1. Introduction
SVPassman is designed with privacy as a top priority. Your passwords, credit card details, SSH keys, TOTP secrets, and other vault entries are stored locally on your device using encrypted storage. We do not upload, sync, or transmit your sensitive information to our servers.
This Privacy Policy explains how SVPassman ("the Application"), developed and maintained by SwaVan ("we," "us," or "our"), handles information when you use SVPassman on any supported platform — desktop (macOS, Windows, Linux) or mobile (iOS, Android). By using SVPassman, you agree to the practices described in this policy. If you do not agree, please do not use the Application.
2. Information We Collect
2.1 Information You Provide Directly
When you use SVPassman, you may provide and store the following information locally on your device:
- Vault credentials: usernames, passwords, website URLs, and notes for saved login entries
- Payment information: credit and debit card numbers, expiry dates, CVV codes, and cardholder names
- SSH keys: private keys, public keys, passphrases, and associated hostnames
- TOTP secrets: two-factor authentication seed keys and associated account labels
- Secrets: arbitrary sensitive text such as API keys, environment variables, and recovery codes
- Master key: the password used to derive the encryption key that protects your vault. This is never stored in plain text and never transmitted anywhere.
- Profile information: a local username and optional avatar used to identify your vault profile on the device
All of this information remains exclusively on your device and is encrypted at rest.
2.2 Biometric Authentication
On supported platforms, SVPassman can use biometric authentication to unlock your vault — Touch ID / Face ID on macOS and iOS, fingerprint or face recognition on Android, and Windows Hello on Windows. When you use biometric unlock:
- Biometric verification is handled entirely by the operating system's secure enclave (Secure Enclave on Apple devices, Android Keystore on Android, TPM on Windows)
- SVPassman never receives, processes, or stores raw biometric data of any kind
- The operating system returns only a boolean authentication result to the Application
- Your biometric data never leaves the device's secure hardware
Biometric unlock can be disabled at any time from Settings.
2.3 Mobile Device Permissions
On iOS and Android, SVPassman may request the following device permissions:
- Camera: used solely to scan QR codes when adding TOTP/2FA accounts. The camera is only activated when you initiate a QR scan. No images or video are stored or transmitted.
- Biometrics / Face ID / Fingerprint: used to unlock the vault. See section 2.2 above.
- Local storage / file access: used to read and write your encrypted vault database on the device filesystem.
SVPassman does not request access to your contacts, location, microphone, photo library, or any other device resource not listed above.
2.4 Automatically Collected Technical Information
SVPassman may collect limited technical information to maintain and improve the Application:
- Device operating system and version (e.g., macOS 14, Windows 11, iOS 18, Android 15)
- Application version number
- Device type and architecture (e.g., iPhone, Android phone, desktop)
- Crash diagnostic information that does not contain personal data or vault contents
Anonymous usage statistics are only collected when you explicitly opt in. No usage data is collected by default.
2.5 Breach Checking (Optional)
SVPassman optionally integrates with the HaveIBeenPwned k-Anonymity API to check whether a stored password has appeared in known data breaches. When this feature is used:
- Only the first 5 characters of the SHA-1 hash of the password are transmitted to the API
- The full password, or any portion sufficient to reconstruct it, is never transmitted
- This feature is opt-in and can be disabled at any time
2.6 Information We Do NOT Collect
SVPassman does not collect any of the following:
- Your vault contents — passwords, keys, card numbers, secrets, or notes
- Your master key or any derived cryptographic material
- Browsing history or web activity
- Location data
- Contact lists or address books
- Personal files outside the Application
- Advertising identifiers or tracking cookies
- Any data through third-party analytics SDKs
3. How We Use Your Information
The limited information SVPassman processes is used solely for the following purposes:
- Encrypting and decrypting your vault on your local device
- Providing biometric unlock functionality via the OS secure enclave
- Checking for application updates to keep you on a secure version
- Optionally checking passwords against breach databases (HaveIBeenPwned)
- Diagnosing crashes and improving application stability
- Responding to support enquiries you initiate
4. How We Store and Protect Your Information
4.1 Local Storage Only
All vault data is stored exclusively on your device in an encrypted SQLite database. The location depends on your operating system:
- macOS: ~/Library/Application Support/svpassman/
- Windows: %APPDATA%\svpassman\
- Linux: ~/.local/share/svpassman/
- iOS: Within the Application's sandboxed container in the iOS file system. The data is not accessible to other apps and is protected by iOS Data Protection.
- Android: Within the Application's private internal storage directory, protected by Android's application sandbox.
On mobile platforms, the vault database is additionally protected by the operating system's device encryption when the device is locked. We do not upload, synchronise, or transmit your vault data to any server operated by SwaVan. If you configure optional remote sync, your vault is encrypted before transmission and the encryption key never leaves your device.
4.2 Encryption and Security
- Vault data is encrypted with AES-256-GCM
- The encryption key is derived from your master password using Argon2id, a memory-hard key derivation function designed to resist brute-force attacks
- The master key is held in memory only for the duration of an active session and zeroed from memory when the vault is locked
- The Application is built in Rust, which eliminates entire classes of memory safety vulnerabilities at compile time
- A strict Content Security Policy (CSP) is enforced by the Tauri runtime to prevent data exfiltration
4.3 Update Checks
On desktop, when SVPassman checks for updates, the request includes your current application version and operating system architecture (e.g., darwin-aarch64). This information is used solely to determine whether a newer version is available. It is not logged, stored persistently, or associated with any personal identifier. Update checks can be disabled in Settings.
On iOS and Android, updates are delivered through the Apple App Store and Google Play Store respectively. Update availability is determined by the respective store's standard mechanisms, not by SVPassman itself.
5. Information Sharing and Disclosure
5.1 We Do Not Share Your Data
We do not sell, rent, trade, or share your personal information or vault contents with any third parties, including:
- Advertisers or marketing companies
- Analytics providers (beyond opt-in crash diagnostics)
- Data brokers
- Social media platforms
- Any other applications or services
5.2 Legal Requirements
Because your vault data is stored locally and encrypted, we do not have access to your passwords, keys, or secrets under any circumstances. In the event of a legal request, we can only disclose non-sensitive technical information such as application version data. We cannot disclose what we do not possess.
6. Your Data Rights and Control
6.1 Access Your Data
All vault data is directly accessible within the Application. You can view, copy, and edit any entry at any time.
6.2 Delete Your Data
You have full control over your data:
- Delete individual vault entries from within the Application
- Clear all vault data by deleting the Application's data directory
- Permanently remove all stored data by uninstalling SVPassman and deleting the data directory
6.3 Export Your Data
You can export your vault at any time via Settings → Transfer → Export. Export formats include CSV, JSON, and an encrypted backup. You are never locked in.
7. Data Retention
Vault data remains on your device for as long as SVPassman is installed and you have not deleted individual entries or cleared app data. Uninstalling the Application and deleting the data directory permanently removes all locally stored information. We do not retain copies of your data on any external server.
8. Children's Privacy
SVPassman is not directed at children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided personal information through the Application, please contact us and we will take appropriate steps to delete that information.
9. International Data Transfers
Because all vault data is stored locally on your device, no international data transfers of your personal information occur through our systems. Any remote SSH connections or remote sync you configure are made directly from your device to the destination server — they are not routed through SwaVan's infrastructure.
10. Third-Party Services
SVPassman may optionally interact with the following third-party services:
- HaveIBeenPwned API — breach checking, opt-in only, using k-Anonymity (no full password transmitted)
- Update server — checks for new Application versions using only the current version string and OS architecture
The Application does not embed analytics SDKs, advertising SDKs, or any other third-party tracking libraries. We encourage you to review the privacy policies of any third-party services you interact with independently.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable regulations. When we do, we will update the "Last updated" date at the top of this page and publish a notice on the releases page. We will provide advance notice of significant changes. Continued use of SVPassman after changes are posted constitutes acceptance of the updated policy. We will never make changes that retroactively permit us to collect your vault data.
12. Your Consent
By downloading and using SVPassman, you consent to this Privacy Policy and the information practices described herein. If you do not agree with any part of this policy, please discontinue use of the Application.
13. Compliance & App Store Policies
This Privacy Policy is designed to comply with applicable privacy regulations including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. Given the local-first architecture of SVPassman — where we do not collect or process your personal data on external servers — many obligations under these regulations are addressed by design.
For the mobile applications:
- Apple App Store: The iOS version of SVPassman complies with Apple's App Store Review Guidelines and App Privacy requirements. We accurately disclose all data practices in the App Store privacy nutrition label.
- Google Play Store: The Android version of SVPassman complies with Google Play's Developer Program Policies, including the Data Safety requirements. We accurately disclose all data practices in the Data Safety section on the Play Store listing.
- Device permissions: SVPassman only requests permissions that are strictly necessary for the features described in this policy. Permissions are requested at the point of use, not at app launch.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or SVPassman's data practices, please contact us:
- Privacy enquiries: privacy@swavan.io
- General support: support@swavan.io
- Issue tracker: github.com/swavan/SVPassman/issues
We aim to respond to all enquiries within 30 days.
15. Additional Rights for EU Users (GDPR)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restriction of processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing of your personal data
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
Given that SVPassman does not transmit or store your vault data on external servers, most of these rights are exercised directly within the Application. To exercise any right that requires our involvement, please contact us at privacy@swavan.io.
16. Additional Rights for California Users (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — the categories and specific pieces of personal information we collect, use, and disclose
- Right to delete — request deletion of personal information we have collected
- Right to opt out of sale — we do not sell personal information; this right is not applicable
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To exercise your California privacy rights, contact us at privacy@swavan.io.
The best privacy policy is one where there is nothing to disclose. SVPassman is built so that we genuinely cannot access your data — not as a matter of policy, but as a matter of architecture.