Privacy Policy

Effective February 2026

What We Collect

Nothing. Secure Authenticator operates entirely within your browser. We do not collect, transmit, or store any user data on external servers.

Local Storage

Your TOTP/HOTP secrets are encrypted with AES-256-GCM using a key derived from your passphrase (PBKDF2, 100,000 iterations, random 16-byte salt) and stored in Chrome's local storage on your device. Your passphrase is held in memory only and never written to disk.

Network Requests

Secure Authenticator makes zero network requests. No analytics, no telemetry, no crash reporting, no update checks. All fonts and assets are bundled with the extension.

Permissions

• storage — Save your encrypted vault locally on your device
• clipboardWrite — Copy codes to your clipboard when you click an account
• downloads — Export encrypted backup files when you request one
• activeTab — Capture the visible tab to scan QR codes from web pages

We request only the permissions we use. None of these permissions allow us to read your browsing history, access other tabs, or monitor your activity.

Analytics

None. We do not use Google Analytics, Mixpanel, Sentry, or any tracking or crash-reporting service.

Third Parties

We do not share any data with third parties. There is no data to share.

Clipboard

When you copy a code, Secure Authenticator automatically clears the clipboard after 30 seconds to prevent accidental exposure.

Session Persistence

Your passphrase is temporarily stored in Chrome's session storage to avoid re-entry when reopening the popup. This data is automatically cleared when you close your browser or after 30 minutes of inactivity.

Children's Privacy

Secure Authenticator does not knowingly collect any information from children under the age of 13.

Changes to This Policy

If we update this privacy policy, changes will be posted on this page with the effective date updated above.

Contact

For privacy inquiries, contact privacy@2favault.app.