Who we are
Zecuri ("we", "us") is a password manager built and operated by LineSpotting AB, a Swedish limited liability company. This policy covers the Zecuri website (zecuri.com), the Chrome extension, and the iOS app.
- Company name: LineSpotting AB
- Registered address: Stockholm, Sweden
- Organisationsnummer: 559350-0755
- Data controller (GDPR Art. 4(7)): LineSpotting AB
- Privacy contact: [email protected]
Our promise
Zecuri is a zero-knowledge password manager. The information you store in your vault — site passwords, usernames, URLs, notes, TOTP secrets — is encrypted on your device before it ever leaves it. The encryption key is derived from your master password using Argon2id; we never see, store, or transmit your master password or the derived key.
- We cannot read what's in your vault.
- We cannot recover your vault if you forget your master password. You can use a recovery code saved at 2FA setup; otherwise the data is unrecoverable. This is by design.
- Law-enforcement requests for vault contents are answered with the encrypted blob only; we have no means to decrypt it.
What we collect
Vault data
End-to-end encrypted on your device under a key derived from your master password. We treat it as opaque ciphertext at every layer.
| Field | Where it lives | Who can read it |
|---|---|---|
| Master password | Never leaves your device | Only you |
| Argon2id-derived key | Never leaves your device | Only you |
| Site credentials, usernames, URLs, notes, TOTP secrets | On your device; plaintext only when unlocked, encrypted on disk and in backups | Only you |
| Encrypted vault blob (after sync launch) | Synced through our servers as opaque ciphertext | Only you |
Account data (when sync launches)
Today Zecuri does not require an account — the apps run fully local. When sync launches we will collect an email address (for account identification and account-recovery emails, not the vault), an OPAQUE authentication record (proves you know your password without revealing it), an account-creation timestamp, and a last-active timestamp. This policy will be updated before sync launches.
Operational telemetry
We collect minimal operational data to run the service. We do not collect behavioral analytics, advertising IDs, or product-usage telemetry of any kind.
| Type | Stored | Why |
|---|---|---|
| Server access logs (IP, user agent, timestamp, path) | 30 days, then deleted | Operate the service, detect abuse, investigate incidents |
| Crash reports | None — disabled by default | Not collected |
| Product analytics | None | Not collected |
The Chrome extension and iOS app do not "phone home". They make no network requests except to your designated sync server.
What we do NOT collect
- The contents of your vault, your master password, or your derived key
- Your browsing history or the websites you autofill on
- Your IP address other than in server access logs (above)
- Anything identifying which sites you hold credentials for
- Behavioral analytics or any data for advertising (we never run ads)
How we use what we collect
Vault data: it's encrypted; we use it solely to deliver the bytes to your other devices when sync is enabled. Account data: solely to authenticate you to sync and send service-related security messages. Operational logs: to operate the service and detect abuse — never joined with vault data or used to profile users.
Legal bases (GDPR Art. 6)
| Processing | Legal basis |
|---|---|
| Storing your encrypted vault blob | Contract (Art. 6(1)(b)) |
| Server access logs | Legitimate interest (Art. 6(1)(f)) |
| Service-related security emails | Legitimate interest + contract |
| Marketing emails | Consent (Art. 6(1)(a)) — opt-in only; we don't send these today |
How long we keep things
| Data | Retention |
|---|---|
| Vault blob | While your account is active; deleted within 30 days of closure |
| Account record | While active; anonymized within 30 days of closure |
| Server access logs | 30 days |
| Billing records (paid plans) | 7 years (Swedish Bokföringslagen) |
| Customer support emails | 2 years from last interaction |
Where it lives
Servers are hosted in the European Union via Cloudflare (EU edge locations and Cloudflare D1 in EU regions). All processing and storage occurs within the EEA. We do not transfer personal data outside the EEA; if we ever need to, we will use Standard Contractual Clauses and document it here first.
Subprocessors
When cloud sync launches, we use Cloudflare for edge compute, database hosting, and infrastructure. Cloudflare is a US company, but all data processing occurs in the EU per their EU data-residency commitment. A current list is published at zecuri.com/subprocessors.
Your rights (GDPR Chapter III)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, to withdraw consent, and not to be subject to purely automated decision-making (we don't do this).
Two Zecuri-specific notes: (1) because your vault is end-to-end encrypted, an access request returns the encrypted blob and account metadata — we physically cannot provide plaintext. (2) Account closure destroys the key-derivation parameters specific to your account; if you kept a backup blob and remember your master password, you can still decrypt it locally, since Zecuri's format is documented and the code is open source.
To exercise any right, email [email protected]. We respond within 30 days (extendable to 90 for complex requests). You may also complain to the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.
Cookies and tracking
The website, Chrome extension, and iOS app do not use tracking or analytics cookies. Specifically: no Google Analytics, no Meta Pixel, no advertising trackers, no third-party fonts or CDNs that could log your IP, and no fingerprinting. The marketing site may use a single session cookie for cart state when paid plans launch.
Security
- AES-256-GCM authenticated encryption for vault contents
- Argon2id key derivation (64 MiB, 3 iterations, 4 lanes) with a PBKDF2-SHA256 fallback
- Per-vault random salts; per-message random nonces
- Master passwords and derived keys never leave your device
- WebAuthn (FIDO2) hardware-key support; recovery codes encrypted under the master key
- TLS 1.3 for all server traffic; secure development lifecycle with pre-commit secret scanning and peer review
Found a vulnerability? Email [email protected]. See SECURITY.md in our public repository for the disclosure policy.
Children
Zecuri is not directed at children under 13 (16 in some EU member states, including Sweden). We do not knowingly collect data from children. If you believe a child created an account, contact [email protected] and we will delete it.
Changes to this policy
We update this policy when our practices change. Material changes are notified to active users by email at least 30 days before they take effect. The current version is always at zecuri.com/privacy.
Contact
- Privacy questions: [email protected]
- Security disclosures: [email protected]
- Postal address: LineSpotting AB, Stockholm, Sweden
Published in English. A Swedish translation is available at zecuri.com/integritetspolicy. In case of discrepancy, the Swedish version is authoritative for users resident in Sweden; the English version for all others.