Keygrain — Privacy Policy
Last updated: May 2026
Summary
Keygrain does not collect, store, or transmit any personal data. Your master secret never leaves your device.
What Keygrain Does
Keygrain is a deterministic password generator. It computes passwords locally using cryptographic functions (HMAC-SHA256). All computation happens on your device — in the browser extension, the mobile app, or the web generator.
Data We Do NOT Collect
- Your master secret
- Your generated passwords
- Your email addresses
- Your browsing history
- Analytics or telemetry
- Cookies or tracking identifiers
Optional Sync & Backup Service
If you choose to use the backup feature, an encrypted blob is stored on our server. The server cannot decrypt this blob — it is encrypted with a key derived from your master secret. The server stores:
- A lookup identifier (derived hash — not your email)
- A bcrypt hash of your auth password (derived — not your master secret)
- Your encrypted configuration blob (opaque to the server)
You can delete your backup at any time. Without your master secret, the backup is unrecoverable and useless.
Browser Extension Permissions
- activeTab — to read the current tab's URL for site identification and to fill password fields when you click Fill
- alarms — to schedule an auto-lock timer that clears your master secret from memory after inactivity, and to trigger periodic background sync (every 5 minutes) when sync is enabled
- contextMenus — to add a quick-access option to the right-click menu
- scripting — to inject the autofill script into the active tab
- storage — to store your encrypted site list, sync preferences, and per-domain settings locally
- tabs — to read the tab's URL during background operations (e.g., context menu clicks) when the activeTab context is unavailable
- host_permissions (keygrain.com) — to communicate with the sync server for pushing and pulling encrypted vault data
When sync is enabled, the extension makes network requests to keygrain.com to transmit and retrieve your encrypted data. All transmitted data is encrypted locally before sending — the server cannot decrypt it.
The extension also periodically fetches rules.json (site-specific password rules) and breaches.json (breach notifications) from keygrain.com. These are simple GET requests to static files — no user data, credentials, or identifiers are transmitted with these requests.
Contact
Questions? Email: contact@keygrain.com