Privacy Policy

Last updated: January 11, 2026

1. Introduction

SecurePass ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our password manager Chrome extension and related services.

By using SecurePass, you agree to the collection and use of information in accordance with this policy.

2. Our Zero-Knowledge Architecture

SecurePass is built on a zero-knowledge security model. This means:

• Your master password is never transmitted to our servers or any third party. It stays on your device.
• All encryption and decryption happens locally on your device using AES-256-GCM encryption.
• We cannot access your passwords even if compelled by law, because we simply don't have the keys.
• If you lose your master password, we cannot recover your data for you.

3. Information We Collect

3.1 Information You Provide

• Email Address: If you create an account for cloud sync (Premium feature), we collect your email address for authentication purposes.
• Payment Information: If you subscribe to Premium, payment processing is handled by third-party providers (e.g., Stripe). We do not store your credit card details.

3.2 Information Stored Locally

• Encrypted Vault: Your passwords and credentials are encrypted and stored locally in your browser using chrome.storage.local.
• Settings: Your preferences (auto-lock timeout, clipboard clearing settings, etc.) are stored locally.
• Master Password Hash: A cryptographic hash of your master password (not the password itself) is stored locally for verification.

3.3 Information We Do NOT Collect

• Your master password
• Your unencrypted passwords or credentials
• The websites you visit
• Your browsing history
• Personal identification beyond your email (for Premium users)

4. Cloud Sync (Premium Feature)

If you enable cloud sync:

• Your encrypted vault is uploaded to our secure cloud infrastructure (Firebase/Google Cloud).
• The vault remains encrypted at all times - we store only the encrypted blob.
• We cannot decrypt your vault because we don't have your master password.
• Data is transmitted over HTTPS/TLS encryption.
• You can delete your cloud data at any time from the extension settings.

5. How We Use Your Information

We use the limited information we collect to:

• Authenticate your account for cloud sync features
• Process Premium subscription payments
• Send important service announcements (e.g., security updates)
• Provide customer support when you contact us

We do NOT use your information for:

• Advertising or marketing to third parties
• Selling to data brokers
• Behavioral tracking or profiling

6. Data Security

We implement industry-leading security measures:

• AES-256-GCM Encryption: Military-grade encryption for all stored credentials
• PBKDF2 Key Derivation: 600,000 iterations to protect against brute-force attacks
• Zero-Knowledge Sync: Cloud data is encrypted before upload
• Rate Limiting: Protection against brute-force master password attempts
• HTTPS Only: Credentials are only captured on secure connections
• Auto-Lock: Vault locks automatically after inactivity
• Clipboard Clearing: Copied passwords are automatically cleared

7. Third-Party Services

SecurePass uses the following third-party services:

• Firebase (Google): For user authentication and encrypted vault storage (Premium cloud sync). See Firebase Privacy Policy.
• Stripe: For payment processing (Premium subscriptions only). See Stripe Privacy Policy.

These services only receive encrypted data or payment information necessary for their function.

8. Data Retention

• Local Data: Stored until you uninstall the extension or clear browser data.
• Cloud Data: Retained while your Premium subscription is active. Deleted within 30 days of account deletion request.
• Account Information: Retained while your account is active. Deleted upon request.

9. Your Rights

You have the right to:

• Access: Export your vault data at any time from the extension
• Delete: Remove all local data by uninstalling the extension
• Delete Cloud Data: Request deletion of cloud-synced data by contacting us
• Portability: Export your vault in JSON format for migration
• Opt-Out: Use the free tier without providing any personal information

10. Children's Privacy

SecurePass is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last updated" date
• Sending an email notification for significant changes (if you have an account)

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@securepass.app
• Support: support@securepass.app