Zen Passwords · Privacy Policy
This Privacy Policy describes how Zen Passwords ("App") and the operator identified below ("we," "us," or "our") handle information when you use the App on Apple devices and when you interact with us (for example, by support email or through our website).
Data controller / publisher: ZENPRODUCTS operates Zen Passwords. Our public website is www.zenproducts.ai. For a registered business address, EU or UK representative details, or formal data protection correspondence, contact hello@zenproducts.ai.
Contact for privacy questions: hello@zenproducts.ai
1. Summary
- Vault contents are encrypted on your device with keys derived from your master password. We do not receive your master password and cannot decrypt your vault on your behalf.
- Optional iCloud sync stores and synchronizes encrypted vault records through Apple's private CloudKit database tied to your Apple ID. We do not operate our own servers that host your vault database.
- Zen Premium is sold through Apple In-App Purchase. Apple processes payment; we receive subscription status from Apple (via StoreKit), not your full payment card details.
- Imports, exports, password health checks, scheduled backups, and most processing run on your device unless you explicitly save or share a file outside the App.
- This build does not embed third-party analytics SDKs in the App as shipped; see Section 9 for Apple diagnostics and future changes.
This summary is not a substitute for the full policy below.
2. Scope
This policy applies to the Zen Passwords App and to personal information we process when you email us or use our website in connection with the product. It does not govern third-party sites you open from saved links, Apple's own services, or other apps you use alongside Zen Passwords.
3. Categories of information we process
3.1 Information you provide in the App
Depending on how you use the App, this may include:
- Vault items: Usernames, passwords, notes, URLs, optional TOTP secrets, structured fields for cards, identities, bank accounts, Wi-Fi, software licenses, secure note bodies, custom fields, and similar.
- Organization data: Folder names (stored encrypted when sealed in the data model), folder accent colors, tags, favorites, archive state, pins, and sort preferences.
- List metadata: Titles and tags may be stored in encrypted list metadata where the App implements sealing; some operational metadata may exist in forms required for lists and sync (see Section 4).
- Attachments: Images and filenames associated with items, stored encrypted with the item where applicable.
- Settings: Preferences such as appearance (light / dark / system), lock on background, idle lock timing, clipboard auto-clear timing, biometric unlock toggles, sync-related preferences, backup schedules, and similar. Companion or allow-list style settings may store identifiers (for example item IDs) locally only, as described in the App.
3.2 Cryptography and biometrics
Key derivation uses your master password. If you enable Face ID, Touch ID, or Optic ID quick unlock, related key material may be stored in the Apple Keychain and processed through Local Authentication and the Secure Enclave as documented by Apple. We do not receive biometric samples.
3.3 Information you send to us
If you contact hello@zenproducts.ai, we receive your email address, message content, and technical details you choose to include (for example screenshots or crash descriptions). We use this to respond to support, improve the App, and meet legal obligations.
3.4 Website visitors
When you visit www.zenproducts.ai, our hosting provider may process standard technical data needed to deliver the site (for example IP address, user agent, referrer). We use Vercel Analytics and Speed Insights on the public site for aggregate product metrics in line with Vercel's privacy documentation. We do not use those tools to read your App vault. If we add marketing cookies or materially different tracking, we will update this policy and the live site.
4. Storage, sync, and metadata
4.1 On-device storage
Primary storage uses SwiftData (and related files) on your device. On supported platforms the App may apply file protection attributes to the database and related files so data has additional protection when the device is locked; exact behaviour depends on the OS, device settings, and backup configuration.
4.2 iCloud and CloudKit
When you are signed into iCloud and sync is enabled, vault records may sync through your private CloudKit database for the App's container. Encrypted payloads (sealed item bodies, sealed folder names where applicable, sealed attachments, and similar) are stored and transmitted as ciphertext that is not readable without your vault keys.
4.3 Non-secret metadata
To render lists, support merges, and satisfy CloudKit record modelling, some fields may exist in forms that are not full ciphertext of every display attribute (for example record identifiers, item type, ordering, favourite or archive flags, timestamps). This metadata is not a substitute for your encrypted secrets; it is limited to what the App needs for functionality and sync. Exact fields may evolve with App versions.
4.4 Apple backups
Device backups and iCloud Backup may include App data according to your Apple ID and device settings. Encrypted vault data in backups remains ciphertext without your master password.
4.5 No publisher-hosted vault cloud
We do not operate a centralized cloud service that stores your decrypted vault or your master password.
5. How we use information
We process information to:
- Provide, maintain, and improve the App (including sync, search, organisation, security features, and Premium gating).
- Respond to support requests and communicate about security or policy updates.
- Comply with law, enforce our Terms, and protect rights and safety.
- Develop aggregate, non-identifying statistics where feasible (for example total crash counts if we add crash tooling in the future), consistent with this policy.
We do not sell your personal information. We do not use vault contents for advertising. We do not train generalized machine learning models on your vault data.
6. Legal bases (EEA, UK, and similar jurisdictions)
Where GDPR or similar laws apply, we rely on:
- Contract: Providing the App and features you request.
- Legitimate interests: Security, abuse prevention, product improvement, and support, balanced against your rights.
- Consent: Where required (for example optional marketing emails if we ever offer them; currently support is transactional).
- Legal obligation: Where we must retain or disclose information by law.
You may have rights to access, rectify, erase, restrict, port, or object, and to lodge a complaint with a supervisory authority. Because most vault data is encrypted with keys we do not hold, erasure on device or deletion of the App may be the practical way to remove vault data from your environment. iCloud copies are controlled through your Apple ID and device management.
7. Sharing and subprocessors
7.1 Apple
Apple provides the operating system, App Store, In-App Purchase, iCloud, CloudKit, Keychain, and related infrastructure. Apple's privacy policy and terms apply to those services.
7.2 Service providers
We may use email, hosting, or ticketing providers to operate support or our website. They process data under contract and only on our instructions, to the extent we collect any personal data through those channels.
7.3 Legal and safety
We may disclose information if we believe in good faith that disclosure is required by law, legal process, or to protect rights, safety, or security.
7.4 Business transfers
If we merge, are acquired, or sell assets, information may transfer to the successor under safeguards required by law.
8. International transfers
If you use iCloud, Apple may process data in accordance with Apple's infrastructure and data residency practices. If you contact us from outside our primary jurisdiction, your message may be stored in mail systems located in various countries. We use appropriate safeguards where required (for example Standard Contractual Clauses).
9. Analytics, logging, and diagnostics
9.1 Third-party SDKs in the App
The App as described in our public materials is designed not to embed third-party advertising or analytics SDKs for vault tracking. If we integrate analytics or crash reporting in a future version (for example crash symbols or feature usage), we will update this Policy and, where required, the App's disclosures.
9.2 Local and OS logging
The App may write technical logs locally or through Apple's unified logging for debugging. Those logs are not used to sell data.
9.3 Apple analytics
If you opt in to sharing analytics with Apple, Apple may collect diagnostic data according to Apple's privacy policy. That collection is between you and Apple.
10. Retention
- Vault data remains until you delete items, reset the vault, or remove the App, subject to backups and sync copies under your Apple ID.
- Support emails are retained as long as needed to resolve issues and for legitimate business or legal needs, then deleted or anonymized where feasible.
- Subscription status is determined by Apple; we do not need to retain payment card data because we do not receive it from Apple for App Store purchases.
11. Security
We implement reasonable technical and organisational measures in our products and processes. No method of storage or transmission is perfectly secure. You reduce risk by using a strong master password, keeping devices updated, enabling disk encryption where available, and being cautious with exports and shared files.
12. Clipboard
When you copy a field, content may be placed on the system pasteboard. You may enable an optional timer in Settings to clear the clipboard after copy if the value was not replaced. Locking the vault may clear the general pasteboard. Other apps and the OS may still access pasteboard content according to platform rules.
13. Password health and similar tools
Features such as password reuse or strength summaries operate on-device on decrypted data in memory during the scan. We do not receive your plaintext passwords for that feature.
14. Children
The App is not directed at children under 13 (or the minimum age in your jurisdiction). Do not use the App to collect personal information from children without appropriate authority. If you believe we have received child data improperly, contact hello@zenproducts.ai.
15. California residents (summary)
California law may grant rights to know, delete, and opt out of certain "sales" or "sharing." We do not sell personal information as defined by the CCPA / CPRA in the conventional sense of selling vault contents. For requests about information we hold through support channels, email hello@zenproducts.ai with "California privacy request" in the subject. We will verify reasonable requests as required by law.
16. Your choices and controls
You may:
- Edit or delete vault items, change folders, export encrypted backups, import data, or use in-App reset flows as offered.
- Disable biometric unlock in Settings and manage Keychain entries through system settings if needed.
- Turn iCloud sync on or off subject to Apple account status and App behaviour.
- Cancel Zen Premium through Apple's subscription management.
17. Changes to this Privacy Policy
We may update this Policy. We will revise the "Last updated" date and post the new version on our website. Material changes may require additional notice under law or in the App. Continued use after the effective date constitutes acceptance of the updated Policy where permitted.
18. Contact
Privacy inquiries: hello@zenproducts.ai
Suggested subject: Zen Passwords · Privacy
You may also use App Store "Contact developer" or equivalent links where available.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. Have qualified counsel review it before publication, especially for GDPR, CPRA, and App Store requirements.
