Privacy Policy
Keyri
Effective Date: 01st April 2026
Keyri ("the App") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the App. Please read it carefully to understand your rights and how your data is managed.
The App is a password manager that stores the following information solely on your device:
Usernames, passwords, payment card details, scanned barcode/QR code data, and other account information you choose to save within the App.
Images: any image you choose to attach is compressed, converted into a text format (Base64), and encrypted locally alongside your other data.
A master password, chosen by you:
when biometric authentication is disabled, it is stored as a SHA-256 hash in the app's private storage
when biometric authentication is enabled, it is also securely stored on the device using encrypted storage mechanisms provided by the Android operating system.
Any additional notes or information you choose to store within the App
Local Activity Log: The App automatically generates and stores a local log of certain actions performed within the App (e.g., creation, modification, or deletion of entries, master password changes, backup exports/imports). This log is kept strictly local on your device to help you monitor recent activities.
Security Metrics: To provide you with a "Security Score", the App locally analyzes metadata related to your entries, such as password strength, password duplication, and (if you have enabled the optional data breach features) the number of known leaked passwords or breached accounts.
We do not collect, store, or have access to any of this data. All data remains encrypted and saved on your device for as long as you decide to keep it.
The App ensures that all sensitive data is securely encrypted before being stored locally on your device. We use ChaCha20-Poly1305, a modern symmetric encryption algorithm designed for high security and performance. Your data is encrypted using a key derived from your master password, ensuring that only you can decrypt and access your stored information. Please note that while strong encryption is used, no security system is completely immune to brute-force attacks. The strength of your protection depends on the complexity of your master password. For this reason, we strongly recommend choosing a strong and unique master password. Please be aware that if you forget your master password, it cannot be recovered and you will no longer be able to access your data.
Standard Technical Data for Optional Features: When you choose to use the optional data breach verification features, your device will transmit standard technical connection data (e.g., IP address) to the relevant third-party provider in addition to the specific data required for the check.
Temporary Processing of Unencrypted Import Files: If you choose to use the CSV import feature (e.g., to import credentials exported from Google Chrome), the App temporarily processes the plain-text data contained within the selected file. This processing occurs locally and exclusively for the purpose of encrypting the data into the App's secure database using your master password. The App does not retain the original unencrypted CSV file, nor does it automatically delete it from your device storage; the management of the source file remains your responsibility.
The App provides the following data management capabilities:
Export your encrypted data as JSON files
Import 'natively' encrypted JSON files (using the same master password) or plain-text credentials via CSV files (e.g., Google Chrome export format).
Delete all saved data from your device
Review and completely clear your Local Activity Log at any time directly from the App's settings.
With your explicit consent, the App provides optional features to enhance account security:
The App can send your usernames to the API of XposedOrNot to verify if they have been involved in any data breaches.
The App can send the first 5 characters of the SHA-256 hash of your passwords to the API of HaveIBeenPwned to check if they are part of any known data breaches. No passwords are sent in plain text, and only the hash fragment is transmitted. This technique utilizes the 'k-anonymity' method provided by the HaveIBeenPwned API to help protect your privacy, as the full password is never transmitted to HaveIBeenPwned.
For more details on how these third parties handle your data, please review their privacy policies:
XposedOrNot: https://xposedornot.com/privacy
HaveIBeenPwned: https://haveibeenpwned.com/Privacy
Please be aware that when you use these optional features, you are interacting directly with the APIs provided by these third parties. We are not responsible for the privacy practices, data handling, or content of XposedOrNot or HaveIBeenPwned. Your use of their services is solely subject to their respective terms and privacy policies. We encourage you to review them.
The App offers optional biometric authentication to unlock your data. If enabled:
Your master password is encrypted and stored locally using the method described in Section 1
Biometric data is processed by your device's secure hardware and never stored or accessed by the App
D. Autofill Services
With your explicit permission, the App can utilize the Android Autofill Framework to automatically fill in your credentials in third-party apps and websites. When this feature is enabled and invoked by you:
The App processes the structure of the target application or website solely to identify username and password input fields.
This analysis happens locally on your device in real-time.
Keyri does not store, track, or transmit any data regarding the apps or websites you visit, nor does it access the content of those apps beyond the necessary input fields.
You maintain full control and can enable or disable this service at any time in the App's settings or Android system settings.
E. Barcode and QR Code Scanning (Google ML Kit)
With your explicit consent, the App offers an optional feature to scan barcodes and QR codes to extract and securely store their content. This feature utilizes the Google ML Kit library.
Local Processing: The scanning and decoding of the images occur entirely locally on your device. The App does not transmit the captured images, the camera feed, or the extracted plain-text data to Google.
Telemetry Data: While the image processing is offline, Google ML Kit may automatically collect and transmit standard telemetry, diagnostic, and usage data (such as API performance metrics and device information) to Google's servers to maintain and improve their services.
Because of this telemetry data collection, this feature is disabled by default and requires your explicit consent to be activated. For more information on how Google handles this data, please refer to Google's Privacy Policy: https://policies.google.com/privacy
F. Brand Icon Fetching (Brandfetch API)
To help you visually identify your saved entries, the App allows you to search for brand icons using the Brandfetch API. When you use this feature:
The App transmits your search query (e.g., the brand name or domain) and standard technical connection data (e.g., your IP address) to Brandfetch's servers to retrieve the requested image.
We do not track or store your search queries on any of our systems.
For more details on how the Brandfetch APIs work, please review their documentation: https://docs.brandfetch.com/guides/overview
We process your data based on:
Performance of contract: to provide the password management service
Explicit consent: for optional features involving third-party services
The optional features are disabled by default and require your explicit consent to be activated
You can enable or disable these features at any time in the App's settings
If you choose to enable these features, data will only be transmitted as described above
You have the right to withdraw consent at any time
The App uses robust encryption mechanisms to ensure the safety of your data:
All sensitive data is encrypted locally using your master password
The master password is:
stored as a SHA-256 hash in the app's private storage when biometric authentication is disabled
also encrypted via AES+RSA with keys stored in Android KeyStore when biometric authentication is enabled
Data transmitted to third-party APIs is limited and uses secure connections (HTTPS)
No cloud storage or backup of your data is maintained by us
Your data remains on your device until you choose to delete it
If you uninstall the App, all associated data will be permanently deleted from your device
We recommend exporting your encrypted data before uninstalling the App if you wish to retain it
Under the GDPR and other applicable privacy laws, you have the following rights:
Right to Access: Access your personal data
Right to Rectification: Correct your personal data
Right to Erasure: Delete your personal data
Right to Data Portability: Export your data
Right to Object: Object to processing of your personal data (primarily applicable where processing is based on legitimate interests or for direct marketing, neither of which apply to the data stored within the App).
Right to Restriction of Processing: Request the restriction of processing of your personal data (primarily applicable in certain circumstances outlined in the GDPR, generally not applicable to data stored solely on your device and controlled by you).
Right to Withdraw Consent: Revoke previously given consent
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or where the alleged infringement of the GDPR occurred. In Italy, the competent authority is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
Exercising Your Rights: Given that your credentials and notes are stored and managed exclusively on your device, the rights of Access, Rectification, Erasure, and Data Portability regarding this data must be exercised directly by you using the functionalities integrated within the App (e.g., viewing, editing/deleting entries, using the export function). We do not have the capability to access, modify, or delete your data on your behalf, as we do not store or control it on our systems. The Right to Withdraw Consent for optional features can be exercised through the App's settings.
For users in California, the App complies with the California Online Privacy Protection Act (CalOPPA) by:
Providing this Privacy Policy
Informing users about the use of optional features and data sharing
Allowing users to use the App without collecting personal information
Responding to "Do Not Track" signals by not collecting tracking information
The App is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13 (nor from any other user of any age).
We may update this Privacy Policy from time to time. Any changes will be communicated through the App. The "Effective Date" at the top of this document will indicate the latest update. Continued use of the App after such changes constitutes acceptance of the updated Privacy Policy.
If you have any questions or concerns about this Privacy Policy, please contact us at:
Email: niluved0@gmail.com
By using the App, you agree to this Privacy Policy. If you do not agree, please refrain from using the App.