Privacy Policy

Pass014 is a self-hosted password manager. The people who publish Pass014 operate no servers and collect no data about you. The app either keeps everything on your device with no backend at all, or talks only to a backend you run — and either way your vault is end-to-end encrypted. Everything below follows from that.

Who runs the service
There is no Pass014-operated cloud. The app connects only to a backend server that you — or whoever set up your account — run. In a self-hosted deployment, the operator of that server is the data controller for whatever it stores; the Pass014 publisher is never in your data path.
What the app keeps on your device
Your vault is stored end-to-end encrypted. The iOS Keychain holds this device's keys behind Face ID and your device passcode. The app remembers your backend URL, your last-used username, and your preferences in local app storage. For offline access and autofill it keeps an AEAD-sealed (encrypted) snapshot of each vault in its app-group container. All of this stays on your device and is removed when you sign out or use Wipe all keychain data in Settings.
What the app sends, and to whom
If you connect to a backend, data leaves your device only to that backend, over TLS — and in local-only mode nothing leaves the device at all. When a backend is configured, that server receives your username, your devices' public WebAuthn credentials, sign-in timestamps, the size of your (encrypted) vault, and an audit log of account, device, vault, and membership events. It does not receive your entry contents, entry names, your encryption keys, or anything decryptable — those never leave your device in plaintext. Pass014 has no master password: your vault's encryption key is derived from your passkey (a hardware security key or this device's Secure Enclave / Face ID), never from a password stored on any server or disk — so no one, including a server operator, holds a key that could decrypt your vault.
No analytics, no tracking, no third parties
Pass014 contains no analytics, advertising, crash-reporting, or other third-party SDKs. It does not track you across other companies' apps or websites, shares no data with anyone, and sells no data. There is nothing to opt out of, because nothing is collected.
Device permissions
Camera — to scan and save QR codes and barcodes; images are processed on-device and are neither stored nor transmitted. Face ID — to unlock your vault; biometric data is handled entirely by iOS and is never seen by the app. NFC — to communicate with your hardware security key during WebAuthn ceremonies: registering or adding a recovery key, signing in, and unlocking.
Keeping and deleting your data
You control all of it. Delete entries, vaults, or your whole account on your own backend; sign out or use Wipe all keychain data to clear everything from this device. Because the publisher stores nothing about you, there is no publisher-held copy to request or erase; any data question about a hosted account goes to whoever operates that backend.
Children
Pass014 is a general-purpose utility, is not directed at children, and collects no personal information from anyone.
Changes and contact
We'll post any change to this policy on this page with a new date. Questions about privacy can be raised on the project's GitHub repository.

Last updated: 25 June 2026.