Privacy Policy
Last updated: July 10, 2026
Short version: CredentialBase is a zero-knowledge password manager. We cannot read your passwords, usernames, notes, or card numbers — they are encrypted on your device before reaching our servers. This policy explains what minimal data we do collect and why.
1. What data we collect
We collect only what is necessary to operate the service:
- Email address:Required to identify your account and authenticate you.
- Encrypted vault items:AES-256-GCM encrypted blobs. We cannot decrypt these.
- Session metadata:Device name, IP address, browser user-agent, last-active timestamp. Used to display your active sessions to you.
- Share link metadata:UUID, expiry time, view count, hashed PIN (if set). The encrypted content of shared items cannot be decrypted by us.
- Account timestamps:When your account was created and last updated.
2. What we do not collect
By design, we have no access to:
- Your master password (never transmitted)
- Your encryption key (derived in browser, never leaves your device)
- Plaintext passwords, usernames, or notes
- Decrypted card numbers, expiry dates, or CVVs
- Decryption keys for share links (transmitted only in URL fragments, excluded from HTTP requests)
- Browsing history or website visit data
- Analytics or tracking data from your usage of the extension
3. How we use your data
We use your email to authenticate your sessions and, with your explicit consent, to send you important service updates (security notices, policy changes). We do not send marketing emails without consent.
We use session metadata to display your active sessions to you in the extension and web dashboard, so you can revoke suspicious access.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Third-party services
We use the following third-party services:
- Polar.sh (payment processing): If you subscribe to Pro, billing is handled by Polar.sh. They collect and store your payment information (card number, billing address) under their own privacy policy and PCI compliance. We receive only a subscription status update via webhook — we never see your card details.
- Hosting infrastructure: Our backend runs on cloud infrastructure. Server logs may contain IP addresses and request timestamps for operational purposes. Logs are retained for 30 days.
5. Data retention
Your data is retained as long as your account exists. When you delete your account (Settings → Delete account), all vault items, share links, sessions, and account data are permanently and immediately deleted from our servers. This action is irreversible.
Encrypted backups (if any) are purged within 7 days of account deletion.
6. Your rights
Regardless of your location, you have the right to:
- Access: request a copy of the data we hold about you
- Deletion: delete your account and all data at any time via Settings
- Portability: export your encrypted vault data
- Correction: update your email address via your account settings
- Objection: opt out of any non-essential communications
For GDPR, CCPA, or other privacy regulation requests, contact us at the address below.
7. Security
We use industry-standard security practices for our infrastructure. However, the most important security guarantee of CredentialBase is architectural — your vault data is encrypted before reaching us, so a server-side breach cannot expose your credentials. See our Security page for full technical details.
8. Cookies
The CredentialBase web dashboard uses a single httpOnly cookie to maintain your web session. We do not use advertising cookies or third-party tracking cookies. The Chrome extension uses chrome.storage.local and chrome.storage.session — not browser cookies.
9. Changes to this policy
We will notify you of material changes to this policy via email and in-product notice. Continued use of CredentialBase after changes are published constitutes acceptance of the updated policy. The effective date at the top of this page will always reflect the most recent update.
10. Contact
Privacy questions, data requests, or concerns: privacy@credentialbase.com