Last updated: February 24, 2026

1. Introduction

PassAgent (“we”, “our”, “the service”) is an AI-powered password manager that helps you store, reset, and rotate passwords. This policy explains what data we collect, how we use it, and how we protect it.

2. Data we collect

  • Account data: email, account identifiers, and authentication information (e.g., session tokens).
  • Vault data: passwords, usernames, URLs, and notes. These are encrypted before storage (see Security). We do not have access to your master password or the keys that decrypt your vault.
  • Integration tokens: if you connect Gmail or other providers, we store OAuth tokens needed to perform actions you authorize. We use the minimum scopes required.
  • Usage and audit data: logs of API calls, feature use, and security-related events for security, debugging, and compliance. These do not include your actual passwords or vault contents.

3. How we use your data

  • Service operation: storing and retrieving your encrypted vault, running password resets, and showing your security dashboard.
  • Password reset automation: when you start a reset, our systems may access third-party websites on your behalf. We do this only when you explicitly request a reset and only for the sites and steps required.
  • Gmail and third-party integrations: if you connect Gmail, we use it only to read emails needed for password reset flows. We do not send email on your behalf or use your mailbox for any other purpose.
  • Breach monitoring: we send only the minimal data required (e.g., hashed password prefix via k-anonymity) to breach checking services. We do not share your plaintext passwords.
  • Product improvement: we may use aggregated, non-identifying usage data to improve reliability and features. We do not use your vault contents for marketing or advertising.

4. Data retention

  • Vault and account data: retained until you delete your account or the specific data.
  • Automation evidence: screenshots, traces, and similar evidence from reset runs are retained for a limited period (default: 30 days) for debugging and support, then removed.
  • Audit logs: retained for at least 365 days for security and compliance, unless a shorter period is required by law.
  • Deletion: you can request account deletion at any time. We use a soft-delete period (7 days) before permanent deletion.

5. Security

We use encryption in transit (TLS) and at rest. Vault data is encrypted with zero-knowledge and envelope encryption so we never have access to your plaintext secrets. For more detail, see Security.

6. Sharing and disclosure

We do not sell your personal data. We may share data only: (1) with your consent; (2) with service providers who process data on our behalf under strict agreements; (3) when required by law or to protect rights and safety; or (4) in connection with a merger or sale of assets.

7. Your rights

Depending on your location, you may have the right to access, correct, delete, or port your data, or to object to or restrict certain processing.

8. Changes

We may update this policy from time to time. We will post the updated version and, for material changes, provide notice as required by law.

9. Contact

For privacy questions or requests, contact us at privacy@passagent.ai.