Zecuri Privacy Policy

Effective date: 2026-05-01 | Last updated: 2026-05-01

Who we are

Zecuri is a password manager built and operated by Linespotting AB, a Swedish limited liability company.

• Company name: Linespotting AB
• Registered address: Stockholm, Sweden
• Organisationsnummer: 559350-0755
• Data controller (GDPR Art. 4(7)): Linespotting AB
• Contact email: [email protected]

Our promise

Zecuri is a zero-knowledge password manager. The information you store in your vault — site passwords, usernames, URLs, notes, TOTP secrets — is encrypted on your device before it ever leaves it. The encryption key is derived from your master password using Argon2id; we never see, store, or transmit your master password or the derived encryption key.

What we collect

Your vault data is end-to-end encrypted on your device under a key derived from your master password. We treat this as opaque ciphertext at every layer.

Account data (Phase 3 onward): Email address, authentication record, account creation timestamp, and last-active timestamp.

Operational telemetry: Server access logs (IP, user agent, timestamp, path) retained for 30 days. No behavioral analytics. No crash reports. No product telemetry.

Legal bases (GDPR Art. 6)

• Storing encrypted vault blob: Contract (Art. 6(1)(b))
• Server access logs: Legitimate interest (Art. 6(1)(f))
• Service-related emails: Legitimate interest + contract

Your rights (GDPR Chapter III)

You have the right to access, rectify, erase, restrict, port, object to processing, and withdraw consent. Because your vault is end-to-end encrypted, access requests give you the encrypted blob and metadata only — we physically cannot provide plaintext.

To exercise any right, email [email protected]. We respond within 30 days (extendable to 90 days for complex requests).

You can file a complaint with the Swedish Authority for Privacy Protection (IMY) at https://www.imy.se or your EU supervisory authority.

Where data lives

Servers are hosted in the European Union via Cloudflare. All data processing occurs within the EEA. We do not transfer personal data outside the European Economic Area.

Subprocessors

Cloudflare — edge compute (Workers), database hosting (D1). Cloudflare is a US company but all EU data processing occurs in the EU.

Cookies and tracking

The Zecuri website, Chrome extension, and iOS app do not use tracking cookies or analytics cookies. No Google Analytics, no Facebook Pixel, no behavior tracking. We do not run ads.

Data retention

• Vault blob: As long as account is active. Deleted within 30 days of closure.
• Server access logs: 30 days then deleted
• Customer support emails: 2 years from last interaction

Questions? Email [email protected]