Privacy Policy for PassNote

Effective Date: February 19, 2026
Last Updated: February 19, 2026

Introduction

Welcome to PassNote ("we," "our," or "us"). PassNote is a secure password manager application that helps you store and manage your passwords safely on your mobile device (Android and iOS).

This Privacy Policy explains how we collect, use, store, and protect your information when you use the PassNote application. We are committed to protecting your privacy and ensuring the security of your data.

By using PassNote, you agree to the terms outlined in this Privacy Policy.

1. Information We Collect

1.1 Personal Information

When you create an account using Google Sign-In, we collect:

Email address: Your Google account email
Display name: Your name from your Google account
Profile photo: Your Google account profile picture (URL)
User ID: A unique identifier provided by Firebase Authentication

1.2 Password and Sensitive Data

PassNote is designed to store your passwords and sensitive information. The data you create includes:

Password entries: Title, account/username, password, website URL, category, type, and notes
Encryption key hint: An optional hint you provide to help remember your encryption key (stored as plaintext)
Metadata: Creation and update timestamps for your password entries

Important: All sensitive data (titles, accounts, passwords, URLs, and notes) are encrypted end-to-end using AES-256-GCM encryption before being stored on our servers. We cannot read, access, or decrypt your passwords.

1.3 Technical Information

We automatically collect certain technical information:

Device information: Device type, operating system version
App usage data: Features used, app version
Error logs: Crash reports and error information (via Firebase Crashlytics)
Analytics data: App performance metrics, user engagement (via Firebase Analytics)

1.4 Advertising Data

PassNote displays advertisements through Google AdMob. AdMob may collect:

Advertising ID: Your device's advertising identifier
Ad interaction data: Ads viewed, clicked, or interacted with
Device information: For ad targeting and performance measurement

For more information about Google AdMob's data practices, please visit: Google AdMob Privacy Policy

2. How We Use Your Information

2.1 To Provide Our Services

Authentication: Verify your identity and manage your account
Data synchronization: Sync your encrypted passwords across your devices
Service functionality: Enable core features like password storage, generation, and search

2.2 To Improve Our Services

Analytics: Understand how users interact with PassNote to improve features
Error detection: Identify and fix bugs, crashes, and performance issues
Feature development: Develop new features based on usage patterns

2.3 To Display Advertisements

Monetization: Display ads through Google AdMob to support free access to PassNote
Ad personalization: AdMob may use data to show relevant ads (you can opt out in your device settings)

2.4 To Communicate With You

Service updates: Notify you about important changes to PassNote
Security alerts: Inform you about security-related matters
Support: Respond to your inquiries and provide customer support

3. Data Security and Encryption

3.1 End-to-End Encryption

PassNote uses AES-256-GCM encryption to protect your sensitive data:

What is encrypted: All password entries (titles, accounts, passwords, URLs, notes)
Encryption key: Created by you and stored securely on your device using:
- iOS: Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly
- Android: EncryptedSharedPreferences (AES-256-GCM)
Zero-knowledge architecture: Your encryption key is never transmitted to our servers. We cannot decrypt your data.

3.2 Data Storage

Firebase Firestore: Your encrypted data is stored on Google's Firebase Firestore servers
Data transmission: All data transmitted between your device and our servers uses SSL/TLS encryption
Firebase security: Firebase infrastructure includes industry-standard security measures, firewalls, and access controls

3.3 Data Integrity

Authentication tags: AES-GCM mode provides authenticated encryption, detecting any tampering with your encrypted data
Secure storage: Your encryption key is protected by your device's secure storage mechanisms

3.4 Important Security Notes

⚠️ If you forget your encryption key:

We cannot recover your data
Your passwords will be permanently inaccessible
This is by design to ensure maximum security (zero-knowledge)

⚠️ Key Hint:

Your optional key hint is stored as plaintext (not encrypted) on our servers
Do not include your actual encryption key in the hint
Use hints that help you remember without revealing the key

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or encrypted data to third parties.

4.2 Third-Party Services

We use the following third-party services that may have access to certain data:

Firebase (Google LLC)

Services: Authentication, Firestore (database), Analytics, Crashlytics
Data shared: Email, display name, user ID, encrypted password data, usage analytics, crash logs
Purpose: Provide core app functionality, analytics, and error tracking
Privacy Policy: Firebase Privacy Policy

Google AdMob (Google LLC)

Services: Advertisement display and management
Data shared: Advertising ID, device information, ad interaction data
Purpose: Display advertisements and measure ad performance
Privacy Policy: Google AdMob Privacy Policy

4.3 Legal Requirements

We may disclose your information if required by law or in response to:

Court orders, subpoenas, or legal processes
Requests from law enforcement or government authorities
Protection of our rights, property, or safety
Prevention of fraud, abuse, or security threats

Note: Due to our zero-knowledge encryption, we cannot provide decrypted password data even if legally requested.

5. Data Retention

5.1 Account Data

Your account information and encrypted passwords are retained as long as your account is active
Metadata (creation dates, update timestamps) is retained with your encrypted data

5.2 Account Deletion

When you delete your account:

Immediate deletion: All your encrypted passwords are permanently deleted from Firebase Firestore
Authentication data: Your Firebase Authentication account is deleted
Local data: Your encryption key is deleted from your device's secure storage
Irreversible: This action cannot be undone

5.3 Backup and Logs

No backups: We do not maintain backups of your encrypted passwords after account deletion
System logs: Technical logs and analytics data may be retained for up to 90 days for operational purposes

6. Your Rights and Choices

6.1 Access and Portability

View your data: You can view all your password entries within the PassNote app
Export: Currently not available in MVP (planned for Phase 3)

6.2 Correction and Updates

Edit passwords: You can edit, update, or delete individual password entries at any time
Profile information: Your email and display name are managed through your Google account

6.3 Account Deletion

Delete account: You can permanently delete your account and all associated data from the Profile tab
Confirmation required: Type "DELETE" to confirm (prevents accidental deletion)

6.4 Advertising Choices

Opt out of personalized ads:

Android: Settings > Google > Ads > Opt out of Ads Personalization
iOS: Settings > Privacy > Advertising > Limit Ad Tracking

Note: You will still see ads, but they may be less relevant

7. Children's Privacy

PassNote is not intended for use by children under the age of 13 (or the minimum age in your jurisdiction).

We do not knowingly collect personal information from children under 13
If we discover that we have collected data from a child under 13, we will delete it promptly
Parents/guardians: If you believe your child has provided information to PassNote, please contact us

8. International Data Transfers

8.1 Data Location

Your encrypted data is stored on Firebase servers, which may be located in various countries
Firebase complies with data protection laws including GDPR (Europe) and applicable U.S. laws

8.2 Cross-Border Transfers

By using PassNote, you consent to the transfer of your data to countries where Firebase operates
We ensure that data transfers comply with applicable privacy laws

9. Changes to This Privacy Policy

9.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements
Effective date at the top of this policy indicates the last update

9.2 Notification

Material changes: We will notify you via in-app notification or email
Minor changes: Posted updates will take effect immediately
Your continued use: Continued use of PassNote after changes indicates acceptance

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

Developer: XApp Studio
Email: support@xappstudio.dev
App: PassNote - Secure Password Manager

Response time: We aim to respond to all inquiries within 7 business days.

11. Supplemental Information

11.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to know: Request details about the personal information we collect
Right to delete: Request deletion of your personal information
Right to opt-out: Opt-out of the sale of personal information (we do not sell data)
Non-discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, please contact us using the information above.

11.2 European Residents (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

Right of access: Request a copy of your personal data
Right to rectification: Correct inaccurate or incomplete data
Right to erasure: Request deletion of your data ("right to be forgotten")
Right to restrict processing: Limit how we use your data
Right to data portability: Receive your data in a portable format
Right to object: Object to certain types of data processing
Right to withdraw consent: Withdraw consent for data processing

Legal basis for processing:

Contract: To provide PassNote services to you
Legitimate interests: To improve our services and ensure security
Consent: For analytics and advertising (where required)

12. Security Best Practices for Users

To maximize your security when using PassNote:

✅ Create a strong encryption key: Use 16+ characters with a mix of letters, numbers, and symbols
✅ Keep your key safe: Store your encryption key securely offline (e.g., written down in a safe place)
✅ Use a meaningful hint: Create a key hint that helps you remember without revealing the key
✅ Enable device security: Use screen lock (PIN, pattern, biometric) on your device
✅ Keep PassNote updated: Install app updates for the latest security improvements
✅ Don't share your key: Never share your encryption key with anyone
✅ Be cautious on public Wi-Fi: Use VPN on public networks for added security

13. Summary

What we collect:

Email, name, photo (from Google account)
Encrypted password entries (we cannot read them)
Technical and analytics data
Advertising data (via AdMob)

What we do:

Store your data securely with end-to-end encryption
Sync your encrypted passwords across your devices
Analyze app usage to improve PassNote
Display ads to support free access

What we don't do:

❌ We do NOT sell your data
❌ We CANNOT read your encrypted passwords
❌ We CANNOT recover your data if you forget your encryption key
❌ We do NOT share your data except as described in this policy

Your control:

Delete your account and all data at any time
Edit or delete individual passwords
Opt out of personalized advertising

Consent

By downloading, installing, or using PassNote, you acknowledge that you have read, understood, and agree to this Privacy Policy and our Terms of Service.