🦉PasswordOwlBack to Home

Privacy Policy

Last updated: January 2025

1. Introduction

PasswordOwl is a zero-knowledge password manager. This means that your sensitive data is encrypted on your device before it ever reaches our servers. We have designed our system so that we cannot access, read, or decrypt your passwords, vault names, or any other confidential information you store.

2. Data We Collect

We collect only the minimum data necessary to provide the service:

  • Email address - Used for account identification and authentication.
  • Encrypted vault data - Your passwords and items are encrypted with AES-256-GCM before being stored. We cannot decrypt this data.
  • Password hash - A PBKDF2-derived hash that allows authentication. We never store your plaintext password.
  • Account metadata - Creation date and last update timestamps.

3. What We Never See

Due to our zero-knowledge architecture, we have no access to:

  • Your master password
  • Your secret key
  • Your vault key (decrypted)
  • Names of your vaults
  • Stored passwords, usernames, or notes
  • Website URLs or login details
  • Any plaintext content in your vault

Even if our servers were compromised, attackers would only obtain encrypted data that is computationally infeasible to decrypt without your master password and secret key.

4. How We Use Your Data

The data we collect is used exclusively for:

  • Authenticating you when you log in
  • Storing your encrypted vault data
  • Sending transactional emails (verification, security alerts)

We do not sell, share, or monetize your data in any way. We do not use your data for advertising or analytics purposes.

5. Security Measures

We implement industry-leading security measures:

  • AES-256-GCM encryption - Military-grade encryption for all vault data.
  • Argon2id key derivation - Memory-hard function (64MB, 3 iterations) that resists brute-force attacks.
  • PBKDF2 authentication - Password verified via PBKDF2 (100,000 iterations) over TLS. Only a salted hash is stored server-side.
  • Two-Secret Key Derivation - Requires both master password and secret key to access your vault.
  • HTTPS everywhere - All communications are encrypted in transit.

6. Your Rights

You have the following rights regarding your data:

  • Access - You can access all your data through the application at any time.
  • Export - You can export your vault data in a portable format.
  • Deletion - You can request complete deletion of your account and all associated data.
  • Portability - Your data belongs to you and can be moved to another service.

7. Data Retention

We retain your encrypted data as long as your account is active. If you delete your account, all associated data is permanently removed from our servers within 30 days. Temporary data (such as verification tokens) is automatically deleted after expiration.

8. Third-Party Services

We use the following third-party services:

  • Cloudflare - For hosting and content delivery.
  • Resend - For sending transactional emails.
  • Google OAuth (optional) - For identity verification if you choose to sign in with Google.

These services only receive the minimum data necessary for their function and never have access to your encrypted vault data.

9. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@passwordowl.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.