
Privacy Policy

Last updated: May 14, 2026

1. Who we are

PassCryp ("we", "us") provides a zero-knowledge password and secrets vault at passcryp.com. For privacy questions, email support@passcryp.com.

2. Data we collect

  • Account data: email address, display name, optional avatar.
  • Encrypted vault data: opaque ciphertext blobs (titles, secrets, notes, tags). We cannot read these.
  • Authentication metadata: sign-in timestamps, IP address, user agent, device fingerprint (for new-device alerts).
  • Subscription data: Stripe customer ID, subscription status, plan tier, billing period.
  • Audit log: non-sensitive vault actions (create, update, delete) for your own security review.

3. Data we do NOT collect

  • Your master password — it is never transmitted to our servers and we never store it, on our side or yours. It exists only in your browser's memory while you unlock your vault.
  • Plaintext passwords, secrets, notes, or any decrypted vault content.
  • Your encryption keys — they are derived from your master password locally.

4. How encryption works

Vault items are encrypted in your browser using AES-GCM with a Data Encryption Key (DEK). The DEK is wrapped by a Key Encryption Key derived from your master password using Argon2id. Only ciphertext is sent to our servers. If you forget your master password and have no Recovery Kit, your data is unrecoverable — by design.

5. Cookies and local storage

We use first-party local storage to keep you signed in and to cache your unlocked vault key in memory for the session. We do not use advertising or third-party tracking cookies.

6. Third-party processors

  • Cloud infrastructure provider: encrypted database, authentication, and file storage.
  • Stripe: payment processing for subscriptions.
  • Google: optional OAuth sign-in.
  • Have I Been Pwned: k-anonymity password breach checks (only the first 5 characters of a SHA-1 hash leave your device).
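
How the k-anonymity breach check in the last bullet can work, shown as an added example that is not PassCryp's own code: the client hashes the password, sends only the 5-character prefix, and compares the remaining 35 characters locally. The corpus, `simulated_range_endpoint` and `breach_count` are constructed for illustration; a real client would pass a function that fetches the range over HTTPS.

```python
import hashlib
import hmac

# Constructed corpus standing in for the breach service's data (password -> times seen).
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2, "hunter2": 1}
HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_endpoint(prefix: str) -> str:
    """Hypothetical server side: 'SUFFIX:COUNT' lines for hashes sharing the prefix."""
    prefix = prefix.upper()
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = [f"{d[5:]}:{n}" for d, n in
             ((sha1_hex(p), n) for p, n in CONSTRUCTED_CORPUS.items())
             if d.startswith(prefix)]
    lines.append("0" * 35 + ":0")  # padding entry: count 0 means "not a real hit"
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range, sent=None) -> int:
    """Client side: send only the 5-character prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    if sent is not None:
        sent.append(prefix)  # record everything that would leave the device
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) != 35 or not count.isdigit():
            continue  # skip malformed lines instead of trusting them
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count)
    return 0


if __name__ == "__main__":
    sent = []
    print(breach_count("password", simulated_range_endpoint, sent), sent)
    print(breach_count("correct horse battery staple", simulated_range_endpoint))
```

The service learns only which of the 16^5 prefix buckets was queried; the full hash and the match result stay on the device.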

7. Data retention

Account and vault data are retained for as long as your account is active. Deleted vault items remain in Trash for 30 days, then are permanently removed. You may delete your account at any time from Settings → Danger Zone, which permanently erases all your data within 30 days.

8. Your rights

Depending on your jurisdiction (GDPR, CCPA, etc.), you have the right to access, correct, delete, or export your data, and to object to processing. Most of these rights can be exercised directly in-app from Settings, or by emailing support@passcryp.com.

9. Security

We use industry-standard encryption in transit (TLS) and at rest. Vault content is additionally end-to-end encrypted on your device. No system is perfectly secure; report suspected vulnerabilities to support@passcryp.com.

10. Children

PassCryp is not directed at children under 13 (or under 16 in the EEA).

11. Changes

We may update this policy. Material changes will be communicated by email or in-app notice prior to taking effect.

12. Contact

support@passcryp.com