LEGAL · DOCUMENT 01

Privacy Policy.

Effective: April 25, 2026 Last updated: April 25, 2026 Contact: [email protected]

TL;DR

CypherKeep does not collect, transmit, or share any personal data. Everything you enter lives on your Mac and never leaves — except when you explicitly press "Test" on an API key, in which case the key is sent directly from your Mac to that provider (OpenAI, Anthropic, etc.) for validation. We see nothing.

1. Introduction

CypherKeep ("the App," "we," "us," or "our") is a macOS password and secrets manager developed by Kir Kovalski. This Privacy Policy explains what information the App does and does not collect, how it operates, and your rights as a user.

2. Information we do not collect

CypherKeep does not collect, store, process, or transmit:

Your name, email address, or any personal identifiers
Your credentials, passwords, API keys, seed phrases, or secure notes
Device identifiers (UDID, serial number, advertising ID)
Usage analytics, crash reports, or telemetry
Location data
Payment information
Any data via third-party analytics SDKs (none are included in the App)

We have no user accounts, no registration, and no backend servers.

3. Data stored locally on your device

All data you create in CypherKeep is stored exclusively on your Mac.

3.1 Vault database

Your credentials are stored in an encrypted SQLite database at:

~/Library/Application Support/com.cypherkeep.CypherKeep/cypherkeep_clean.db

All records are encrypted with AES-256-GCM (Apple CryptoKit) before being written to disk. The encryption key is derived from your master password using PBKDF2-HMAC-SHA256 (150,000 iterations) and is never persisted anywhere.

3.2 Master password

Your master password is stored in the macOS Keychain with the kSecAttrAccessibleWhenUnlockedThisDeviceOnly protection class. This means:

It is accessible only on this specific device
It is inaccessible when the device is locked
It is not included in iCloud Keychain sync or unencrypted backups

3.3 App preferences

Basic UI preferences (auto-lock timeout, clipboard clear timeout, appearance mode) are stored in NSUserDefaults / App Container. These contain no personal or sensitive information.

4. Optional network requests — API key testing

CypherKeep includes an optional API Key Testing feature. When you explicitly trigger a key validation test, the App sends a minimal authentication request directly from your device to the respective third-party API provider:

Provider	Endpoint used
OpenAI	`https://api.openai.com/v1/models`
Anthropic	`https://api.anthropic.com/v1/models`
GitHub	`https://api.github.com/user`
Stripe	`https://api.stripe.com/v1/balance`
Google Gemini	`https://generativelanguage.googleapis.com/v1beta/models`
HuggingFace	`https://huggingface.co/api/whoami-v2`
ElevenLabs	`https://api.elevenlabs.io/v1/user`

Important. These requests are made directly from your Mac to the provider — there is no CypherKeep proxy. The App transmits only the API key as an authentication header (exactly as you would when using the API yourself). No request or response is sent to us. The feature is opt-in per test. Each provider's own Privacy Policy governs what they log from such requests.

No other network connections are made by CypherKeep at any time.

5. Encrypted backups

CypherKeep allows you to export an encrypted backup of your vault (.cypherkeep file) to a location of your choice on your Mac. This file is a direct copy of the AES-256-GCM encrypted database. It cannot be read without your master password. We have no access to, and receive no copy of, any backup files you create.

6. Touch ID / biometric authentication

The App may use Touch ID (or other biometrics configured on your Mac) via Apple's LocalAuthentication framework. Biometric data never leaves Apple's Secure Enclave. CypherKeep does not access, store, or transmit any biometric data.

7. Children's privacy

CypherKeep is not directed to children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect any information from children. If you believe a child has provided information through the App, please contact us and we will take appropriate action.

8. GDPR (European Economic Area users)

Because CypherKeep collects no personal data and operates entirely locally on your device, the General Data Protection Regulation (GDPR) processing requirements do not apply to the App's operation. No personal data is processed by us as a data controller.

If you contact us by email for support, we will process your email address solely to respond to your inquiry. You may request deletion of that correspondence at any time.

9. CCPA (California residents)

CypherKeep does not sell, share, or disclose any personal information to third parties. California residents have the right to know, delete, and opt out of the sale of personal information — none of which is applicable here, as no personal information is collected.

10. Data security

All sensitive data within CypherKeep is protected by multiple layers:

Application layer: AES-256-GCM encryption via Apple CryptoKit
Database layer: Encrypted blobs stored in SQLite via GRDB — no plaintext on disk
System layer: macOS App Sandbox, Hardened Runtime

The master encryption key exists only in memory while the vault is unlocked and is cleared upon vault lock, app quit, or auto-lock timeout.

11. Third-party services

CypherKeep does not integrate any third-party analytics, advertising, crash reporting, or tracking SDKs. The App's only external dependency is GRDB.swift (MIT-licensed), an open-source SQLite library that operates entirely locally.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last Updated" date above. Continued use of the App after changes constitutes acceptance of the updated policy.

13. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact:

Kir Kovalski
Email: [email protected]

This Privacy Policy is provided in good faith and reflects the App's actual technical architecture as implemented. It does not constitute legal advice.