Privacy Policy

Effective Date: January 30, 2026

This Privacy Policy applies to this application (the "App" or "we"). We value your personal information and data security, and provide services with a "security-first, local-first" design philosophy. This policy explains how we collect, use, store, share, retain, and protect your information, as well as your rights. Please read it carefully before using the App. We will provide services only after you agree to this Privacy Policy.

Introduction

The App is a password management and secure storage application. Our core design principle is that user data is stored locally on the user's device by default, and core data is encrypted and controlled only by the user. We cannot decrypt or read your password content. We comply with applicable laws and regulations (including but not limited to GDPR, CCPA, China's Personal Information Protection Law (PIPL)) and Apple App Store review guidelines, and take necessary security measures to protect your information.

Scope and definitions

  1. This Privacy Policy applies to all features and services provided by the App. If a specific feature has separate instructions, those instructions will prevail.
  2. "Personal information" refers to all kinds of information, recorded electronically or otherwise, that relates to an identified or identifiable natural person. "Sensitive personal information" refers to personal information that, once leaked or illegally used, may endanger personal or property safety.
  3. "Processing" in this policy includes collection, use, storage, sharing, disclosure, deletion, and other similar activities.

Information we collect

To provide basic functionality and account services, we may collect the following information:

  1. Account and identity information
    • Email address (for registration, login, verification codes, and account recovery)
    • Necessary account identifiers obtained through Sign in with Apple (such as Apple's stable identifier and authorized email)
  2. Device and security verification information
    • Device identifiers or security authentication data provided by the system
    • Necessary information related to security protection and device trust assessment
  3. Runtime and diagnostic information
    • Crash logs and performance diagnostics (excluding your passwords or plaintext vault data)
    • Version information, system information, and basic runtime environment data
  4. Necessary server-side metadata
    • Information related to account verification and synchronization metadata (such as sync status, timestamps, device count)
  5. Information you provide voluntarily
    • Content submitted through customer support or feedback channels (such as issue descriptions and contact information), used only to process requests

Information we do not collect

We do not collect or store the following:

  • Passwords, keys, notes, or other plaintext vault contents stored in the App
  • Master passwords, key material, or decryption credentials that would allow us to recover or decrypt your core data
  • Data related to advertising, profiling, or behavioral tracking

How we use information

We use your information only for the following purposes:

  • Provide account registration, login, verification, and security protection services
  • Send email verification codes or security notifications
  • Perform device authentication and anti-fraud checks
  • Maintain service stability and improve product experience (such as handling crashes and performance issues)
  • Handle user support and feedback
  • Fulfill compliance obligations as required by applicable laws

We do not use your information for advertising, profiling, or any purposes unrelated to the services.

Legal basis for processing (if applicable)

Where required by applicable law (such as GDPR), we process personal information based on the following legal bases:

  • Necessary to perform a contract with you or provide services you request
  • Necessary to comply with legal obligations
  • Based on your consent (where consent is required)
  • Based on our legitimate interests that do not override your rights (such as service security and fraud prevention)

Data storage and security measures

  1. Local-first and zero-knowledge design
    • Your core data is stored on your device by default and protected by system security capabilities.
    • We cannot read or decrypt your password content or plaintext vault data.
  2. Transmission and storage security
    • We use industry-standard transport encryption to protect data in transit.
    • Servers store only the minimum information and encrypted metadata necessary for service delivery.
  3. Permissions and access control
    • Internal access is restricted according to the principle of least privilege.
    • Reasonable technical and organizational measures are taken to prevent unauthorized access, disclosure, alteration, or loss.
  4. Security incident response
    • If an information security incident occurs or may occur, we will take remedial measures and notify you as required by applicable law.

Cross-border transfers

If cross-border transfer of personal information is required for business purposes, we will comply with applicable laws and take necessary measures to protect data security, and notify you within the scope required by law.

Third-party services

To provide necessary functions, we may use the following third-party services or system capabilities:

  • Platform-provided login services (for account authentication)
  • Platform-provided security capabilities (for local secure storage and protection)
  • Email service providers (for sending verification codes or security notifications)
  • System-level crash and diagnostic services (for stability improvements)

We do not introduce third-party SDKs or provide your data to third parties for their independent purposes without disclosure. If changes are required in the future, we will explain them under "Changes to this Privacy Policy."

Data sharing and disclosure

We commit to the following:

  • We will not sell your personal information.
  • We will not share your personal information for advertising or profiling purposes.

We may share or disclose necessary information in the following circumstances:

  • With your explicit consent or authorization
  • To comply with legal requirements or respond to lawful requests by judicial or administrative authorities
  • To protect your or other users' significant legal rights, public safety, or security needs
  • With entrusted service providers to deliver services (such as email services, device authentication, or diagnostics); we require them to process information only within the entrusted scope
  • In the event of a merger, acquisition, reorganization, or asset transfer, we will disclose as required by law and follow this Privacy Policy or provide reasonable notice

User rights

Within the scope permitted by applicable laws and regulations, you have the following rights:

  • Access and correction: You can access and correct your account information.
  • Deletion: You can request deletion of your account information and related data.
  • Export: You can export data stored in the App (in a format supported by the App).
  • Withdraw consent: You can withdraw your consent to this Privacy Policy at any time. After withdrawal, we will stop providing services related to that consent, without affecting the validity of processing carried out before withdrawal under applicable law.

To protect account and information security, we may require identity verification before processing requests. To exercise these rights, please refer to "Contact."

Data retention policy

  • We retain your information only for the period necessary to achieve the purposes described in this Privacy Policy.
  • After you delete your account or request deletion, we will delete or anonymize related data in accordance with applicable laws. If laws require retention, we will retain it and delete or anonymize it when the retention period ends.
  • Logs or diagnostic data related to security and stability will be retained for a reasonable period as needed for operations.

Children's privacy

The App is not intended for minors. If your local law defines minors as under a certain age (such as 14 or 13), we do not knowingly collect their personal information. If we discover that we have inadvertently collected such information, please contact us under "Contact," and we will handle it promptly.

Changes to this Privacy Policy

We may update this Privacy Policy due to feature updates or changes in laws. If changes materially affect your rights and obligations, we will notify you through in-app prompts or other reasonable means. The updated policy will be published in the App and become effective on the date of publication.

Contact

If you have any questions, comments, or requests regarding this Privacy Policy or the handling of your personal information, please contact us:

  • Email: support@mdotmail.com

We will respond and handle your request within a reasonable period.