBalances) return false;
+    try {
+      const amountBI = isNativeETH
+        ? parseEther(watchedAmount)
+        : BigInt(parseTokenAmount(watchedAmount, selectedToken.decimals));
+      const balanceBI = isNativeETH
+        ? parseEther(currentBalance)
+        : BigInt(parseTokenAmount(currentBalance, selectedToken.decimals));
+      return amountBI > balanceBI;
+    } catch {
+      return false;
+    }
+  })();
+
+  const canSubmit = isAmountValid && !!watchedRecipient && !hasInsufficientBalance && !isLoading;
+
   return (
     <div className="overflow-hidden relative w-full h-full flex flex-col rounded-lg">
       {/* Background images */}
@@ -209,7 +229,10 @@ export default function TransferContainer() {
           </div>
 
           {form.formState.errors.amount && (
-            <p className="text-red-500 text-xs">{form.formState.errors.amount.message}</p>
+            <p className="text-red-500 text-xs text-center">{form.formState.errors.amount.message}</p>
+          )}
+          {hasInsufficientBalance && !form.formState.errors.amount && (
+            <p className="text-red-500 text-xs text-center">Insufficient {selectedToken.symbol} balance</p>
           )}
         </div>
         {/* Visual divider */}
@@ -245,6 +268,17 @@ export default function TransferContainer() {
           {form.formState.errors.recipient && (
             <p className="text-red-500 text-sm">{form.formState.errors.recipient.message}</p>
           )}
+
+          <div className="w-full mt-3">
+            <StealthToggle
+              checked={!!form.watch("sendPrivately")}
+              onChange={next => form.setValue("sendPrivately", next, { shouldValidate: false })}
+              chainId={selectedAccount?.chainId}
+              tokenAddress={selectedToken.address}
+              recipientAddress={watchedRecipient || undefined}
+              disabled={isLoading}
+            />
+          </div>
         </div>
 
         {/* Action buttons */}
@@ -264,7 +298,7 @@ export default function TransferContainer() {
         <div className="flex gap-2 items-center justify-center w-full max-w-xs">
           <button
             onClick={handleAddToBatch}
-            disabled={isLoading || !isAmountValid || !watchedRecipient}
+            disabled={!canSubmit}
             className="bg-main-black flex items-center justify-center gap-2 px-3 py-2 rounded-[10px] disabled:opacity-50 cursor-pointer border-0 flex-1 transition-colors"
           >
             {isLoading && <Spinner />}
@@ -274,7 +308,7 @@ export default function TransferContainer() {
           </button>
           <button
             onClick={form.handleSubmit(handleTransfer)}
-            disabled={isLoading || !isAmountValid || !watchedRecipient}
+            disabled={!canSubmit}
             className="bg-pink-350 flex items-center justify-center gap-2 px-3 py-2 rounded-[10px] disabled:opacity-50 cursor-pointer border-0 flex-1 hover:bg-pink-450 transition-colors"
           >
             {isLoading && <Spinner />}
diff --git a/packages/nextjs/components/modals/ModalContainer.tsx b/packages/nextjs/components/modals/ModalContainer.tsx
index 3ced74f1..edb8add1 100644
--- a/packages/nextjs/components/modals/ModalContainer.tsx
+++ b/packages/nextjs/components/modals/ModalContainer.tsx
@@ -14,6 +14,7 @@ interface ModalProps {
   desc?: string;
   icon?: string;
   isCloseButton?: boolean;
+  closeButtonClassName?: string;
   className?: string;
   loadingTransaction?: boolean;
   preventClose?: boolean;
@@ -34,6 +35,7 @@ const ModalContainer = forwardRef<ModalRef, ModalProps>(
       desc,
       icon,
       isCloseButton = true,
+      closeButtonClassName,
       className,
       loadingTransaction = false,
       preventClose = false,
@@ -64,6 +66,7 @@ const ModalContainer = forwardRef<ModalRef, ModalProps>(
         <DialogContent
           className={cn("rounded-3xl w-[600px] px-1.5 py-4 shadow-modal", className)}
           showCloseButton={isCloseButton}
+          closeButtonClassName={closeButtonClassName}
           onEscapeKeyDown={e => loadingTransaction && e.preventDefault()}
           onPointerDownOutside={e => loadingTransaction && e.preventDefault()}
         >
diff --git a/packages/nextjs/components/modals/QRAddressReceiverModal.tsx b/packages/nextjs/components/modals/QRAddressReceiverModal.tsx
index d2e89abd..9a3a326e 100644
--- a/packages/nextjs/components/modals/QRAddressReceiverModal.tsx
+++ b/packages/nextjs/components/modals/QRAddressReceiverModal.tsx
@@ -7,11 +7,13 @@ import { notification } from "~~/utils/scaffold-eth";
 
 interface QRAddressReceiverModalProps extends ModalProps {
   address?: string;
+  chainId?: number;
 }
 
-const QRAddressReceiverModal: React.FC<QRAddressReceiverModalProps> = ({ isOpen, onClose, address }) => {
+const QRAddressReceiverModal: React.FC<QRAddressReceiverModalProps> = ({ isOpen, onClose, address, chainId }) => {
   const { currentAccount } = useAccountStore();
-  const networkIcon = currentAccount?.chainId ? getNetworkMeta(currentAccount.chainId).icon : "/logo/polypay-icon.svg";
+  const resolvedChainId = chainId ?? currentAccount?.chainId;
+  const networkIcon = resolvedChainId ? getNetworkMeta(resolvedChainId).icon : "/logo/polypay-icon.svg";
   const handleCopy = () => {
     navigator.clipboard.writeText(address ?? "");
     notification.success("Address copied to clipboard");
diff --git a/packages/nextjs/components/modals/ReceiveMethodModal.tsx b/packages/nextjs/components/modals/ReceiveMethodModal.tsx
index abc09459..3e33979c 100644
--- a/packages/nextjs/components/modals/ReceiveMethodModal.tsx
+++ b/packages/nextjs/components/modals/ReceiveMethodModal.tsx
@@ -35,9 +35,10 @@ const ReceiveMethodModal: React.FC<ReceiveMethodModalProps> = ({
       onClose={onClose}
       title="Select a receive method"
       isCloseButton
-      className="bg-white rounded-3xl w-[min(560px,92vw)] px-5 py-5 shadow-modal"
+      closeButtonClassName="top-1 right-2"
+      className="bg-white rounded-3xl w-[min(560px,92vw)] p-5 shadow-modal"
     >
-      <div className="flex flex-col gap-3 pt-6">
+      <div className="flex flex-col gap-3 pt-5">
         {/* Option 1 — QR */}
         <button
           type="button"
diff --git a/packages/nextjs/components/modals/SwitchAccountModal.tsx b/packages/nextjs/components/modals/SwitchAccountModal.tsx
index dfdb7a9e..41d4fdc4 100644
--- a/packages/nextjs/components/modals/SwitchAccountModal.tsx
+++ b/packages/nextjs/components/modals/SwitchAccountModal.tsx
@@ -123,21 +123,8 @@ const SwitchAccountModal: React.FC<ModalProps> = ({ isOpen, onClose }) => {
             {step === 1 ? "Choose network" : "Choose your account"}
           </span>
 
-          {/* Close button */}
-          <button
-            onClick={onClose}
-            className="w-[38px] h-icon-btn flex items-center justify-center rounded-lg border border-grey-200 hover:bg-grey-100 transition-colors"
-          >
-            <svg width="18" height="18" viewBox="0 0 18 18" fill="none">
-              <path
-                d="M4.5 4.5L13.5 13.5M4.5 13.5L13.5 4.5"
-                stroke="#363636"
-                strokeWidth="1.5"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-              />
-            </svg>
-          </button>
+          {/* Spacer to balance back button so title stays centered */}
+          <div className="w-[38px] h-icon-btn" />
         </div>
 
         {/* Content */}
diff --git a/packages/nextjs/components/popovers/EditBatchPopover.tsx b/packages/nextjs/components/popovers/EditBatchPopover.tsx
index 4873f042..0ee6c2a9 100644
--- a/packages/nextjs/components/popovers/EditBatchPopover.tsx
+++ b/packages/nextjs/components/popovers/EditBatchPopover.tsx
@@ -5,6 +5,7 @@ import Image from "next/image";
 import { TokenPillPopover } from "./TokenPillPopover";
 import { BatchItem, ResolvedToken, ZERO_ADDRESS, getTokenByAddress } from "@polypay/shared";
 import { formatEther, formatUnits } from "viem";
+import { StealthToggle } from "~~/components/Transfer/StealthToggle";
 import { ContactPicker } from "~~/components/contact-book/ContactPicker";
 import { useContacts } from "~~/hooks";
 import { useNetworkTokens } from "~~/hooks/app/useNetworkTokens";
@@ -18,7 +19,13 @@ interface EditBatchPopoverProps {
   item: BatchItem;
   isOpen: boolean;
   onClose: () => void;
-  onSave: (data: { recipient: string; amount: string; token: ResolvedToken; contactId?: string }) => void;
+  onSave: (data: {
+    recipient: string;
+    amount: string;
+    token: ResolvedToken;
+    contactId?: string;
+    sendPrivately?: boolean;
+  }) => void;
   triggerRef: React.RefObject<HTMLButtonElement | null>;
 }
 
@@ -53,6 +60,7 @@ export default function EditBatchPopover({ item, isOpen, onClose, onSave, trigge
       tokenAddress: item.tokenAddress || ZERO_ADDRESS,
       contactId: item.contact?.id || undefined,
       contactName: item.contact?.name || undefined,
+      sendPrivately: item.sendPrivately ?? false,
     },
   });
 
@@ -122,6 +130,7 @@ export default function EditBatchPopover({ item, isOpen, onClose, onSave, trigge
       amount: data.amount,
       token: token,
       contactId: data.contactId || undefined,
+      sendPrivately: data.sendPrivately,
     });
     onClose();
   };
@@ -239,6 +248,14 @@ export default function EditBatchPopover({ item, isOpen, onClose, onSave, trigge
           )}
         </div>
 
+        <StealthToggle
+          checked={!!form.watch("sendPrivately")}
+          onChange={next => form.setValue("sendPrivately", next, { shouldValidate: false })}
+          chainId={selectedAccount?.chainId}
+          tokenAddress={watchedTokenAddress || ZERO_ADDRESS}
+          recipientAddress={watchedRecipient || undefined}
+        />
+
         <div className="flex gap-2 pt-2">
           <button
             onClick={onClose}
diff --git a/packages/nextjs/components/ui/dialog.tsx b/packages/nextjs/components/ui/dialog.tsx
index 5de353c5..ca749b4f 100644
--- a/packages/nextjs/components/ui/dialog.tsx
+++ b/packages/nextjs/components/ui/dialog.tsx
@@ -38,9 +38,11 @@ function DialogContent({
   className,
   children,
   showCloseButton = true,
+  closeButtonClassName,
   ...props
 }: React.ComponentProps<typeof DialogPrimitive.Content> & {
   showCloseButton?: boolean;
+  closeButtonClassName?: string;
 }) {
   return (
     <DialogPortal data-slot="dialog-portal">
@@ -58,7 +60,10 @@ function DialogContent({
           {showCloseButton && (
             <DialogPrimitive.Close
               data-slot="dialog-close"
-              className="h-8 w-8 p-1.5 text-black bg-white cursor-pointer hover:bg-gray-200 absolute top-1 right-3 rounded-md "
+              className={cn(
+                "h-8 w-8 p-1.5 text-black bg-white cursor-pointer hover:bg-gray-200 absolute top-5 right-5 rounded-md",
+                closeButtonClassName,
+              )}
             >
               <X className="w-5 h-5" />
             </DialogPrimitive.Close>
diff --git a/packages/nextjs/constants/features.ts b/packages/nextjs/constants/features.ts
new file mode 100644
index 00000000..f09e757e
--- /dev/null
+++ b/packages/nextjs/constants/features.ts
@@ -0,0 +1,5 @@
+// Centralized feature flag readers. Keep one source of truth so we don't
+// scatter `process.env.NEXT_PUBLIC_*` checks across the codebase.
+export const STEALTH_ENABLED = process.env.NEXT_PUBLIC_FEATURE_STEALTH === "true";
+
+export const X402_DEPOSIT_ENABLED = process.env.NEXT_PUBLIC_FEATURE_X402_DEPOSIT === "true";
diff --git a/packages/nextjs/constants/index.ts b/packages/nextjs/constants/index.ts
index 2ce70976..27f14e21 100644
--- a/packages/nextjs/constants/index.ts
+++ b/packages/nextjs/constants/index.ts
@@ -1 +1,2 @@
 export const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || "http://localhost:4000";
+export * from "./features";
diff --git a/packages/nextjs/hooks/api/useStealthStatus.ts b/packages/nextjs/hooks/api/useStealthStatus.ts
new file mode 100644
index 00000000..8093b65c
--- /dev/null
+++ b/packages/nextjs/hooks/api/useStealthStatus.ts
@@ -0,0 +1,18 @@
+import { useQuery } from "@tanstack/react-query";
+import { stealthApi } from "~~/services/api";
+
+export const stealthKeys = {
+  all: ["stealth"] as const,
+  status: (walletAddress: string) => [...stealthKeys.all, "status", walletAddress.toLowerCase()] as const,
+};
+
+export function useStealthStatus(walletAddress: string | undefined | null) {
+  const normalized = walletAddress?.toLowerCase() ?? "";
+
+  return useQuery({
+    queryKey: stealthKeys.status(normalized),
+    queryFn: () => stealthApi.getStatus(normalized),
+    enabled: !!normalized && /^0x[a-fA-F0-9]{40}$/.test(normalized),
+    staleTime: 60_000,
+  });
+}
diff --git a/packages/nextjs/hooks/app/transaction/useBatchTransaction.ts b/packages/nextjs/hooks/app/transaction/useBatchTransaction.ts
index 82baa4aa..b4eb73fa 100644
--- a/packages/nextjs/hooks/app/transaction/useBatchTransaction.ts
+++ b/packages/nextjs/hooks/app/transaction/useBatchTransaction.ts
@@ -1,14 +1,27 @@
 import { useState } from "react";
 import { createTransactionSteps } from "./transactionSteps";
-import { BatchItem, TxType, ZERO_ADDRESS, encodeBatchTransfer, encodeBatchTransferMulti } from "@polypay/shared";
+import {
+  BatchItem,
+  TxType,
+  ZERO_ADDRESS,
+  encodeBatchTransfer,
+  encodeBatchTransferMulti,
+  isStealthSupportedChain,
+  isStealthSupportedToken,
+} from "@polypay/shared";
 import { useWalletClient } from "wagmi";
 import { useMetaMultiSigWallet } from "~~/hooks";
 import { useCreateTransaction, useReserveNonce } from "~~/hooks/api";
 import { useGenerateProof } from "~~/hooks/app/useGenerateProof";
 import { useStepLoading } from "~~/hooks/app/useStepLoading";
-import { useIdentityStore } from "~~/services/store";
+import { useAccountStore, useIdentityStore } from "~~/services/store";
 import { formatErrorMessage } from "~~/utils/formatError";
 import { notification } from "~~/utils/scaffold-eth";
+import { buildStealthBatchCall } from "~~/utils/stealth";
+import { deriveStealthEntries } from "~~/utils/stealthEntries";
+
+const UMBRA_TOLL = 0n;
+const DEFAULT_BASE_RPC_URL = "https://mainnet.base.org";
 
 interface UseBatchTransactionOptions {
   onSuccess?: () => void;
@@ -21,6 +34,7 @@ export const useBatchTransaction = (options?: UseBatchTransactionOptions) => {
 
   const { data: walletClient } = useWalletClient();
   const { secret, commitment: myCommitment } = useIdentityStore();
+  const { currentAccount } = useAccountStore();
   const metaMultiSigWallet = useMetaMultiSigWallet();
   const { mutateAsync: createTransaction } = useCreateTransaction();
   const { mutateAsync: reserveNonce } = useReserveNonce();
@@ -48,6 +62,31 @@ export const useBatchTransaction = (options?: UseBatchTransactionOptions) => {
     try {
       const selectedIds = selectedBatchItems.map(item => item.id);
 
+      // Stealth + regular cannot be mixed in one multisig.execute (one call
+      // can only target one contract). Force HR to keep batches single-kind.
+      const stealthItems = selectedBatchItems.filter(i => i.sendPrivately);
+      const regularItems = selectedBatchItems.filter(i => !i.sendPrivately);
+      if (stealthItems.length > 0 && regularItems.length > 0) {
+        notification.error("Cannot mix stealth and regular items in one batch. Propose them separately.");
+        return;
+      }
+
+      const useStealth = stealthItems.length > 0;
+      const chainId = currentAccount?.chainId;
+
+      if (useStealth) {
+        if (!chainId || !isStealthSupportedChain(chainId)) {
+          notification.error("Stealth payments are only available on Base mainnet");
+          return;
+        }
+        for (const item of stealthItems) {
+          if (!isStealthSupportedToken(chainId, item.tokenAddress || ZERO_ADDRESS)) {
+            notification.error("Stealth payments support only ETH and USDC. Remove unsupported items.");
+            return;
+          }
+        }
+      }
+
       // 1. Reserve nonce from backend
       startStep(1);
       const { nonce } = await reserveNonce(metaMultiSigWallet.address);
@@ -55,25 +94,47 @@ export const useBatchTransaction = (options?: UseBatchTransactionOptions) => {
       // 2. Get current threshold and commitments
       const currentThreshold = await metaMultiSigWallet.read.signaturesRequired();
 
-      // 3. Prepare batch data
-      const recipients = selectedBatchItems.map(item => item.recipient as `0x${string}`);
-      const amounts: bigint[] = selectedBatchItems.map(item => BigInt(item.amount));
-      const tokenAddresses = selectedBatchItems.map(item => item.tokenAddress || ZERO_ADDRESS);
-
-      // Check if any ERC20 token in batch
-      const hasERC20 = tokenAddresses.some(addr => addr !== ZERO_ADDRESS);
-
-      // 4. Encode function call based on token types
-      const batchTransferData = hasERC20
-        ? encodeBatchTransferMulti(recipients, amounts, tokenAddresses)
-        : encodeBatchTransfer(recipients, amounts);
+      // 3. Build (to, value, data)
+      let toAddress: `0x${string}`;
+      let txValue: bigint;
+      let txData: `0x${string}`;
+
+      if (useStealth) {
+        const stealthInputs = stealthItems.map(item => ({
+          recipient: item.recipient,
+          tokenAddress: item.tokenAddress || ZERO_ADDRESS,
+          amount: BigInt(item.amount),
+        }));
+        const derived = await deriveStealthEntries(chainId!, DEFAULT_BASE_RPC_URL, stealthInputs);
+        const built = buildStealthBatchCall(
+          chainId!,
+          UMBRA_TOLL,
+          derived.map(d => d.entry),
+        );
+        toAddress = built.to as `0x${string}`;
+        txValue = built.value;
+        txData = built.data as `0x${string}`;
+      } else {
+        const recipients = regularItems.map(item => item.recipient as `0x${string}`);
+        const amounts: bigint[] = regularItems.map(item => BigInt(item.amount));
+        const tokenAddresses = regularItems.map(item => item.tokenAddress || ZERO_ADDRESS);
+
+        const hasERC20 = tokenAddresses.some(addr => addr !== ZERO_ADDRESS);
+        const batchTransferData = hasERC20
+          ? encodeBatchTransferMulti(recipients, amounts, tokenAddresses)
+          : encodeBatchTransfer(recipients, amounts);
+
+        toAddress = metaMultiSigWallet.address;
+        txValue = 0n;
+        txData = batchTransferData as `0x${string}`;
+      }
 
-      // 5. Calculate txHash (to = wallet itself, value = 0, data = batchTransfer call)
+      // 4. Calculate txHash
       const txHash = (await metaMultiSigWallet.read.getTransactionHash([
         BigInt(nonce),
-        metaMultiSigWallet.address,
-        0n,
-        batchTransferData,
+        toAddress,
+        txValue,
+        txData,
       ])) as `0x${string}`;
 
       // 6. Generate ZK proof
@@ -86,8 +147,8 @@ export const useBatchTransaction = (options?: UseBatchTransactionOptions) => {
         type: TxType.BATCH,
         accountAddress: metaMultiSigWallet.address,
         threshold: Number(currentThreshold),
-        to: metaMultiSigWallet.address,
-        value: "0",
+        to: toAddress,
+        value: txValue.toString(),
         proof: Array.from(proof),
         publicInputs,
         nullifier: nullifier.toString(),
diff --git a/packages/nextjs/hooks/app/transaction/useTransferTransaction.ts b/packages/nextjs/hooks/app/transaction/useTransferTransaction.ts
index 261afb6a..91ddb488 100644
--- a/packages/nextjs/hooks/app/transaction/useTransferTransaction.ts
+++ b/packages/nextjs/hooks/app/transaction/useTransferTransaction.ts
@@ -1,22 +1,39 @@
 import { useEffect } from "react";
 import { createTransactionSteps } from "./transactionSteps";
-import { ResolvedToken, TxType, ZERO_ADDRESS, encodeERC20Transfer, parseTokenAmount } from "@polypay/shared";
+import {
+  ResolvedToken,
+  TxType,
+  ZERO_ADDRESS,
+  encodeERC20Transfer,
+  isStealthSupportedChain,
+  isStealthSupportedToken,
+  parseTokenAmount,
+} from "@polypay/shared";
 import { parseEther } from "viem";
 import { useWalletClient } from "wagmi";
 import { useMetaMultiSigWallet } from "~~/hooks";
 import { useCreateTransaction, useReserveNonce } from "~~/hooks/api/useTransaction";
 import { useGenerateProof } from "~~/hooks/app/useGenerateProof";
 import { useStepLoading } from "~~/hooks/app/useStepLoading";
+import { useAccountStore } from "~~/services/store";
 import { formatErrorMessage } from "~~/utils/formatError";
 import { notification } from "~~/utils/scaffold-eth";
+import { buildStealthBatchCall } from "~~/utils/stealth";
+import { deriveStealthEntries } from "~~/utils/stealthEntries";
 
 interface TransferParams {
   recipient: string;
   amount: string;
   token: ResolvedToken;
   contactId?: string | null;
+  sendPrivately?: boolean;
 }
 
+// Toll on Umbra Base is currently 0; revisit if ScopeLift turns it on.
+const UMBRA_TOLL = 0n;
+
+const DEFAULT_BASE_RPC_URL = "https://mainnet.base.org";
+
 interface UseTransferTransactionOptions {
   onSuccess?: () => void;
 }
@@ -34,13 +51,28 @@ export const useTransferTransaction = (options?: UseTransferTransactionOptions)
     onLoadingStateChange: setStepByLabel,
   });
 
-  const transfer = async ({ recipient, amount, token, contactId }: TransferParams) => {
+  const { currentAccount } = useAccountStore();
+
+  const transfer = async ({ recipient, amount, token, contactId, sendPrivately }: TransferParams) => {
     if (!walletClient || !metaMultiSigWallet) {
       notification.error("Wallet not connected");
       return;
     }
 
     const isNativeETH = token.address === ZERO_ADDRESS;
+    const chainId = currentAccount?.chainId;
+
+    if (sendPrivately) {
+      if (!chainId || !isStealthSupportedChain(chainId)) {
+        notification.error("Stealth payments are only available on Base mainnet");
+        return;
+      }
+      if (!isStealthSupportedToken(chainId, token.address)) {
+        notification.error("Stealth payments support only ETH and USDC");
+        return;
+      }
+    }
+
     try {
       // 1. Reserve nonce from backend
       startStep(1);
@@ -54,32 +86,48 @@ export const useTransferTransaction = (options?: UseTransferTransactionOptions)
         ? parseEther(amount).toString()
         : parseTokenAmount(amount, token.decimals);
 
-      // 4. Calculate txHash (different for ETH vs ERC20)
-      let txHash: `0x${string}`;
-
-      if (isNativeETH) {
-        // ETH: to = recipient, value = amount, data = 0x
-        txHash = (await metaMultiSigWallet.read.getTransactionHash([
-          BigInt(nonce),
-          recipient as `0x${string}`,
-          BigInt(valueInSmallestUnit),
-          "0x" as `0x${string}`,
-        ])) as `0x${string}`;
+      // 4. Build (to, value, data) — stealth path replaces the recipient with a
+      //    fresh stealth address and routes through Umbra's batch contract so a
+      //    proper Announcement event is emitted.
+      let toAddress: `0x${string}`;
+      let txValue: bigint;
+      let txData: `0x${string}`;
+
+      if (sendPrivately) {
+        const [{ entry }] = await deriveStealthEntries(chainId!, DEFAULT_BASE_RPC_URL, [
+          {
+            recipient,
+            tokenAddress: token.address,
+            amount: BigInt(valueInSmallestUnit),
+          },
+        ]);
+        const built = buildStealthBatchCall(chainId!, UMBRA_TOLL, [entry]);
+        toAddress = built.to as `0x${string}`;
+        txValue = built.value;
+        txData = built.data as `0x${string}`;
+      } else if (isNativeETH) {
+        toAddress = recipient as `0x${string}`;
+        txValue = BigInt(valueInSmallestUnit);
+        txData = "0x";
       } else {
-        // ERC20: to = tokenAddress, value = 0, data = transfer(recipient, amount)
-        const encodedData = encodeERC20Transfer(recipient, BigInt(valueInSmallestUnit));
-        txHash = (await metaMultiSigWallet.read.getTransactionHash([
-          BigInt(nonce),
-          token.address as `0x${string}`,
-          0n,
-          encodedData as `0x${string}`,
-        ])) as `0x${string}`;
+        toAddress = token.address as `0x${string}`;
+        txValue = 0n;
+        txData = encodeERC20Transfer(recipient, BigInt(valueInSmallestUnit)) as `0x${string}`;
       }
 
+      const txHash = (await metaMultiSigWallet.read.getTransactionHash([
+        BigInt(nonce),
+        toAddress,
+        txValue,
+        txData,
+      ])) as `0x${string}`;
+
       // 5. Generate ZK proof
       const { proof, publicInputs, nullifier, vk } = await generateProof(txHash);
 
-      // 6. Submit to backend
+      // 6. Submit to backend. For stealth, we record the ORIGINAL recipient and
+      //    token in the transaction row (so the UI keeps showing "Alice / USDC"),
+      //    but the on-chain target/value/data are stealth-flavored.
       startStep(4);
       const result = await createTransaction({
         nonce,
@@ -98,7 +146,11 @@ export const useTransferTransaction = (options?: UseTransferTransactionOptions)
       });
 
       if (result) {
-        notification.success("Transfer transaction created! Waiting for approvals.");
+        notification.success(
+          sendPrivately
+            ? "Private transfer created. Waiting for approvals."
+            : "Transfer transaction created! Waiting for approvals.",
+        );
       }
 
       options?.onSuccess?.();
diff --git a/packages/nextjs/hooks/app/useStealthRegistration.ts b/packages/nextjs/hooks/app/useStealthRegistration.ts
new file mode 100644
index 00000000..e253419e
--- /dev/null
+++ b/packages/nextjs/hooks/app/useStealthRegistration.ts
@@ -0,0 +1,152 @@
+"use client";
+
+import { useCallback, useState } from "react";
+import { type RegisterStealthKeysDto, getUmbraAddresses, isStealthSupportedChain } from "@polypay/shared";
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { KeyPair, Umbra } from "@umbracash/umbra-js";
+import { providers } from "ethers";
+import { stealthKeys } from "~~/hooks/api/useStealthStatus";
+import { stealthApi } from "~~/services/api";
+
+// EIP-712 typed data accepted by StealthKeyRegistry.setStealthKeysOnBehalf.
+// Domain + types must match the contract exactly; see Umbra source.
+function buildSetKeysTypedData(
+  chainId: number,
+  verifyingContract: string,
+  message: {
+    registrant: string;
+    spendingPubKeyPrefix: bigint;
+    spendingPubKey: bigint;
+    viewingPubKeyPrefix: bigint;
+    viewingPubKey: bigint;
+  },
+) {
+  return {
+    domain: {
+      name: "Umbra Stealth Key Registry",
+      version: "1",
+      chainId,
+      verifyingContract,
+    },
+    types: {
+      StealthKeys: [
+        { name: "registrant", type: "address" },
+        { name: "spendingPubKeyPrefix", type: "uint256" },
+        { name: "spendingPubKey", type: "uint256" },
+        { name: "viewingPubKeyPrefix", type: "uint256" },
+        { name: "viewingPubKey", type: "uint256" },
+      ],
+    },
+    primaryType: "StealthKeys" as const,
+    message,
+  };
+}
+
+interface RegisterArgs {
+  chainId: number;
+  rpcUrl: string;
+  // window.ethereum-compatible provider (from RainbowKit / connected wallet).
+  injectedProvider: unknown;
+}
+
+interface RegisterResult {
+  txHash: string;
+  walletAddress: string;
+}
+
+// Splits the compressed public key bytes returned by umbra-js into the
+// (prefix, x-coord) pair that the registry stores. Umbra uses uint256 for the
+// x-coord; prefix is 2 or 3 from the leading byte.
+function splitCompressedPubKey(hex: string): {
+  prefix: number;
+  pubKey: string; // 0x-prefixed 32 bytes
+} {
+  // KeyPair.publicKeyHex returns 65-byte uncompressed (04 || X || Y). We need
+  // the compressed form. umbra-js exposes `compressedPublicKey` but typings
+  // are loose; reconstruct here for clarity.
+  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
+  if (clean.length !== 130) {
+    throw new Error(`Unexpected public key length: ${clean.length}`);
+  }
+  const x = clean.slice(2, 66);
+  const y = clean.slice(66, 130);
+  const yLastByte = parseInt(y.slice(-2), 16);
+  const prefix = yLastByte % 2 === 0 ? 2 : 3;
+  return { prefix, pubKey: `0x${x}` };
+}
+
+export function useStealthRegistration() {
+  const queryClient = useQueryClient();
+  const [step, setStep] = useState<"idle" | "deriving" | "signing" | "submitting">("idle");
+
+  const mutation = useMutation({
+    mutationFn: async ({ chainId, rpcUrl, injectedProvider }: RegisterArgs): Promise<RegisterResult> => {
+      if (!isStealthSupportedChain(chainId)) {
+        throw new Error("Stealth payments not available on this network");
+      }
+
+      setStep("deriving");
+      const browserProvider = new providers.Web3Provider(injectedProvider as never);
+      const signer = browserProvider.getSigner();
+      const walletAddress = (await signer.getAddress()).toLowerCase();
+
+      // Derive Umbra meta-address. This triggers a personal_sign of the
+      // canonical Umbra message; the SDK splits the signature into two keys.
+      const rpcProvider = new providers.JsonRpcProvider(rpcUrl, chainId);
+      const umbra = new Umbra(rpcProvider, chainId);
+      const { spendingKeyPair, viewingKeyPair } = await umbra.generatePrivateKeys(signer as never);
+
+      const spending = splitCompressedPubKey((spendingKeyPair as KeyPair).publicKeyHex);
+      const viewing = splitCompressedPubKey((viewingKeyPair as KeyPair).publicKeyHex);
+
+      const { registry } = getUmbraAddresses(chainId);
+
+      const message = {
+        registrant: walletAddress,
+        spendingPubKeyPrefix: BigInt(spending.prefix),
+        spendingPubKey: BigInt(spending.pubKey),
+        viewingPubKeyPrefix: BigInt(viewing.prefix),
+        viewingPubKey: BigInt(viewing.pubKey),
+      };
+      const typedData = buildSetKeysTypedData(chainId, registry, message);
+
+      setStep("signing");
+      // ethers v5 uses _signTypedData; the underscore is intentional, the
+      // EIP-712 API was experimental when v5 shipped.
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const signature = await (signer as any)._signTypedData(typedData.domain, typedData.types, typedData.message);
+
+      setStep("submitting");
+      const dto: RegisterStealthKeysDto = {
+        walletAddress,
+        spendingPubKeyPrefix: spending.prefix,
+        spendingPubKey: spending.pubKey,
+        viewingPubKeyPrefix: viewing.prefix,
+        viewingPubKey: viewing.pubKey,
+        signature,
+      };
+      const response = await stealthApi.register(dto);
+
+      // Surface the new status everywhere that reads it (Transfer, Batch).
+      await queryClient.invalidateQueries({
+        queryKey: stealthKeys.status(walletAddress),
+      });
+
+      setStep("idle");
+      return { txHash: response.txHash, walletAddress };
+    },
+    onError: () => {
+      setStep("idle");
+    },
+  });
+
+  const register = useCallback((args: RegisterArgs) => mutation.mutateAsync(args), [mutation]);
+
+  return {
+    register,
+    step,
+    isLoading: mutation.isPending,
+    error: mutation.error,
+    data: mutation.data,
+  };
+}
diff --git a/packages/nextjs/hooks/app/useUmbra.ts b/packages/nextjs/hooks/app/useUmbra.ts
new file mode 100644
index 00000000..119a45cb
--- /dev/null
+++ b/packages/nextjs/hooks/app/useUmbra.ts
@@ -0,0 +1,20 @@
+"use client";
+
+import { useMemo } from "react";
+import { getUmbraAddresses, isStealthSupportedChain } from "@polypay/shared";
+import { Umbra } from "@umbracash/umbra-js";
+import { providers } from "ethers";
+
+// We use ethers v5 here because @umbracash/umbra-js is built on ethers v5.
+// The rest of PolyPay uses viem/wagmi — keep this isolated.
+export function useUmbra(chainId: number | undefined, rpcUrl: string | undefined) {
+  return useMemo(() => {
+    if (!chainId || !rpcUrl) return null;
+    if (!isStealthSupportedChain(chainId)) return null;
+
+    const provider = new providers.JsonRpcProvider(rpcUrl, chainId);
+    // Throws if chain unsupported; we guard above so this is informational.
+    getUmbraAddresses(chainId);
+    return new Umbra(provider, chainId);
+  }, [chainId, rpcUrl]);
+}
diff --git a/packages/nextjs/lib/form/schemas.ts b/packages/nextjs/lib/form/schemas.ts
index 6501d25b..2259744d 100644
--- a/packages/nextjs/lib/form/schemas.ts
+++ b/packages/nextjs/lib/form/schemas.ts
@@ -41,6 +41,7 @@ export const transferSchema = z.object({
       message: "Invalid address format",
     }),
   amount: z.string(),
+  sendPrivately: z.boolean().optional(),
 });
 export type TransferFormData = z.infer<typeof transferSchema>;
 
diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
index 7d219964..c02d2143 100644
--- a/packages/nextjs/package.json
+++ b/packages/nextjs/package.json
@@ -30,6 +30,7 @@
     "@radix-ui/react-tooltip": "^1.2.8",
     "@rainbow-me/rainbowkit": "2.2.7",
     "@tanstack/react-query": "~5.59.15",
+    "@umbracash/umbra-js": "^0.2.2",
     "@uniswap/sdk-core": "~5.8.2",
     "@uniswap/v2-sdk": "~4.6.1",
     "axios": "^1.13.2",
@@ -39,6 +40,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "daisyui": "5.0.9",
+    "ethers": "^5.7.2",
     "kubo-rpc-client": "~5.0.2",
     "lucide-react": "^0.556.0",
     "motion": "^12.23.12",
diff --git a/packages/nextjs/scaffold.config.ts b/packages/nextjs/scaffold.config.ts
index 45ed6b46..143f16f0 100644
--- a/packages/nextjs/scaffold.config.ts
+++ b/packages/nextjs/scaffold.config.ts
@@ -82,8 +82,8 @@ const scaffoldConfig = {
   // If you want to use a different RPC for a specific network, you can add it here.
   // The key is the chain ID, and the value is the HTTP RPC URL
   rpcOverrides: {
-    // Example:
-    // [chains.mainnet.id]: "https://mainnet.buidlguidl.com",
+    // Default Alchemy key has no access to Base mainnet (403); public mainnet.base.org rate-limits (429).
+    [chains.base.id]: "https://base-rpc.publicnode.com",
   },
   // This is ours WalletConnect's default project ID.
   // You can get your own at https://cloud.walletconnect.com
diff --git a/packages/nextjs/services/api/index.ts b/packages/nextjs/services/api/index.ts
index 3f742d2f..998bfbbd 100644
--- a/packages/nextjs/services/api/index.ts
+++ b/packages/nextjs/services/api/index.ts
@@ -12,3 +12,4 @@ export { queryClient } from "../queryClient";
 // export { questApi } from "./questApi";
 // export { claimApi } from "./claimApi";
 export { x402Api, encodeXPaymentHeader } from "./x402Api";
+export { stealthApi } from "./stealthApi";
diff --git a/packages/nextjs/services/api/stealthApi.ts b/packages/nextjs/services/api/stealthApi.ts
new file mode 100644
index 00000000..7b08e567
--- /dev/null
+++ b/packages/nextjs/services/api/stealthApi.ts
@@ -0,0 +1,18 @@
+import { apiClient } from "./apiClient";
+import type {
+  RegisterStealthKeysDto,
+  RegisterStealthKeysResponse,
+  StealthRegistrationStatusResponse,
+} from "@polypay/shared";
+
+export const stealthApi = {
+  getStatus: async (walletAddress: string): Promise<StealthRegistrationStatusResponse> => {
+    const { data } = await apiClient.get<StealthRegistrationStatusResponse>(`/stealth/status/${walletAddress}`);
+    return data;
+  },
+
+  register: async (dto: RegisterStealthKeysDto): Promise<RegisterStealthKeysResponse> => {
+    const { data } = await apiClient.post<RegisterStealthKeysResponse>("/stealth/register", dto);
+    return data;
+  },
+};
diff --git a/packages/nextjs/utils/stealth.ts b/packages/nextjs/utils/stealth.ts
new file mode 100644
index 00000000..f6c0f4a1
--- /dev/null
+++ b/packages/nextjs/utils/stealth.ts
@@ -0,0 +1,91 @@
+import { UMBRA_ETH_PLACEHOLDER, ZERO_ADDRESS, getUmbraAddresses, isStealthSupportedChain } from "@polypay/shared";
+import { type Address, type Hex, encodeFunctionData } from "viem";
+
+// Single entry in UmbraBatchSend.batchSend. Matches the on-chain tuple layout.
+export interface StealthBatchEntry {
+  receiver: Address;
+  tokenAddr: Address;
+  amount: bigint;
+  pkx: Hex; // 32 bytes
+  ciphertext: Hex; // 32 bytes
+}
+
+// UmbraBatchSend reverts with NotSorted() unless entries are ordered by
+// (tokenAddr, receiver) ascending. We sort on the client so we never hit it.
+export function sortStealthEntries(entries: StealthBatchEntry[]): StealthBatchEntry[] {
+  return [...entries].sort((a, b) => {
+    const tokenCompare = a.tokenAddr.toLowerCase().localeCompare(b.tokenAddr.toLowerCase());
+    if (tokenCompare !== 0) return tokenCompare;
+    return a.receiver.toLowerCase().localeCompare(b.receiver.toLowerCase());
+  });
+}
+
+const UMBRA_BATCH_SEND_ABI = [
+  {
+    name: "batchSend",
+    type: "function",
+    stateMutability: "payable",
+    inputs: [
+      { name: "_tollCommitment", type: "uint256" },
+      {
+        name: "_data",
+        type: "tuple[]",
+        components: [
+          { name: "receiver", type: "address" },
+          { name: "tokenAddr", type: "address" },
+          { name: "amount", type: "uint256" },
+          { name: "pkx", type: "bytes32" },
+          { name: "ciphertext", type: "bytes32" },
+        ],
+      },
+    ],
+    outputs: [],
+  },
+] as const;
+
+export interface BuiltStealthCall {
+  to: Address;
+  value: bigint;
+  data: Hex;
+}
+
+// Convert PolyPay's "ZERO_ADDRESS means native ETH" convention to Umbra's
+// own placeholder. Token addresses are unchanged otherwise.
+export function toUmbraTokenAddress(tokenAddress: string): Address {
+  if (tokenAddress.toLowerCase() === ZERO_ADDRESS.toLowerCase()) {
+    return UMBRA_ETH_PLACEHOLDER as Address;
+  }
+  return tokenAddress as Address;
+}
+
+export function buildStealthBatchCall(chainId: number, toll: bigint, entries: StealthBatchEntry[]): BuiltStealthCall {
+  if (!isStealthSupportedChain(chainId)) {
+    throw new Error(`Stealth not supported on chain ${chainId}`);
+  }
+  if (entries.length === 0) {
+    throw new Error("buildStealthBatchCall: empty entries");
+  }
+
+  const sorted = sortStealthEntries(entries);
+
+  // Sum native ETH needed: toll + sum(amount) for ETH entries.
+  let ethTotal = toll;
+  for (const entry of sorted) {
+    if (entry.tokenAddr.toLowerCase() === UMBRA_ETH_PLACEHOLDER.toLowerCase()) {
+      ethTotal += entry.amount;
+    }
+  }
+
+  const data = encodeFunctionData({
+    abi: UMBRA_BATCH_SEND_ABI,
+    functionName: "batchSend",
+    args: [toll, sorted],
+  });
+
+  const { batchSend } = getUmbraAddresses(chainId);
+  return {
+    to: batchSend as Address,
+    value: ethTotal,
+    data,
+  };
+}
diff --git a/packages/nextjs/utils/stealthEntries.ts b/packages/nextjs/utils/stealthEntries.ts
new file mode 100644
index 00000000..9cb0b1c3
--- /dev/null
+++ b/packages/nextjs/utils/stealthEntries.ts
@@ -0,0 +1,68 @@
+import { type StealthBatchEntry, toUmbraTokenAddress } from "./stealth";
+import { isStealthSupportedChain } from "@polypay/shared";
+import { KeyPair, RandomNumber, Umbra } from "@umbracash/umbra-js";
+import { providers } from "ethers";
+import type { Address, Hex } from "viem";
+
+export interface StealthRecipientInput {
+  recipient: string; // wallet address of recipient (NOT stealth)
+  tokenAddress: string; // PolyPay convention (ZERO_ADDRESS for ETH)
+  amount: bigint;
+}
+
+interface DerivedStealthOutput {
+  entry: StealthBatchEntry;
+  stealthAddress: Address;
+}
+
+// For each (recipient wallet, amount, token), this:
+//  1. Looks up the recipient's meta-address on the Umbra StealthKeyRegistry.
+//  2. Generates fresh ephemeral entropy.
+//  3. Derives a one-time stealth address from the recipient's spending key.
+//  4. Encrypts the entropy with the recipient's viewing key so they can scan.
+//
+// Result is a list of UmbraBatchSend entries ready to be encoded into a
+// single multisig.execute call.
+export async function deriveStealthEntries(
+  chainId: number,
+  rpcUrl: string,
+  inputs: StealthRecipientInput[],
+): Promise<DerivedStealthOutput[]> {
+  if (!isStealthSupportedChain(chainId)) {
+    throw new Error(`Stealth not supported on chain ${chainId}`);
+  }
+  if (inputs.length === 0) return [];
+
+  const provider = new providers.JsonRpcProvider(rpcUrl, chainId);
+  const umbra = new Umbra(provider, chainId);
+
+  const outputs: DerivedStealthOutput[] = [];
+
+  for (const input of inputs) {
+    // Pull recipient's registered keys. The SDK throws if unregistered —
+    // callers should pre-check via /api/stealth/status before reaching here.
+    const recipientId = input.recipient;
+    const stealthMeta = await (
+      umbra as unknown as {
+        prepareSend: (recipientId: string) => Promise<{
+          stealthKeyPair: KeyPair;
+          pubKeyXCoordinate: Hex;
+          encrypted: { ciphertext: Hex };
+          randomNumber: RandomNumber;
+        }>;
+      }
+    ).prepareSend(recipientId);
+
+    const entry: StealthBatchEntry = {
+      receiver: stealthMeta.stealthKeyPair.address as Address,
+      tokenAddr: toUmbraTokenAddress(input.tokenAddress),
+      amount: input.amount,
+      pkx: stealthMeta.pubKeyXCoordinate,
+      ciphertext: stealthMeta.encrypted.ciphertext,
+    };
+
+    outputs.push({ entry, stealthAddress: entry.receiver });
+  }
+
+  return outputs;
+}
diff --git a/packages/shared/src/constants/index.ts b/packages/shared/src/constants/index.ts
index c63b2893..c851d472 100644
--- a/packages/shared/src/constants/index.ts
+++ b/packages/shared/src/constants/index.ts
@@ -3,3 +3,4 @@ export * from "./room";
 export * from "./token";
 export * from "./campaign";
 export * from "./contract";
+export * from "./umbra";
diff --git a/packages/shared/src/constants/umbra.ts b/packages/shared/src/constants/umbra.ts
new file mode 100644
index 00000000..4b7ac102
--- /dev/null
+++ b/packages/shared/src/constants/umbra.ts
@@ -0,0 +1,54 @@
+import { ZERO_ADDRESS } from "./token";
+
+// Umbra uses this placeholder to represent native ETH in its contract calls
+// and Announcement events. Keep separate from ZERO_ADDRESS, which PolyPay's
+// own token registry uses for native ETH.
+export const UMBRA_ETH_PLACEHOLDER =
+  "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE";
+
+const BASE_MAINNET = 8453;
+
+export const UMBRA_ADDRESSES: Record<
+  number,
+  { umbra: string; registry: string; batchSend: string }
+> = {
+  [BASE_MAINNET]: {
+    umbra: "0xFb2dc580Eed955B528407b4d36FfaFe3da685401",
+    registry: "0x31fe56609C65Cd0C510E7125f051D440424D38f3",
+    batchSend: "0xDbD0f5EBAdA6632Dde7d47713ea200a7C2ff91EB",
+  },
+};
+
+// Tokens supported by Umbra's hosted relayer on Base mainnet.
+// ZEN is intentionally excluded — relayer does not support it, which would
+// force recipients to fund their stealth address with ETH before withdrawing.
+export const UMBRA_SUPPORTED_TOKENS: Record<number, readonly string[]> = {
+  [BASE_MAINNET]: [
+    ZERO_ADDRESS, // native ETH
+    "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", // USDC
+  ],
+};
+
+export const UMBRA_RELAYER_BASE_URL = "https://mainnet.api.umbra.cash";
+
+export function isStealthSupportedChain(chainId: number): boolean {
+  return UMBRA_ADDRESSES[chainId] !== undefined;
+}
+
+export function isStealthSupportedToken(
+  chainId: number,
+  tokenAddress: string,
+): boolean {
+  const tokens = UMBRA_SUPPORTED_TOKENS[chainId];
+  if (!tokens) return false;
+  const lower = tokenAddress.toLowerCase();
+  return tokens.some((t) => t.toLowerCase() === lower);
+}
+
+export function getUmbraAddresses(chainId: number) {
+  const addrs = UMBRA_ADDRESSES[chainId];
+  if (!addrs) {
+    throw new Error(`Umbra not deployed on chain ${chainId}`);
+  }
+  return addrs;
+}
diff --git a/packages/shared/src/dto/batch-item/create-batch-item.dto.ts b/packages/shared/src/dto/batch-item/create-batch-item.dto.ts
index 2ae81189..1a13b954 100644
--- a/packages/shared/src/dto/batch-item/create-batch-item.dto.ts
+++ b/packages/shared/src/dto/batch-item/create-batch-item.dto.ts
@@ -1,4 +1,5 @@
 import {
+  IsBoolean,
   IsNotEmpty,
   IsOptional,
   IsString,
@@ -26,4 +27,8 @@ export class CreateBatchItemDto {
   @IsOptional()
   @MaxLength(256)
   contactId?: string;
+
+  @IsOptional()
+  @IsBoolean()
+  sendPrivately?: boolean;
 }
diff --git a/packages/shared/src/dto/batch-item/update-batch-item.dto.ts b/packages/shared/src/dto/batch-item/update-batch-item.dto.ts
index dfd93f9b..61917fa8 100644
--- a/packages/shared/src/dto/batch-item/update-batch-item.dto.ts
+++ b/packages/shared/src/dto/batch-item/update-batch-item.dto.ts
@@ -1,4 +1,4 @@
-import { IsOptional, IsString, Matches } from "class-validator";
+import { IsBoolean, IsOptional, IsString, Matches } from "class-validator";
 
 export class UpdateBatchItemDto {
   @IsOptional()
@@ -17,4 +17,8 @@ export class UpdateBatchItemDto {
   @IsString()
   @IsOptional()
   contactId?: string;
+
+  @IsOptional()
+  @IsBoolean()
+  sendPrivately?: boolean;
 }
diff --git a/packages/shared/src/dto/index.ts b/packages/shared/src/dto/index.ts
index e21f0c71..7572781e 100644
--- a/packages/shared/src/dto/index.ts
+++ b/packages/shared/src/dto/index.ts
@@ -8,3 +8,4 @@ export * from "./auth/index";
 export * from "./feature-request/index";
 export * from "./pagination.dto";
 export * from "./reward/index";
+export * from "./stealth/index";
diff --git a/packages/shared/src/dto/stealth/index.ts b/packages/shared/src/dto/stealth/index.ts
new file mode 100644
index 00000000..7d14eaf2
--- /dev/null
+++ b/packages/shared/src/dto/stealth/index.ts
@@ -0,0 +1 @@
+export * from "./register-stealth-keys.dto";
diff --git a/packages/shared/src/dto/stealth/register-stealth-keys.dto.ts b/packages/shared/src/dto/stealth/register-stealth-keys.dto.ts
new file mode 100644
index 00000000..2b98dc46
--- /dev/null
+++ b/packages/shared/src/dto/stealth/register-stealth-keys.dto.ts
@@ -0,0 +1,63 @@
+import {
+  IsInt,
+  IsNotEmpty,
+  IsString,
+  Matches,
+  Min,
+  Max,
+} from "class-validator";
+
+// secp256k1 compressed public key prefix: 0x02 or 0x03 (y-parity).
+const PUBKEY_PREFIX_VALUES = [2, 3] as const;
+
+const HEX_32_BYTES = /^0x[a-fA-F0-9]{64}$/;
+const HEX_ADDRESS = /^0x[a-fA-F0-9]{40}$/;
+const HEX_ANY = /^0x[a-fA-F0-9]+$/;
+
+export class RegisterStealthKeysDto {
+  @IsNotEmpty()
+  @IsString()
+  @Matches(HEX_ADDRESS, {
+    message: "walletAddress must be a 0x-prefixed address",
+  })
+  walletAddress: string;
+
+  @IsInt()
+  @Min(PUBKEY_PREFIX_VALUES[0])
+  @Max(PUBKEY_PREFIX_VALUES[1])
+  spendingPubKeyPrefix: number;
+
+  @IsString()
+  @Matches(HEX_32_BYTES, { message: "spendingPubKey must be 32 bytes hex" })
+  spendingPubKey: string;
+
+  @IsInt()
+  @Min(PUBKEY_PREFIX_VALUES[0])
+  @Max(PUBKEY_PREFIX_VALUES[1])
+  viewingPubKeyPrefix: number;
+
+  @IsString()
+  @Matches(HEX_32_BYTES, { message: "viewingPubKey must be 32 bytes hex" })
+  viewingPubKey: string;
+
+  // EIP-712 signature authorizing PolyPay's relayer to call
+  // StealthKeyRegistry.setStealthKeysOnBehalf for this walletAddress.
+  @IsString()
+  @Matches(HEX_ANY, { message: "signature must be hex-encoded" })
+  signature: string;
+}
+
+export interface StealthRegistrationStatusResponse {
+  walletAddress: string;
+  registered: boolean;
+  spendingPubKeyPrefix?: number;
+  spendingPubKey?: string;
+  viewingPubKeyPrefix?: number;
+  viewingPubKey?: string;
+}
+
+export interface RegisterStealthKeysResponse {
+  txHash: string;
+  registryAddress: string;
+  chainId: number;
+}
diff --git a/packages/shared/src/types/batch-item.ts b/packages/shared/src/types/batch-item.ts
index 05b74b9a..41ae25e1 100644
--- a/packages/shared/src/types/batch-item.ts
+++ b/packages/shared/src/types/batch-item.ts
@@ -5,6 +5,7 @@ export interface BatchItem {
   amount: string;
   tokenAddress?: string;
   contactId?: string;
+  sendPrivately?: boolean;
   contact?: {
     id: string;
     name: string;
diff --git a/yarn.lock b/yarn.lock
index 5970a49a..04325825 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1177,7 +1177,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@ethersproject/abi@npm:5.8.0, @ethersproject/abi@npm:^5.0.9, @ethersproject/abi@npm:^5.1.2, @ethersproject/abi@npm:^5.7.0, @ethersproject/abi@npm:^5.8.0":
+"@ethersproject/abi@npm:5.8.0, @ethersproject/abi@npm:^5.0.1, @ethersproject/abi@npm:^5.0.9, @ethersproject/abi@npm:^5.1.2, @ethersproject/abi@npm:^5.7.0, @ethersproject/abi@npm:^5.8.0":
   version: 5.8.0
   resolution: "@ethersproject/abi@npm:5.8.0"
   dependencies:
@@ -4232,7 +4232,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@noble/secp256k1@npm:~1.7.0":
+"@noble/secp256k1@npm:^1.7.1, @noble/secp256k1@npm:~1.7.0":
   version: 1.7.2
   resolution: "@noble/secp256k1@npm:1.7.2"
   checksum: 34c80b862996e215b9abb4faa53c30155bbf4338bfb973218f91139fd882dbeff01dde63de3745485664aee539621c13e11fc4ee55c87a462a30e414db6459fc
@@ -4991,6 +4991,7 @@ __metadata:
     "@types/node": ~18.19.50
     "@types/react": ~19.0.7
     "@types/react-dom": latest
+    "@umbracash/umbra-js": ^0.2.2
     "@uniswap/sdk-core": ~5.8.2
     "@uniswap/v2-sdk": ~4.6.1
     abitype: 1.0.6
@@ -5007,6 +5008,7 @@ __metadata:
     eslint-config-next: ~15.2.3
     eslint-config-prettier: ~10.1.1
     eslint-plugin-prettier: ~5.2.4
+    ethers: ^5.7.2
     kubo-rpc-client: ~5.0.2
     lucide-react: ^0.556.0
     motion: ^12.23.12
@@ -7550,6 +7552,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@umbracash/umbra-js@npm:^0.2.2":
+  version: 0.2.2
+  resolution: "@umbracash/umbra-js@npm:0.2.2"
+  dependencies:
+    "@noble/secp256k1": ^1.7.1
+    "@unstoppabledomains/resolution": 8.5.0
+    ethers: 5.7.2
+  checksum: 22dcccb1bfff722b6251fc209e95d89c9f11addb0e5e009d172e712d6659cdaea6fdd4593ff851faa9e710e270b49d7b117e0866f1fddae1c3507ecca5e5906d
+  languageName: node
+  linkType: hard
+
 "@ungap/structured-clone@npm:^1.3.0":
   version: 1.3.0
   resolution: "@ungap/structured-clone@npm:1.3.0"
@@ -7739,6 +7752,19 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@unstoppabledomains/resolution@npm:8.5.0":
+  version: 8.5.0
+  resolution: "@unstoppabledomains/resolution@npm:8.5.0"
+  dependencies:
+    "@ethersproject/abi": ^5.0.1
+    bn.js: ^4.4.0
+    cross-fetch: ^3.1.4
+    crypto-js: ^4.1.1
+    elliptic: ^6.5.4
+  checksum: 3deaae15c0ff9699a30306a5c2a4ff09a5fc9bd9f2c4e9ab22621e85bad7109cff5bfe8bebe2f334cf7b76e602e25b9af659a4d5f5dab44738b41a0b60d8d608
+  languageName: node
+  linkType: hard
+
 "@vanilla-extract/css@npm:1.17.3":
   version: 1.17.3
   resolution: "@vanilla-extract/css@npm:1.17.3"
@@ -9797,6 +9823,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"bn.js@npm:^4.4.0":
+  version: 4.12.3
+  resolution: "bn.js@npm:4.12.3"
+  checksum: 0fb6455c6d56e3869589ad736cc2f5ed2b6229daa1af43e93bd373eb5e20bf0ae25b166087189bce9ba3b3f4d971e1b9a12ec6027e52eb182e5535e1494cadbb
+  languageName: node
+  linkType: hard
+
 "bn.js@npm:^5.1.2, bn.js@npm:^5.2.0, bn.js@npm:^5.2.1":
   version: 5.2.2
   resolution: "bn.js@npm:5.2.2"
@@ -11218,6 +11251,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"crypto-js@npm:^4.1.1":
+  version: 4.2.0
+  resolution: "crypto-js@npm:4.2.0"
+  checksum: f051666dbc077c8324777f44fbd3aaea2986f198fe85092535130d17026c7c2ccf2d23ee5b29b36f7a4a07312db2fae23c9094b644cc35f7858b1b4fcaf27774
+  languageName: node
+  linkType: hard
+
 "css-what@npm:^6.1.0":
   version: 6.2.2
   resolution: "css-what@npm:6.2.2"
@@ -11803,7 +11843,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"elliptic@npm:6.6.1, elliptic@npm:^6.5.2, elliptic@npm:^6.5.7":
+"elliptic@npm:6.6.1, elliptic@npm:^6.5.2, elliptic@npm:^6.5.4, elliptic@npm:^6.5.7":
   version: 6.6.1
   resolution: "elliptic@npm:6.6.1"
   dependencies:
@@ -13080,45 +13120,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ethers@npm:^5.5.1, ethers@npm:^5.7.0":
-  version: 5.8.0
-  resolution: "ethers@npm:5.8.0"
-  dependencies:
-    "@ethersproject/abi": 5.8.0
-    "@ethersproject/abstract-provider": 5.8.0
-    "@ethersproject/abstract-signer": 5.8.0
-    "@ethersproject/address": 5.8.0
-    "@ethersproject/base64": 5.8.0
-    "@ethersproject/basex": 5.8.0
-    "@ethersproject/bignumber": 5.8.0
-    "@ethersproject/bytes": 5.8.0
-    "@ethersproject/constants": 5.8.0
-    "@ethersproject/contracts": 5.8.0
-    "@ethersproject/hash": 5.8.0
-    "@ethersproject/hdnode": 5.8.0
-    "@ethersproject/json-wallets": 5.8.0
-    "@ethersproject/keccak256": 5.8.0
-    "@ethersproject/logger": 5.8.0
-    "@ethersproject/networks": 5.8.0
-    "@ethersproject/pbkdf2": 5.8.0
-    "@ethersproject/properties": 5.8.0
-    "@ethersproject/providers": 5.8.0
-    "@ethersproject/random": 5.8.0
-    "@ethersproject/rlp": 5.8.0
-    "@ethersproject/sha2": 5.8.0
-    "@ethersproject/signing-key": 5.8.0
-    "@ethersproject/solidity": 5.8.0
-    "@ethersproject/strings": 5.8.0
-    "@ethersproject/transactions": 5.8.0
-    "@ethersproject/units": 5.8.0
-    "@ethersproject/wallet": 5.8.0
-    "@ethersproject/web": 5.8.0
-    "@ethersproject/wordlists": 5.8.0
-  checksum: fb107bf28dc3aedde4729f9553be066c699e0636346c095b4deeb5349a0c0c8538f48a58b5c8cbefced008706919739c5f7b8f4dd506bb471a31edee18cda228
-  languageName: node
-  linkType: hard
-
-"ethers@npm:~5.7.0":
+"ethers@npm:5.7.2, ethers@npm:~5.7.0":
   version: 5.7.2
   resolution: "ethers@npm:5.7.2"
   dependencies:
@@ -13156,6 +13158,44 @@ __metadata:
   languageName: node
   linkType: hard
 
+"ethers@npm:^5.5.1, ethers@npm:^5.7.0, ethers@npm:^5.7.2":
+  version: 5.8.0
+  resolution: "ethers@npm:5.8.0"
+  dependencies:
+    "@ethersproject/abi": 5.8.0
+    "@ethersproject/abstract-provider": 5.8.0
+    "@ethersproject/abstract-signer": 5.8.0
+    "@ethersproject/address": 5.8.0
+    "@ethersproject/base64": 5.8.0
+    "@ethersproject/basex": 5.8.0
+    "@ethersproject/bignumber": 5.8.0
+    "@ethersproject/bytes": 5.8.0
+    "@ethersproject/constants": 5.8.0
+    "@ethersproject/contracts": 5.8.0
+    "@ethersproject/hash": 5.8.0
+    "@ethersproject/hdnode": 5.8.0
+    "@ethersproject/json-wallets": 5.8.0
+    "@ethersproject/keccak256": 5.8.0
+    "@ethersproject/logger": 5.8.0
+    "@ethersproject/networks": 5.8.0
+    "@ethersproject/pbkdf2": 5.8.0
+    "@ethersproject/properties": 5.8.0
+    "@ethersproject/providers": 5.8.0
+    "@ethersproject/random": 5.8.0
+    "@ethersproject/rlp": 5.8.0
+    "@ethersproject/sha2": 5.8.0
+    "@ethersproject/signing-key": 5.8.0
+    "@ethersproject/solidity": 5.8.0
+    "@ethersproject/strings": 5.8.0
+    "@ethersproject/transactions": 5.8.0
+    "@ethersproject/units": 5.8.0
+    "@ethersproject/wallet": 5.8.0
+    "@ethersproject/web": 5.8.0
+    "@ethersproject/wordlists": 5.8.0
+  checksum: fb107bf28dc3aedde4729f9553be066c699e0636346c095b4deeb5349a0c0c8538f48a58b5c8cbefced008706919739c5f7b8f4dd506bb471a31edee18cda228
+  languageName: node
+  linkType: hard
+
 "ethers@npm:~6.13.2":
   version: 6.13.7
   resolution: "ethers@npm:6.13.7"