IronVault Browser Extension — Privacy Policy
This policy describes what the IronVault browser extension ("IronVault — Secure Autofill") accesses, stores, and transmits. Short version: your vault is end-to-end encrypted, decryption happens only on your device behind your master password, page content is read locally solely to detect and fill login forms, and the extension sends nothing to anyone except our own API — encrypted.
Effective date: July 5, 2026
Zero-knowledge by design
The IronVault extension is an autofill companion to your IronVault account. All vault contents — passwords, TOTP secrets, credit cards, identities, and passkeys — are protected with end-to-end encryption (AES-256-GCM, with keys derived from your master password via PBKDF2). Encryption and decryption happen only on your device, after you unlock with your master password. Your master password is never transmitted, and neither we nor anyone else can read your vault contents.
What the extension accesses and why
- Web pages you visit (content scripts): the extension reads page form fields locally to detect login, card, and identity forms, to fill them when you choose, and to offer to save credentials you submit. Page content is processed entirely on your device; it is never sent to our servers or to any third party. You can disable saving per-site ("never save on this site").
- storage: keeps an encrypted copy of your vault cache and your settings in the browser's extension storage. Decrypted material and session keys live only in in-memory session storage and are cleared when the extension locks or the browser closes.
- activeTab / tabs / scripting: used to run the autofill logic in the tab where you invoke IronVault and to match saved logins to the site you are on.
- notifications: shows save prompts and security notices locally.
- alarms: powers the auto-lock timer.
- clipboardWrite: lets you copy a password or 2FA code; the clipboard is automatically cleared about 30 seconds later.
- downloads: used only when you explicitly export your own data.
- Host permissions (ironvault.app only): the extension's only privileged hosts are www.ironvault.app and ironvault.app — our own service, used to sign in and sync your encrypted vault.
What the extension sends over the network
The extension communicates exclusively with the IronVault API (ironvault.app) over TLS: to authenticate your session, to download and upload your encrypted vault data, and to record vault activity for your own security history. It makes no requests to any other server. The extension contains no analytics, no telemetry, no ad or tracking code.
What our servers store
To provide your account, the IronVault service stores: your account email address, a salted cryptographic hash of your account password (the account password itself is never stored), and your encrypted vault blobs — ciphertext we cannot decrypt. Data is encrypted in transit (TLS) and at rest. We do not sell or share your personal data, and we do not use it for advertising.
Data retention and deletion
Your encrypted vault data is retained while your account is active so it can sync across your devices. You can delete your account and its data at any time — see how to delete your IronVault account. Deleting your account removes your account record and encrypted vault data from our servers.
Autofill happens locally
Matching a saved login to a website, generating a password, and filling a form are all performed on your device. Nothing you type on third-party websites is transmitted to IronVault servers.
Changes to this policy
If our practices change, we will update this page and its effective date. Material changes will be highlighted in the app.
Contact
Questions about this policy or your data: support@ironvault.app. The general IronVault Privacy Policy covers the web and mobile apps.