Privacy Policy
Effective date: 18 March 2026 · Version 1.0
Passa is a zero-knowledge password manager. Your vault is encrypted on your device before any data leaves it. We cannot read your passwords - and we never will.
1. Who We Are
Passa ("we", "our", "us") is a browser extension that stores and auto-fills passwords. All primary vault operations happen locally on your device.
2. What Data We Collect
Passa operates on a strict data-minimisation principle. We distinguish between data that stays on your device and data that may leave it.
Data stored only on your device (never sent to us):
- Your encrypted vault (passwords, usernames, URLs, notes)
- Your master password (never stored - used only transiently to derive encryption keys)
- Extension settings (auto-lock timeout, autofill preferences, sync provider choice)
Data you choose to sync via a third-party provider:
- If you enable Google Drive or Dropbox sync, your encrypted vault file is uploaded to your own account on that provider. We never have access to your provider account or to the file contents.
Data Passa may collect to operate accounts, licensing, and product updates:
- Your email address for accounts, waitlist, support, or license delivery
- Account authentication data, such as a password verifier or hash
- License status needed to enable paid features
- Payment records handled by our payment processor, where applicable
Data we do not collect:
- Your plaintext passwords, master password, or vault encryption keys
- Your decrypted vault contents
- Browser history or browsing behaviour
3. How We Use Your Data
We use account, license, waitlist, support, and payment-related data only to provide Passa, send product updates, validate paid features, respond to support requests, and process purchases. We do not sell your personal data. The encrypted vault stored on your device or in your cloud storage account is used solely to provide the password manager functionality.
4. Third-Party Cloud Providers
Sync features (Google Drive, Dropbox) are entirely optional. When enabled:
- You authenticate with the provider using OAuth - Passa never sees your provider password.
- Only your encrypted vault file is transferred. The encryption key never leaves your device.
- The provider's own privacy policy governs how they handle the file in your account.
5. Data Retention
Your vault data lives in your browser's local storage and, optionally, in your cloud provider account. You can delete all local data at any time via Settings → Privacy & Legal → Delete All My Data. To remove cloud copies, delete the file from your Google Drive or Dropbox account directly.
6. Your Rights (GDPR & CCPA)
Most vault-related rights are exercised directly on your own device because we do not hold your decrypted vault. For account, license, support, waitlist, and payment-related data, contact us and we will help you exercise applicable privacy rights.
- Right to access - Export your vault at any time via Settings → Backup & Export.
- Right to deletion - Delete all local vault data via Settings → Privacy & Legal → Delete All My Data.
- Right to portability - Your exported vault is a standard JSON file you can use with compatible tools.
- Do Not Sell / Do Not Share - We do not sell or share personal data. This applies equally to California residents under CCPA / CPRA.
7. Children's Privacy
Passa is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children.
8. Security
Vault data is protected with AES-256-GCM encryption, using keys derived via PBKDF2 with a high iteration count.
9. Changes to This Policy
If we make material changes, we will update the "Effective date" at the top of this page and, where feasible, display an in-extension notice. Continued use of Passa after a change constitutes acceptance of the updated policy.
10. Contact
Questions about this policy? Email us at support@usepassa.com.