SoleKey - Privacy Policy
Last updated: 30 May 2026
This policy covers two related products:
- SoleKey for Android - the password manager app distributed via the Google Play Store.
- SoleKey for web - the read-only Chrome extension distributed via the Chrome Web Store.
Both share the same encrypted vault format and the same PIN-based encryption scheme. The Android app is where you create, edit, and delete entries; the Chrome extension only reads. Each section below notes which product it applies to.
1. The principle
SoleKey has no servers we control. We do not operate any backend that stores, processes, or proxies your passwords, your PIN, or your vault. If you forget your PIN, your data is gone forever - by design, because we have no copy and no recovery mechanism.
2. Data SoleKey handles
Your vault contents (passwords, usernames, notes, credit cards, TOTP secrets)
Android and web.
- Created and stored locally on your Android device as an encrypted SQLite database. Encrypted with AES-256 using a key derived from your PIN. Plaintext entries are never written to disk.
- If you enable Google Drive backup in the Android app, the same encrypted file is uploaded to your own Google Drive. The file is encrypted before upload; Google Drive - and we - see only ciphertext.
- The Chrome extension downloads that encrypted file from your Drive (and only that one file - see §5), decrypts it locally in browser memory using the same PIN, and displays the result while you are viewing it. Nothing is written to disk in the browser.
- Decrypted entries live only in active app memory while the app or popup is open, plus on the system clipboard if you copy a value.
Your PIN
Android and web.
- Never written to disk. Never transmitted off the device.
- Held in app memory only long enough to derive the AES key, and then in derived-key form for the unlocked session.
- Cleared on app lock, sign-out, auto-lock, or process restart.
- There is no PIN reset, recovery email, security question, or backdoor.
Biometric data (fingerprint / face unlock)
Android only.
- If you enable biometric unlock, your biometric template stays inside your device's secure hardware (Android Keystore / BiometricPrompt). SoleKey never sees, copies, transmits, or stores it.
- What SoleKey stores in Keystore is a hardware-bound key that wraps the encryption key the same way your PIN does. Removing or changing your enrolled biometric on the device invalidates this key, and you fall back to PIN entry.
OAuth tokens (Google Drive)
Android and web.
- Managed by the OS-provided OAuth client (Android AccountManager / Chrome chrome.identity API). The refresh token never enters SoleKey's process; only short-lived access tokens cross the API boundary, and only long enough to make a Drive request.
- You can revoke at any time at myaccount.google.com/permissions.
Device and usage information (analytics)
Android and web.
Both the Android app and the Chrome extension use Mixpanel to collect anonymous product-usage analytics. The events tell us things like "a user reached the PIN setup screen" or "a backup completed successfully" so we can find broken flows and prioritize improvements. Both clients send to the same Mixpanel project; a platform property on every event distinguishes android from extension. Specifically, Mixpanel receives:
- An anonymous identifier (distinct_id) - on Android, generated locally by the Mixpanel SDK; in the Chrome extension, a UUID we generate locally on first launch and store only in chrome.storage.local. It is not linked to your Google account, your email, or your name.
- Coarse device information: on Android, manufacturer, model, OS version, screen size, carrier, language, time zone. In the extension, only the extension version and that the browser is Chrome. Mixpanel may derive an approximate location (country / region / city) from the request IP unless we suppress it; we send the ip=0 flag from the extension to disable that.
- Event names - e.g. ENTER_PIN_SUCCESS, VAULT_OPENED, COPY_TO_CLIP_BOARD_CLICKED (with a label like "Username" or "TOTP" - never the value), SECRET_OPENED (with the type - login vs card - and whether it has a TOTP, never the name).
What Mixpanel never receives:
- Your PIN or anything derived from it.
- Any vault contents - names of stored secrets, usernames, passwords, notes, card numbers, TOTP secrets, or hashes thereof.
- Your Google account email, Google account ID, or any contact information.
- Precise location.
You can opt out at any time: in the Android app via Settings → Privacy, in the Chrome extension via the "Anonymous usage analytics: on · Turn off" link at the bottom of the sign-in screen. The opt-out persists on the device and applies to all future events until you toggle it back on.
Mixpanel's own privacy policy: mixpanel.com/legal/privacy-policy/.
Password-breach checks
Android only.
The "Check Breaches" and "Password Health" features use the Have I Been Pwned (HIBP) Pwned Passwords API with the k-anonymity protocol:
- SoleKey computes a SHA-1 hash of each password locally on your device.
- It sends only the first 5 hexadecimal characters of that hash to api.pwnedpasswords.com.
- HIBP responds with a list of all hash suffixes (~500 candidates) sharing that 5-character prefix.
- SoleKey checks locally whether any returned suffix completes one of your hashes.
This means HIBP cannot determine which of your passwords (if any) it just checked, and your passwords never leave the device in plaintext or as a complete hash. This is the same technique used by major browsers' password-leak checks.
HIBP's privacy policy: haveibeenpwned.com/Privacy.
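The k-anonymity lookup described above, as an added example (not SoleKey's code): the function names and the in-process stand-in for api.pwnedpasswords.com are assumptions, and the sample response is constructed so the check runs offline. It also records which strings reach the service, showing that only 5-character prefixes are sent.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Malformed lines are skipped, and so are zero-count entries, which the
    service may add as padding and which do not represent a breached password.
    """
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdecimal():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Return the breach count for a password (0 means no match).

    fetch_range(prefix) is the only call that crosses the network boundary,
    and it is handed the 5-character prefix, never the password or full hash.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_fake_service(breached, seen_prefixes):
    """Constructed offline stand-in for the range endpoint (assumption)."""
    def fetch_range(prefix):
        seen_prefixes.append(prefix)  # record exactly what left the "device"
        lines = ["F" * 35 + ":12", "0" * 35 + ":0"]  # unrelated hit + padding
        for pw, n in breached.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        return "\r\n".join(lines)
    return fetch_range

if __name__ == "__main__":
    seen = []
    service = make_fake_service({"password": 42}, seen)  # constructed sample data
    for candidate in ("password", "kX9#constructed-unbreached-example"):
        print(candidate, "->", breach_count(candidate, service))
    print("prefixes sent:", seen)
```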
Camera (QR code scanning)
Android only.
The Android app uses the camera to scan TOTP QR codes when you add a one-time-password secret. Camera frames are processed locally on your device by Android's BarcodeScanner APIs and discarded immediately; nothing is recorded, transmitted, or saved to your gallery.
In-app purchases (Plus subscription)
Android only.
If you purchase a subscription, the transaction is handled entirely by the Google Play Billing Library. SoleKey does not see your payment method, billing address, or full transaction details. Google sends SoleKey a purchase token that we verify locally to determine your entitlement. Subscription status is stored locally on your device.
Google Play's privacy notice for billing: play.google.com/about/play-terms/.
Clipboard
Android and web.
When you tap "copy" on a password or TOTP code, SoleKey writes it to your system clipboard. We cannot control what happens to it after that - other apps with clipboard access, clipboard-sync features (Windows Cloud Clipboard, Apple Universal Clipboard, etc.), or anyone with physical access to your device may read it. SoleKey attempts to clear copied values after a short timer when feasible, but cannot guarantee removal once the value has been pasted, synced, or cached elsewhere.
Autofill
Android only.
If you enable SoleKey as your Android Autofill service, the OS asks SoleKey for credentials when you focus a username/password field in another app or website. SoleKey decrypts the relevant entry on-device and offers it to the requesting field. No autofill data is sent to any server, and SoleKey does not log which apps requested autofill.
3. Where data goes
The complete list of network destinations and what they receive:
| Destination | Product | What is sent | Why |
|---|---|---|---|
| www.googleapis.com (Google Drive API) | Android & web | Encrypted vault bytes (upload/download), file metadata, OAuth access token | Sync the encrypted backup to/from your own Drive |
| oauth2.googleapis.com | Android & web | OAuth access token to be revoked (only when you choose "sign in with different account") | Invalidate the previous account's grant |
| api.pwnedpasswords.com | Android only | First 5 hex characters of each password's SHA-1 hash | Breach checking via k-anonymity |
| api.mixpanel.com | Android & web | Anonymous event + device data described in §2 above. Web events are sent with ip=0 to disable server-side IP geolocation. | Product analytics |
| play.google.com / android.com | Android only | Play Billing transactions (handled by Google's library, not by SoleKey directly) | Plus subscription purchases |
| reflections-dreams.github.io | Web only | No vault data. The hosted Google Picker page receives only the OAuth token (passed via Chrome's internal extension messaging, not over the public network) so the user can select their backup file. | First-time setup of the Chrome extension |
| apis.google.com | Web only | Standard Google Picker JS library load + Picker session traffic. The session uses your own OAuth token to show your own Drive contents. | Render Google Picker on the setup page |
4. What SoleKey does NOT do
- Does not have a backend operated by the developer. No accounts, no servers, no proxies, no logs.
- Does not transmit your PIN, your decrypted vault, your decrypted secrets, or any cryptographic key off your device.
- Does not sell or share any data with advertisers, data brokers, or marketing partners.
- Does not display ads.
- Does not track web browsing, monitor app usage on your device, or read other apps' data.
- Does not collect biometric data, contacts, call logs, SMS, calendar, photos, files, or precise location.
- The Chrome extension does not embed error reporting, crash reporting, or any third-party scripts beyond the Mixpanel events described above. No remote-loaded code; the analytics call is a single fetch() to api.mixpanel.com from extension code.
5. Specific permissions explained
Android permissions
| Permission | Why |
|---|---|
| INTERNET | Drive backup, HIBP breach check, Mixpanel analytics, Play Billing. |
| ACCESS_NETWORK_STATE | Allows Mixpanel to batch events when offline and send them when connectivity returns. |
| USE_BIOMETRIC | Optional biometric unlock instead of PIN entry, using Android's BiometricPrompt API. |
| CAMERA | QR-code scanning when adding a TOTP secret. Optional; if the camera permission is declined, the QR option is simply hidden. |
| com.android.vending.BILLING | Required by Google Play Billing for the optional Plus subscription. |
| WRITE_EXTERNAL_STORAGE (Android 9 and below only) | Allows the "Export Secrets" feature to save an encrypted export file to the device's shared storage on legacy Android versions. On Android 10+ scoped storage is used and this permission is not requested. |
Chrome extension permissions
| Permission | Why |
|---|---|
| identity | Call chrome.identity.launchWebAuthFlow to obtain a Google Drive OAuth token. (We use launchWebAuthFlow against a Web-application OAuth client, not getAuthToken, so account choice is independent of the Chrome profile's primary account.) |
| storage | Persist the user-selected Drive file ID, the analytics opt-out flag, and the locally generated analytics distinct_id in chrome.storage.local. No vault contents are stored. |
| alarms | Schedule the auto-lock timer that wipes the decryption key after inactivity. |
| host_permissions: https://www.googleapis.com/drive/v3/* | Authenticated REST calls to Google Drive v3 to download the encrypted backup and read its metadata. |
| host_permissions: https://oauth2.googleapis.com/* | Revoke the OAuth token on sign-out / account switch. |
| host_permissions: https://api.mixpanel.com/* | Send anonymous usage events when analytics is enabled (default-on, opt-out from the sign-in screen). |
| externally_connectable: https://reflections-dreams.github.io/* | Allow the hosted file-picker page to send the chosen file ID back to the extension over Chrome's internal extension messaging. Cannot be used to exfiltrate any other data. |
| OAuth scope drive.file | Read access to the single backup file the user picks via Google Picker. Does not grant access to any other file in the user's Drive. |
6. Data retention
- On your device: the encrypted vault persists until you uninstall the Android app or explicitly delete the file. The Chrome extension keeps only the picked Drive file ID locally; uninstalling the extension or clicking "Sign out" removes it.
- On your Google Drive: the encrypted backup persists until you delete it from your own Drive. SoleKey has no access to delete it on your behalf beyond the file you selected (web) or the file the app uploaded (Android).
- Mixpanel: events are retained per Mixpanel's standard retention (presently five years for free-tier projects). The data does not include any direct identifier; deletion requests for a specific device identifier can be made via the contact below.
- HIBP, Google Drive, Play Billing: retention is governed by those providers' own policies, linked above.
7. Your rights and choices
- Disable Drive backup at any time in the Android app's "Backup & Sync" settings. Existing backups stay in your Drive until you delete them from drive.google.com.
- Revoke Google access for either product at myaccount.google.com/permissions. The next time you sign in, you will be re-prompted for consent.
- Opt out of analytics: the Android app provides a toggle in Settings → Privacy, and the Chrome extension provides a toggle at the bottom of the sign-in screen ("Anonymous usage analytics: on · Turn off"). Existing events sent prior to the toggle cannot be retroactively withdrawn except by request to the address below.
- Delete everything: uninstalling the Android app removes the local vault and analytics identifier. Uninstalling the Chrome extension removes the stored file ID. Deleting the encrypted backup from your Drive removes the cloud copy.
- GDPR / CCPA data requests: because SoleKey does not link Mixpanel events to a real-world identity, we typically cannot identify "your" data without you providing your Mixpanel distinct_id (visible in the Android app's About → Diagnostics screen). Once provided, we can request Mixpanel to delete events associated with that ID.
8. Children
SoleKey is not designed for, marketed to, or intended for use by children under 13. We do not knowingly collect data from children.
9. Changes to this policy
If we change this policy in a way that meaningfully affects what data we collect or how we use it, we will update the "Last updated" date at the top and announce the change in the next app or extension release. Continued use after the change constitutes acceptance.
10. Contact
Open an issue on the project's GitHub repository, or email reflections.dreams.memories@gmail.com.
The fastest channel for security reports (please disclose responsibly) is the same email with subject line beginning [SECURITY].
SoleKey is an independent project. Google, Mixpanel, and Have I Been Pwned are mentioned only as third-party services whose APIs SoleKey uses; they are trademarks of their respective owners.