Privacy policy

My Password Vault Privacy Policy

Applies to My Password Vault (the “Product”), including its web application and companion clients distributed by Skyface, LLC (“we,” “us,” “our”).

Summary

My Password Vault is built as a local‑first vault: your entries are encrypted on your device before they ever leave your control. Optional cloud sync stores only ciphertext, associated with your sign‑in; we intentionally design the system so that we cannot read your decrypted passwords.

This Policy explains what categories of information exist, where they live, what we rely on partners for, and the limits of our responsibility, so you know what we stand behind and what stays with you by design or by law.

1. Data we touch (and purpose)

  • Account & sign‑in: If you sign in with Google (or a similar identity provider) through our auth provider, identifiers such as the provider's user ID and, typically, your email address and name may be processed to create and secure your account.
  • Encrypted vault payloads: When you enable sync (e.g., via Supabase), we store encrypted JSON blobs and coarse metadata needed to reconcile versions (timestamps/counts)—not plaintext credentials.
  • Operational & support: If you email us at contact@skyface.com, we process the contents of messages to reply and improve the Product.
  • Technical logs: Hosts/CDNs/services may retain standard telemetry (IPs, timestamps, error logs) typical of web apps.

2. What stays on your device & what we deliberately do not have

The Product derives encryption keys from your master password locally, on your device. We do not collect, store, or receive your master password in plaintext, and we do not receive any decryption key that could be used to read the vault entries stored on your device.

Protected fields, including entry passwords and TOTP secrets, are encrypted on your device using algorithms such as AES‑256‑GCM, with the key derived on the client from your master password using PBKDF2‑SHA‑256. If you configure sync, the server mirrors the resulting ciphertext; without your master password, it cannot meaningfully decrypt your vault.

3. Third‑party services

  • Authentication & database: We use Supabase (or an equivalent service you configure via environment variables) for OAuth and for storage of encrypted vault records.
  • Identity providers: Google OAuth is subject to Google’s privacy terms when you authenticate.
  • Infrastructure/hosting/CDN: Delivery may flow through vendors you select (for example hosting on Vercel or another edge network).

These vendors process limited data as processors or sub‑processors to operate the Product; their terms also apply.

4. Analytics, ads, selling data

We do not sell personal information and we do not run third‑party advertising inside the vault experience. We do not knowingly buy/sell credential lists—your passwords are yours.

5. Backups & exports

Optional backups you create locally (offline JSON exports) are controlled by you. If you attach them to email or upload them to other cloud services, you accept that risk; we cannot secure copies you voluntarily place elsewhere.

6. Retention

We retain account and ciphertext records while your account stays active, unless we must keep limited records where the law requires it (e.g., fraud prevention). You may stop using sync at any time, or use the account closure workflows provided by Supabase or Google as applicable; we will assist through support where we reasonably can within the constraints those providers impose.

7. Children’s privacy

The Product is not directed to children under 13 (or minors under locally applicable thresholds). We do not knowingly collect children's personal information.

8. Security & your responsibilities

Security is layered: cryptography in the browser, TLS in transit (when the Product is served over HTTPS), and access controls enforced at the database. No system is perfect.

Your responsibilities include choosing a strong master password, guarding your devices, safeguarding exports, re‑verifying authenticator apps after device loss, and staying alert to phishing. Misconfiguration, malware, phishing, reused passwords, losing your authenticator or backups, or using the Product over plain HTTP can defeat a good design; those risks lie outside our control once data leaves the protections we provide by default.

9. What Skyface warrants & what we disclaim (short form)

We commit to honesty and industry‑standard safeguards, including designing the Product around client‑side encryption and minimal server knowledge.

  • We do not warrant uninterrupted or error‑free availability, or immunity from undisclosed vulnerabilities in browsers, OSes, cryptography libraries, providers, or your own misuse.
  • To the maximum extent permitted by law, we disclaim liability for indirect, incidental, special, consequential, or punitive damages, and for losses arising solely from unauthorized access after your credentials/export files are compromised on your devices.
  • Jurisdiction carve‑outs: Some regions do not allow certain disclaimers; where prohibited, these limits apply only to the extent allowed.

See your applicable terms of use (if separately published in app stores or marketing sites) for detailed caps/time limits.

10. International users

Servers and processors may reside in the United States or other jurisdictions. By using cloud features you acknowledge cross‑border transfer where necessary to operate the Product under standard contractual safeguards offered by processors.

11. Changes

We may update this Privacy Policy from time to time, including materially; we post updates here with a revised “Last updated” date. Continuing to use the Product after changes means acceptance of the revised policy, where allowed by law.

12. Contact

Questions about privacy or exercising rights:
Email contact@skyface.com
Website https://skyface.com/