Last Updated: April 2026
Welcome to TwoPass. This Privacy Policy outlines our commitment to protecting the highly sensitive cryptographic data managed by the TwoPass Web Application and Chrome Extension ("The Software"). Because TwoPass is fundamentally a security product, privacy and data ownership are mathematically guaranteed by the architecture of the application itself.
1. Data Ownership & Storage Architecture
TwoPass is built as a highly secure, client-first vault. The way your data is stored depends strictly on the mode you are using:
- Local Only Mode (Offline): If you do not explicitly sign in to the Cloud Sync feature, zero data leaves your device. ALL configuration rules, shared metrics, and raw TOTP Base32 Secret Keys are stored strictly inside your browser's physical localStorage API. We have no analytics trackers, telemetry pipelines, or backup servers in Local Mode. If you clear your browser data, your vault is irreversibly lost.
- Cloud Sync Mode: If you voluntarily create an account and connect to Cloud Sync, your account data is transmitted and stored within a dedicated Google Firebase Firestore database partition. This data is rigorously guarded by Firebase authenticated security rules, mathematically restricting read and write access strictly to your specific authenticated session identifier (UID).
2. Chrome Extension Permissions
The TwoPass Chrome Extension requests minimal permissions specifically necessary to provide a frictionless authentication experience:
- activeTab: This permission is used strictly locally within your browser to read the domain name of the website you are currently viewing. TwoPass uses this strictly to instantly search your Vault and pin the correct 2FA code to the top of your layout. We do not transmit your browser history or active URLs externally.
- storage: The extension requires local storage access to permanently hold the cryptography configuration transferred directly from your Web App.
- Host Permissions (*://twopass.mirzahasnat.com/*): This defines the exact Web App DOM target that is allowed to establish standard, secure initialization handshakes with your extension via the postMessage protocol.
3. The Peer-to-Peer Sharing Mechanics
TwoPass offers a revolutionary feature allowing you to cleanly share 2FA credentials with specific individuals ("Distributed Network"). By executing a "Secure Share":
- You inherently consent to transmitting a functional iteration of the TOTP secret key mapping through our NoSQL Cloud routing inbox directly into the recipient's Vault.
- The system deliberately restricts the Recipient's User Interface from revealing the raw cryptographic string; however, this is a software layer obfuscation. Due to mathematical realities, the key itself physically executes on their device. Share only with perfectly trusted recipients.
- Your email address (the sender) will be visibly flagged to the recipient within their Vault interface, enforcing token origin accountability.
4. Third-Party Integrations
If utilizing Cloud Sync, TwoPass relies on infrastructure governed by Google Cloud / Firebase. We transmit Authentication tokens, Email Addresses, and Encrypted Network Payload representations exactly as outlined by standard NoSQL Database architecture. No secondary third-party organizations or advertisers have access to your data.
5. Data Retention & Deletion Rights
You inherently control the entire lifecycle of your Vault.
- If operating locally, you can irrevocably wipe your storage manually at any time by clearing your browser site-data or triggering the "Disconnect" capability.
- If operating natively on the Cloud network, deleting a credential from your Vault executes a hard-delete command inside Firestore. Revoking a Shared Token transmits an identical hard-delete command dynamically resolving upon the recipient's app sequence synchronization.
- You may request complete remote wiping of your account parameters by directly contacting the repository authors.
6. Contact Us
If you have any questions, concerns, or technical audits regarding this Privacy Policy, please contact the developer via GitHub Issues organically linked inside the main software repository or the Google Chrome Web Store support channels.