Privacy & Cryptographic Policy
1. Our Core Principle: Zero Knowledge & Post-Quantum Security
PassmanAI is a military-grade password management platform built on a strict zero-knowledge architecture. This means your sensitive data is encrypted on your device before it ever reaches our servers, and it is decrypted only locally on your device. We never see your master password, and we cannot read your encrypted data.
To protect against future threats, we implement NIST-standardized Post-Quantum Cryptography, including ML-KEM-768 for quantum-resistant key encapsulation and ML-DSA-65 for challenge-response authentication.
2. Data We Do Not Collect
Because of our architecture, we fundamentally cannot collect or access:
- Your Master Password or generated private keys.
- Your saved passwords, usernames, or URLs.
- Your secure notes or personal identities.
- The plaintext contents of your initialized encrypted vault.
3. Data We Do Collect
To provide our services, we collect only the minimal data necessary:
- Account Information: An email address for account recovery and notifications. Emails are securely hashed using Argon2id prior to storage to guarantee cryptographic privacy.
- Encrypted Vault Data: We store the opaque, AES-256-GCM encrypted and Base64-encoded blobs representing your vault. We cannot decrypt these.
- Technical Logs: Limited security logs (such as IP addresses for rate limiting) and error telemetry. Plaintext passwords or vault contents are never logged.
4. Third-Party Integrations & Security Intelligence
If you choose to sync your vaulted data via Google Drive, your data is securely encrypted client-side before transmission. Google cannot decrypt the contents of your backup.
To proactively defend against cybersecurity threats, we integrate with trusted intelligence providers such as URLHaus, Have I Been Pwned, and VirusTotal to perform malicious URL detection and breach exposure checks using k-anonymity privacy models.
5. Blockchain Anchoring
Premium vaults employ blockchain anchoring. The SHA-256 hashes of your encrypted vaults are anchored to a blockchain, providing a mathematically certain, tamper-evident audit trail of your data's integrity without exposing any sensitive information.
6. User Rights & Compliance
PassmanAI is built to comply with international privacy standards, including the Indian Digital Personal Data Protection (DPDP) Act 2023, GDPR (Europe), and CCPA (California). Our primary servers are located in India to ensure data sovereignty.
You maintain full rights to access, rectify, export, and permanently erase all your data from our systems at any time through our complete account deletion mechanism.
7. Contact Us
PassmanAI Technologies Private Limited is registered in Bangalore, Karnataka, India.
If you have any questions or concerns regarding our privacy practices, please contact our Data Protection and Privacy team at privacy@passmanai.app.