Privacy Policy
Last updated: March 25, 2026
1. Our Zero-Knowledge Philosophy
Secure PasswordManager is built on a **Zero-Knowledge** architecture. This means we have designed the system so that your sensitive data—specifically your master password and the credentials stored in your vault—is never accessible to us.
We do not store your master password in plaintext or in any form that allows us to decrypt it. All encryption and decryption of your vault occurs locally in your session or is protected by keys derived from your master password that we cannot replicate.
2. Encryption and Data Protection
We employ industry-standard cryptographic techniques to ensure your data remains private:
- Argon2id Key Derivation: Your master password is used to derive a strong symmetric key using Argon2id, a memory-hard function resistant to GPU-based brute-force attacks.
- AES-256 Encryption: Your vault entries are encrypted using Advanced Encryption Standard (AES) with 256-bit keys. Each entry uses a unique Initialization Vector (IV) to prevent pattern recognition.
- Secure Sessions: Decrypted keys are only stored in secure, HttpOnly, SameSite=Strict session cookies that expire automatically after inactivity.
3. Information We Collect
To provide our service, we collect the following limited information:
| Data Type | Purpose |
|---|---|
| Email & Username | Used for account identification, recovery, and security notifications. |
| Encrypted Vault Data | The encrypted blobs containing your stored credentials. We cannot read the content. |
| Audit Logs | Timestamps, IP addresses, and actions (e.g., login attempts) used for security monitoring and fraud prevention. |
4. Third-Party Authentication (SSO)
If you choose to sign in via Google, GitHub, or Microsoft, we receive your email and basic profile information from these providers. This data is used solely to link your identity to your secure vault. We do not share your vault data with these providers.
5. Email Notifications
We use your registered email to send critical security alerts, such as successful logins from new devices, vault exports, or account deletion confirmations. We will never sell your email address to third parties for marketing purposes.
6. Data Retention and Deletion
You have full control over your data. You can delete your account at any time through the settings dashboard. Upon deletion, all your associated vault entries, master password hashes, and audit logs are permanently purged from our primary database.
7. Contact Us
If you have any questions regarding this Privacy Policy or our security practices, please contact us at support@securepaswordapp.com.