| 1 | gPass web browser extension Privacy Policy␊ |
| 2 | ------------------------------------------␊ |
| 3 | ␊ |
| 4 | ␊ |
| 5 | ## Information we collect ##␊ |
| 6 | ␊ |
| 7 | The gPass extension collect three information once invoked :␊ |
| 8 | * Site address URL␊ |
| 9 | * Login name␊ |
| 10 | * Master key␊ |
| 11 | ␊ |
| 12 | ␊ |
| 13 | ## How we use information we collect ##␊ |
| 14 | ␊ |
| 15 | Once collected, site address and login name are encrypted by a derived version of your master key.␊ |
| 16 | It's then sent to the server (password server) you configured in extension configuration page for comparison.␊ |
| 17 | ␊ |
| 18 | This server has been set up by the user himself (recommended) or by a provider he trust in.␊ |
| 19 | ␊ |
| 20 | The database that the server access to do comparisons only contains the crypted␊ |
| 21 | version of your information. They are never decrypted in the server side.␊ |
| 22 | ␊ |
| 23 | If a comparison match, the real password is sent back to your extension were␊ |
| 24 | it's unencrypted using the same key (derived masterkey).␊ |
| 25 | ␊ |
| 26 | Finally, the application context is cleared and nothing is kept in memory␊ |
| 27 | nor written anywhere.␊ |
| 28 | ␊ |
| 29 | ␊ |
| 30 | ## Accessing and updating your personal information ##␊ |
| 31 | ␊ |
| 32 | As a user, you can add, edit and delete your ciphered information through␊ |
| 33 | the web interface of the password server.␊ |
| 34 | ␊ |
| 35 | During these operations, no clear information is sent to the server.␊ |
| 36 | ␊ |
| 37 | ␊ |
| 38 | ## Information we share ##␊ |
| 39 | ␊ |
| 40 | Nothing is shared with anyone. Nor on extension side, nor on server side.␊ |
| 41 | ␊ |
| 42 | ␊ |
| 43 | ## Information security ##␊ |
| 44 | ␊ |
| 45 | Information transmitted to the server are done through an HTTPS AJAX request.␊ |
| 46 | Data are encrypted using AES 256 CBC algorithm and the master key is prior␊ |
| 47 | derived using PKBDF2 algorithm.␊ |
