Privacy Policy
Last updated: 2025
Zero-Knowledge Architecture
Ironlox is designed with a zero-knowledge architecture. All encryption and decryption of your vault data happens on your device. Your master password, encryption keys, and plaintext vault contents never leave your device.
What We Store
- Your email address (for account identification)
- An encrypted version of your vault (AES-256-GCM, encrypted on your device)
- A server-side hashed authentication token (never your master password)
- Login event metadata (IP hash, timestamp, user agent) for security auditing
What We Never See
- Your master password
- Your encryption keys
- Plaintext vault contents (passwords, credit cards, notes, identities)
- Your authentication hash in plaintext (server-side hashed)
Analytics and Tracking
We do not use any third-party analytics, tracking cookies, or advertising. Server-side operational metrics (request counts, error rates) are collected via Cloudflare Analytics Engine for service reliability.
Data Retention and Deletion
Your data is retained for the lifetime of your account. When you delete your account, all data is permanently removed after a 7-day grace period. You may cancel deletion during this period.
Contact
For privacy-related inquiries, contact [email protected].