At LockPulse, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your information when you use our zero-knowledge password manager service.
Core Principle: We are built on a zero-knowledge architecture, meaning we cannot access, view, or decrypt your stored credentials. Your privacy is protected by cryptography, not just policy.
2. Our Zero-Knowledge Commitment
What Zero-Knowledge Means for You:
Your master password never leaves your device
All encryption happens in your browser before data reaches our servers
We store only encrypted data that we mathematically cannot decrypt
Even if compelled by law enforcement, we cannot provide your passwords
Our employees cannot access your credentials under any circumstances
A data breach would only expose useless encrypted data
3. Information We Collect
3.1 Data Encrypted Client-Side (We Cannot Access)
The following information is encrypted on your device before transmission and remains encrypted on our servers. We have zero technical ability to decrypt this data:
All credential data: passwords, usernames, notes, URLs, tags
Credential titles and names
Project data: project names, descriptions, and associated credentials
Service data: service names and credentials
Custom fields and additional notes
Any content you enter into password items
This data is protected by AES-256-GCM encryption with keys derived from your master password using Argon2id key derivation function.
3.2 Account Information (Necessary for Service)
To provide our service, we must collect and store certain unencrypted information. This is the minimum data necessary for the app to function securely:
Email address: Required for account verification, password reset requests, and critical security notifications
Username: Your unique identifier for login (not your email)
Full name (optional): If provided, used for personalization
Email verification status: Whether your email has been verified
Account timestamps: When your account was created and last updated
Why we need this:
Email: To send verification codes, password reset links, and breach notifications
Username: To identify your account without exposing your email during login
Verification status: To ensure account security and prevent spam
3.3 Cryptographic Data (Necessary for Zero-Knowledge Architecture)
To enable zero-knowledge authentication and encryption, we store cryptographic parameters:
OPAQUE registration record: Cryptographic commitment used for password authentication (this is NOT your password)
Wrapped vault key: Your encryption key encrypted with your master password derivative
KDF salt: Random data used in key derivation (public, non-sensitive)
KDF parameters: Settings for Argon2id (opslimit, memlimit, parallelism, version)
Encryption nonces: One-time random values for each encrypted field
Ciphertexts: Encrypted binary data of your credentials
Why we need this: These cryptographic elements enable us to verify your identity and provide encrypted storage without ever knowing your master password or decrypting your data.
3.4 Session and Authentication Data
For security and session management, we collect:
Device ID: Unique identifier for each device you use (generated by us)
Device name/type: Browser/device information (e.g., "Chrome on Windows")
IP address: Your network address when you access our service
Session timestamps: When you login and last activity time
Authentication logs: Record of login attempts, password changes, session events
Activity logs: Actions performed (view, create, update, delete) on encrypted resources
Why we need this:
Detect and prevent unauthorized access
Show you active sessions and allow remote logout
Identify suspicious activity patterns
Comply with security incident investigation requirements
Provide you with activity history for security auditing
3.5 Metadata (Non-Content Information)
We collect minimal metadata about your encrypted resources:
Resource counts: Number of projects, services, credentials you have
Resource IDs: Unique identifiers (UUIDs) for encrypted items
Timestamps: When resources were created, updated, or deleted
Sharing relationships: Who you've shared projects with (usernames/emails)
Activity metadata: Which resources were accessed (by ID, not content)
Note: We cannot see the names or contents of your resources—only that they exist and when they were modified.
4. What We Do NOT Collect or Store
❌ Your master password (never transmitted or stored)
❌ Your decrypted credentials (passwords, usernames, etc.)
❌ Your encryption keys in usable form
❌ Credential content or titles in readable form
❌ Payment information (handled by third-party processors)
❌ Biometric data
❌ Social security numbers or government IDs
❌ Unnecessary tracking cookies or analytics
5. How We Use Your Information
We use the collected information for:
5.1 Service Provision
Authenticating your identity using OPAQUE protocol
Storing and retrieving your encrypted data
Managing your sessions across devices
Enabling project sharing and collaboration features
5.2 Security and Fraud Prevention
Detecting unusual login patterns or unauthorized access attempts
Preventing brute force attacks and account takeovers
Investigating security incidents
Enforcing rate limits and abuse prevention
5.3 Communication
Sending account verification emails
Processing password reset requests
Notifying you of security events (new device login, password change)
Sending service updates or critical announcements
5.4 Legal Compliance
Complying with applicable laws and regulations
Responding to valid legal requests
Protecting our rights and preventing fraud
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in these limited circumstances:
6.1 With Your Consent
When you share a project with collaborators, we share: project metadata, encrypted credentials, and your username/email with the specified users.
6.2 Service Providers
We work with third-party service providers who process data on our behalf:
Cloud hosting providers (for server infrastructure)
Email service providers (for sending verification and notification emails)
Security monitoring tools (for threat detection)
These providers are contractually obligated to protect your data and use it only for specified purposes.
6.3 Legal Obligations
We may disclose information if required by law:
In response to valid legal process (subpoena, court order)
To protect rights, property, or safety
To prevent fraud or security threats
Important: Due to our zero-knowledge architecture, we cannot provide your encrypted credentials even if legally compelled. We can only provide account metadata and logs.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and ensure continued privacy protection.
7. Data Retention
We retain your data as follows:
Active accounts: Data retained while your account is active
Deleted accounts: All data permanently deleted within 30 days of account deletion
Authentication logs: Retained for 90 days for security purposes
Activity logs: Retained for 90 days
Legal hold: Data may be retained longer if required by law or for litigation
You can request account deletion at any time through your profile settings. This action is irreversible and will result in permanent loss of all encrypted data.
8. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights:
🔍 Right to Access
Request a copy of your personal information we hold
✏️ Right to Rectification
Update or correct inaccurate information (available in profile settings)
🗑️ Right to Deletion
Request deletion of your account and data (available in profile settings)
📦 Right to Data Portability
Export your encrypted data in a machine-readable format
🚫 Right to Object
Object to processing of your data for certain purposes
⚖️ Right to Lodge Complaint
File a complaint with a data protection authority in your jurisdiction
To exercise these rights, contact us at privacy@lockpulsekey.com
9. Security Measures
We implement industry-leading security practices:
🔐 Encryption
• AES-256-GCM for data encryption
• TLS 1.3 for data in transit
• Argon2id key derivation
🛡️ Authentication
• OPAQUE protocol (zero-knowledge)
• Device verification for new logins
• Session management and timeout
🖥️ Infrastructure
• Secure cloud hosting
• Regular security audits
• Intrusion detection systems
👥 Access Controls
• Principle of least privilege
• Employee background checks
• Audit logging of admin actions
10. International Data Transfers
LockPulse operates from India. If you access our service from outside India, your information may be transferred to and processed in India or other countries where our service providers operate.
We ensure appropriate safeguards are in place for international transfers, including:
Standard contractual clauses
Data processing agreements with service providers
Compliance with GDPR, CCPA, and other privacy regulations
Encryption of data in transit and at rest
11. Children's Privacy
LockPulse is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete it promptly.
If you are a parent or guardian and believe your child has provided us with information, please contact us at privacy@lockpulsekey.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
We will update the "Last Updated" date
We will notify you via email for material changes
We will provide an in-app notification
You can review changes before continuing to use the service
Continued use of LockPulse after changes become effective constitutes acceptance of the updated Privacy Policy.
13. Contact Information
For privacy-related questions, concerns, or requests, please contact:
Privacy Team: privacy@lockpulsekey.com
Data Protection Officer: dpo@lockpulsekey.com
General Support: support@lockpulsekey.com
Address: BE 12, Tower A Prius Global, Plot No 11, Amity Rd, Sector 125, Noida, Uttar Pradesh 201303, India
Our Transparency Commitment
We believe transparency is essential for privacy. Here's what we promise:
✅ We will never sell your data to third parties
✅ We collect only the minimum data necessary for our service
✅ We use strong, open-source cryptography (libsodium, OPAQUE)
✅ We provide clear explanations of why each piece of data is needed
✅ We give you full control to delete your account and data
✅ We will notify you of any data breaches within 72 hours
✅ We will resist overly broad government requests for user data