Privacy Policy & Terms

01Overview

reneph ("Password Safe", "us", "we" or "our") develops the Password Safe mobile application and operates the website at passwordsafe.app (together, the "Service"). This Privacy Policy explains how we handle your information when you use the app on Android, iOS and Wear OS, or browse our website.

Password Safe is built offline-first and zero-knowledge: your vault is encrypted on your device and we run no servers that store or receive it. By using the Service, you agree to the practices described here. Unless otherwise defined, terms in this Privacy Policy have the same meaning as in our Terms of Use below.

02Definitions

• Service — the Password Safe mobile application and the passwordsafe.app website.
• Personal Data — information that identifies a living individual.
• Usage Data — data collected automatically (e.g. the duration of a page visit).
• Cookies — small data files stored on your device.
• Vault — the encrypted database of passwords, passkeys and credentials you create in the app.
• Data Controller — the entity that determines the purposes of personal data use. For this policy, that is reneph.
• Data Processor (Service Provider) — a third party that processes data on behalf of the Data Controller.
• Data Subject (User) — any living individual using the Service.

03Information collection and use

Your vault data stays on your device

Password Safe does not collect, transmit or have access to any of the passwords, passkeys, notes or other entries you store in the app. Your entire vault is encrypted with AES-256 on your device using your master password, which never leaves the device. Because the encryption is zero-knowledge, we cannot read your vault and cannot recover it if you lose your master password. As no method of storage can ever be 100% secure, we cannot guarantee absolute security, but your content is never saved on our servers.

Optional cloud sync

Cloud sync is optional, opt-in and off by default. When you enable it, your vault is encrypted on your device before it is uploaded, and it is synced only through a cloud account that you connect and control:

• Your own Dropbox or Google Drive — your cloud provider only ever stores an already-encrypted file. We are not a party to this storage.
• On platforms where system backup is enabled (e.g. Android/Google or Apple iCloud backup), your encrypted app data may be included in that backup. This is controlled by your device settings and can be disabled there.

No accounts, no tracking

The app requires no account or registration to use. We do not embed analytics or advertising SDKs in the app, and we do not collect telemetry about how you use your vault.

04Website data, cookies & fonts

This section applies when you visit our website at passwordsafe.app, as opposed to using the mobile app.

Server log data

For technical reasons, your browser automatically sends certain data to our hosting provider so we can deliver a secure and stable website. These server log files record the type and version of your browser, your operating system, the page you came from (referrer URL), the pages you visit, the date and time of your visit, and the IP address from which you visited. This data is stored temporarily and is not combined with any of your other data.

The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in the improvement, stability, functionality and security of our website. The data is deleted within no more than seven days, unless continued storage is required for evidentiary purposes, in which case the relevant data is excluded from deletion until the incident is resolved.

Cookies

Session cookies. Cookies are small text files (or similar storage technologies) placed on your device by your browser. They may process information such as your browser, language preference or IP address to make the site more user-friendly, efficient and secure — for example, to remember whether you are viewing the site in English or German. The legal basis is Art. 6(1)(b) GDPR where cookies are used to perform a contract, and otherwise Art. 6(1)(f) GDPR, our legitimate interest being the functionality of the site. Session cookies are deleted when you close your browser.

Disabling cookies. You can refuse or delete cookies in your browser settings; the exact steps vary by browser, so please consult your browser's help function. If you restrict cookies, some functions of the site may not be fully usable.

Google Fonts

Our website uses Google Fonts to display certain typefaces, a service provided by Google Ireland Limited / Google LLC ("Google"). When you access the site, your browser establishes a connection to a Google server in order to load the fonts; through this, Google can identify the site the request came from and the IP address to which the fonts are delivered. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in the optimised and economical operation of our site. Transfers of personal data to the United States are governed by the EU-US Data Privacy Framework and/or the European Commission's standard contractual clauses. Google provides further information in its privacy policy.

05Legal basis for processing (GDPR)

If you are from the European Economic Area (EEA), our legal basis for collecting and using the personal information described in this policy depends on the Personal Data concerned and the specific context in which we collect it. We may process your Personal Data because:

• We need to perform a contract with you (e.g. to provide a Pro upgrade you purchased).
• You have given us permission to do so (consent).
• The processing is in our legitimate interests and is not overridden by your rights.
• We need to comply with the law, including legal obligations and payment processing.

06Data retention & security

We retain your vault data only:

• Locally on your device, or
• In your chosen cloud provider (e.g. Dropbox, Google Drive), in encrypted form.

Website server log data is retained as described above. We do not maintain user accounts, so there is no profile of you held on our systems.

Security of data

The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. Your vault is protected by AES-256 encryption derived from your master password. While we strive to use commercially acceptable means to protect any Personal Data we do handle, we cannot guarantee its absolute security.

07Your rights under GDPR

If you are a resident of the EEA, you have certain data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete or limit the use of your Personal Data. In certain circumstances, you have the following rights:

• Access, update or delete the information we hold about you.
• Rectification — to have inaccurate or incomplete information corrected.
• Object to our processing of your Personal Data.
• Restriction — to request that we restrict the processing of your information.
• Data portability — to receive a copy of your data in a structured, machine-readable, commonly used format. (In the app, you can export your vault to CSV at any time.)
• Withdraw consent at any time where we relied on your consent.

To exercise these rights, contact us at privacy@passwordsafe.app. Proof of identity may be requested. You also have the right to lodge a complaint with a data protection authority.

08Service providers

We may employ third-party companies to facilitate our Service, provide it on our behalf, or help us deliver the website. These third parties have access to limited data only to perform tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Payments

The Pro upgrade is sold as an in-app purchase processed entirely by the relevant app store. We do not store or collect your payment card details — that information is provided directly to the store, which adheres to PCI-DSS standards. The payment processors involved are:

• Google Play In-App Payments — privacy policy
• Apple App Store In-App Payments — privacy policy

09Advertising

The Password Safe app contains no advertising and no advertising trackers. We may, from time to time, promote the app on third-party platforms (for example via Google Ads or Apple Search Ads). These campaigns are run on the advertising platforms themselves and are not driven by data collected inside the app or your vault. You can manage ad personalisation via the Google Ads Settings page and Apple's Search Ads privacy page.

10Other sites & children

Links to other sites

Our Service may contain links to sites not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over, and assume no responsibility for, the content or privacy practices of any third-party sites or services.

Children's privacy

Our Service does not address anyone under the age of 16 ("Children"). We do not knowingly collect personally identifiable information from anyone under 16. If you are a parent or guardian and become aware that your child has provided us with Personal Data, please contact us so we can address it.

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the effective date above. Changes are effective when posted on this page.

11Terms of Use

In-app purchase & Pro upgrade

Password Safe is free to use, with an optional Pro upgrade that unlocks additional features such as cloud sync, biometric unlock, attachments, password history and additional export formats. The Pro upgrade is a one-time purchase made via in-app purchase — there is no subscription and no recurring charge.

• Android — the purchase is processed through your Google account.
• iOS — the purchase is processed through your Apple account.
• Because Pro is a one-time purchase, it does not auto-renew and is not billed periodically.
• Refunds, where applicable, are handled according to the policies of the relevant app store.

Acceptable use

You agree to use Password Safe only for lawful purposes and not to attempt to circumvent, disable or interfere with security-related features of the app. The app is licensed to you, not sold; this licence is personal and non-transferable.

12Disclaimer & liability

No warranty

Password Safe is provided "as is" without any express or implied warranties. We make no warranty or representation regarding the accuracy or completeness of any information, text, graphics, links or other content that is part of the app, and disclaim any warranty for damages caused by the transmission of computer viruses, worms, time bombs, logic bombs, trojans or other malicious software.

Disclaimer of liability

In no event shall reneph be liable for damages (including but not limited to loss of profits, business interruption or data loss), nor for indirect, special or consequential damages, nor for damages arising from contract, tort or otherwise. The user acknowledges that the software may not be free of errors and may not meet all requirements; installation and use are at the user's own risk.

Although Password Safe is tested with best efforts, it uses database and encryption technologies that may, in rare cases, become corrupted, resulting in data loss. Because your vault is zero-knowledge encrypted, a lost or forgotten master password cannot be recovered by anyone, including us. You are responsible for keeping your master password safe and for maintaining regular encrypted backups of your vault.

Copyright

The software is the property of reneph. It is not permitted to recompile, disassemble, modify, translate or clone the software, in whole or in part, without authorisation.

Contact

Questions about this policy or the terms? Email privacy@passwordsafe.app. For the provider's full legal details, see the Imprint.

Version as of 29 May 2026.