Important: You are responsible for your private key

We do not store or hold your private keys. If you lose or forget your private key, we cannot recover your encrypted data. By using this service you accept responsibility for safely backing up your private keys.

Privacy Policy

Last updated: September 22, 2025

1. Quick summary

This service uses client-side end-to-end encryption. Secrets (credentials, passwords) are encrypted in your browser before they are sent to our servers. We store only encrypted data and project public keys — we never store private keys. As a result, we cannot decrypt your secrets without your private key.

Important: If you lose your private key, we cannot recover your encrypted data. Please backup your private key in a secure location (password manager, secure notes, hardware token, etc.).

2. What we collect

User account data: email address, name (if provided), and authentication data (password hash used for login only; we store password hashes as part of authentication — we never store plaintext login passwords).
Project metadata: project names, membership lists, timestamps.
Public keys: project public keys (necessary so clients can encrypt secrets for a project).
Encrypted secrets: ciphertexts and any associated non-sensitive metadata (labels, created_at, updated_at).
Usage & diagnostics: logs, error reports, and anonymized analytics to help operate and improve the service.

3. What we do not collect or store

We do not collect or store project private keys (unless you explicitly paste and store them locally in your browser — this remains client-side only).
We do not have access to plaintext secrets that you encrypt client-side.

4. How encryption works (overview)

Encryption uses modern, vetted cryptography (libsodium / X25519 / Curve25519 and authenticated encryption). The main steps:

When a project is created, a public/private key pair (or project key) is generated in the browser.
The public key is uploaded to our servers; the private key stays on your device (using local storage).
All secrets are encrypted in the browser with the project public key before being transmitted to the server.
To read secrets, a client must have the corresponding private key and perform decryption locally.

We also store additional server-side encryption (e.g., Laravel AES encrypt) as a defense-in-depth layer, but this does not replace end-to-end encryption.

5. Backups, retention & deletion

We retain encrypted data and public keys until you delete them or your account. Because we cannot decrypt without the private key, backups of the database are also encrypted from the perspective of your secrets.

Account/project deletion: When you delete a project or account we will remove the associated records (public keys and ciphertexts) from our database and backups will be cycled according to our retention policy.
Retention for compliance: In certain circumstances we may retain data to comply with legal obligations; retained data will remain encrypted.

6. Sharing and invited users

Invited users can be granted access to a project according to the app’s sharing workflow. Access requires possession of the project private key (or another secure transfer mechanism you and the super user agree on).

If you share your private key with another user to grant access, that user will be able to decrypt and view the project secrets. You are responsible for sharing keys securely.

7. Logging, analytics & third parties

We log events necessary to operate the service (authentication events, API usage, error traces). Logs do not contain plaintext secrets; where applicable they contain identifiers or references only.

We may use trusted third-party services (analytics, email delivery, hosting, KMS) to operate the service. Those providers process limited data on our behalf and are contractually required to protect it.

8. Your responsibilities

Back up your project private keys securely (password managers, secure notes, hardware tokens).
Keep your account credentials (login password, 2FA) secure.
If you share private keys, do so only with trusted parties; you are responsible for any access granted by that key.

9. Data subject rights & legal bases

Depending on where you live, you may have rights over your personal data (access, correction, deletion, portability). To exercise these rights, contact us (see below). We will respond in accordance with applicable law.

10. Security practices

Client-side encryption uses libsodium (well-regarded cryptographic primitives).
Server-side secrets (if any) use Laravel’s built-in encryption for defense in depth.
Access to production systems is limited, audited, and protected by best-practice controls (strong authentication, logging).

Note: No online system is 100% secure. Our approach minimizes risk but cannot protect against every possible threat (for example, loss of private keys or compromise of both client and user backups).

11. Children

Our service is not intended for children under 16. We do not knowingly collect personal data from children under the applicable age without parental consent.

12. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the app or via email.

13. Contact

If you have questions about this Privacy Policy or your data, please contact us at: