Privacy Policy

Effective from April 2026.

This document explains what data is processed when you use PASSmap, why, and for how long. The zero-knowledge architecture means the service is technically designed so we cannot read the contents of your vault.

01.Summary

Your passwords, 2FA codes and notes are encrypted in your browser using a key derived from your master password. Only encrypted bytes ever reach our servers.

We do not sell data, do not show ads and do not run advertising profiling. We have no access to your master password or recovery key.

02.What we process

Account data: email address, encrypted account password hash, 2FA verification status, account creation and last sign-in timestamps.

Vault data: encrypted node records (ciphertext + IV) and key derivation parameters (KDF settings, salt). The contents are unreadable to us.

Technical data: a security event log (sign-ins, failed attempts, 2FA changes, vault exports) — metadata only, used to detect abuse.

03.What we never see

Your master password. Your recovery key. Decrypted passwords, logins, notes, 2FA codes, or any content you put in the vault.

Decryption happens exclusively in your browser. The key stays in tab memory and is wiped on sign-out, automatic lock (5 min idle / 60 s hidden tab) or page reload.

05.Sub-processors

We use a database and authentication infrastructure provider acting as a processor. Traffic is encrypted with TLS 1.3 and data is stored in the EU.

We do not use third-party analytics or advertising tools. The site does not set marketing cookies.

06.Retention

Account data is retained until the account is deleted. After deletion, encrypted vault records and credentials are removed without backup. Security logs are kept for up to 12 months.

07.Your rights

You have the right to access, rectify, erase, port and restrict the processing of your data. You can export your vault to JSON at any time (encrypted, or decrypted on your device).

You have the right to lodge a complaint with the data protection authority competent for your country of residence.

08.Security

We use AES-256-GCM, PBKDF2-SHA256 (600,000 iterations), mandatory TOTP 2FA, Row-Level Security in the database, a strict CSP, automatic session locking and breached-password checks (Have I Been Pwned).

09.Changes

We publish updates on this page. Material changes are announced by email before they take effect.

Questions about how we process your data? Reach out via the support form.
