Privacy Policy

Passwall is designed with privacy at its core. We use a zero-knowledge architecture, which means we cannot access your vault data, passwords, or other sensitive information you store in Passwall.

1.1 Account Information

When you create an account, we collect:

• Email address (used for authentication and communication)
• Name (optional, for personalization)
• Master password hash (for authentication only, not for decryption)
• Account creation date and last login date

1.2 Encrypted Vault Data

We store your encrypted vault data, but we cannot decrypt it. This includes:

• Encrypted passwords, usernames, and other credentials
• Encrypted secure notes and documents
• Metadata (item names, folders) - may be encrypted or plain based on your settings
• Number of items in your vault (count only, not contents)

1.3 Usage Information

• Device and browser information (for security and compatibility)
• IP address and location (for fraud prevention and security)
• Usage statistics (feature usage, performance metrics)
• Error logs and crash reports (for debugging and improvements)

1.4 Payment Information

Payment processing is handled by Stripe. We do not store your credit card information. Stripe may collect:

• Credit card details (stored by Stripe, not Passwall)
• Billing address
• Payment history and transaction records

2.1 To Provide Our Services

• Authenticate your identity and provide access to your account
• Sync your encrypted vault across devices
• Process payments and manage subscriptions
• Provide customer support

2.2 To Improve Our Services

• Analyze usage patterns to improve features
• Debug technical issues and improve performance
• Develop new features based on user feedback

2.3 To Communicate With You

• Send important service updates and security alerts
• Respond to your inquiries and support requests
• Send marketing communications (with your consent, opt-out anytime)

2.4 For Security and Fraud Prevention

• Detect and prevent unauthorized access
• Monitor for suspicious activity
• Comply with legal obligations

Passwall cannot access your vault data. Your vault is encrypted and decrypted on your device using your master password. We only store encrypted data that we cannot decrypt.

What This Means:

• We cannot see your passwords, usernames, or other sensitive data
• We cannot recover your master password if you forget it
• We cannot decrypt your data, even if legally compelled
• Law enforcement requests can only provide encrypted data (useless without your password)

We do not sell your personal information. We may share information only in these limited circumstances:

4.1 Service Providers

We work with trusted third-party service providers:

• Stripe - Payment processing
• Cloud Infrastructure Providers - Hosting and data storage
• Email Service Providers - Transactional emails
• Analytics Services - Usage analytics (anonymized)

These providers are contractually obligated to protect your information and use it only for the specified purposes.

4.2 Legal Requirements

We may disclose information if required by law:

• In response to valid legal process (subpoena, court order)
• To protect rights, property, or safety of Passwall, users, or the public
• In connection with fraud investigation or prevention

Note: Due to our zero-knowledge architecture, we can only provide encrypted data that is useless without the user's master password.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5.1 Where We Store Data

• Primary servers: European Union (GDPR compliant)
• Backup servers: Geographically distributed
• Encrypted at rest and in transit (TLS 1.3)

5.2 How Long We Keep Data

• Active accounts: As long as your account is active
• Deleted accounts: 30 days grace period, then permanently deleted
• Backups: Maintained for 90 days for disaster recovery
• Legal obligations: May retain certain data as required by law

5.3 Security Measures

• AES-256 encryption for all vault data
• PBKDF2-SHA256 with 600,000+ iterations
• TLS 1.3 for all network communications
• Regular security audits and penetration testing
• 24/7 security monitoring and incident response

Under GDPR and other privacy laws, you have the following rights:

6.1 Access and Portability

• Request a copy of your personal data
• Export your vault data in standard formats (CSV, JSON)

6.2 Correction and Deletion

• Update your account information anytime
• Delete your account and all associated data
• Request deletion of specific data

6.3 Control and Consent

• Opt-out of marketing communications
• Control cookie preferences
• Withdraw consent for data processing

To exercise these rights, contact us at privacy@passwall.io

Passwall is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) for EU data transfers
• Adequacy decisions where applicable
• Encryption in transit and at rest

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the service. Your continued use of Passwall after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or how we handle your information:

• Email: privacy@passwall.io
• Data Protection Officer: dpo@passwall.io
• Company: Passwall Ltd
• Address: 128 City Road, London EC1V 2NX, United Kingdom