Privacy Policy

Last updated: January 2026

TL;DR: Your passwords are encrypted on your device. We cannot read them. Cloud sync stores only encrypted data. We collect minimal information needed to provide the service.

What We Collect

Base-2-Pass is designed with privacy as a core principle. Here's what data is involved:

Local Storage (Browser Extension):

Your encrypted vault (passwords, usernames, notes)
Extension settings and preferences
All data is encrypted with your master password before storage

Cloud Sync (Optional):

Email address (for account identification and token delivery)
Encrypted vault data (we cannot decrypt this)
Sync timestamps

Encryption

Your data is protected using industry-standard encryption:

XChaCha20-Poly1305: For encrypting your vault data
Argon2id: For deriving encryption keys from your master password
All encryption/decryption happens locally in your browser
Your master password never leaves your device

Zero-Knowledge Architecture: Even with cloud sync enabled, we cannot read your passwords. The server only stores encrypted blobs that are meaningless without your master password.

What We Don't Collect

Your master password
Decrypted passwords or credentials
Browsing history
Website usage analytics
Personal information beyond email (for sync users)

Data Storage

Local data is stored in your browser's extension storage (chrome.storage.local) and persists until you uninstall the extension or clear browser data.

Cloud sync data (if enabled) is stored on our servers. You can delete your account and all associated data at any time.

Third-Party Services

Base-2-Pass does not use any third-party analytics, tracking, or advertising services. The extension only communicates with:

Our sync server (if you enable cloud sync)
Websites you visit (for autofill functionality)

Your Rights

You have the right to:

Export your data at any time using the built-in export feature
Delete your cloud sync account and all associated data
Use the extension without cloud sync (fully offline mode)

Security

We take security seriously:

All cloud communications use HTTPS
Passwords are never transmitted in plain text
Sync tokens are generated using cryptographically secure random number generation

Changes to This Policy

We may update this privacy policy from time to time. We will notify users of any material changes by updating the "Last updated" date at the top of this policy.

Contact

If you have questions about this privacy policy or how your data is handled, please open an issue on our GitHub repository.