Privacy Policy
Last updated: May 4, 2026
1. Introduction
MeowPass ("we", "our", "us") operates the meowpass.dev website and the MeowPass CLI application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
2. Information We Collect
Account Information
When you create an account, we collect your email address, name, and a hashed version of your password. We never store your password in plaintext.
Encrypted Vault Data
Your secrets (API keys, credentials, environment variables) are encrypted on your device with AES-256-GCM before being transmitted to our servers. We store only the encrypted ciphertext. We cannot read, access, or decrypt your secrets. This is a zero-knowledge architecture.
Usage Data
We collect anonymous usage metrics including vault creation counts, API request counts, and feature usage patterns. We do not track the content of your secrets.
Payment Information
Payment processing is handled entirely by Lemon Squeezy. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive only a subscription identifier, plan type, and payment status from Lemon Squeezy.
Audit Logs
We log access events (who accessed which vault, when, and from which IP address) to provide audit trail functionality. These logs are retained for 90 days for free plans and 1 year for paid plans.
3. How We Use Your Information
- To provide, operate, and maintain the Service
- To authenticate you and manage your account
- To process payments and manage subscriptions via Lemon Squeezy
- To enforce plan limits and quotas
- To provide audit logs and access history
- To send transactional emails (account verification, password resets, billing receipts)
- To detect and prevent fraud, abuse, and security incidents
- To improve and optimize the Service
4. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with:
- Lemon Squeezy — our payment processor, which receives your email and billing information to process subscriptions
- Neon (Database provider) — hosts our PostgreSQL database containing your encrypted vault data and account information
- Amazon Web Services — hosts our API infrastructure (AWS Lambda, API Gateway)
- Law enforcement — only when required by valid legal process (subpoena, court order). Even then, we can only provide encrypted ciphertext as we cannot decrypt your secrets.
5. Data Security
We implement industry-standard security measures:
- All secrets are encrypted client-side with AES-256-GCM before transmission
- Keys are derived from master passwords using Argon2id (time=3, memory=64MB, threads=4)
- Team sharing uses X25519 key exchange for vault key re-encryption
- All network communication uses TLS 1.3
- API keys are stored as SHA-256 hashes
- Passwords are hashed with bcrypt
- Database connections use SSL/TLS
6. Data Retention
We retain your account data and encrypted vault data for as long as your account is active. When you delete your account:
- All vaults and encrypted secrets are permanently deleted within 30 days
- Audit logs are deleted within 30 days
- Account information is anonymized
- Payment records are retained as required by tax law (typically 7 years)
7. Your Rights
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — update or correct your personal information
- Deletion — request deletion of your account and all associated data
- Portability — export your vault data using the CLI ("meowpass pull")
- Restriction — request that we limit processing of your data
To exercise any of these rights, contact us at privacy@meowpass.dev.
8. Cookies
Our website uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. Children's Privacy
The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13.
10. International Data Transfers
Our servers are located in the United States (AWS us-east-1). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 30 days before the changes take effect.
12. Contact Us
If you have questions about this Privacy Policy, contact us at:
Email: privacy@meowpass.dev