Privacy Policy

    Important: You are responsible for your 3-word mnemonic

    We do not store your 3-word mnemonic (master secret). It's required to decrypt your data each time you log in, as encryption happens in your browser (client-side) using a key derived from it. If you lose it, your data cannot be recovered. You are responsible for backing it up securely.

    Last updated:

    TL;DR
    • We never see or store your 3-word mnemonic (master secret).
    • Almost all data we store is fully encrypted. (Your email, timestamp dates & subscription status are the only exceptions.)
    • Data is encrypted in your browser before it reaches our servers (aka client-side encryption).
    • If you lose your 3-word phrase, we cannot recover your data. (Please back it up securely!)
    • We only collect minimal account info (like email) to operate the service.
    • No ads, no selling your data, ever.

    1. Quick summary

    This service uses client-side end-to-end encryption. Secrets (credentials, passwords) are encrypted in your browser before they are sent to our servers. We store only encrypted data and project public keys - we never store your 3-word mnemonic (master secret). As a result, we cannot decrypt your secrets without your 3-word phrase.

    Important: If you lose your 3-word mnemonic, we cannot recover your encrypted data. Please back up your 3-word phrase in a secure location (password manager, secure notes, hardware token, etc.).

    2. What we collect

    • User account data: email address, name (if provided), and authentication data (password hash used for login only; we store password hashes as part of authentication - we never store plaintext login passwords).
    • Project metadata: project names, membership lists, timestamps.
    • Public keys: project public keys (necessary so clients can encrypt secrets for a project).
    • Encrypted secrets: ciphertexts and any associated non-sensitive metadata (labels, created_at, updated_at).
    • Usage & diagnostics: logs, error reports, and anonymized analytics to help operate and improve the service.

    3. What we do not collect or store

    • We do not collect or store your 3-word mnemonic (master secret). If you explicitly paste and store it locally in your browser, it remains client-side only.
    • We do not have access to plaintext secrets that you encrypt client-side, nor to your 3-word mnemonic.

    4. How encryption works (overview)

    Encryption uses modern, vetted cryptography (libsodium / X25519 / Curve25519 and authenticated encryption). The main steps:

    1. When a project is created, a public/private key pair (or project key) is generated in the browser, and a 3-word mnemonic (master secret) is created for you.
    2. The public key is uploaded to our servers; the private key and your 3-word mnemonic stay on your device (using local storage).
    3. All secrets are encrypted in the browser with the project public key before being transmitted to the server.
    4. To read secrets, a client must have the corresponding private key and your 3-word mnemonic, and perform decryption locally.

    We also apply additional server-side encryption (e.g., Laravel AES encrypt) as a defense-in-depth layer, but this does not replace end-to-end encryption or your 3-word mnemonic protection.

    5. Backups, retention & deletion

    We retain encrypted data and public keys until you delete them or your account. Because we cannot decrypt without your 3-word mnemonic, backups of the database are also encrypted from the perspective of your secrets.

    • Account/project deletion: When you delete a project or account we will remove the associated records (public keys and ciphertexts) from our database and backups will be cycled according to our retention policy.
    • Retention for compliance: In certain circumstances we may retain data to comply with legal obligations; retained data will remain encrypted.

    6. Sharing and invited users

    Invited users can be granted access to a project according to the app’s sharing workflow. Access requires possession of the project private key (or another secure transfer mechanism you and the super user agree on).

    If you share your private key with another user to grant access, that user will be able to decrypt and view the project secrets. You are responsible for sharing keys securely.

    7. Logging, analytics & third parties

    We log events necessary to operate the service (authentication events, API usage, error traces). Logs do not contain plaintext secrets; where applicable they contain identifiers or references only.

    We may use trusted third-party services (analytics, email delivery, hosting, KMS) to operate the service. Those providers process limited data on our behalf and are contractually required to protect it.

    8. Your responsibilities

    • Back up your 3-word mnemonic securely (password managers, secure notes, hardware tokens).
    • Keep your account credentials (login password, 2FA) secure.
    • If you share your 3-word mnemonic, do so only with trusted parties; you are responsible for any access granted by that phrase.

    9. Data subject rights & legal bases

    Depending on where you live, you may have rights over your personal data (access, correction, deletion, portability). To exercise these rights, contact us (see below). We will respond in accordance with applicable law.

    10. Security practices

    • Client-side encryption uses libsodium (well-regarded cryptographic primitives).
    • Server-side secrets (if any) use Laravel’s built-in encryption for defense in depth.
    • Access to production systems is limited, audited, and protected by best-practice controls (strong authentication, logging).

    Note: No online system is 100% secure. Our approach minimizes risk but cannot protect against every possible threat (for example, loss of your 3-word mnemonic or compromise of both client and user backups).

    11. Children

    Our service is not intended for children under 16. We do not knowingly collect personal data from children under the applicable age without parental consent.

    12. Changes to this policy

    We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the app or via email.

    13. Contact

    If you have questions about this Privacy Policy or your data, please contact us at: privacy@pwdly.app