keyfount
Back to home

Privacy policy

Last updated · 2026-05-26

This Privacy Policy describes how the Keyfount Project (the "Project", "we") handles information when you use the browser extension, the desktop application, the mobile applications, the website at keyfount.github.io or any other software distributed by the Project (together, the "Service"). Keyfount is engineered around a single principle: the Project operates no user-facing infrastructure and is designed to collect no personal data.

1. Data controller and contact

For the purposes of the General Data Protection Regulation ("GDPR", Regulation (EU) 2016/679) and the French Data Protection Act ("Loi Informatique et Libertés"), the Project is the data controller for the very limited data described below. Privacy enquiries may be sent to privacy-keyfount@loule.me.

2. Summary — what we do and do not collect

The Project does not collect, process, transmit, store or share your master password, derived passwords, account identifiers, site domains, per-site profiles, browsing activity, IP address, device identifiers, telemetry, crash reports or any other personal data. All cryptographic operations are performed locally on your device. The Service does not require an account with the Project.

3. Data processed locally on your device

The Service stores the following data exclusively in the local storage of your browser, operating system or device — never on the Project's infrastructure:

  • Per-site derivation profiles — registrable domain, account identifier, password length, character classes, counter and suffix rules. Metadata only — never the derived password itself.
  • Interface preferences — theme, language and session-timeout settings.
  • Optional encrypted master-password hint — if you choose to set one, it is encrypted on your device using a key derived from your master password and never leaves the device.
  • A local visual fingerprint — a deterministic identicon derived from your master password, displayed to help you detect mistyping. The underlying value is never persisted.

You can inspect or delete this data at any time from the in-app settings panel, from the browser's extension-storage inspector or by uninstalling the Service.

4. The website (keyfount.github.io)

The website is a static site built with Astro and served from GitHub Pages. The Project does not set cookies, does not embed analytics, advertising, fingerprinting or social-media trackers and does not trigger any network request after the initial page load. You can verify this by opening your browser's network inspector. The interactive "Try it live" demonstration performs the derivation in your browser using WebAssembly; the inputs never leave the page.

Because the website is hosted on GitHub Pages, GitHub, Inc. may record standard HTTP access logs (including IP address and user-agent) as part of its infrastructure operations. Those logs are processed by GitHub under its own privacy statement. The Project has no access to them.

5. Permissions requested by the browser extension

The extension requests only the permissions strictly required to operate locally. It declares no host_permissions and cannot reach the network from its content scripts.

  • storage — to persist per-site derivation profiles, interface preferences and the optional encrypted hint in the browser's extension storage on your device.
  • activeTab — to read the registrable domain of the current tab when you explicitly invoke the extension, so it can propose the matching profile. The domain is processed in memory only and is never persisted or transmitted by the extension.
  • scripting — to inject the password-fill script into the active tab when you explicitly press "fill". The script reads no other data from the page.
  • alarms — to schedule the local auto-lock timer that clears the in-memory master after a period of inactivity, in line with your session-timeout preference.
  • favicon — to display the favicon of a saved site next to its entry in the account list. Favicons are retrieved by the browser from its existing favicon cache; the extension does not perform additional network requests.
  • contextMenus — to add the "Fill with Keyfount" entry to the browser's right-click menu on password fields.

6. Desktop and mobile applications

The desktop and mobile applications (built with Tauri) follow the same principle as the extension. They perform their cryptographic operations locally, store derivation profiles and preferences in the operating system's application-data directory and request only the capabilities required for those operations (file-system access scoped to the application directory, clipboard access at your explicit request, autofill APIs when integrated with the operating system). They open no outbound network connection by default.

7. Optional self-hosted sync server

The Project publishes the source code and container images of an optional sync server. A user who chooses to operate such a server deploys it on infrastructure under that user's own control. With respect to that deployment:

  • the self-hoster is the data controller and the operator of the service;
  • the Project is neither a controller nor a processor of any data transmitted to that deployment;
  • authentication uses OPAQUE, an asymmetric password-authenticated key-exchange protocol: the server never sees the master password and a complete database dump leaks nothing that an attacker can use to recover it offline;
  • the data exchanged with the server is limited to opaque ciphertexts and ordering metadata; site domains, account identifiers and derivation profiles are encrypted client-side before transmission.

If you connect a client to a self-hosted sync server, the privacy practices applicable to that server are those of its operator, not those of the Project.

8. Cookies and similar technologies

The website does not set any cookie and uses no equivalent technology (local storage, IndexedDB, ETag tracking, session replay, fingerprinting). The Service uses localStorage within the demonstration page solely to persist your UI preferences (theme, language) on that device; this data is not accessible to the Project.

9. Recipients and transfers

Because the Project processes no personal data on its infrastructure, no personal data is transferred to any recipient, processor or sub-processor. The static hosting of the website by GitHub Pages (operated by GitHub, Inc., USA) is governed by GitHub's own privacy statement and standard contractual clauses applicable to its infrastructure.

10. Retention

Data stored locally on your device is retained for as long as you keep the Service installed and is deleted when you remove the relevant entry, clear the application data or uninstall the Service. The Project itself retains no personal data and therefore has no retention period to define.

11. Legal basis for processing

To the extent that any incidental processing occurs (for example, the access logs maintained by the hosting provider of the website), the legal basis is the Project's legitimate interest in operating and securing the Service (GDPR art. 6.1.f).

12. Your rights

Because no personal data leaves your device under the Project's operation, there is no data on our side to access, rectify or erase. Under the GDPR and similar laws, your rights of access, rectification, erasure, restriction of processing, portability and objection apply to the local data stored by the Service — which you control directly through the in-app settings.

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, place of work or place of the alleged infringement. In France, the competent authority is the Commission nationale de l'informatique et des libertés (CNIL).

13. Children

The Service is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). Because the Service collects no data, no children's data is ever processed by the Project.

14. Automated decision-making and profiling

The Project carries out no automated decision-making and no profiling within the meaning of GDPR art. 22.

15. Changes to this policy

Material changes to this policy will be reflected by updating the "Last updated" date above and, where appropriate, by an in-app notice on the next release. The historical text of this policy is preserved in the website's public source repository.

16. Contact

For any privacy enquiry, contact privacy-keyfount@loule.me or open a public issue at github.com/Keyfount.