Privacy Policy

Effective date: March 29, 2026

Introduction

ItchyPassword is a privacy-first, offline-capable password manager that runs entirely in your browser. This Privacy Policy explains what data ItchyPassword collects (essentially none), how it operates, and how third-party integrations work.

Data we collect

We do not collect any personal data.

ItchyPassword is a client-side Blazor WebAssembly application. All cryptographic operations happen locally in your browser. There is no server-side component, no analytics, no tracking, and no telemetry.

  • Your master key is never stored anywhere — not even encrypted. It exists only in browser memory while the tab is open.
  • Your vault data is encrypted and decrypted entirely in your browser using the Web Crypto API (SubtleCrypto).
  • No data is sent to any server operated by ItchyPassword.

Local storage

ItchyPassword uses your browser's localStorage to persist non-secret configuration data, such as:

  • Vault connector settings (e.g., which storage backends are configured).
  • UI preferences (e.g., selected theme).

Any secret stored in localStorage (such as OAuth tokens) is encrypted with your master key before being saved. You can clear this data at any time through your browser settings.

Third-party services

ItchyPassword supports optional vault connectors that interact with third-party services to store and retrieve your encrypted vault data. When you enable a connector, ItchyPassword communicates directly with that service from your browser:

  • Google Drive — If you choose to use Google Drive as a vault storage backend, ItchyPassword uses the Google Drive API to read and write a single encrypted vault file in your Google Drive. The OAuth flow happens via a browser popup. Only the encrypted vault blob is stored; Google never receives your master key or decrypted data. Google's privacy policy applies to data stored in your Google Drive account.
  • GitHub — If you choose to use GitHub as a vault storage backend, ItchyPassword uses the GitHub API to read and write an encrypted vault file as commits in a repository. Only the encrypted vault blob is stored.
  • Solid Pod — If you choose to use a Solid Pod as a vault storage backend, ItchyPassword uses the Solid protocol to read and write an encrypted vault file on your Pod. The OAuth flow uses DPoP-bound tokens via a browser popup. Only the encrypted vault blob is stored on your Pod; the Solid provider never receives your master key or decrypted data.

These services are entirely optional. ItchyPassword can operate fully offline without any third-party service.

Cookies

ItchyPassword does not use cookies.

Children's privacy

ItchyPassword does not knowingly collect any information from anyone, including children under 13 years of age.

Changes to this policy

We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated effective date.

Contact

If you have questions about this Privacy Policy, you can open an issue on the GitHub repository.