Your wallet may not directly connect to a Monero node, but it appears to still connect to a server operated by you or your partner (which then needs access to a Monero node). Whether a wallet directly connects to a “node” or not is irrelevant.
Directly Fetching Decoys
Coin Wallet appears to directly fetch a list of decoys from the API. It fetches 16 and uses 15 of them in a ring when sending (plus the real one). Upon receiving the signed transaction, your server learns exactly which input is truly being spent in the rings; it’s the one that your server didn’t send in the decoy response!
Now, in your case, you already knew what the real spend was in the vast majority of cases, since you can see the incoming transactions (the transaction hash that the user requests data for).
Contrast this to Cake Wallet, or monero-wallet-cli, or the Monero GUI. They use a much more sophisticated system of requesting a histogram of outputs from the remote node. The wallet then selects decoys to use. This process does not reveal to the node which of the ring members are decoys.
References:
I’m not trying to be rude, but it’s clear to me that Coin Wallet is not designed for privacy (at least compared to other common Monero wallets), and thus it doesn’t make much sense to include as a Privacy Guides recommendation. It may be designed for convenience, but I think it’s important for users of your wallet to know that you effectively have an omniscient view of their wallet activity when they are using your app.
It would be a different story if your wallet allowed users to run their own server and manually connect their Coin Space wallet to that server, but that doesn’t appear to be the case.
If you don’t want to deal with syncing and don’t want to set up a lws server, use Edge Wallet. Sure they take your Monero view key, but that’s the same impact to privacy in practice as your approach. Plus you don’t need to manually paste in the transactions you receive, and you don’t need to pay fees of up to $100 for outgoing transactions.