Privacy Policy

Last updated: April 28, 2025

ConfPass ("we", "our", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

1. What we collect

• Account information: Your username and email address when you register.
• Encrypted vault data: Your passwords and vault entries, encrypted on your device before transmission. We cannot read this data.
• Usage metadata: Timestamps of vault sync operations, session tokens, and IP address hashes for security purposes.
• Device identifiers: A hardware ID hash used to detect unauthorized session access. This is not linked to personal identity.

2. What we do NOT collect

• Your master password — it never leaves your device.
• Plaintext vault contents — all data is encrypted client-side.
• Browser history, visited URLs, or autofill content.
• Any data for advertising or profiling purposes.

3. How we use your data

• To provide and maintain the ConfPass service.
• To send email verification and security alerts (e.g. breach notifications).
• To detect and prevent unauthorized access to your account.

4. Data storage and security

Encrypted vault data is stored on servers located in the European Union. We use AES-256-GCM encryption, TLS 1.3 for transport, and rotating authentication tokens. Access to production systems is strictly limited.

5. Data retention

Your data is retained as long as your account exists. You may delete your account at any time from the app settings, which permanently erases all associated data within 30 days.

6. Third-party services

ConfPass uses HaveIBeenPwned (HIBP) for breach checking. Password hashes are sent as k-anonymity prefix queries — your full password is never transmitted. No other third-party analytics or tracking services are used.

7. Browser extension

The ConfPass browser extension communicates exclusively with the local ConfPass desktop app and pass.conftag.pro. It does not transmit browsing data to any external service.

8. Your rights

You have the right to access, correct, or delete your personal data at any time. To exercise these rights, contact us at emre.conf@gmail.com.

9. Contact

For privacy questions, email emre.conf@gmail.com.