Privacy Policy — PassGen

Last updated: April 2026

Summary

We don't collect your data. All tools run in your browser. We don't use cookies. We don't track you.

Data Collection

PassGen does not collect, store, or transmit any personal data. Specifically:

• Passwords you generate or test are created and analyzed entirely in your browser using JavaScript and the Web Crypto API. They are never sent to any server.
• No user accounts are required or offered. There is no registration, login, or profile system.
• No cookies are set. The only data stored locally is your theme preference (light/dark mode) via localStorage.
• No analytics tracking scripts are loaded that identify or profile individual users.

Password Leak Checker Exception

Our Password Leak Checker uses the Have I Been Pwned (HIBP) API with the k-anonymity model. Here's exactly what happens:

1. Your password is hashed locally using SHA-1 in your browser.
2. Only the first 5 characters of the hash are sent to the HIBP API.
3. HIBP returns all hash suffixes matching that prefix.
4. Your browser checks if your full hash appears in the returned list — locally.

Your full password or its complete hash is never transmitted. The HIBP API cannot determine your actual password from the 5-character prefix.

Third-Party Services

PassGen is hosted on Netlify/Vercel. These hosting providers may collect standard server access logs (IP address, request URL, timestamp) as part of their infrastructure. We do not access or analyze these logs.

Local Storage

We store one item in your browser's localStorage:

• theme — Your preferred color scheme ("light" or "dark"). This is not personal data and never leaves your device.

Children's Privacy

PassGen does not knowingly collect any data from anyone, including children under 13.

Changes to This Policy

If we ever change this policy, we'll update the "Last updated" date above. Given our architecture (no data collection), changes are unlikely.

Contact

Questions about this policy? Contact us.