Privacy Policy

Last updated: March 2026

What Lockbox stores on your device

All your vault data (passwords, secrets, notes, files, auth codes) is encrypted with AES-256-GCM using a key derived from your master password via Argon2id. The encrypted database is stored locally on your device using SQLCipher.

Your master password is never stored anywhere. Not on your device, not on any server, not in any log.

What Lockbox sends to our server

Almost nothing. The only network communication happens when you use the Whisper feature to share a secret:

• The encrypted ciphertext is uploaded to our relay server
• The decryption key is in the URL fragment and is never sent to our server (per RFC 3986)
• We cannot read your shared secrets
• Whispers are automatically deleted after first view or expiry

What we do NOT collect

• No analytics or telemetry
• No usage tracking
• No crash reports containing personal data
• No advertising identifiers
• No location data
• No contacts or call logs
• No browsing history

Cloud sync (optional)

If you enable cloud sync, your data is encrypted before leaving your device. The encrypted blobs are stored in your own iCloud or Google Drive account. We never see or process your synced data.

Third-party services

Lockbox does not integrate with any third-party analytics, advertising, or tracking services. The only external service is the Whisper relay, which is operated by us on our own infrastructure.

Data deletion

Uninstall the app and all local data is gone. If you used cloud sync, delete the Lockbox folder from your iCloud or Google Drive. If you used the Dead Man's Switch, the app automatically deletes all data after your configured inactivity period.

Open source

Our encryption module is open source. You can inspect exactly how your data is encrypted, what keys are derived, and verify that no data leaks occur.

Contact

Questions about privacy? Email privacy@lockboxnow.app