Privacy Policy

Welcome to passwords.lu. This Privacy Policy explains what personal data we process, how we process it, and the measures we take to protect your privacy. Our service is designed with privacy-by-default in mind - the core tools generate passwords locally in your browser, and your secrets never leave your device.

Summary: We minimize data collection, use no tracking cookies, and never receive or store any generated passwords, passphrases, PINs, or API keys.

1. Privacy-First Design

Summary: All password generation happens locally in your browser; no secrets are ever sent to us.

  • Local Generation: All secrets are generated using the Web Crypto API directly in your browser.
  • No Storage: We do not store or log any generated values.
  • No Transmission: Generated passwords, passphrases, PINs, and API keys never leave your device.
  • No Accounts: You can use all tools anonymously without registration.
  • Client-Side Processing: Password strength checks and breach lookups are processed within your browser.

2. Information We Do Not Deliberately Collect

Summary: We do not intentionally collect personal data when you use the core tools.

For the core password tools, we do not intentionally collect or process:

  • passwords, passphrases, PINs, or API keys
  • personal data (unless you voluntarily provide it)
  • analytics, tracking data, or usage patterns
  • device fingerprints or browser fingerprinting data
  • advertising or marketing identifiers
  • geolocation data
  • non-essential cookies or tracking pixels

However, some limited technical data is automatically processed by our infrastructure provider (Cloudflare), as described below.

3. Information We May Process in Limited Situations

Summary: Minimal data is processed only when you voluntarily interact with us.

A. Newsletter Subscriptions (Voluntary)

If you subscribe to the newsletter:

  • we store your email address
  • we store the page from which you subscribed (if provided)
  • this data is stored in Supabase (EU region when available)
  • it is used solely to send occasional updates

Legal basis (GDPR Art. 6(1)(a)): Consent. You may unsubscribe at any time.

B. Contact Emails

If you email us, we process:

  • your email address
  • message content
  • any data you include in your message

Legal basis: Performance of a contract / responding to a request (GDPR Art. 6(1)(b)) and Legitimate interest (GDPR Art. 6(1)(f)).

C. Infrastructure Logs (Automatic)

Cloudflare Pages automatically processes:

  • IP addresses
  • user agent strings
  • request URLs
  • timestamps
  • aggregated country-level location (derived from IP)

This data is processed for security (e.g., DDoS protection), performance, debugging, and abuse prevention. Cloudflare acts as our data processor. These logs are not analyzed or stored by us outside Cloudflare's dashboards.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)).

4. Infrastructure Provider, Logging, and Cookies

Summary: Cloudflare logs IP addresses and may set strictly necessary security cookies.

Cloudflare may set strictly necessary cookies, such as:

  • __cf_bm (bot mitigation)
  • other security-related identifiers

These are not used for tracking, are essential for site performance and protection, and are under Cloudflare's privacy policy.

Cloudflare logs are automatically retained for 30-90 days depending on the service plan and are governed by Cloudflare's policies. We do not set any cookies ourselves.

5. Breach Checking (Have I Been Pwned - HIBP)

Summary: Only the first 5 characters of a SHA-1 hash are sent; the password itself never leaves your device.

Our breach checking tool uses the k-anonymity model:

  • Your password is hashed with SHA-1 locally.
  • Only the first 5 characters of the hash are sent to HIBP.
  • HIBP returns matching hash suffixes.
  • Matching occurs entirely in your browser.

SHA-1 is used only for compatibility with HIBP's database. It does not affect the security of your password generation. HIBP's privacy policy applies to their API.

6. Browser Local Storage

Summary: Preferences are stored only on your device and never sent to us.

We may store the following in localStorage or sessionStorage:

  • language preference
  • theme (light/dark)
  • generator settings
  • clipboard-clear preference (if enabled in future updates)

This data never leaves your device and can be deleted anytime via your browser's settings.

7. Third-Party Service Providers

Summary: Cloudflare, Supabase, and HIBP process data under their own policies.

We rely on:

  • Cloudflare Pages (hosting) - processes IPs and request metadata
  • Supabase (newsletter) - stores email addresses
  • Have I Been Pwned (HIBP) - receives partial password hashes

Each provider is responsible for their own data processing under their privacy policy. We do not sell or share your data with any advertising or tracking companies.

8. GDPR Compliance and Legal Basis

Summary: We operate in Luxembourg and follow GDPR principles.

We process data only when necessary and only for clear purposes.

Legal Bases Used:

  • Consent: Newsletter subscriptions
  • Performance of a service: Responding to inquiries
  • Legitimate interest: Security, fraud prevention, infrastructure logs

Your GDPR Rights

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object
  • Right to portability

Contact us at contact@passwords.lu. We respond within one month as required by GDPR.

No Automated Decision-Making: We do not perform profiling or automated decision-making.

9. Data Security

Summary: We apply industry-standard measures, but no system is perfectly secure.

Security measures include:

  • TLS encryption
  • minimal backend surface
  • Cloudflare DDoS protection
  • frequent software updates
  • no handling of generated secrets server-side

While we take security seriously, no method is 100% secure. Client-side password generation greatly reduces risk.

10. Data Retention

Summary: We keep data only as long as necessary.

  • Newsletter emails: retained until you unsubscribe
  • Contact inquiries: retained for a reasonable time
  • Cloudflare logs: retained according to Cloudflare policies (approx. 30-90 days)

Once data is no longer needed, we delete or anonymize it.

11. Children's Privacy

Summary: Not intended for children under 13.

We do not knowingly collect personal data from children under 13. If you believe a child has provided data, contact us and we will delete it.

12. International Data Transfers

Summary: We use safeguards for data processed outside the EU.

Cloudflare and Supabase may process data in the EU, US, or other regions. Transfers follow GDPR-required safeguards (e.g., SCCs or adequacy decisions).

13. Your Rights and Choices

Summary: You control your data and can stop using our tools at any time.

You may:

  • unsubscribe from newsletters
  • request deletion of your email
  • clear localStorage
  • stop using the site without restriction

You can always contact us to exercise your rights.

14. Updates to This Policy

Summary: Changes will be reflected in the date at the top.

If we update this policy, the "Last Updated" date will change. Your continued use of the site indicates acceptance.

15. Contact Us

Summary: Contact us with privacy questions or GDPR requests.

Email: contact@passwords.lu
Website: passwords.lu

We respond to GDPR-related requests within one month.