Privacy Policy
TOTPBOX is built on a local-first, zero-knowledge architecture. We collect the absolute minimum to operate. This document explains exactly what, why, and how.
Last updated: March 14, 2026
TL;DR — Your authentication secrets (TOTP seeds, recovery codes, Passkey handles) are encrypted on your device before they ever touch our servers. We cannot read them. Ever.
1. Information We Collect
1.1 Account Information
When you sign up for a TOTPBOX Pro or Team plan, we collect:
- Email address (for account identification and transactional emails)
- Payment information processed by our payment provider (Stripe) — we do not store raw card data
- Plan type and subscription status
The free plan does not require an account. If you use only the local vault, we collect nothing.
1.2 Encrypted Vault Data (Pro / Team)
When cloud sync is enabled, your encrypted vault blob is transmitted to and stored on our servers. The blob is encrypted on your device with AES-256-GCM under your master key before it is uploaded, so the ciphertext is also integrity-protected against tampering. We hold ciphertext only — without your master key, which never leaves your device, the plaintext contents cannot be recovered by us.
1.3 Usage and Diagnostic Data
We collect minimal, anonymised analytics to improve the product:
- Feature interaction events (e.g., "TOTP code copied") — no account association
- Crash reports with device OS version and extension version
- Extension install and uninstall events (aggregated, not per-user)
You can opt out of analytics at any time in Settings → Privacy.
2. How We Use Your Information
We use the information we collect solely to:
- Provide and maintain the TOTPBOX service
- Process payments and send receipts
- Sync your encrypted vault across your signed-in devices (Pro/Team only)
- Send critical security notifications and service announcements
- Detect and prevent abuse or unauthorised access
- Improve product quality via anonymised analytics
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising.
3. Local-First Architecture
The core TOTPBOX principle is that sensitive authentication data lives on your device, not our servers. This means:
- Your master key / passphrase is never transmitted to or stored on our systems
- TOTP seeds and recovery codes are encrypted client-side before sync
- Passkey credentials are bound to your OS hardware enclave and are never transmitted
- A breach of our servers would expose only ciphertext and account metadata, not usable authentication credentials
4. Data Sharing and Third Parties
We share data with a limited set of service providers who help us operate:
- Stripe — payment processing (subject to Stripe's privacy policy)
- AWS / Cloudflare — encrypted vault storage and CDN
- Sentry — anonymised error reporting
- PostHog — anonymised product analytics (self-hosted)
All third-party providers are contractually bound to process your data only as directed by us and in compliance with applicable data protection law.
5. Data Retention
We keep your data for as long as your account is active. Upon account deletion:
- Account information is purged from active databases within 30 days
- Encrypted vault data is deleted immediately on request
- Anonymised analytics data is retained indefinitely (no personal identifiers)
- Billing records may be retained for up to 7 years for legal compliance
6. Your Rights
Depending on your jurisdiction, you have rights including:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your account and associated data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to certain types of processing (e.g., analytics)
To exercise these rights, contact us at privacy@totpbox.com. We respond within 30 days.
7. Security
We implement industry-standard security measures including TLS 1.3 in transit, AES-256 encryption at rest, regular penetration testing, and strict access controls. However, no system is immune to all risks. We encourage you to use a strong, unique master key and enable your device's biometric lock.
8. Children's Privacy
TOTPBOX is not intended for use by individuals under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy occasionally. We will notify you of material changes via email or an in-app notice before they take effect. The "Last Updated" date at the top of this page always reflects the most recent revision.
10. Contact
For any privacy questions or requests, reach us at: privacy@totpbox.com