Safetie.Sign in

Privacy & Rules

Last updated: 6/6/2026

Introduction

Hi. Welcome to Safetie Passwords. This page tells you exactly what we do with your data, what we don't do, and what you can and can't do with our service. It's longer than most people read, but everything in here is meant to be honest and human. If you have questions that aren't answered here, get in touch.

Core principles

  • We never see your passwords. The Master Password encrypts everything in your browser.
  • We don't sell, rent, lease, donate, or barter your data. Ever.
  • We don't run ads. There's no business model that requires invading you.
  • We don't track you across the web. No third-party pixels, no fingerprinting.
  • Safetie is free, and it stays free. If we ever add paid features, the free tier stays usable forever.

What we actually collect

When you sign up and use Safetie, we store:

  • Google account basics: your email, name, and avatar URL — provided by Google when you sign in.
  • Encrypted vault data: opaque ciphertext + random IVs. Useless without your Master Password.
  • Encrypted vault key: the AES key that decrypts your items, itself encrypted with your Master Password.
  • AI usage counters: a daily count of how many AI messages you've sent, so we can enforce the free 20/day limit.
  • Hashed IP fragment: a one-way hash combined with a daily salt, used purely to prevent rate-limit abuse. We can't recover the original IP from it.
  • Server logs: brief, automatically purged operational logs for keeping the service up.

What we never see

We never see your Master Password, your recovery phrase, your individual usernames or passwords, your secure notes, your card numbers, or any plaintext content of your vault. This isn't a promise — it's mathematics. Our server receives encrypted bytes and stores encrypted bytes. We don't have the key.

Who we share data with

The minimum needed to operate the service: our hosting provider (to run the website and database), and Google (only when you sign in, and only the OAuth flow data Google exposes to us). We don't share your data with advertisers, data brokers, analytics companies, or AI training pipelines. If law enforcement requests data, the only thing we can hand over is ciphertext — so that's all we can hand over.

Cookies & tracking

We use a session cookie to keep you signed in. That's it. No third-party trackers, no analytics SDKs that follow you across the web, no Facebook pixels, no advertising IDs. Your browser does the heavy lifting locally.

How we protect data

  • End-to-end encryption with AES-GCM 256 for every vault item.
  • Master Key derived with PBKDF2-SHA256, 600,000 iterations.
  • TLS 1.3 for every byte in transit.
  • Row-level security in the database — even our own backend can only see your encrypted blobs.
  • Service-role keys live only on the server and are never exposed to the browser.

Data retention

Your encrypted vault stays until you delete your account or your individual items. AI usage counters reset daily. Server logs are purged automatically after a short window.

Your rights

You can export your vault, change your Master Password (re-encrypting your Vault Key), and delete your account at any time. If you're in a region with GDPR, CCPA, or similar laws, you have the right to access, correct, port, and delete your personal data. We honor those rights regardless of where you live.

Deleting your account

From the Settings page, hit "Delete account". We immediately remove your profile, vault items, folders, and AI usage records. We can't un-delete an account — make sure you've exported anything you want first.

Children

Safetie isn't directed at children under 13. If you're under 13, please use the password manager built into your device with adult supervision.

Acceptable use

By using Safetie, you agree not to:

  • Store credentials you obtained by hacking, phishing, or other illegal means.
  • Use the AI assistant to plan or perform attacks on other people or systems.
  • Attempt to overload, scrape, or attack our servers.
  • Resell or sublicense Safetie or its API.
  • Reverse-engineer the service for the purpose of cloning it commercially. (Personal study is fine.)

Breaking these rules can get your account terminated without warning.

AI assistant rules

  • The AI assistant uses a third-party model (Google Gemini) routed through our backend.
  • Your AI messages are sent to the model provider to generate a response. Don't put real passwords in the AI chat — there's no reason to.
  • You get 20 AI messages per day, free, counted per account and per IP. We don't store chat history server-side.
  • The AI is a helper, not a security expert. It can make mistakes. Don't act on critical security advice without verifying it.

Browser extension

Our Manifest V3 browser extension uses the same zero-knowledge crypto as the website. It only ever talks to our domain. It asks for the permissions needed to detect login forms and autofill — nothing more. You can review the source before installing.

Changes to this policy

If we change something material, we'll show a notice in the app before the change takes effect. Tiny edits (typos, clarifications) we'll just ship.

Contact

Questions, privacy requests, security disclosures, or just to say hi: open the in-app chat with Lumi, or email privacy@safetie.app (set this up once your domain is live).

Jurisdiction

Safetie is operated by an independent maker. Disputes are governed by the laws of the maker's country of residence, unless your local consumer-protection laws give you stronger rights — in which case those apply.