Privacy policy

My Password Vault Privacy Policy

Applies to My Password Vault (the “Product”), including its web application and companion clients distributed by Skyface, LLC (“we,” “us,” “our”).

Summary

My Password Vault is built as a local‑first vault: your entries are encrypted on your device before they ever leave your control. Optional cloud sync stores ciphertext only tied to your sign‑in—we intentionally design the system so that we cannot read your decrypted passwords without your master password, which we never receive.

This Policy explains what categories of information exist, where they live, what we rely on partners for, and limits of our responsibility so you know what we stand behind—and what stays with you by design or by law.

1. Data we touch (and purpose)

  • Account & sign‑in: When you create an account (email and password and/or Google sign‑in through our auth provider), we process identifiers such as your user ID, email address, and sign‑in method metadata needed to authenticate you and operate your account.
  • Encrypted vault payloads: When you use cloud sync, we store encrypted vault blobs and coarse metadata needed to reconcile versions (for example timestamps and entry counts)—not plaintext passwords or TOTP secrets.
  • License & purchase records: If you buy the permanent PRO upgrade, our systems store license status, purchase date, Stripe Checkout session reference, and purchase amount tied to your account email. Stripe processes card payments; we do not receive or store full payment card numbers.
  • Transactional email: If you use email sign‑in or password reset, our email provider delivers messages to the address you supply (for example verification or reset links).
  • Operational & support: If you email us at contact@skyface.com, we process the contents of messages to reply and improve the Product.
  • Technical logs: Hosting, database, and payment partners may retain standard telemetry (IPs, timestamps, error logs) typical of web applications.

2. What stays on your device & what we deliberately do not have

The Product derives encryption keys from your master password locally. We do not collect, store, or receive your master password in plaintext. We also do not receive decryption keys usable to read vault entries stored on-device.

Protected fields—including entry passwords and TOTP secrets—are encrypted on your hardware using protocols such as AES‑GCM‑256 with PBKDF2‑SHA‑256‑based derivation on the client. When you use sync, the server mirrors ciphertext; without your secrets, it cannot meaningfully decrypt your vault.

3. Third‑party services

  • Authentication & database (Supabase): Account sign‑in and storage of encrypted vault records and license metadata.
  • Google: If you choose Google sign‑in, Google’s privacy terms apply to that authentication flow.
  • Payments (Stripe): Checkout and payment processing for the one‑time PRO purchase; Stripe’s privacy policy and terms apply to payment data they handle.
  • Email (Resend): Delivery of transactional messages such as sign‑in and password‑reset email.
  • Infrastructure/hosting/CDN: The Product may be delivered through hosting and edge networks (for example Vercel or similar providers).

These vendors process limited data as processors or sub‑processors to operate the Product; their terms also apply.

4. Analytics, ads, selling data

We do not sell personal information and we do not run third‑party advertising inside the vault experience. We do not knowingly buy/sell credential lists—your passwords are yours.

5. Backups & exports

Optional backups you create locally (offline JSON exports) are controlled by you. If you attach them to mail or clouds, you choose that risk profile; we cannot secure copies you voluntarily copy elsewhere.

6. Retention & account deletion

We retain account, ciphertext, and license records while your account stays active, unless we must keep limited records where law requires (for example fraud prevention). Payment partners may retain billing records under their own policies.

You can permanently delete your account from Settings → Account → Delete account in the Product. That removes your encrypted cloud backup, license record on our systems, and your sign‑in account. Local vault data on your device is cleared as part of that flow on the device where you confirm deletion. If you cannot complete in‑app deletion, contact contact@skyface.com and we will assist where reasonably possible.

7. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or restrict certain processing of personal information. Because we cannot decrypt your vault, we can only help with account‑level data we actually hold (for example email, license status, encrypted blobs). Submit requests to contact@skyface.com; we may need to verify your identity.

8. Children’s privacy

The Product is not directed to children under 13 (or minors under locally applicable thresholds). We do not knowingly collect children's personal information.

9. Security & your responsibilities

Security is layered: cryptography in the browser, TLS in transit (when you use HTTPS), and access controls enforced by databases. No system is perfect.

Your responsibilities include choosing a strong master password, guarding devices, safeguarding exports, verifying authenticator apps after loss, and phishing awareness. Mis‑configuration, malware, phishing, reused passwords, losing your authenticator/backups, or using HTTP sites can defeat good designs—those risks lie outside our control once data leaves protections we provide by default.

10. What Skyface warrants & what we disclaim (short form)

We commit to honesty and industry‑standard safeguards, including designing the Product around client‑side encryption and minimal server knowledge.

  • We do not warrant uninterrupted or error‑free availability, or immunity from undisclosed vulnerabilities in browsers, OSes, cryptography libraries, providers, or your own misuse.
  • To the maximum extent permitted by law, we disclaim liability for indirect, incidental, special, consequential, or punitive damages, and for losses arising solely from unauthorized access after your credentials/export files are compromised on your devices.
  • Jurisdiction carve‑outs: Some regions do not allow certain disclaimers; where prohibited, limits apply only to extent allowed.

See our Terms of Use for additional warranty and liability limits.

11. International users

Servers and processors may reside in the United States or other jurisdictions. By using cloud features you acknowledge cross‑border transfer where necessary to operate the Product under standard contractual safeguards offered by processors.

12. Changes

We may update this Privacy Policy materially; we post updates here with a revised “Last updated” date. Continuing to use the Product after changes means acceptance of the revised policy where allowed by law.

13. Contact

Questions about privacy or exercising rights:
Email contact@skyface.com
Website https://skyface.com/