Privacy Policy

    Important: You are responsible for your 3-word mnemonic

    We do not store your 3-word mnemonic (master secret). It's required to decrypt your data each time you log in, as encryption happens in your browser (client-side) using a key derived from it. If you lose it, your data cannot be recovered. You are responsible for backing it up securely.

    Last updated:

    TL;DR
    • We never see or store your 3-word mnemonic (master secret).
    • Almost all data we store is fully encrypted. (Your email, timestamps and subscription status are the only exceptions.)
    • Data is encrypted in your browser before it reaches our servers (a.k.a. client-side encryption).
    • If you lose your 3-word phrase, we cannot recover your data. (Please back it up securely!)
    • We only collect minimal account info (like email) to operate the service.
    • No ads, no selling your data, ever.
    • No cookies, no third-party tracking, no fingerprinting. (Analytics is cookieless and fully anonymous — see §7.)
    • The browser extension only reads login form fields — it does not read page content, body text, or track your browsing history. (See §9 for full extension details.)

    1. Quick summary

    This service uses client-side end-to-end encryption. Secrets (credentials, passwords) are encrypted in your browser before they are sent to our servers. We store only encrypted data and project public keys - we never store your 3-word mnemonic (master secret). As a result, we cannot decrypt your secrets without your 3-word phrase.

    Important: If you lose your 3-word mnemonic, we cannot recover your encrypted data. Please back up your 3-word phrase in a secure location (password manager, secure notes, hardware token, etc.).

    2. What we collect

    • User account data: email address, name (if provided), and authentication data (a password hash used only for login; we never store plaintext login passwords).
    • Project metadata: encrypted project names, membership lists (which are simply mappings of user UUIDs to project UUIDs - no personal information), and timestamps.
    • Public keys: project public keys (necessary so clients can encrypt secrets for a project).
    • Encrypted secrets: ciphertexts and any associated non-sensitive metadata (labels, created_at, updated_at).
    • Usage & diagnostics: logs, error reports, and anonymized analytics to help operate and improve the service.

    3. What we do not collect or store

    • We do not collect or store your 3-word mnemonic (master secret). It is never written to localStorage or any persistent browser storage.
    • We do not have access to plaintext secrets that you encrypt client-side, nor to your 3-word mnemonic.

    4. How encryption works (overview)

    Encryption uses modern, vetted cryptography (libsodium / X25519 / Curve25519 and authenticated encryption). The main steps:

    1. When a project is created, a public/private key pair (or project key) is generated in the browser, and a 3-word mnemonic (master secret) is created for you.
    2. The public key is uploaded to our servers. Your 3-word mnemonic is never stored anywhere by us — it exists only in your memory (or wherever you choose to back it up). Your private/master key lives only in volatile browser memory (RAM) during an active session and is never written to localStorage or any persistent browser storage.
    3. Nothing is persisted between sessions. Every time you open the app — including after closing a tab, refreshing the page, or reopening your browser — you must re-enter your 3-word mnemonic. There is no "remember me" mechanism; the phrase is always required to re-derive the decryption key.
    4. All secrets are encrypted in the browser with the project public key before being transmitted to the server.
    5. To read secrets, a client must re-derive the master key from the 3-word mnemonic and use the corresponding project key, all performed locally in the browser.

    5. Backups, retention & deletion

    We retain encrypted data and public keys until you delete them or your account. Because we cannot decrypt without your 3-word mnemonic, backups of the database are also encrypted from the perspective of your secrets.

    • Account/project deletion: When you delete a project or account we will remove the associated records (public keys and ciphertexts) from our database and backups will be cycled according to our retention policy.
    • Retention for compliance: In certain circumstances we may retain data to comply with legal obligations; retained data will remain encrypted.

    6. Sharing and invited users

    Invited users can be granted access to a project according to the app’s sharing workflow. Access requires possession of the project private key (or another secure transfer mechanism you and the super user agree on).

    If you share your private key with another user to grant access, that user will be able to decrypt and view the project secrets. You are responsible for sharing keys securely.

    7. Cookies, analytics & third parties

    We do not set any cookies on this website. We do not use localStorage, sessionStorage, IndexedDB, or any other form of persistent client-side storage for tracking, advertising, or cross-site profiling. The only thing we may write to localStorage is a one-byte preference flag if you dismiss our privacy notice — it contains no personal data.

    Analytics — Umami (self-hosted, cookieless). We use Umami to count page views and understand which pages are popular. Umami is privacy-friendly by design:

    • No cookies and no client-side storage are used.
    • No personal data is collected — no names, no emails, no fingerprints, no advertising IDs.
    • The data sent is limited to: page URL, referrer, browser language, screen size, and country (derived server-side from IP and then discarded — IP addresses are not stored).
    • Visitors cannot be tracked across sessions, devices, or websites.
    • We honour the browser's Do Not Track signal — analytics events are not sent if DNT is enabled.

    Lawful basis: legitimate interest (GDPR Art. 6(1)(f)) — operating and improving a free public website. Because no information is stored on or read from your device, these analytics are exempt from the prior-consent requirement of the ePrivacy Directive (PECR in the UK).

    Fonts and third-party CDNs. We do not load fonts, scripts, or stylesheets from Google Fonts, Google Analytics, Facebook, or any other third-party CDN. All fonts are self-hosted, so your IP address is never exposed to a third party just by visiting our marketing site.

    Operational sub-processors. To run the service we rely on a small set of trusted providers: Cloudflare (hosting and CDN, EU/global), Sanity.io (CMS for blog/news content, EU), and an email delivery provider for transactional emails. These providers process limited data on our behalf under data processing agreements and never receive plaintext secrets.

    Server-side logs. We log events necessary to operate the service (authentication events, API usage, error traces). Logs do not contain plaintext secrets, master keys, or your 3-word mnemonic.

    8. TOTP phone-as-scanner

    When adding a TOTP secret to a credential, Pwdly can generate a short-lived pairing link you scan with your phone camera. The phone-side page is anonymous — no account or sign-in is required on the phone. The pairing session exists only as a temporary database row (maximum five minutes) and is consumed and deleted once the secret is transferred. The TOTP secret itself is end-to-end encrypted between your phone and your desktop browser using a key embedded only in the URL fragment; the server receives and stores only ciphertext.

    • Camera access is requested by your phone's browser and used solely to scan the authenticator QR code.
    • No images or video are transmitted to our servers — only the encrypted TOTP secret.
    • The pairing session row (a random UUID and ciphertext) is deleted immediately after use, or automatically after five minutes.
    • No personal data is collected or stored as part of this flow.

    9. Browser extension

    If you install the Pwdly browser extension, the following additional data practices apply.

    What the extension accesses on websites

    The extension requests optional permission to run on all websites (<all_urls>). This permission is necessary for its core purpose: detecting login forms and autofilling your saved credentials on any site you visit. You are explicitly prompted to grant this permission when the extension is first installed, and you can revoke it at any time from Chrome's extension settings.

    • The extension reads login form fields (username, email, and password inputs) on the active page to detect a login attempt and offer to save credentials.
    • It does not read or transmit any other page content, body text, links, or page metadata to our servers.
    • It does not record or transmit which websites you visit.

    What the extension stores locally

    • Encrypted credential cache (chrome.storage.session): A copy of your encrypted credentials is cached in Chrome's session storage to enable fast autofill. This cache is cleared automatically when the browser is closed or you lock your vault. Decrypted credentials are held only in volatile session memory and are never written to persistent storage.
    • Authentication session (chrome.storage.local): Your Supabase session token is stored locally so you remain signed in between browser restarts.
    • Pending credential queue (chrome.storage.local): Credentials captured from a login form but not yet confirmed are held temporarily until you accept or dismiss the save prompt.

    What the extension does not do

    • It does not read, store, or transmit page content, browsing history, cookies, or any data beyond login form fields.
    • It communicates only with Pwdly's own servers — the same endpoints used by the web app — and with no third parties.
    • Your 3-word mnemonic is never stored by the extension; it follows the same zero-knowledge design as the web app.

    10. Your responsibilities

    • Back up your 3-word mnemonic securely (password managers, secure notes, hardware tokens).
    • Keep your account credentials (login password, 2FA) secure.
    • If you share your 3-word mnemonic, do so only with trusted parties; you are responsible for any access granted by that phrase.

    11. Data subject rights & legal bases

    Depending on where you live, you may have rights over your personal data (access, correction, deletion, portability). To exercise these rights, contact us (see below). We will respond in accordance with applicable law.

    12. Security practices

    • Client-side encryption uses libsodium (well-regarded cryptographic primitives).
    • Access to production systems is limited, audited, and protected by best-practice controls (strong authentication, logging).

    Note: No online system is 100% secure. Our approach minimizes risk but cannot protect against every possible threat (for example, loss of your 3-word mnemonic or compromise of both client and user backups).

    13. Children

    Our service is not intended for children under 16. We do not knowingly collect personal data from children under the applicable age without parental consent.

    14. Changes to this policy

    We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the app or via email.

    15. Contact

    If you have questions about this Privacy Policy or your data, please contact us at: privacy@pwdly.app
