Privacy Policy
Last updated: 12 March 2026
The short version
Lockbox is a local-first, zero-knowledge tool. Your API keys are encrypted on your device using a password only you know. We cannot read your keys, and we never sell your data.
What we collect
- Account data (Pro users): Email address and payment information processed by Stripe. We never see or store full card numbers.
- Sync metadata (if enabled): Encrypted vault blobs, timestamps, and device identifiers used to sync your vault between devices. The sync server cannot decrypt your vault contents.
- Crash reports: Anonymous, opt-in error reports that include stack traces and browser/OS version. These never contain vault contents or API keys.
- Usage analytics: We do not use any third-party analytics. No cookies, no trackers, no fingerprinting.
What we never collect
- Your master password or recovery phrase
- Decrypted API keys or secrets
- Browsing history or visited URLs
- Keystrokes or form inputs outside of the Lockbox extension UI
Encryption
All vault data is encrypted using PBKDF2-derived keys with the Web Crypto API before it ever leaves your device. The encryption key is derived from your master password, which is never transmitted or stored anywhere.
Data storage
Extension: Encrypted vault is stored in chrome.storage.local, which is isolated per-extension by the browser.
CLI: Encrypted vault is stored at ~/.config/lockbox/vault.enc with file permissions restricted to the current user (mode 0600).
Dashboard sync: If you opt into cloud sync, encrypted vault blobs are stored in our database. We use Supabase with row-level security. The server never has access to your decryption key.
Third-party services
- Stripe: Payment processing for Pro subscriptions. See Stripe's privacy policy.
- Clerk: Authentication for the dashboard. See Clerk's privacy policy.
- Supabase: Database hosting for sync functionality. See Supabase's privacy policy.
Data deletion
You can delete your data at any time:
- Extension: Uninstall the extension or use Settings → Reset Vault.
- CLI: Run lockbox reset or delete ~/.config/lockbox/.
- Dashboard/Sync: Use Settings → Delete Account, or email dev@yourlockbox.dev.
Changes to this policy
We'll update this page when the policy changes. Material changes will be announced in the dashboard and extension changelog.
Contact
Questions? Email dev@yourlockbox.dev.