Family Pass

Privacy Policy

Last updated: 3 June 2026

This policy explains what personal data Family Pass collects, why, and the rights you have over it under the EU General Data Protection Regulation (GDPR). We have tried to keep it plain. If anything is unclear, contact us using the details below.

1. Who we are

Family Pass (“we”, “us”, the “Service”) is a password and secrets manager available at pass.sigvark.dev.

The data controller responsible for your personal data is:

  • Controller: [LEGAL ENTITY OR OPERATOR NAME]
  • Address: [REGISTERED ADDRESS]
  • Contact for privacy matters: [privacy@your-domain]

2. The short version

Family Pass is designed so that we cannot read the contents of your secrets. Usernames, passwords, and notes you save are encrypted in your browser before they ever reach our servers, and only you (and people you explicitly share a secret with) hold the keys to decrypt them. We do, however, process some personal data to run your account, send essential emails, secure the Service, and understand how it is used. The rest of this policy explains the detail.

3. What data we collect

a. Account data

When you create an account we process:

  • your name (as you choose to enter it);
  • your email address;
  • your password, which is never stored in plain text — it is kept only as a salted cryptographic hash used to verify sign-in;
  • an optional profile image, if you add one;
  • account metadata such as creation date and your role within the Service.

b. Vault and secrets data

For each secret you store, we hold:

  • The encrypted contents (username, password, notes). These are encrypted in your browser with keys we cannot access, so to us they are unreadable ciphertext.
  • Encrypted cryptographic keys used to make the Service recoverable after a password reset (see our Terms and our security notes below).
  • Unencrypted metadata that we need to display and organise your vault — specifically the name and website/URL you give a secret. Please avoid putting confidential information in those two fields, as they are not encrypted.

c. Technical and session data

To keep you signed in and to protect the Service, we process:

  • session identifiers and authentication cookies;
  • your IP address and browser user-agent;
  • basic security and request logs.

d. Usage and diagnostics data

We use PostHog for product analytics and error tracking. This collects information such as pages visited, actions taken, device and browser characteristics, and technical error reports. When you are signed in, this data is associated with your account (including your email and name) so we can diagnose issues tied to a specific account. It is never used to access the contents of your secrets.

4. Why we use it and our legal basis

Purpose | Data | Legal basis (GDPR Art. 6)
Create and run your account; store and sync your vault | Account data, vault data | Performance of a contract — Art. 6(1)(b)
Send essential service emails (verification, password reset, invitations) | Email address, name | Performance of a contract — Art. 6(1)(b)
Keep the Service secure, prevent abuse, keep logs | Technical and session data | Legitimate interests — Art. 6(1)(f)
Product analytics and error diagnostics | Usage and diagnostics data | Consent — Art. 6(1)(a) [recommended], or Legitimate interests — Art. 6(1)(f)

Where we rely on legitimate interests, we balance those interests against your rights and only process what is necessary. Where we rely on consent, you may withdraw it at any time.

5. Who we share data with

We do not sell your personal data. We share it only with service providers (processors) who help us run the Service, under contracts that require them to protect it:

Provider | Purpose | Data involved
[HOSTING / INFRASTRUCTURE PROVIDER] | Application and database hosting | All stored data (secrets remain encrypted)
Resend | Sending transactional emails | Email address, name, email content
PostHog | Product analytics and error tracking | Usage data, account identifiers

We may also disclose data where required by law, or to protect our rights, safety, or property.

6. International transfers

Some of our providers may process data outside the European Economic Area (for example, in the United States). Where that happens, the transfer is protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision. Confirm the hosting region and each provider's transfer mechanism before publishing.

7. How long we keep data

  • Account and vault data: for as long as your account exists. When you delete your account, this data is deleted or irreversibly anonymised, subject to short technical backup-retention windows.
  • Session data: until the session expires or you sign out.
  • Security logs: [retention period, e.g. 90 days].
  • Analytics data: retained according to our PostHog configuration, [retention period].

8. How we protect your data

Security is the core purpose of the Service. The sensitive contents of your secrets are encrypted in your browser using modern cryptography (AES-256-GCM, with X25519 key exchange for sharing) before being sent to us, and we store only ciphertext. To allow recovery after a password reset, an encrypted copy of your vault key is held on our servers, protected by an application secret; this means that, in the event of a severe server compromise that also exposed that secret, encrypted vaults could in principle be at risk. We apply technical and organisational measures to guard against this. No system is perfectly secure, and you remain responsible for keeping your own account credentials safe.

9. Cookies

We use a small number of cookies and similar technologies:

  • Strictly necessary: authentication and session cookies that keep you signed in. These are required for the Service to function.
  • Analytics: cookies set by PostHog to measure usage. Under EU ePrivacy rules these generally require prior consent — add a consent banner if one is not yet in place.

10. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”);
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent at any time, where we rely on it.

To exercise any of these rights, contact us at [privacy@your-domain]. You also have the right to lodge a complaint with your local data protection supervisory authority [name of your lead supervisory authority] if you believe we have mishandled your data.

11. Children

Family Pass is not directed at children and is intended for users aged 16 and over. “Family” in our name refers to households sharing access — we do not knowingly collect data from children.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you.