Privacy Policy

Last Updated: January 31, 2026

1. Introduction

Welcome to Passaver. We are committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our password management service.

🔒 Zero-Knowledge Architecture: Your master password and encrypted data are NEVER transmitted to or stored on our servers. All encryption happens locally in your browser.

2. Information We Collect

2.1 Account Information

  • Email Address: Used for account creation and authentication
  • Authentication Data: Managed by Firebase Authentication
  • Account Creation Date: Timestamp of when you created your account

2.2 Encrypted Password Data

  • Encrypted Passwords: Your passwords, encrypted with AES-256 using your master password
  • Metadata: Title, username, security level, and notes (all encrypted)
  • Encryption Version: Technical data about the encryption method used

2.3 Technical Information

  • Device Information: Browser type, operating system, device type
  • Usage Data: Pages visited, features used, time spent on the platform
  • IP Address: Collected by Firebase for security and analytics

3. What We DO NOT Collect

  • Your Master Password: NEVER transmitted or stored anywhere
  • Decrypted Passwords: We cannot access your actual passwords
  • Decryption Keys: Your master password stays on your device only
  • Personally Identifiable Information: Beyond email, we don't collect PII

4. How We Use Your Information

  • Service Delivery: To provide and maintain the password management service
  • Authentication: To verify your identity and secure your account
  • Storage: To securely store your encrypted password data
  • Communication: To send important service updates and security notifications
  • Improvement: To analyze usage patterns and improve our service
  • Security: To detect and prevent fraud, abuse, and security incidents

5. Data Storage and Security

5.1 Encryption

All password data is encrypted with AES-256 using your master password before being transmitted to our servers. This means:

  • Encryption happens entirely in your browser (client-side)
  • Only encrypted data is stored in our Firebase Firestore database
  • We cannot decrypt your data even if we wanted to
  • If you forget your master password, your data cannot be recovered

5.2 Infrastructure

We use Google Firebase for our infrastructure, which provides:

  • SOC 2 Type II certified data centers
  • Automatic encryption at rest and in transit
  • Regular security audits and compliance certifications
  • DDoS protection and network security

6. Data Sharing and Third Parties

We do not sell, rent, or share your personal information with third parties, except:

  • Firebase/Google Cloud: Our hosting and database provider (infrastructure only)
  • Legal Requirements: When required by law, court order, or government regulation
  • Service Protection: To protect our rights, property, or safety, or that of our users

7. Your Rights (GDPR Compliance)

Under GDPR and similar privacy laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Update or correct your information
  • Erasure: Delete your account and all associated data
  • Data Portability: Export your encrypted data
  • Objection: Opt out of certain data processing activities
  • Withdraw Consent: Revoke previously given permissions

To exercise these rights, contact us at: tien.tominh@gmail.com

8. Data Retention

  • Active Accounts: Data retained as long as your account is active
  • Deleted Accounts: Data permanently deleted within 30 days of account deletion
  • Backup Retention: Backups may persist for up to 90 days for disaster recovery
  • Legal Obligations: Some data may be retained longer if required by law

9. Cookies and Tracking

We use minimal cookies and local storage for:

  • Authentication: Firebase session tokens to keep you logged in
  • Preferences: Language selection and UI preferences
  • Security: CSRF tokens and security measures

We do not use third-party analytics or advertising cookies.

We do not sell your personal information to third parties.

Analytics & Usage Data

We use Google Analytics (via Google Tag Manager) to understand how users interact with our service. This helps us improve user experience and identify issues.

What We Track:

  • Page views and navigation patterns
  • Device type, browser, and operating system
  • Geographic location (country/city level)
  • Time spent on pages and user interactions
  • Referral sources (how you found our site)

What We Do NOT Track:

  • Your passwords or any encrypted data
  • Your personal information or account details
  • Any content you enter into forms or fields

Your Control:

Analytics only run if you accept cookies. You can withdraw consent at any time by clearing your browser cookies or rejecting cookies through our cookie banner.

10. Children's Privacy

Passaver is not intended for users under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

11. International Data Transfers

Your data may be stored and processed in data centers around the world operated by Google Cloud/Firebase. We ensure appropriate safeguards are in place for international data transfers in compliance with GDPR and other applicable regulations.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. Your continued use of Passaver after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Email: tien.tominh@gmail.com

This is an independent personal project developed by Minh Tiến. We operate without a physical office address. All communications are handled via email. Please allow reasonable time for response.

14. Open Source Transparency

Passaver is 100% open source. You can review our code, security practices, and encryption implementation on our GitHub repository. We believe in transparency and welcome community audits of our security measures.