Privacy Policy

1. Introduction

SecurePass ("we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our password management service.

2. Information We Collect

2.1 Account Information

• Email address (used for account identification and communication)
• Name (first and last name for account personalization)
• Password (hashed and salted, never stored in plain text)
• Account preferences and settings
• Organization and team affiliations

2.2 Encrypted Vault Data

• Password entries (encrypted with your master key)
• Secure notes and attachments
• Website URLs and associated metadata
• Custom fields and categories
• Sharing permissions and access logs

2.3 Technical Information

• IP address and device information
• Browser type and version
• Operating system and platform
• Login timestamps and session duration
• Feature usage statistics (anonymized)

3. Zero-Knowledge Architecture

Your passwords are encrypted with your master key and cannot be accessed by SecurePass:

• We use client-side encryption before data leaves your device
• Your master key is never transmitted or stored on our servers
• We cannot decrypt or access your stored passwords
• Even our employees cannot view your sensitive data
• Government requests cannot be fulfilled for encrypted data

4. How We Use Your Information

4.1 Service Provision

• Authenticate your identity and secure your account
• Synchronize your encrypted data across devices
• Provide customer support and technical assistance
• Enable team and organization features
• Process payments and manage subscriptions

4.2 Security and Compliance

• Monitor for suspicious activity and security threats
• Enforce our Terms of Service and acceptable use policies
• Comply with legal obligations and regulatory requirements
• Conduct security audits and vulnerability assessments

4.3 Communication

• Send security alerts and account notifications
• Provide product updates and feature announcements
• Deliver customer support responses
• Send marketing communications (with consent)

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information only in these limited circumstances:

5.1 Service Providers

• Cloud hosting providers (AWS, Azure) for encrypted data storage
• Payment processors for subscription billing
• Analytics services for anonymized usage statistics
• Customer support tools for service delivery

5.2 Legal Requirements

• Court orders and legal processes
• Law enforcement requests (metadata only)
• National security requirements
• Protection of our legal rights

5.3 Organization Accounts

• Organization administrators can access shared team data
• Audit logs are available to organization admins
• User management data is shared within organizations
• Private passwords remain encrypted and inaccessible

6. Data Security Measures

6.1 Encryption

• AES-256 encryption for all sensitive data
• TLS 1.3 for data transmission
• Separate encryption keys for different data types
• Regular key rotation and security updates

6.2 Access Controls

• Multi-factor authentication for all accounts
• Role-based access control for employees
• Regular access reviews and permission audits
• Principle of least privilege implementation

6.3 Infrastructure Security

• SOC 2 Type II compliant data centers
• 24/7 security monitoring and incident response
• Regular penetration testing and vulnerability assessments
• Secure development lifecycle practices

7. International Data Transfers

We may transfer your information to countries outside your residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses and adequacy decisions. All transfers maintain the same level of protection as required by applicable data protection laws.

8. Data Retention

We retain your information for as long as necessary to provide our services:

• Account data: Retained while your account is active
• Vault data: Retained until you delete items or close your account
• Audit logs: Retained for 2 years for security purposes
• Billing records: Retained for 7 years as required by law
• Deleted data: Permanently deleted within 30 days

9. Your Privacy Rights

9.1 Access and Portability

• Access your personal information we hold
• Export your data in a portable format
• Receive copies of your data

9.2 Correction and Deletion

• Correct inaccurate personal information
• Delete your account and associated data
• Request deletion of specific data items

9.3 Control and Consent

• Withdraw consent for marketing communications
• Object to processing for legitimate interests
• Restrict processing in certain circumstances

10. Cookies and Tracking

We use cookies and similar technologies to:

• Maintain your login session
• Remember your preferences and settings
• Improve our service performance
• Provide analytics insights (anonymized)
• Detect and prevent fraud

11. Third-Party Services

We integrate with third-party services that have their own privacy policies:

• reCAPTCHA for spam protection (Google Privacy Policy applies)
• Email services for notifications
• Analytics platforms for service improvement
• Payment processors for billing

12. Data Breach Response

In the event of a data breach:

• We will notify affected users within 72 hours
• Regulatory authorities will be notified as required
• We will provide clear information about the breach
• Remediation steps will be taken immediately
• A detailed incident report will be published

13. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will delete it immediately. Parents who believe their child has provided information should contact us.

14. California Privacy Rights (CCPA)

California residents have additional rights under the CCPA:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of the sale of personal information
• Right to non-discrimination for exercising privacy rights
• Right to request specific pieces of personal information

15. European Privacy Rights (GDPR)

European users have additional rights under GDPR:

• Right to rectification of inaccurate data
• Right to data portability
• Right to object to processing
• Right to restrict processing
• Right to lodge a complaint with supervisory authorities

16. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or in-app notification. Your continued use of the service after changes constitutes acceptance of the updated policy.

17. Contact Information

For privacy-related questions or to exercise your rights, contact us: