Privacy Policy

Last updated: April 2026

What we collect

When you create an account, we store:

  • Your email address — used to identify your account and to match invite links sent to you.
  • An Argon2id hash derived from your password — used to verify your identity at sign-in. This hash cannot be reversed to recover your password.
  • Your RSA public key — used to encrypt vault keys for groups you belong to.
  • Your encrypted RSA private key — encrypted client-side with a key derived from your master password before upload. We cannot decrypt it.
  • Encrypted vault entries — credentials you store are encrypted in your browser before being sent to us. We cannot read them.
  • Audit log events — timestamps and identifiers for create, update, and delete actions on vault entries. No credential content is included.

What we cannot read

Because Passlette uses zero-knowledge encryption, we have no technical ability to read your passwords, usernames, or notes. Your vault is encrypted with keys that never leave your device in plaintext. See the About page for a full explanation.

How we use your data

  • Your email is used to identify your account and match group invites.
  • Your password hash is used solely to authenticate you at sign-in.
  • Vault data is stored on your behalf and returned to your browser when you sign in. We do not analyse, sell, or share it with third parties.

Third parties

We do not use advertising networks, analytics services, or any third-party scripts. All requests from your browser go only to this server.

Data retention

Your data is retained for as long as you have an account. We do not currently offer self-service account deletion. To request deletion of your account and all associated data, please open an issue on our GitHub repository or contact us directly. We will process your request promptly.

Security

All data is transmitted over HTTPS. Vault entries are encrypted at rest with AES-256-GCM. We follow current best practices for web application security, including CSRF protection, Content Security Policy headers, and rate limiting on authentication endpoints.

Changes to this policy

If we make material changes to this policy, we will update the date at the top of this page. Continued use of Passlette after changes constitutes acceptance of the updated policy.