Privacy Policy — UnveilPass

1. Who We Are

UnveilPass is a zero-knowledge password manager operated by UnveilTech.

Website: https://unveilpass.com
Contact: support@unveiltech.com
Data Protection: support@unveiltech.com
SIRET: 820 274 280

2. Zero-Knowledge Architecture

    Your data is yours. All vault data (passwords, secure items, identities, notes, files) is encrypted in your browser using AES-256-GCM before being sent to our server. We cannot read, access or decrypt your vault content. Your master password is never stored or transmitted — only an irreversible Argon2id hash is used for authentication.

3. What Data We Collect

3.1 Data you provide

Data	Purpose	Storage
Email address	Account identification, login, notifications	Encrypted at rest (AES-256-GCM)
Master password	Authentication	Never stored — only irreversible Argon2id hash

3.2 Data encrypted client-side (zero-knowledge)

The following data is encrypted in your browser BEFORE being sent to our server. We cannot read it:

Vault entries (websites, usernames, passwords, notes, TOTP secrets)
Secure Items (bank accounts, credit cards, documents, vehicles, properties, subscriptions, appliances, custom items)
Identities (name, address, phone, official document numbers)
Secure Notes
File attachments
Shared credentials and team vault data
SecureSend files (encrypted file transfers)

3.3 Data collected automatically

Data	Purpose	Retention
IP address	Security (rate limiting, audit log)	90 days
Browser / User Agent	Device identification, audit log	90 days
Approximate location (city/country)	Audit log, automatic dark mode	90 days
Activity timestamps	Audit log (login, changes, sharing)	90 days

3.4 Data we do NOT collect

We do not use cookies
We do not use analytics trackers (Google Analytics, etc.)
We do not track your browsing history
We do not sell or share your data with advertisers
We do not serve ads

4. How We Use Your Data

Data	Purpose	Legal Basis (GDPR)
Email	Authentication, notifications, breach alerts	Contract (account creation)
Password hash	Authentication	Contract
Encrypted vault data	Service delivery	Contract
IP address	Security, rate limiting, abuse prevention	Legitimate interest
Audit log	Account security, compliance	Legitimate interest
Approximate location	Automatic dark mode, security	Legitimate interest

5. Third-Party Services

We use the following third-party services. No vault data (passwords, entries, notes) is ever shared with third parties.

Service	Location	Data Shared	Purpose
Stripe	USA	Email, payment information	Billing and subscription management
Have I Been Pwned (HIBP)	USA	First 5 characters of password SHA-1 hash only (k-anonymity)	Breach scanning — your actual password is never exposed
AI service provider	USA	Chat messages (only when you use the support assistant)	Optional in-app support assistant
MaxMind GeoIP	Local database	IP address (processed locally on our server, no external call)	Geolocation for audit log and dark mode
sunrise-sunset.org	External API	Approximate latitude/longitude derived from your IP	Calculate sunrise/sunset times for automatic dark mode

    About breach scanning: We use a technique called k-anonymity. Only the first 5 characters of a SHA-1 hash of your password are sent to HIBP. Your actual password never leaves your browser. This is the same method used by all major password managers.

6. Data Retention

Data	Retention Period
Account data (email, vault)	Until you delete your account
Audit log (activity history)	90 days
Deleted vault entries (trash)	30 days, then permanently purged
SecureSend files	Until TTL expires (max 7 days), metadata kept 30 days
Web sessions	60 minutes
Device trust tokens	7 days
Email verification codes	10 minutes

7. Your Rights

7.1 For all users

Access — View your data via the console (vault, audit log, settings)
Delete — Delete your account and ALL associated data permanently (Settings → Account → Delete Account)
Export — Export your vault data as CSV (Import/Export page)
Modify — Change your email, password and preferences at any time
Notifications — Enable or disable email notifications in Settings

7.2 For EU/EEA residents (GDPR)

Under the General Data Protection Regulation, you have the right to:

Access your personal data (Article 15)
Rectify inaccurate data (Article 16)
Erase your data (Article 17)
Port your data to another service (Article 20)
Object to processing (Article 21)
Lodge a complaint with your local data protection authority

7.3 For California residents (CCPA/CPRA)

Right to know what data we collect
Right to delete your data
Right to opt-out of sale — We do NOT sell your personal information
Right to non-discrimination

7.4 For other US states

Residents of Virginia, Colorado, Connecticut, Utah, Montana and other states with privacy laws have similar rights. Contact us at support@unveiltech.com for any request.

8. Data Security

Zero-knowledge encryption — All vault data encrypted client-side with AES-256-GCM
Master password — Never stored, never transmitted in cleartext
Key derivation — Argon2id with high memory/time cost parameters
Transport security — TLS 1.2+ for all communications (HSTS enabled)
Email encrypted at rest — AES-256-GCM on server
Two-factor authentication — TOTP and Passkeys/WebAuthn supported
Rate limiting — Protection against brute force attacks
Regular security audits — Including OWASP Top 10 review

9. Data Hosting

Our servers are hosted by OVH in France (European Union). Your encrypted data is stored within the EU.

When we use third-party services based in the USA (Stripe, HIBP), only minimal non-vault data is shared (email hash for HIBP, email for Stripe billing). No vault data ever leaves our EU servers.

10. Children's Privacy

UnveilPass is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us at support@unveiltech.com for immediate deletion.

11. Account Deletion

When you delete your account, ALL data is permanently and immediately removed:

Vault entries, secure items, identities, notes
File attachments and SecureSend files
Contacts, shares, team memberships
Emergency access settings
Audit log, sessions, API keys
Subscription and billing association

This action is irreversible. No data can be recovered after deletion.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice in the console. The "Last updated" date at the top indicates the latest revision.

13. Contact Us

For any questions about this Privacy Policy or your data:

Email: support@unveiltech.com
Website: https://unveilpass.com
SIRET: 820 274 280