Passlette Get started

Privacy Policy

Last updated: May 2026

What we collect

When you create an account, we store:

  • Your email address — used to identify your account and to match invite links sent to you.
  • An Argon2id hash derived from your password — used to verify your identity at sign-in. This hash cannot be reversed to recover your password.
  • Your RSA public key — used to encrypt vault keys for groups you belong to.
  • Your encrypted RSA private key — encrypted client-side with a key derived from your master password before upload. We cannot decrypt it.
  • Encrypted vault entries — credentials you store are encrypted in your browser before being sent to us. We cannot read them.
  • Audit log events — timestamps and identifiers for create, update, and delete actions on vault entries. No credential content is included.
  • TOTP configuration — if you enable two-factor authentication, we store your encrypted TOTP secret and the timestamp when 2FA was enabled. The secret is stored encrypted and used only to verify your login codes.

What we cannot read

Because Passlette uses zero-knowledge encryption, we have no technical ability to read your passwords, usernames, or notes. Your vault is encrypted with keys that never leave your device in plaintext. See the Security page for a full explanation.

How we use your data

  • Your email is used to identify your account, match group invites, and send transactional messages — account verification, invite notifications, and account recovery links. We do not send marketing email.
  • Your password hash is used solely to authenticate you at sign-in.
  • Vault data is stored on your behalf and returned to your browser when you sign in. We do not analyse, sell, or share it with third parties.

Third parties

We do not use advertising networks, analytics services, or any third-party scripts. All requests from your browser go only to this server.

[Placeholder: when Stripe billing is added, note that payment data is handled by Stripe and subject to their privacy policy; we do not store card details.]

Cookies

Passlette uses a single session cookie to keep you signed in. It is HTTP-only, scoped to this domain, and expires after seven days of inactivity. We do not use tracking cookies, advertising cookies, or any third-party cookies.

Data retention

Your data is retained for as long as you have an account. You can delete your account at any time from your account settings page. Deletion is immediate and permanent: your encrypted key material is wiped, your vault entries are removed, and your email address is released so you can re-register if you choose. This satisfies your right to erasure under GDPR.

Security

All data is transmitted over HTTPS. Vault entries are encrypted at rest with AES-256-GCM. We follow current best practices for web application security, including CSRF protection, Content Security Policy headers, and rate limiting on authentication endpoints.

Changes to this policy

We will notify you by email before material changes to this policy take effect and update the date at the top of this page. Continued use of Passlette after changes take effect constitutes acceptance.