Data Safety
Last updated: May 27, 2026
This page provides a clear summary of how mypass handles data, formatted to align with the data safety requirements of Google Play, Apple App Store, and Microsoft Store.
Data Collection
mypass does not collect any data.
- No personal information is collected
- No usage data or analytics are collected
- No crash reports are collected
- No device identifiers are collected
- No advertising IDs are collected
Data Sharing
mypass does not share any data with third parties.
- No data is shared with the developer
- No data is shared with advertisers
- No data is shared with analytics providers
- No data is sold to anyone
Data Storage & Encryption
- All vault data is encrypted on-device using XChaCha20-Poly1305 (256-bit keys) before leaving the device
- The encryption key is derived from your master password using Argon2id
- Encrypted data is synced to a cloud storage provider that you own and control
- The storage backend only ever receives ciphertext — it cannot read your data
- Device-cached keys are stored in the OS secure keychain (Android Keystore / iOS Keychain) and are protected by biometric authentication
Data Deletion
- Uninstalling the app removes all local data from your device
- Remote data can be deleted by you at any time via your storage provider's dashboard
- The developer has no access to your remote data and cannot delete it on your behalf
Network Permissions
mypass requires network access solely to sync your encrypted vault with your cloud storage provider. No other network communication occurs. There are no background network requests or push notifications, and there is no phone-home behavior.
Other Permissions
- Camera: Used for scanning QR codes (TOTP setup and importing settings from the desktop client). No images are stored or transmitted.
- Biometrics: Used to gate access to the device-cached unlock key. Biometric data is handled entirely by the OS and is never accessed by mypass.
Contact
Questions about data safety: [email protected]