Privacy Policy
Last updated: April 9, 2026
Our Commitment
Seccret is a zero-knowledge password manager. This means your vault data is encrypted on your device before it ever reaches our servers. We cannot read, access, or decrypt your passwords, secure notes, or any stored credentials. Your master password never leaves your browser.
1. Information We Collect
Account Information
- Username and email address — used for authentication and account recovery
- First and last name (optional) — used for display purposes only
- Profile avatar (optional) — stored on the server for display
- Hashed account password — your login password is hashed using bcrypt; the plain text is never stored
Vault Data (Encrypted)
- Vault credentials, notes, and custom fields — encrypted client-side with AES-256-GCM before transmission. We store only the ciphertext.
- Vault master password hash — derived via PBKDF2 with 600,000 iterations. The plain master password never leaves your browser.
- Encryption keys — your encryption key is wrapped (protected) with your master password. We cannot unwrap it without your master password.
- Folder names — stored in plain text to enable server-side organization
- Item names and types — stored in plain text to enable search and filtering
Security & Session Data
- Login activity — IP address, browser/OS type, and login status (success/failure) for security monitoring
- Active sessions — browser fingerprint and last active timestamp to allow session management
- Trusted devices — device identifier hashes that let recognized devices skip the second authentication factor
- Audit log — records of security-relevant actions (login, password change, sharing events) with IP and timestamp
Two-Factor Authentication
- TOTP secret — encrypted and stored server-side when you enable 2FA
- Backup codes — hashed and stored for emergency access
- Passkey credentials — public key and credential ID (private key stays on your device)
2. Information We Never Collect
- Your vault master password (it never leaves your browser)
- Decrypted vault data (passwords, API keys, notes, card numbers, etc.)
- Your raw encryption keys
- Browsing history or activity outside of Seccret
- Third-party tracking cookies or analytics
- Advertising identifiers
3. How We Use Your Information
- Authentication — to verify your identity when you log in
- Account recovery — to send password reset emails to your registered address
- Security monitoring — to detect unusual login patterns and notify you of suspicious activity
- Credential expiry reminders — to notify you when stored credentials haven't been rotated within your configured period
- Emergency access — to facilitate trusted contact access in case of emergency, with your configured wait period
- Sharing — to enable secure credential sharing between users using end-to-end encryption (RSA-OAEP + AES-256-GCM)
4. Data Sharing & Third Parties
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
Limited third-party services used:
- Cloudflare Turnstile — CAPTCHA verification on registration to prevent automated abuse.
- Have I Been Pwned — password breach checking uses the k-anonymity range API: only the first 5 hex characters of the password's SHA-1 hash are sent, never the full password or the full hash; the remaining 35 characters are matched locally in your browser.
5. Data Retention
- Account data — retained as long as your account exists
- Deleted vault items — soft-deleted items are kept in trash for 30 days, then permanently purged
- Audit logs — automatically purged after 365 days
- Read notifications — automatically purged after 90 days
- Login activity — most recent 50 entries retained per user
- Password reset tokens — automatically purged after 24 hours
- Expired external share links — purged 30 days after expiration
- Stale emergency access entries — rejected or revoked entries purged after 90 days
- Item version history — last 5 versions retained per item
6. Data Security
We implement multiple layers of security to protect your data:
- Zero-knowledge encryption — AES-256-GCM with keys derived via PBKDF2 (600,000 iterations)
- Two-tier key hierarchy — your master password derives a key that unwraps a random vault key; changing your master password doesn't re-encrypt all items
- End-to-end encrypted sharing — RSA-OAEP public key exchange ensures only intended recipients can decrypt shared items
- HTTPS enforcement — all connections are encrypted in transit
- CSRF protection — all state-changing requests are protected against cross-site request forgery
- Content Security Policy — CSP headers with nonces to prevent XSS attacks
- Rate limiting — vault unlock attempts are limited to 5 per 15 minutes; API tokens are limited to 100 requests per minute
- Security headers — HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers
7. Your Rights
You have full control over your data:
- Access — view all your stored data through the vault interface at any time
- Export — download a complete copy of your data in JSON format from Profile → Audit & Data
- Correction — update your account information and vault entries at any time
- Deletion — permanently delete your account and all associated data from Profile → Audit & Data. This action is irreversible.
- Revocation — revoke active sessions, trusted devices, API tokens, and shared credentials at any time
8. Cookies
Seccret uses only essential cookies required for the application to function:
- Session cookie — maintains your authenticated session (httpOnly, secure)
- CSRF cookie — prevents cross-site request forgery attacks
- Remember-me cookie (optional) — keeps you logged in across browser sessions if you choose to enable it
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
9. Local Storage
The following data is stored locally in your browser and never sent to our servers:
- Theme preference — your light/dark/auto theme choice
- Vault view settings — grid/list view mode, sort preference, expanded folders
- Offline cache — encrypted vault data cached in IndexedDB for offline read-only access (PWA mode)
- Bookmarklet key — vault key temporarily stored in localStorage when the autofill bookmarklet is enabled (cleared on vault lock)
10. Children's Privacy
Seccret is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically for any changes. Continued use of Seccret after changes constitutes acceptance of the updated policy.