Privacy Policy
Last updated: 2026-05-07
TL;DR
KeyNest is a local-only password manager. Your data never leaves your device. We don't run any servers, we don't collect telemetry, we don't have analytics, and we have no way to read your secrets even if we wanted to.
What we store, and where
| Data | Where it lives | How it's protected |
|---|---|---|
| Your encrypted vault (passwords, API keys, notes, etc.) | A SQLite file on your device — see paths below | AES-256-GCM with per-field random nonces; the data-encryption key is wrapped with a key derived from your master password via Argon2id (32 MiB memory, 3 iterations) |
| Your master password | Never stored, anywhere | Only used in-memory while you're unlocked, and zeroed when you lock, the auto-lock timer fires, or the app exits |
| Your name (optional, set at first run) | Inside the same encrypted vault file | Same encryption as everything else |
| Backups you create | A backups/ folder next to the vault | Same encryption — backups are byte-for-byte copies of the encrypted DB |
| Encrypted JSON exports | Wherever you save them | Wrapped with a separate password you choose at export time, also via AES-256-GCM + Argon2id |
| Application logs | A logs/ folder next to the vault | Never include secret values, master passwords, or key material. Used for diagnosing crashes. |
Storage locations per platform
- Windows — %LOCALAPPDATA%\KeyNest\
- Linux (.deb / Snap) — ~/.local/share/KeyNest/ (under Snap: ~/snap/keynest/current/.local/share/KeyNest/ due to Snap confinement)
- Web (self-hosted Blazor Server) — wherever the operator configured the path provider
What is sent over the network
Two outbound connections, both optional, both to GitHub:
- Update check — once on launch and once per hour, KeyNest fetches https://api.github.com/repos/isaiasgv/KeyNest/releases/latest to learn whether a newer version is available. The request includes only a User-Agent: KeyNest/<version> header — no master password, no vault data, no machine identifier. If you block this URL the app keeps working; the update banner just won't show.
- Release-notes link — when you click "What's new" on the update banner, your browser opens the release page. KeyNest itself doesn't fetch that content.
That's it. No analytics, no error reporting service, no third-party SDK, no advertising tracker, no cloud sync. The Linux package binds a random loopback port (127.0.0.1:<random>) so the in-process Blazor host can serve the UI to the embedded WebKit window — that port is never exposed beyond the local machine.
What we do not do
- We don't have a server-side account. No login, no email capture, no "anonymous telemetry" toggle.
- We don't sell, share, or have access to your data — we never see it.
- We don't store recovery questions, password reminders, or hints. If you forget your master password, your vault is gone. That's the trade-off for zero-knowledge encryption.
- We don't include any third-party trackers, A/B testers, ad SDKs, fingerprinting libraries, or behavioural analytics.
Children's privacy
KeyNest is intended for general adult use. We don't knowingly collect data from anyone — children included — because we don't collect data.
Open source — verify everything above
The full source code is at github.com/isaiasgv/KeyNest. Cryptography lives in CryptoService.cs and the only outbound HTTP call lives in UpdateService.cs.
Changes to this policy
Material changes will be announced in a release-notes entry on the GitHub Releases page. Adding a tracker would be a hard-fork-worthy violation of KeyNest's purpose, so this policy will only ever get more restrictive, never less.
Contact
- GitHub issues — github.com/isaiasgv/KeyNest/issues
- Email — igarcia@bcposgroup.com
- Security disclosures — see SECURITY.md