Fadelock — Password Generator & Vault
Effective Date: April 25, 2026 · Last Updated: April 25, 2026
Fadelock is a zero-knowledge, local-first password generator and encrypted vault application. This means that your data belongs entirely to you, is stored on your device, and is encrypted with a key that only you control. We cannot access, read, decrypt, or recover your data under any circumstances.
This Privacy Policy explains how the App operates, what minimal data is processed by third-party services embedded in the App, and your responsibilities as the sole custodian of your data. By using Fadelock, you agree to the practices described in this policy.
Fadelock does not store, collect, or have access to any of your personal information, passwords, or credentials. Everything is encrypted locally on your device. We have zero knowledge of your data.
The following table summarizes where your data lives and who can access it:
| Data | Where It Is Stored | Who Can Access It |
|---|---|---|
| Passwords and credentials | Your device only (AES-256-CBC encrypted) | Only you |
| Encryption key | Your device's secure enclave (iOS Keychain / Android Keystore) | Only you |
| Audit log | Your device only (AES-256 encrypted) | Only you |
| App preferences and settings | Your device only | Only you |
| Vault backups | Created locally, stored wherever you choose | Only you |
For Pro and Family subscribers who opt into cloud sync, your encrypted credential data (ciphertext) is transmitted to our server to enable cross-device access. The server stores only the encrypted ciphertext. We cannot decrypt it because we never possess your encryption key. If you do not enable cloud sync, no credential data ever leaves your device.
You are solely responsible for the security of your data. Fadelock provides the tools — AES-256 encryption, biometric protection, secure key storage — but the responsibility for safeguarding your encryption key, device access, and vault backups rests entirely with you.
Encryption Key. Your encryption key is generated and stored exclusively on your device's hardware-backed secure enclave. We do not store, transmit, or have any copy of this key. If you lose access to your encryption key — by resetting your device, uninstalling the App without backing up the key, or any other means — your encrypted data is permanently and irreversibly lost. We cannot recover it for you.
Device Security. The security of your vault depends on the security of your device. If your device is compromised (jailbroken, rooted, infected with malware, or accessed by an unauthorized person), your data may be at risk regardless of the App's encryption.
Vault Backups. If you export a vault backup, that file contains your encrypted credentials. You are responsible for storing backup files securely.
Shared Credentials. If you use the credential sharing feature (Family plan), you are responsible for choosing what to share and with whom. Shared credentials are encrypted with a unique per-share key and transmitted via time-limited deep links (24-hour expiry), but once a recipient saves the credential, it is under their control.
To be explicit, Fadelock itself does not collect, store, or transmit:
| Data Type | Collected by Fadelock? |
|---|---|
| Your name, email, or personal details | No |
| Your passwords or credentials (plaintext or encrypted) | No |
| Your encryption key | No |
| Your browsing history | No |
| Your contacts | No |
| Your photos, camera, or microphone data | No |
| Your precise location (GPS) | No |
| Your biometric data (Face ID / fingerprint templates) | No — processed entirely by your device OS |
While Fadelock itself collects no personal data, the App integrates third-party services that may process limited data independently. These services operate under their own privacy policies, and any data they process is handled by them — not by Fadelock.
| Service | What It Does | What Data It Processes | Privacy Policy |
|---|---|---|---|
| Google AdMob | Displays ads for free-tier users | Device advertising ID, IP address, general location | Google Privacy Policy |
| Twilio Verify | Sends SMS verification codes (if configured) | Phone number | Twilio Privacy Statement |
| Have I Been Pwned | Breach monitoring | First 5 characters of the password's SHA-1 hash only (k-anonymity) | HIBP Privacy Policy |
| Firebase Analytics | Anonymized usage analytics (if configured) | Device type, OS version, anonymized events | Firebase Privacy |
Regarding AdMob: Advertisements are displayed only to free-tier users. If you subscribe to any paid plan or purchase the "Remove Ads" option ($3.99), AdMob is fully disabled and no ad-related data processing occurs. You can also limit ad personalization through your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Privacy → Ads).
Regarding Breach Checks: When the App checks your passwords against known breaches, it uses the k-anonymity model: only the first 5 characters of each password's SHA-1 hash (the hash prefix) are sent to the HIBP API. Your actual passwords are never transmitted, and HIBP cannot determine which password you are checking.
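The range check described above, sketched as an added example (this is not Fadelock's code). It assumes the `SUFFIX:COUNT` line format of the public HIBP Pwned Passwords range API; `fetch_range`, `ConstructedRangeService` and all response rows are hypothetical, constructed stand-ins so the example runs offline and shows that only the 5-character prefix leaves the client.

```python
import hashlib

def split_hash(password):
    """Return (prefix sent to the service, suffix kept on the device)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Look up the 35-char suffix in a 'SUFFIX:COUNT' body; 0 means not found."""
    found = 0
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.isdigit():
            continue  # skip malformed lines instead of failing the whole check
        if candidate.upper() == suffix:
            found = max(found, int(count))  # a count of 0 stays "not found"
    return found

def check_password(password, fetch_range):
    """fetch_range(prefix) -> response text; hypothetical stand-in for the HTTPS call."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))

class ConstructedRangeService:
    """Constructed offline stand-in that records exactly what a client sends."""
    def __init__(self, rows):
        self.rows = rows   # {prefix: [(suffix, count), ...]}
        self.seen = []     # every value received from the client

    def fetch(self, prefix):
        self.seen.append(prefix)
        return "\r\n".join(f"{s}:{c}" for s, c in self.rows.get(prefix, []))

def demo():
    unique = "constructed-unique-passphrase-7391"  # constructed sample input
    p1, s1 = split_hash("password")
    p2, s2 = split_hash(unique)
    service = ConstructedRangeService({
        p1: [("A" * 35, 3), (s1, 42), ("not-a-valid-line", 1)],  # 42 is a constructed count
        p2: [(s2, 0), ("B" * 35, 7)],  # count 0 mimics a padding row
    })
    hit = check_password("password", service.fetch)
    miss = check_password(unique, service.fetch)
    return hit, miss, service.seen

if __name__ == "__main__":
    print(demo())
```

The suffix comparison happens on the device, so the service learns only which 5-character bucket was requested, not which entry in it matched.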
| Storage Mechanism | What It Stores | Security Level |
|---|---|---|
| SecureStore (hardware-backed) | Encryption key, authentication tokens | Highest — hardware-isolated, biometric-protected |
| AsyncStorage (app sandbox) | Encrypted credentials, encrypted audit log, preferences | Application-level — encrypted by the App before storage |
No data is stored on our servers unless you explicitly enable cloud sync (Pro/Family plans), in which case only encrypted ciphertext is transmitted and stored.
Fadelock is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). Since Fadelock does not collect personal information, there is no risk of inadvertent data collection from minors. However, parents and guardians should supervise their children's use of any application that stores sensitive data.
Since Fadelock stores all data locally on your device, you have complete and immediate control over your data at all times.
Access and Export. You can view all stored credentials in the Vault, review the Audit Log, and check the Security Dashboard at any time. Paid subscribers can export vault data as an encrypted JSON backup.
Deletion. You can delete individual credentials, clear the audit log, or uninstall the App to remove all locally stored data. If you have enabled cloud sync, contact us to request deletion of cloud-stored ciphertext.
No Data Requests Needed. Because we do not hold your personal data, there is no need to submit data access or deletion requests to us for locally stored information. You already have full control.
We may update this Privacy Policy to reflect changes in the App or legal requirements. Material changes will be communicated through an in-app notification or by updating the "Last Updated" date above. Your continued use of the App after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, please contact us at:
Email: fadelockapp@gmail.com
Website: fadelockapp.github.io/fadelock-legal