Data Safety
Last updated: June 14, 2026
This page provides a clear summary of how mypass handles data, formatted to align with the data safety requirements of Google Play and the Microsoft Store.
Data Collection
mypass does not collect any data.
- No personal information is collected
- No usage data or analytics are collected
- No crash reports are collected
- No device identifiers are collected
- No advertising IDs are collected
Data Sharing
mypass does not share any data with third parties.
- No data is shared with the developer
- No data is shared with advertisers
- No data is shared with analytics providers
- No data is sold to anyone
Data Storage & Encryption
- All vault data is encrypted on-device using XChaCha20-Poly1305 (256-bit keys) before leaving the device
- The encryption key is derived from your master password using Argon2id
- Encrypted data is synced to a cloud storage provider that you own and control
- The storage backend only ever receives ciphertext — it cannot read your data
- Device-cached keys are stored in the OS secure keychain (such as the Android Keystore) and are protected by biometric authentication or a PIN
Data Deletion
- Uninstalling the app removes all local data from your device
- Remote data can be deleted by you at any time via your storage provider's dashboard
- The developer has no access to your remote data and cannot delete it on your behalf
Network Permissions
mypass uses the network only for the purposes below. It never contacts the developer and never communicates with any analytics, advertising, or tracking service.
- Cloud sync: uploading and downloading your encrypted vault to the cloud storage provider you set up and control. The backend only ever receives ciphertext.
- Device setup (local network): when you transfer your setup to a new device, the two devices connect directly to each other over your local network (Wi-Fi / LAN). The transfer is encrypted and authorized by a one-time code shown on screen; the data does not pass through any server.
- Browser extension (localhost only): on desktop, the app listens on a loopback address (
127.0.0.1) so the optional browser extension can communicate with it. This connection never leaves your computer, is encrypted, and is authorized by a one-time pairing code.
There are no background network requests, push notifications, or phone-home behavior.
Other Permissions
- Camera: Used for scanning QR codes (TOTP setup and importing settings from the desktop client). No images are stored or transmitted.
- Biometrics: Used to gate access to the device-cached unlock key. Biometric data is handled entirely by the OS and is never accessed by mypass.
Contact
Questions about data safety: [email protected]