Short version: We do not collect, store, or transmit your passwords, keys, or vault data. The only data that leaves your device is an anonymised 5-character hash fragment used for breach checking — and that is sent directly to a third-party service (HaveIBeenPwned), not to us.
1. Who we are
True Entropy is operated by Sovereign Quantum Systems (sole trader, United Kingdom). Contact: ropeaccessandrigging@gmail.com
2. What data we collect — and what we don't
We do not collect:
- Your passwords, generated keys, or any values you generate in the app
- Your vault contents or master password (encrypted vault stays in your browser's localStorage — on your device only)
- Any personal identifiers when you use the free app
If you subscribe (Quantum or Developer plan), we collect via Stripe:
- Your email address (for receipts and support)
- Payment method details (processed and stored entirely by Stripe — we never see your card number)
- Subscription status and API key usage counts (to enforce plan limits)
Automatically collected when you use the web app:
- Your IP address appears in our server logs (standard HTTP access logs) — retained for up to 30 days for security and abuse prevention
- We apply rate limiting (60 requests per minute per IP) — no persistent tracking
- No cookies, no analytics, no tracking pixels, no fingerprinting
3. Breach check — HaveIBeenPwned (HIBP)
When you use the breach check feature, the app computes a SHA-1 hash of the password you enter, then sends only the first 5 characters of that hash to the HaveIBeenPwned API (k-anonymity model). Your actual password, and all but 5 characters of the hash, never leave your device. We do not receive this request — it goes directly from your browser to HIBP's servers. See HIBP's privacy policy.
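The k-anonymity lookup described in section 3, as an added example (not True Entropy's own code): it shows which part of the SHA-1 hash is sent and how the match is made locally against the returned list. The function names and the sample response are constructed for illustration, and the range endpoint URL is HIBP's public Pwned Passwords endpoint, assumed here to be the one the app calls.

```python
import hashlib

# Assumption: HIBP's public Pwned Passwords range endpoint.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

def split_sha1(password):
    """Return (prefix, suffix): the 5 hex chars that are sent and the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(prefix):
    """The only password-derived value in the outbound request is the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_ENDPOINT + prefix

def breach_count(suffix, range_body):
    """Match our suffix locally against 'SUFFIX:COUNT' lines; 0 means not listed."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)  # zero-count padding entries also read as "not listed"
    return 0

def constructed_response(listed_suffix):
    """Constructed sample body (not real service data) in the range response format."""
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # constructed unrelated entry
        listed_suffix + ":1234",                    # constructed hit, made-up count
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",   # constructed zero-count entry
    ])

if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    body = constructed_response(suffix)
    print("sent to service:", range_url(prefix))
    print("kept on device :", suffix)
    print("times seen     :", breach_count(suffix, body))
```

Every password whose SHA-1 hash starts with the same 5 characters produces the same request, so the service cannot tell which entry in the returned list, if any, was the one being checked.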
4. Entropy pool and API
Entropy requests (the random data your app fetches) are proxied through our server to the quantum entropy source. The proxy strips all identifying information before forwarding. We log:
- Request count per API key (for billing/quota — subscriber accounts only)
- No content of entropy responses is logged
5. Your vault
The encrypted vault is stored entirely in your browser's localStorage. It is encrypted with AES-256-GCM, using a key derived from your master password via PBKDF2 (150,000 iterations, SHA-256). We have no copy of your master password and no ability to decrypt your vault. If you clear your browser data, your vault is deleted. Back it up yourself if it matters.
6. Payment processing (Stripe)
All payments are processed by Stripe, Inc. We use Stripe Payment Links and the Stripe Customer Portal. Stripe is PCI-DSS Level 1 certified. We receive a subscription status signal from Stripe — we do not receive or store your full card details. Stripe's privacy policy: stripe.com/gb/privacy
7. Third-party services used
- Stripe — payment processing (subscriber accounts only)
- HaveIBeenPwned — breach check API (optional, initiated by you, k-anonymity only)
- Tailscale — network tunnelling for public access (your IP is visible to Tailscale's relay servers while routing through them)
No Google Analytics, no Meta pixels, no advertising networks, no CDN that tracks users.
8. Your rights (UK GDPR)
You have the right to access, correct, or delete personal data we hold about you. For subscribers, email us at ropeaccessandrigging@gmail.com and we will respond within 30 days. For free-tier users, we hold no personal data beyond server logs which auto-expire.
9. Data retention
- Server access logs: 30 days, then deleted
- Subscriber records: retained while subscription is active, then 90 days after cancellation (for dispute resolution), then deleted
- Vault data: on your device only — we have no copy
10. Changes to this policy
We will update the "last updated" date if this policy changes materially. Subscribers will be notified by email. Continued use of the service after changes constitutes acceptance.
11. Contact
Questions about privacy: ropeaccessandrigging@gmail.com
Response time: within 5 working days.