1. Overview
HexPass ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how
your information is handled in the HexPass mobile application.
2. Data Collection
HexPass is an offline-first application.
- We do NOT collect, store, or transmit any personal data to external servers.
- All your passwords, usernames, notes, and other data are stored locally on your device in an encrypted database.
- We have no access to your master password, PIN, or your stored data.
- We do NOT use analytics, tracking, or advertising services.
3. Google Drive Integration
When you use the optional Google Drive backup feature:
- We use Google's OAuth 2.0 for secure authentication
- We only access the app-specific folder (appDataFolder) in your Google Drive
- We cannot read, modify, or access any of your other Google Drive files
- Your backup data is encrypted locally before being uploaded to Google Drive
- You can revoke access at any time from your Google Account settings
Scope Used: drive.appdata - See, create and delete its own configuration data in your Google Drive
4. Permissions
The app requests the following permissions for specific functionalities:
- Internet: Used for Google Drive sync and breach detection checks
- Biometric Hardware: Used solely for verifying your identity to unlock the app locally
- Camera: Used solely for scanning QR codes to add 2FA (TOTP) accounts. No images are saved or transmitted
- Storage (Files): Used only when you explicitly choose to "Backup" or "Restore" your data locally
5. Data Security
- Your data is encrypted using AES-256 encryption
- Your Master Password/PIN is hashed and never stored in plain text
- Encryption keys are stored in Android Keystore (hardware-backed when available)
- All cloud backups are encrypted before leaving your device
6. Breach Detection
When using the password breach detection feature:
- We use the Have I Been Pwned API with k-anonymity
- Only the first 5 characters of your password's SHA-1 hash are sent
- Your actual password is never transmitted
- This feature is optional and user-initiated only
7. Third-Party Services
- Google Sign-In: For optional cloud backup authentication
- Have I Been Pwned API: For optional breach detection
8. Data Retention
- All data is stored locally on your device
- You can delete all data at any time using the "Emergency Nuke" feature
- Uninstalling the app removes all local data
- Cloud backups in Google Drive remain until you delete them manually
9. Children's Privacy
HexPass is not intended for children under 13 years of age. We do not knowingly collect personal
information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new
Privacy Policy on this page.
11. Contact Us
If you have any questions about this Privacy Policy, please contact us: