WARDKEY

Privacy Policy

Last updated: February 15, 2026

The short version: WARDKEY uses zero-knowledge vault encryption. We cannot read, access, or decrypt your vault data. Your master password never leaves your device. We collect the minimum data needed to provide our service. Optional AI features, when activated, send anonymized metadata (never passwords) to our servers for analysis.

1. Who We Are

WARDKEY ("we," "us," "our") operates the WARDKEY password manager application, browser extension, and related services (collectively, the "Service"). We are located at 444 Alaska Avenue, Suite #AHA780, Torrance, CA 90503, USA. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

For any privacy-related questions, contact us at: wardkey047@gmail.com

2. Zero-Knowledge Vault Encryption

WARDKEY is built on a zero-knowledge vault encryption model. This means:

  • Your master password is never transmitted to our servers
  • All vault data (passwords, cards, notes, TOTP keys) is encrypted on your device using AES-256-GCM before any data leaves your device
  • Encryption keys are derived locally using PBKDF2 with 600,000 iterations (SHA-256)
  • We store only the encrypted blob — we have no ability to decrypt it
  • If you lose your master password, we cannot recover your data

Note: Zero-knowledge vault encryption applies to your vault data. If you choose to use optional AI-enhanced features (Password Analyzer, Security Report, Phishing Detector), anonymized metadata about your vault is sent to our servers for analysis. See Section 12 for details.

3. Information We Collect

3.1 Information You Provide

| Data | Purpose | Required |
|---|---|---|
| Email address | Account creation, login, password reset, important service notifications | Yes (for cloud sync) |
| Name | Personalization | No |
| Password (hashed) | Authentication — stored as bcrypt hash, never in plaintext | Yes (for cloud sync) |
| Payment information | Pro plan billing (processed by third-party payment processor) | Only for Pro plan |

3.2 Encrypted Vault Data

When cloud sync is enabled, your encrypted vault blob is stored on our servers. This blob is encrypted with AES-256-GCM using a key derived from your master password. We cannot read, access, or decrypt this data. The encrypted blob includes:

  • Encrypted passwords, usernames, and URLs
  • Encrypted payment cards, secure notes, TOTP keys
  • Encrypted metadata (creation dates, modification dates, categories)

3.3 Automatically Collected Information

| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, rate limiting, abuse prevention | 30 days |
| Device/browser type | Sync log, troubleshooting | 30 days |
| Sync timestamps | Conflict resolution, sync status | 90 days |
| Error logs | Debugging and service reliability | 30 days |

3.4 Breach Scanner

When you use the breach scanner, partial SHA-1 hashes of your passwords (the first 5 characters only) are sent to our server, which queries the Have I Been Pwned Pwned Passwords API using a k-anonymity model. Your full passwords or full hashes are never transmitted. The k-anonymity approach means neither our server nor HIBP can determine your actual passwords from the prefixes sent.
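
The k-anonymity lookup described above, as an added example that is not WARDKEY's own code: the client hashes locally, sends only the 5-character prefix, and matches the remaining 35 characters against the returned `SUFFIX:COUNT` lines. `FakeRangeServer`, the function names and the breach counts are constructed for illustration and stand in for the real range endpoint.

```python
import hashlib

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Look up a password; only the 5-character prefix is passed to fetch_range."""
    prefix, suffix = split_sha1(password)
    # The suffix comparison happens locally, so the full hash never leaves the client.
    return parse_range(fetch_range(prefix)).get(suffix, 0)

class FakeRangeServer:
    """Constructed stand-in for the range endpoint; records every query it receives."""
    def __init__(self, corpus):
        self.rows, self.seen = {}, []
        for pw, n in corpus.items():
            prefix, suffix = split_sha1(pw)
            self.rows.setdefault(prefix, []).append(f"{suffix}:{n}")

    def __call__(self, prefix):
        if len(prefix) != 5:
            raise ValueError("range query must be exactly 5 hex characters")
        self.seen.append(prefix)
        # A zero-count row (as in padded range responses) must not count as a hit.
        padding = "0" * 35 + ":0"
        return "\r\n".join(self.rows.get(prefix, []) + [padding])

def demo():
    server = FakeRangeServer({"password": 1000, "letmein": 50})  # constructed counts
    hits = breach_count("password", server)
    misses = breach_count("correct horse battery staple 7!", server)
    return hits, misses, server.seen

if __name__ == "__main__":
    print(demo())
```

`server.seen` is the complete record of what the server side observed: two 5-character prefixes, nothing more.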

3.5 Emergency Access

When you add an emergency contact, we send email notifications to the contact's email address on your behalf (invitation, access request notifications, approvals, and denials). The email addresses of your emergency contacts are stored on our servers to facilitate this feature.

3.6 Share Links

When you create a share link, the encrypted credential data is stored on our server. The decryption key is embedded in the URL fragment (the part after the # symbol) and is never sent to our server. Only the recipient with the full URL can decrypt the shared data.

3.7 Information We Do NOT Collect

  • Your master password (never transmitted)
  • Decrypted vault contents
  • Browsing history or website visits
  • Keystrokes or form data (the extension only interacts with login fields when it detects them)
  • Analytics or tracking data from the extension
  • Data from other extensions or tabs

4. How We Use Your Information

We use collected information solely to:

  • Provide the Service: Account authentication, cloud vault sync, and device management
  • Maintain security: Detect and prevent unauthorized access, brute-force attacks, and abuse
  • Communicate with you: Service notifications, security alerts, and support responses
  • Improve the Service: Aggregate, anonymized usage patterns (never individual data)
  • Process payments: For Pro plan subscribers, through our payment processor

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising or profiling.

5. Data Sharing and Disclosure

We may share information only in these limited circumstances:

  • Service providers: Hosting infrastructure, payment processors, and email delivery services that process data on our behalf under strict contractual obligations
  • Legal requirements: When required by law, regulation, legal process, or enforceable government request. Note: even if compelled, we can only provide the encrypted vault blob — we cannot decrypt it
  • Business transfers: In connection with a merger, acquisition, or sale of assets (your data protections would continue under the new entity)
  • With your consent: When you explicitly authorize us to share specific information

6. Data Storage and Security

  • Account data and encrypted vaults are stored on secure servers with encryption at rest
  • All data in transit is encrypted using TLS 1.2 or higher
  • Authentication passwords are hashed using bcrypt with appropriate cost factors
  • Access to production systems is restricted and monitored
  • We conduct regular security reviews of our codebase

7. Data Retention

| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Encrypted vault | Until account deletion or vault deletion |
| Sync logs | 90 days |
| Server logs (IP, errors) | 30 days |
| Payment records | As required by tax/financial regulations (typically 7 years) |

When you delete your account, your encrypted vault is permanently deleted immediately. Account metadata and related data are deleted within 30 days. Some information may be retained in encrypted backups for up to 90 days before being purged.

8. Your Rights

Depending on your jurisdiction, you have the following rights:

8.1 All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct inaccurate personal data
  • Deletion: Delete your account and all associated data
  • Export: Export your vault data (decrypted locally on your device)
  • Withdraw consent: Disable cloud sync at any time; your local vault remains yours

8.2 European Economic Area (GDPR)

If you are in the EEA, you additionally have the right to:

  • Data portability: Receive your data in a structured, machine-readable format
  • Restrict processing: Request restriction of processing in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Lodge a complaint: File a complaint with your local data protection authority

Legal basis for processing: We process your data based on (a) contractual necessity (providing the Service), (b) legitimate interests (security, service improvement), and (c) your consent (optional features like cloud sync).

8.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Delete personal information we have collected
  • Opt-out of the sale or sharing of personal information — we do not sell or share personal information
  • Correct inaccurate personal information we hold about you
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights

To submit a verifiable consumer request, email wardkey047@gmail.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days (extendable by an additional 45 days if needed). You may also designate an authorized agent to submit a request on your behalf — the agent must provide written authorization signed by you.

In the preceding 12 months, we have not sold any personal information. We do not use or disclose sensitive personal information for purposes other than providing the Service.

8.4 Other Jurisdictions

We respect privacy rights under all applicable laws, including but not limited to: LGPD (Brazil), PIPEDA (Canada), POPIA (South Africa), and the Australian Privacy Act. If you have jurisdiction-specific questions, contact us at wardkey047@gmail.com.

9. Browser Extension Privacy

The WARDKEY browser extension:

  • Runs a content script on web pages to detect login forms; it only interacts with form fields when credentials are available or when you initiate autofill
  • Does not collect browsing history, page content, or analytics
  • Does not communicate with any third-party servers — only with api.wardkey.io for vault sync
  • Stores vault data locally in chrome.storage.local (encrypted)
  • Session data (auto-unlock) is stored in chrome.storage.session and cleared when the browser closes
  • Requires only the minimum permissions needed: activeTab, storage, contextMenus, alarms, clipboardWrite
  • Uses a host permission (<all_urls>) to detect login forms and offer autofill on any website you visit — the extension does not read page content or browsing history

10. Children's Privacy

WARDKEY is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at wardkey047@gmail.com.

11. International Data Transfers

Your encrypted vault data may be stored on servers located outside your country of residence. Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Encryption of all data at rest and in transit
  • The zero-knowledge vault encryption ensures transferred vault data cannot be read by anyone — including us

12. Third-Party Services

We use the following third-party services:

| Service | Purpose | Data Shared |
|---|---|---|
| Hosting provider | Server infrastructure | Encrypted vault blobs, account data |
| Payment processor | Pro plan billing | Payment information (never vault data) |
| Email service | Transactional emails (account verification, emergency access notifications) | Email address |
| Kit.com (ConvertKit) | Marketing email collection (landing page signup forms) | Email address, signup source |
| Anthropic (Claude AI) | AI-enhanced vault analysis (optional) | Anonymized vault metadata; raw text for Phishing Detector (see AI Analysis section) |

All third-party providers are bound by data processing agreements and are prohibited from using your data for any purpose other than providing their service to us.

AI Analysis Services

When you use WARDKEY's AI-enhanced features, data is sent to our servers and processed using Anthropic's Claude AI. You can use WARDKEY without ever activating AI features — they are entirely optional.

  • Password Analyzer & Security Report: Anonymized vault metadata (password strength scores, character class distributions, item counts, reuse counts, age metrics) is sent. Your actual passwords are never sent.
  • Phishing Detector: The text or URL you paste into the analyzer is sent to our servers for AI analysis. Do not paste content containing passwords or sensitive credentials. Only paste suspicious emails, messages, or URLs you want checked for phishing indicators.

| Data Sent to AI | Data Never Sent |
|---|---|
| Password length, character class distribution, strength score | Actual passwords, usernames, URLs |
| Number of vault items per category | Vault item names or contents |
| Reuse counts, age metrics | Any personally identifiable information |

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification for significant changes
  • Displaying a notice in the application

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. For material changes that affect how we process your data based on consent, we will seek your explicit agreement before the changes take effect.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

  • Email: wardkey047@gmail.com
  • Address: 444 Alaska Avenue, Suite #AHA780, Torrance, CA 90503, USA

For GDPR-related inquiries, you may also contact your local data protection authority.

© 2026 WARDKEY. Your passwords, your device, your rules.