Last Updated: April 15, 2026

LOCKED is built with a "Privacy by Design" philosophy. We believe your data belongs to you, and our software is engineered to ensure it stays that way.

1. Data Collection & Transmission
   No Personal Data Collection: LOCKED does not collect, store, or transmit any personally identifiable information (PII), such as names, email addresses, or location data.

No Tracking: We do not use cookies, tracking pixels, or any third-party analytics (like Google Analytics) within the extension.

No Cloud Storage: All passwords, usernames, and notes created within LOCKED are stored locally on your device using the browser's secure storage API. We have no central server and cannot access your data.

1. Third-Party Services (Breach Checker)
   LOCKED includes a "Breach Check" feature.

How it works: When you manually run a check, a cryptographic hash of your password is created. Only the first five characters of this hash are sent to the Have I Been Pwned (HIBP) API.

Security: This process (k-Anonymity) ensures that your full password is never sent over the internet and your identity remains anonymous to the service provider.

1. Data Security
   Encryption: All data stored within the extension is encrypted using AES-256 industry-standard encryption.

Decryption: Decryption happens entirely within your browser's memory. Your "Master Password" is never stored or transmitted.

1. Children’s Privacy
   LOCKED does not collect any data, making it compliant with the Children’s Online Privacy Protection Act (COPPA). We do not target or knowingly collect information from children under the age of 13.
2. Changes to This Policy
   Because we do not collect your contact information, we cannot notify you of changes. We recommend checking the version notes on the official extension store for any updates to this policy.
3. Contact
   If you have questions about this privacy policy or the security of the extension, please open an issue on our official GitHub repository.