LegendPass ("we", "our", "us") is a password manager and secure vault application available on Android and iOS. This Privacy Policy explains what data we collect, why we collect it, how it is stored and protected, and your rights regarding your data.
By using LegendPass you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.
Core principle: Your vault data is end-to-end encrypted on your device before it ever leaves your hands. We cannot read your passwords, notes, or any vault content.
1. Data We Collect
1.1 Vault Data (encrypted)
All items you store in LegendPass — passwords, usernames, URLs, secure notes, and any custom fields — are classified as Vault Data. This data is encrypted with AES-256 on your device before being transmitted to our cloud backend. We never have access to the plaintext of your Vault Data.
1.2 Account & Administrative Data
To create and manage your account we collect:
- Display name and email address (from your Google account, via Google Sign-In)
- Google account UID (used as an identifier in our database)
- Timestamp of account creation and last sync
1.3 Device & Technical Data
When you use the app we may automatically collect:
- Device model and operating system version
- App version and language/locale settings
- Crash reports and anonymous error logs (no vault content is ever included)
1.4 Biometric Data (Including Face and Palm Data)
LegendPass supports biometric authentication (including fingerprint, Face ID / Face Data, and Palm Data). To explicitly address the handling of this sensitive information:
- What data is collected: Biometric templates or features derived from your face or palm.
- How it is used: This data is used solely for local identification to authenticate you and securely unlock the app.
- Data Sharing & Storage: Face and palm data are processed and stored entirely and exclusively on your local device using the platform's secure enclave or local ML models. This data never leaves your device, is never uploaded to our servers, and is never shared with any third parties.
- Data Retention: Biometric data is retained only locally on your device for as long as the app is installed. It is removed if you uninstall the app or delete your biometric profile from your device's system settings.
2. How We Use Your Data
| Data | Purpose |
|---|---|
| Email & Google UID | Authenticate your account; associate your encrypted vault with your identity |
| Vault Data (encrypted) | Store and sync your passwords across devices; you hold the only decryption key |
| Device/OS info | Debug crashes; ensure compatibility with new OS versions |
| Biometric templates (Face, Palm, Fingerprint) | Unlock the app locally for authentication; never leaves the device |
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.
3. How We Store & Protect Your Data
End-to-end encryption
Vault Data is encrypted with AES-256-CBC combined with HMAC-SHA-256 (Encrypt-then-MAC) before leaving your device. The encryption key is derived from your Google account UID and a per-installation salt; it never leaves your device.
Local storage
A local SQLite database (protected by biometric lock) stores your vault for offline access. This database is located in the app's private sandbox and is not accessible to other apps.
Cloud storage
Encrypted vault items are synced to Google Firestore with persistent caching enabled. Only ciphertext is stored; Firestore operators cannot read your vault content. Data is transmitted over TLS.
Authentication
User authentication is handled by Google Firebase Authentication using Google Sign-In (OAuth 2.0). We do not store your Google password.
Important: If you lose access to your Google account, we cannot recover your vault data because we do not hold your encryption key.
4. Data Sharing & Third Parties
We share minimal data with trusted service providers solely to operate LegendPass:
Each provider has its own privacy policy. We encourage you to review:
We may disclose data if required by law, court order, or to protect the rights and safety of our users.
5. Data Retention
We retain your account and encrypted vault data for as long as your account is active. You may delete your account at any time from within the app's Settings screen. Upon deletion:
- Your Firestore data is permanently erased within 30 days.
- Local app data (including any locally processed Face/Palm biometric templates) is removed when you uninstall the app.
- Firebase Auth records are deleted immediately upon account deletion request.
6. Your Rights
Depending on your location you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate personal data.
- Deletion: Request deletion of your account and all associated data.
- Portability: Export your vault data at any time via the in-app export feature.
- Objection / Restriction: Object to or restrict certain processing activities.
To exercise any right, contact us at the email below. We will respond within 30 days.
7. Children's Privacy
LegendPass is not directed at children under 13 years of age (or 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. International Data Transfers
LegendPass is operated from Vietnam. By using the app, users outside Vietnam agree to the transfer and processing of their data in accordance with this policy. Cloud data may be stored in Google's data centers located in multiple regions. All transfers use industry-standard encryption (TLS) and comply with applicable data protection laws.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the page and, for material changes, notify you via an in-app notice or email. Continued use of LegendPass after changes become effective constitutes acceptance of the revised policy.
10. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: