Privacy Policy

Last updated: April 18, 2026

1. Overview

DeniKey is a password manager built on zero-knowledge architecture. By design, we can never access your passwords or personal data. This policy explains what data we collect and how we use it.

2. Data We Collect

• Email address: Used for account creation and verification.
• Master password hash: An Argon2id-derived hash is stored on the server; your actual password is never transmitted.
• Encrypted vault data: All your passwords and notes are encrypted on your device with AES-256-GCM; the server only stores encrypted (unreadable) data.
• Device information: Device type may be collected for session management.

3. Data We Do Not Collect

• Your actual master password
• Unencrypted vault contents (passwords, notes, usernames)
• Location, contacts, camera, or microphone data
• Third-party advertising data

4. Use of Data

Collected data is used solely for the following purposes:

• Account verification and authentication
• Storage and synchronization of encrypted vault data on the server
• Sending password reset emails

5. Data Security

• Encryption: AES-256-GCM
• Key derivation: Argon2id (memory: 65536 KB, iterations: 3)
• Transport: All communication is via HTTPS/TLS.
• Authentication: JWT token-based

6. Third-Party Services

• Railway: Backend hosting (European region)
• Supabase: PostgreSQL database
• Resend: Email delivery (verification and password reset only)

7. Data Retention and Deletion

When you delete your account, all your data is permanently removed. Encrypted vault data is completely erased from our servers.

8. Children's Privacy

DeniKey is not intended for children under 13 and does not knowingly collect data from this age group.

9. Contact

For privacy-related questions: denisergocmen@gmail.com