|
| 1 | +Browserpass Privacy Policy |
| 2 | +========================== |
| 3 | + |
| 4 | +## Definitions |
| 5 | + |
| 6 | + - Browserpass means the WebExtension at https://github.com/browserpass/browserpass-extension |
| 7 | + - Browserpass OTP means the WebExtension at https://github.com/browserpass/browserpass-otp |
| 8 | + - User means the user of the web browser where Browserpass or Browserpass OTP is installed. |
| 9 | + - Password Store means one or more locations on disk where the user stores encrypted credential files. |
| 10 | + - Credential File(s) means the individual credential files in the User's password store. |
| 11 | + - Developer(s) means the individuals who are responsible for the development of Browserpass and Browserpass OTP. |
| 12 | + |
| 13 | +## Applicability |
| 14 | + |
| 15 | +This Privacy Policy applies to Browserpass and Browserpass OTP. |
| 16 | + |
| 17 | +## Usage of Credential Files |
| 18 | + |
| 19 | +During the course of normal operation, Browserpass handles decrypted Credential Files. |
| 20 | +Only files selected by the User via the Browserpass interface are decrypted. |
| 21 | + |
| 22 | +The contents of decrypted Credential Files are used *only* for the following purposes: |
| 23 | + |
| 24 | + - To copy login credentials to the clipboard; |
| 25 | + - To automatically fill login credentials into a website in the current tab; |
| 26 | + - To provide the User with an interface to edit the contents of a selected Credential File, |
| 27 | + - To provide the OTP seed to Browserpass OTP |
| 28 | + - To fill other fields as requested by the User (e.g. credit card data) |
| 29 | + |
| 30 | +## Use & Transmission of Data |
| 31 | + |
| 32 | +Browserpass will fill data selected by the User to the website in the currently |
| 33 | +active browser tab. This implies that data will be sent to that site when the |
| 34 | +form into which the data has been filled is submitted. |
| 35 | + |
| 36 | +If the form fields detected by Browserpass belong to a foreign origin, Browserpass |
| 37 | +will prompt the User to confirm whether they would like to continue filling those |
| 38 | +fields. |
| 39 | + |
| 40 | +If an OTP seed is detected in a credential file when it is decrypted, it will be |
| 41 | +passed to Browserpass OTP. |
| 42 | + |
| 43 | +Browserpass only holds the decrypted contents of Credential Files while they are |
| 44 | +actively being used by the User. Once the action selected by the User has been |
| 45 | +completed, the data becomes out of scope, and will be cleaned up by the browser's |
| 46 | +garbage collection mechanism. |
| 47 | + |
| 48 | +Browserpass contains an autosubmit feature, which defaults to disabled. If enabled by |
| 49 | +the user, this will cause Browserpass to automatically submit the form into which |
| 50 | +credentials were filled immediately after filling. The Developers do not recommend |
| 51 | +use of this feature, and it will never be enabled by default. |
| 52 | + |
| 53 | +Browserpass OTP will, upon receipt of an OTP seed from Browserpass, generate an OTP |
| 54 | +code and make it available on demand via the Browserpass OTP popup interface. If |
| 55 | +Browserpass is not already using the clipboard, it will also place that code on the |
| 56 | +clipboard. |
| 57 | + |
| 58 | +Browserpass OTP will retain the OTP seed until the tab for which the seed applies is |
| 59 | +navigated to a different origin, so that it can generate new codes as needed (typically |
| 60 | +every 30 seconds). |
| 61 | + |
| 62 | +IN NO EVENT WILL BROWSERPASS OR BROWSERPASS OTP EVER SEND DATA OF ANY KIND TO ANY PARTY |
| 63 | +OTHER THAN A WEBSITE INTO INTO WHICH THE USER HAS DELIBERATELY REQUESTED BROWSERPASS |
| 64 | +TO FILL DATA. |
| 65 | + |
| 66 | +## Security of Transmission |
| 67 | + |
| 68 | +Filled content will be submitted via whatever mechanism is provided by the form that |
| 69 | +has been filled. This is determined by the website to which the form belongs. For clarity, |
| 70 | +please note that some sites do not properly secure such forms - Browserpass will prompt |
| 71 | +the User before filling data into any non-https origin. |
| 72 | + |
| 73 | +Some websites may use a secure origin, but transmit data via insecure means. It is possible |
| 74 | +that Browserpass may not be able to detect all such sites, so filling and submitting |
| 75 | +data is done solely at the User's own risk. |
| 76 | + |
| 77 | +## Local Storage |
| 78 | + |
| 79 | +Browserpass may store the following via the browser's local storage API: |
| 80 | + |
| 81 | + - Historical usage data, in order to sort the list of Credential Files in the Browserpass |
| 82 | + popup interface by recency and usage count. |
| 83 | + - Usage of any given Credential File on an origin that cannot be automatically matched. |
| 84 | + - Responses to confirmation prompts. |
| 85 | + |
| 86 | +Local storage may be cleared via the Browserpass options screen. |
| 87 | + |
| 88 | +Decrypted contents of Credential Files are never placed in local storage for any reason. |
| 89 | + |
| 90 | +## Further Detail |
| 91 | + |
| 92 | +For further detail on how Browserpass functions and protects your data, please see the |
| 93 | +readme at https://github.com/browserpass/browserpass-extension/blob/master/README.md. |
| 94 | + |
| 95 | +## Liability |
| 96 | + |
| 97 | +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 98 | +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 99 | +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| 100 | +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 101 | +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| 102 | +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 103 | +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
0 commit comments