Effective Date: June 25, 2026 • Security Version: 2.0.0
At PassCrypt, privacy is not a policy; it is a mathematical invariant. We operate a zero-knowledge architecture. All encryption and key derivations happen entirely within your local browser sandbox utilizing the compiled WebCrypto API. Your Master Password and Data Encryption Keys (DEK) are never transmitted, viewed, or cached on our network lines under any circumstances.
We do not collect personal metadata, IP analytics, or track browser activities. The database stores only the minimal schema required to operate your sandbox synchronization:
When you initiate a vault unlock sequence, the local Master Key decodes the Data Encryption Key. The DEK is held exclusively in the browser's volatile SessionStorage. It is designed to automatically wipe and zero-out on:
We do not distribute, sell, or license vault metadata. Because we do not hold the cryptographic keys to decode your vault, we cannot disclose decrypted data to government authorities or third-party auditors. Even in the event of an infrastructure breach, the adversary obtains only high-entropy ciphertext blocks which are mathematically unreadable.
You retain complete sovereignty over your keys. You can execute a local vault export at any time. The exporter downloads your data as a decrypted JSON or CSV file onto your physical storage drive. We impose no export bounds or vendor locks.