Privacy Policy

Last updated: March 15, 2026

1. Our Commitment

SandPass is a zero-knowledge password manager. This means we cannot read, access, or decrypt your stored passwords, notes, cards, or any vault data — even if compelled to do so. Your master password never leaves your device.

2. What We Collect

  • Email address (hashed): Used at registration to create your account and send the verification email. After that we retain only a SHA-256 hash of the address, not the plaintext. Because email addresses are easy to guess and re-hash, the hash does not make the address unrecoverable to someone who obtains it; it means the address itself is absent from our records.
  • Encrypted vault data: Your passwords, notes, cards, and identities are encrypted with AES-256-GCM on your device before being sent to our servers. We store only encrypted blobs.
  • Device metadata: Browser type, operating system, and a device identifier, used for session management and the trusted-device feature. Browser type and OS are already visible to any server you connect to (they travel in the User-Agent header); the device identifier is specific to your SandPass account.
  • Login history: Timestamps, success/failure status, and IP addresses of login attempts. Used for security monitoring and shown in your account settings.

3. What We Never Collect

  • Your master password (never transmitted, not even as a hash: authentication uses the OPAQUE protocol, which sends only a blinded value)
  • Your decrypted vault data (passwords, notes, cards, identities)
  • Your browsing history or the websites you visit
  • Keystrokes or form data outside of SandPass

4. Encryption

All vault data is encrypted with AES-256-GCM using a fresh random nonce (IV) for every encryption, so the same vault never produces the same ciphertext twice and any tampering with a stored blob is detected when it is decrypted. Your encryption key is derived from your master password with Argon2id (64 MiB of memory, 3 iterations), a memory-hard KDF that makes GPU and ASIC guessing attacks expensive. Authentication uses the OPAQUE protocol (RFC 9807), in which the server never receives your password or a hash of it, only a blinded value from which neither can be recovered.

5. Data Storage

Encrypted vault data is stored on secured servers. Session data is stored in Redis with HMAC-SHA256 signed tokens. All server communications use HTTPS/TLS.

6. Third-Party Services

  • HaveIBeenPwned: Breach detection uses the k-anonymity range API. The password is hashed with SHA-1 on your device and only the first 5 hexadecimal characters of that hash are sent; the returned list of matching hash suffixes is compared locally, so neither the password nor its full hash leaves your device.
  • Google Analytics: We use GA4 on our marketing website (sandpass.io) to understand traffic. The browser extension does not include any analytics or tracking.

7. Data Deletion

You can delete your account at any time. This permanently removes all encrypted vault data, device records, session data, and login history from our servers. This action is irreversible.

8. Data Breach

In the unlikely event of a server breach, attackers would obtain only encrypted blobs. Without your master password (which we never store or transmit), decrypting this data is computationally infeasible. The one caveat is that this protection is only as strong as the master password itself: Argon2id makes every guess expensive, but a short or reused master password can still be guessed offline, so choose a long, unique one. We will notify affected users within 72 hours of discovering any breach.

9. Contact

For privacy-related inquiries, contact us at support@sandpass.io.