Privacy Policy
Effective date: June 8, 2025 · PassHex is a product of Lakeshore IT Consulting
The short version: PassHex is a zero-knowledge password manager. Your passwords are encrypted in your browser before they ever leave your device. We cannot read your vault. We do not sell your data. We collect only what is necessary to run your account and process your subscription.
1. Who We Are
PassHex ("PassHex", "we", "us", or "our") is operated by Lakeshore IT Consulting. You can contact us at [email protected].
2. Information We Collect
We collect the minimum information required to provide the service:
- Account information: Your email address and display name, provided at registration.
- Authentication data: A hashed (bcrypt) copy of your password. We never store your password in plaintext.
- Subscription data: Your Stripe customer ID and subscription ID, used to manage billing. We do not store payment card details — these are handled entirely by Stripe.
- Vault payload: An encrypted blob (AES-256-GCM) of your password vault. This is encrypted client-side with your master password before it is sent to our server. We cannot decrypt it. We do not have access to your master password.
- API token: A bearer token used by the browser extension to authenticate vault requests.
- Login metadata: Last login timestamp and failed login count, used for security lockout.
3. Information We Do Not Collect
- We do not collect the contents of your vault in readable form.
- We do not collect your master password — ever.
- We do not use analytics, tracking pixels, or third-party advertising scripts.
- We do not track your browsing activity.
- We do not sell, rent, or share your personal information with third parties for marketing purposes.
4. Browser Extension
The PassHex browser extension stores two items locally on your device using chrome.storage.local: your PassHex server URL and your API token. These never leave your device except when making authenticated requests to your PassHex account. The extension:
- Injects a key icon into password fields on websites you visit so you can autofill credentials.
- Reads the current page URL to match stored credentials — this happens entirely in your browser.
- Decrypts your vault in memory only — decrypted data is never written to disk or sent anywhere.
- Clears all decrypted vault data from memory when the browser is closed or the extension is locked.
5. How We Use Your Information
- To create and manage your account.
- To store and return your encrypted vault payload.
- To process subscription payments via Stripe.
- To enforce account security (rate limiting, lockout on repeated failed logins).
- To send transactional emails (sign-in verification codes, account notices). We do not send marketing emails.
6. Third-Party Services
We use the following third-party services to operate PassHex:
- Stripe — payment processing. Stripe's privacy policy applies to payment data: stripe.com/privacy
- DigitalOcean — cloud hosting. Your data is stored on servers operated by DigitalOcean in the United States.
7. Data Retention
Your account data is retained for as long as your account is active. If you delete your account, all associated data — including your encrypted vault — is permanently deleted within 30 days. Stripe may retain billing records for longer periods as required by law.
8. Security
PassHex uses AES-256-GCM encryption with PBKDF2-SHA256 (600,000 iterations) for vault encryption, bcrypt for password hashing, and TOTP-based two-factor authentication. All connections to PassHex are encrypted via HTTPS/TLS. Despite these measures, no system is perfectly secure — you are responsible for keeping your master password confidential.
9. Your Rights
You may request deletion of your account and all associated data at any time by contacting us at [email protected]. You may also export your vault data at any time from within the app.
10. Children
PassHex is not directed at children under 13. We do not knowingly collect personal information from children under 13.
11. Changes to This Policy
We may update this policy from time to time. The effective date at the top of this page will reflect when changes were last made. Continued use of PassHex after changes constitutes acceptance of the updated policy.
12. Contact
Questions about this policy? Email us at [email protected].