Privacy policy & data handling

Your passwords never leave your browser. Generation runs entirely on your device using JavaScript and the Web Crypto API. We cannot see, store, or recover passwords you create.

Session history is kept in session storage only for your current tab session and is cleared when you close the tab.

Optional checks use the Have I Been Pwned API with k-anonymity:

• Your password is hashed with SHA-1 locally in the browser
• Only the first five characters of the hash prefix are sent to HIBP
• Your browser compares the full hash against the returned bucket locally

The plaintext password is not transmitted over the network.

We may use privacy-preserving analytics (e.g. Vercel Analytics) for aggregated traffic insight — page views; device class; coarse region. We do not use it to build individual profiles or sell data.

If configured, Google Analytics (gtag.js) loads only after you accept optional cookies on the banner, using a measurement ID supplied via site configuration — not for selling your data.

We use minimal first-party cookies for essential functionality:

• Theme preference — remembers light, dark, or system theme
• GDPR consent — stores your cookie banner choice where applicable

These are not used for cross-site advertising.

• Have I Been Pwned — optional breach lookup (k-anonymity as above)
• Hosting / CDN — delivery of the static site and edge functions

We do not load advertising or social trackers until you accept optional cookies where applicable. Core password generation does not require ad scripts.

Where GDPR and similar laws apply, you may exercise rights over personal data. Because we minimize collection, most control is in your hands:

• Clear site data in your browser to remove preferences and session history
• Use browser or extension controls to limit analytics
• Withdraw consent by clearing cookies and reloading the site

Questions about this policy: privacy@passlore.com