Privacy Policy for PassHatch
Last Updated: March 26, 2026 | Terms of Service
Overview
PassHatch is an offline-first password manager. Your privacy is our top priority. This policy explains what data we collect, how we handle it, and your rights.
Data Collection
What We DO NOT Collect
- We do not collect, transmit, or store your passwords, entries, or vault data on any server
- We do not track your usage, behavior, or activity
- We do not use analytics, telemetry, or crash reporting services
- We do not sell, share, or monetize your data in any way
- We do not have access to your master password, PIN, or biometric data
What Stays On Your Device
All of the following data is stored exclusively on your device and encrypted at rest:
- Master password (stored as a cryptographic hash, never in plaintext)
- Vault entries (passwords, usernames, URLs, notes, custom fields)
- TOTP/2FA secrets
- OAuth/API tokens
- Attachments
- PIN and biometric enrollment data
- App settings and preferences
Optional Features That Use the Internet
These features are disabled by default and require your explicit action:
- Breach Check: When you manually trigger a breach check, PassHatch sends only the first 5 characters of a SHA-1 hash of your password to the Have I Been Pwned API (k-anonymity model). Your full password is never transmitted.
- Cloud Backup: If you choose to connect Google Drive or WebDAV/Nextcloud, encrypted backup files are uploaded to your own account. PassHatch cannot read these files — they are AES-256-GCM encrypted with a password you set. We do not operate any cloud servers.
- Ads: The free version displays ads via third-party ad networks. These networks may collect device identifiers and ad interaction data per their own privacy policies. The paid version removes all ads.
Encryption
- All sensitive data is encrypted using AES-256-GCM (authenticated encryption)
- Encryption keys are derived from your master password using Argon2id (memory-hard key derivation)
- Keys are stored in the Android Keystore (hardware-backed when available)
- The database is encrypted at rest using SQLCipher
- Screenshots and screen recording are blocked via Android FLAG_SECURE
Permissions
PassHatch requests only the permissions necessary for its features:
| Permission | Purpose |
|---|---|
| Biometric | Fingerprint/face unlock |
| Internet | Breach check + cloud backup (optional) |
| Camera | QR code scanning for TOTP import |
| Location | Geo-locked entries (optional) |
Data Export and Deletion
- You can export all your data at any time as an encrypted
.passhatchfile - You can import data from other password managers (Bitwarden, LastPass, 1Password, Chrome)
- Uninstalling the app permanently deletes all data from your device
- Cloud backups remain in your own cloud storage until you delete them
Children's Privacy
PassHatch is not directed at children under 13. We do not knowingly collect data from children.
Changes to This Policy
We may update this policy from time to time. Changes will be reflected in the "Last Updated" date above.
Contact
If you have questions about this privacy policy, please contact us at:
Email: hello@latentdivergence.comPassHatch is designed so that even we cannot access your data. Your passwords are yours alone.