Privacy Policy

Last updated: November 25, 2025

Effective date: November 25, 2025

1. Introduction and Data Controller

At Passary, we believe that your data belongs to you and privacy is a fundamental right. This Privacy Policy explains in detail how Passary ("we", "us", or "our") handles information when you use our local-first password manager application (the "Service").

Data Controller

Passary Team

Budapest, Hungary

Email: privacy@passary.com

The Short Version: We don't collect, process, or store your personal data. Your vault is stored locally on your device, encrypted with keys only you possess. We have zero access to your passwords or vault contents.

2. Scope of This Policy

This Privacy Policy applies to the Passary web application available at passary.com and any related services we provide. It describes our data handling practices in compliance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR")
  • Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
  • Other applicable data protection laws and regulations

3. What Data We Collect and Process

3.1 Personal Data We Do NOT Collect

Passary operates on a zero-knowledge, local-first architecture. We do NOT collect, process, transmit, or store:

  • Your passwords, credentials, or vault contents
  • Your master password or encryption keys
  • Personal identification information (name, email, phone number)
  • Payment or billing information (the Service is currently free)
  • Usage analytics or behavioral tracking data
  • IP addresses or device identifiers
  • Location data
  • Cookies for tracking purposes

3.2 Technical Data Stored Locally on Your Device

The following data is stored exclusively on your local device using your browser's storage mechanisms (LocalStorage, IndexedDB):

  • Encrypted Vault Data: Your passwords, usernames, notes, and other vault entries, encrypted with AES-256-GCM
  • Application Preferences: UI settings, theme preferences, and other application state
  • Essential Cookie Consent: A localStorage item recording your acknowledgment of our use of essential local storage

Important: This data never leaves your device unless you explicitly export your vault file. We have no access to this data.

3.3 Server Logs (Minimal Technical Data)

When you access our website, standard web server logs may temporarily record:

  • IP address (anonymized or deleted within 24 hours)
  • Browser type and version
  • Operating system
  • Date and time of access
  • Requested page/resource

Purpose: Security monitoring, preventing abuse, and technical error diagnosis only.

Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) in maintaining the security and functionality of our infrastructure.

Retention: Server logs are automatically deleted within 7 days.

4. How We Process Your Data

4.1 Local-First Architecture

Passary is designed as a local-first application. All encryption, decryption, and data processing occurs entirely within your web browser or on your local device. Your vault data is:

  • Encrypted using AES-256-GCM with your master password-derived key
  • Never transmitted to our servers or any third-party servers
  • Stored in your browser's local storage or exported to files you control

4.2 Encryption and Security

  • Key Derivation: Argon2id algorithm processes your master password to derive encryption keys
  • Encryption: AES-256-GCM (Authenticated Encryption with Associated Data)
  • Zero Knowledge: We mathematically cannot decrypt your vault without your master password

4.3 No Third-Party Data Sharing

We do not share, sell, rent, or trade any user data with third parties. Period.

We do not use:

  • Google Analytics or similar tracking services
  • Social media pixels or tracking cookies
  • Advertising networks
  • Third-party authentication providers (no OAuth)
  • Content Delivery Networks (CDN) that process personal data

5. Legal Basis for Processing (GDPR Article 6)

Where we do process any data (minimal server logs), our legal basis is:

  • Legitimate Interest (Article 6(1)(f)): Security monitoring and technical error diagnosis to maintain service availability
  • Essential for Service (Article 6(1)(b)): Local storage is necessary to provide the password management functionality you requested

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. However, due to our zero-knowledge architecture, most traditional data rights are not applicable because we don't possess your personal data:

Right of Access (Article 15)

You can request confirmation of what data we process. Since we don't collect personal data, we can confirm we hold no personal information about you.

Right to Rectification (Article 16)

Not applicable - we don't store your data. You have full control to edit your vault locally.

Right to Erasure ("Right to be Forgotten") (Article 17)

Your data is already stored only on your device. You can delete it at any time by clearing your browser data or deleting your vault file.

Right to Data Portability (Article 20)

You can export your encrypted vault file at any time through the application.

Right to Object (Article 21)

You can object to processing based on legitimate interest. Given we perform minimal processing, you can stop using the service at any time.

Right to Withdraw Consent

You can clear your cookie consent at any time via the Cookie Policy page.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In Hungary, the competent authority is:
NAIH (National Authority for Data Protection and Freedom of Information)
Website: naih.hu

To exercise any of these rights, please contact us at privacy@passary.com

7. Data Retention

  • Vault Data: Stored locally on your device indefinitely until you delete it
  • Server Logs: Automatically deleted within 7 days
  • Cookie Consent: Stored in your browser until you clear it or revoke consent

8. International Data Transfers

Since your data never leaves your device and we don't collect personal data, there are no international data transfers. The web application files are served from servers located in the European Union (Hungary).

9. Security Measures

We implement industry-standard security measures:

  • HTTPS/TLS: All connections to passary.com are encrypted in transit
  • Client-Side Encryption: AES-256-GCM encryption performed in your browser
  • No Data Storage: Zero-knowledge architecture means we can't suffer data breaches of user credentials
  • Regular Security Audits: Code and infrastructure reviewed for vulnerabilities
  • Content Security Policy: Strict CSP headers to prevent XSS attacks

Important: If you lose your master password or vault file, we CANNOT recover it. This is by design - it ensures we have zero access to your data.

10. Children's Privacy

Passary does not knowingly collect data from children under 16 years of age. Given our zero-knowledge architecture, we have no way to determine user age. If you are a parent or guardian and believe your child has used Passary, please contact us. However, since we don't collect data, no action would typically be necessary.

11. Automated Decision-Making and Profiling

We do not engage in any automated decision-making or profiling as defined under GDPR Article 22. We do not use algorithms to analyze or predict your personal preferences, behavior, or characteristics.

12. Third-Party Links

Our Service may contain links to external websites. We are not responsible for the privacy practices of these third-party sites. We encourage you to read their privacy policies when you leave our site.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. Changes will be posted on this page with an updated "Last updated" date.

Material changes will be communicated through a notice on our homepage. Your continued use of Passary after changes constitutes acceptance of the updated policy.

14. Data Breach Notification

While our zero-knowledge architecture makes traditional data breaches of user credentials impossible, if we experience any security incident affecting our infrastructure, we will:

  • Notify the relevant supervisory authority within 72 hours (if required under GDPR Article 33)
  • Inform users if the breach poses a high risk to their rights and freedoms (GDPR Article 34)
  • Take immediate steps to mitigate any potential harm

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@passary.com

Response Time: We aim to respond to all privacy inquiries within 30 days, as required by GDPR.

16. Consent and Acknowledgment

By using Passary, you acknowledge that you have read, understood, and agree to this Privacy Policy and our Terms of Service. Given the local-first nature of our service, your primary consent is to the use of browser local storage for essential functionality.
