diff --git a/README.md b/README.md index 0aba8ee..0fce9ab 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,18 @@ All user-facing text avoids crypto jargon wherever possible: - Error messages are full sentences ("Please enter your password." not "password required") +#### Full Identifiers Policy + +Addresses, transaction hashes, contract addresses, and all other cryptographic +identifiers are displayed in full whenever possible — never truncated. Address +poisoning attacks exploit truncated displays by generating fraud addresses that +share the same prefix and suffix as a legitimate address. If a user only sees +`0xAbCd...1234`, an attacker can create an address with the same visible +characters and trick the user into sending funds to it. Showing the complete +identifier defeats this class of attack. Truncation is only acceptable in +space-constrained contexts where the full identifier is accessible one tap away +(e.g. a tooltip or copy action). + #### Data Model The core hierarchy is **Wallets → Addresses**:
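Review bot: The truncation exception at the end of the new "Full Identifiers Policy" paragraph undercuts the policy: "a tooltip or copy action" lists a copy action as a way to make the full identifier "accessible", but copying does not let the user see the identifier, and copying an address out of a poisoned transaction history is precisely the step the attack relies on. Suggest restricting the exception to contexts where the full identifier can be viewed (e.g. a tooltip or an expand control) and dropping "copy action" from the example. Two smaller wording points in the same hunk: "displayed in full whenever possible — never truncated" contradicts the sentence that then permits truncation, so "never truncated" should read "not truncated by default"; and "generating fraud addresses" should be "generating fraudulent addresses". Finally, "Showing the complete identifier defeats this class of attack" overstates what the policy achieves: it removes the UI-side ambiguity, but a user who still compares only the first and last few characters of a full 42-character string is just as exposed, so "makes this class of attack harder" (or a sentence noting that full display only helps if the user compares the whole string) would be more accurate.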