Privacy Policy
Last Updated: May 2026 (rev. 4)
1. Data Collection
KeyArmor does not collect, transmit or share any personal data to external servers. All information you enter in the app stays exclusively on your device, unless you explicitly enable Google Drive synchronization.
KeyArmor does not collect your email address or any account credentials. The only personal identifier is an optional name or nickname you may set during setup, which is stored exclusively on your device in encrypted form.
2. Local Storage
All your data (passwords, notes, credit cards, bank accounts, crypto wallets, attachments and password history) is stored encrypted using AES-256-GCM with keys managed by your device's Android Keystore. No data leaves your device without your explicit consent.
3. Master Password
Your master password is never stored in plain text or in any recoverable form. It is used solely to derive the vault encryption key via PBKDF2. If you lose your master password, your data cannot be recovered.
4. Biometrics
Fingerprint unlocking is managed entirely by the Android operating system via the BiometricPrompt API. KeyArmor does not access, store or process biometric data at any time.
5. Google Drive Synchronization
Google Drive sync is entirely optional. When enabled, KeyArmor:
- Requests access to your Google account solely to create and manage a backup file in your own Google Drive.
- Encrypts the vault with an additional backup password you choose before uploading. Google cannot read the file contents.
- Never accesses any other Drive files or Google information beyond the minimum required for authentication.
On-demand sync (triggered manually) is available on all plans. Automatic daily sync is available on Premium. Automatic sync on every app open and master password change is available on the Lifetime plan.
You can disconnect your Google account at any time from the sync screen.
6. Attachments
The attachments feature lets you associate files (up to 5 per entry, max 5 MB each) with your vault entries. All attachments are encrypted with AES-256-GCM before being saved to the device's internal storage. Attachments are never automatically synced to any external service.
7. Password History
KeyArmor keeps a local history of previous passwords for each entry. This history is stored encrypted on the device and is never transmitted to any external server.
8. In-App Notifications
KeyArmor generates internal notifications to alert you about important security events:
- Expiry warnings: sent when one or more passwords are approaching their expiry date.
- Expired passwords: sent when one or more passwords have already passed their expiry date.
- Breach alerts: sent when your passwords are detected in known data breaches.
All notifications are stored locally on your device and are never transmitted to external servers. Notifications are automatically deleted after 30 days. You can delete any notification by swiping it sideways, or clear all at once from the Notifications screen. Push notifications require system permission to be sent.
9. Security Audit
The security audit feature analyzes your passwords locally on the device. Common password checking is done by comparing against a predefined list stored within the app itself, with no queries to external services.
10. Breach Monitoring (HIBP)
KeyArmor can check whether your passwords have appeared in known data breaches using the Have I Been Pwned (HIBP) service, operated by security researcher Troy Hunt.
This check uses a k-anonymity model: only the first 5 characters of a SHA-1 hash of your password are sent to the HIBP API. The full hash is never transmitted. Matching is performed locally on your device. No usernames, email addresses or account associations are ever sent. HIBP responses are padded with decoy hashes so that even network traffic analysis reveals nothing about the password being checked.
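The range check described in this section, as an added example (this is not KeyArmor's code). The network call is replaced by a hypothetical `fetch_range` callable, and the response body and breach counts are constructed; it assumes padding entries carry a count of 0, as in HIBP's padded responses.

```python
from __future__ import annotations
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping malformed lines and padding (count 0)."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            found[suffix.upper()] = int(count)
    return found

def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears; fetch_range sees only the prefix."""
    prefix, suffix = split_hash(password)
    # The suffix comparison happens here, on the client, never on the server.
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_constructed_fetch(sent_log: list):
    """Offline stand-in for the range endpoint (hypothetical helper, constructed data)."""
    known_prefix, known_suffix = split_hash("password")
    padding = ["0" * 35 + ":0", "A" * 34 + "B:0"]  # decoy entries, count 0
    def fetch(prefix: str) -> str:
        sent_log.append(prefix)  # record exactly what would leave the device
        lines = list(padding)
        if prefix == known_prefix:
            lines += [known_suffix + ":42", "F" * 35 + ":3"]  # constructed counts
        return "\r\n".join(lines)
    return fetch

if __name__ == "__main__":
    sent = []
    fetch = make_constructed_fetch(sent)
    print(breach_count("password", fetch), sent)
```
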
11. Autofill Service
KeyArmor includes an optional Android Autofill service. When enabled in system settings, it reads the app package name or website URL of the currently active login screen in order to suggest matching credentials from your vault. This matching is performed entirely on-device. No app names, website URLs or credentials are transmitted to any external server. The autofill service does not read the content of other apps beyond what is strictly necessary to identify the login context.
12. Crypto Wallet Live Balance
When you store a crypto wallet entry and enable live balance monitoring, KeyArmor queries public blockchain nodes or APIs to retrieve the balance associated with the wallet address you entered. Only the wallet address is transmitted — no private keys, seed phrases or personal data are sent. These queries go directly to public infrastructure; KeyArmor does not operate any intermediate server.
13. Peer-to-Peer Entry Sharing
KeyArmor allows you to share individual vault entries directly with other KeyArmor users via QR code or encrypted text. This transfer is end-to-end encrypted and peer-to-peer — no server or intermediary is involved. You are solely responsible for choosing who you share entries with and for the security of the channel used to transmit the encrypted text (if not using QR directly).
14. Third-Party Libraries
KeyArmor uses open-source libraries (see Open Source Notice). None of these libraries include telemetry, analytics or data collection mechanisms in the configuration used by this app.
15. Permissions
KeyArmor requests only the permissions necessary for its operation:
- Biometrics (optional): for fingerprint unlock.
- Internet (optional): exclusively for Google Drive sync and live crypto balance queries when you enable them.
- File access (optional): for vault import/export and adding attachments, only when you initiate it.
- Camera (optional): to scan QR codes when setting up two-factor authentication (2FA/TOTP) or when receiving shared entries. Activated only upon explicit user request.
- Autofill service (optional): enabled manually in Android system settings. Used solely to suggest credentials in login screens of other apps.
KeyArmor does not request access to contacts, location, microphone or any other personal data not mentioned above.
16. Contact
For any questions related to this policy, you can write to support@thormakk.dev