Password Bunny

Password Bunny Legal

Privacy Policy

This policy explains what Password Bunny processes directly, what stays on your device or in your chosen sync target, and how our local-first model affects privacy.

Effective date: May 2, 2026
Important: Password Bunny is designed so that your master password and decrypted vault contents are not part of our ordinary server-side account and licensing flow.

This Privacy Policy is tailored to Password Bunny's local-first model, including account access, licensing, and optional third-party sync providers chosen by the user.

1. Overview

This Privacy Policy explains how passwordbunny, Inc. ("Password Bunny," "we," "us," or "our") handles personal information when you use our websites, web applications, desktop applications, mobile applications, browser extensions, local integrations, and related services (collectively, the "Services").

For privacy questions or requests, you can contact us at support@passwordbunny.ai.

Password Bunny is designed to be local-first. Your vault data is primarily stored on your device and, if you choose to enable sync, in the storage provider or sync target that you connect. Our goal is to minimize what we collect from you directly.

2. What Personal Information Means

"Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable person. Depending on how you use the Services, this may include:

  • account information, such as your email address and account status.
  • verification and security information used to confirm account access and protect against abuse.
  • license, subscription, and entitlement information needed to provide paid or trial access.
  • support communications and materials you choose to send us.
  • payment or marketplace metadata related to purchases, subscriptions, or entitlements handled through payment processors or app marketplaces.
  • device, network, and request metadata that is necessarily transmitted when you access our websites or APIs.

3. Data We Collect Directly

Depending on how you use Password Bunny, we may collect the following categories of information directly from you:

  • account and login information, such as your email address used for verification and account access.
  • verification and security information needed to authenticate you and protect the Services.
  • license and entitlement information needed to determine access to paid or trial features.
  • support communications and related contact details you choose to provide.
  • website and network metadata that is necessarily transmitted when you access our websites or APIs. We do not intentionally retain this information in application logs unless needed for security, abuse prevention, troubleshooting, or legal compliance.

4. Data Stored Locally or in Your Chosen Sync Target

Your vault contents, including credentials, passkeys, one-time code secrets, and related records you create, import, migrate, or modify in Password Bunny, are intended to remain under your control on your device and, if sync is enabled, in the third-party provider or storage location you choose.

We do not ask for your master password, we do not store your master password on our servers, and we do not have a practical way to recover it for you.

Certain settings and security state may also be stored locally on your device, such as sign-in state, license state, local security preferences, and sync connection credentials for storage targets you choose, including WebDAV-compatible storage or user-controlled NAS.

5. Sensitive Vault Information

Password Bunny is a password manager, so your vault may include Personal Information or sensitive information. Some of that information may come from records you create in Password Bunny, and some may come from data migrated or imported from another password manager or credential source.

Password Bunny does not necessarily support creating every type of record that may appear in migrated data. However, migrated vault data may still be stored in your vault, and you may be able to edit, update, or remove supported fields through the app.

Our ordinary account, authentication, licensing, and entitlement systems do not store your master password or decrypted vault contents, and Password Bunny is designed so that we cannot access your decrypted vault contents through those systems.

If you choose to contact support and voluntarily send materials that contain vault information or sensitive information, we may receive the information you choose to share with us.

6. Device and Usage Information

Password Bunny does not intentionally include in-app advertising SDKs, broad product analytics trackers, or third-party crash reporting SDKs. If that changes, we will update this Privacy Policy as required.

The apps may still use limited device information locally to support your product experience. That information may be included in your own synced vault data if you enable sync.

Our websites, APIs, hosting providers, browsers, app stores, operating systems, and third-party sync or identity providers may still process network and device metadata as part of normal operation.

7. Cookies and Similar Technologies

Our public website may use cookies or similar browser storage that are necessary for site delivery, security, routing, or basic browser behavior.

Our website may load fonts or other site assets from third-party providers. Those providers may receive technical request information needed to deliver those assets.

Password Bunny does not intentionally operate a website analytics, advertising-cookie, or cross-site tracking program. If that changes, we will update this Privacy Policy as required.

8. How We Use Personal Information

We use personal information to operate, secure, and support the Services, including to:

  • send email verification codes and verify account access.
  • create, maintain, and validate license or entitlement state.
  • determine whether paid or trial access is available.
  • provide customer support and respond to questions.
  • maintain service security, diagnose faults, prevent abuse, and enforce our Terms of Use.
  • comply with applicable law and legitimate legal process.

9. Legal Bases

Where privacy law requires a legal basis, we generally process personal information because it is necessary to provide the Services you request, perform our contract with you, comply with legal obligations, protect security and fraud-prevention interests, or pursue legitimate interests that are not overridden by your rights.

Where consent is required, we will rely on consent and you may withdraw it where applicable.

10. Sharing of Information

We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising or targeted advertising.

We may share personal information only in limited circumstances, including with:

  • vendors we engage to process Personal Information on our behalf to help operate core functions, such as email delivery, hosting, support communications, and payment processing when enabled. We require those vendors to process Personal Information only to provide services to us and as otherwise permitted by applicable law.
  • platforms, marketplaces, and external providers that you choose or use in connection with the Services, such as app stores, payment platforms, and site asset providers. Their handling of information is governed by their own terms and privacy policies.
  • third-party sync providers or storage targets that you choose to connect. Their handling of information is governed by their own terms, privacy policies, and account settings.
  • law enforcement, regulators, courts, or other third parties when required by law or reasonably necessary to protect rights, safety, and security.
  • a successor entity in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business.

11. Marketing Choices

Password Bunny does not currently send marketing emails, promotional emails, or newsletters.

If that changes, we will update this Privacy Policy and provide any opt-out choices required by applicable law. Operational, security, account, payment, and legal notices are not marketing communications and may still be sent when needed to provide or protect the Services.

12. International Transfers

Password Bunny may rely on service providers, infrastructure, or personnel in multiple countries, including the United States. As a result, personal information may be processed outside your home jurisdiction.

Where required, we will use reasonable safeguards for cross-border transfers, such as contractual protections or other lawful transfer mechanisms.

13. Retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, including account security, fraud prevention, legal compliance, recordkeeping, dispute resolution, and enforcement.

Different categories of records may be retained for different periods depending on operational, security, financial, and legal needs.

If you request deletion, we may still retain limited information where reasonably necessary for legal compliance, payment records, fraud prevention, security, dispute resolution, or enforcement.

Information stored locally on your own device or in your chosen sync target remains under your control unless removed or overwritten through product behavior.

14. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information that we process directly.

No service can guarantee absolute security. You are responsible for protecting your devices, your email account, your master password, and any third-party storage accounts you connect to Password Bunny.

15. Your Rights and Choices

Depending on where you live, you may have rights to request access to, correction of, deletion of, restriction of, portability of, or objection to our processing of your personal information.

You may also have the right to withdraw consent where processing is based on consent, and to appeal or complain to a relevant supervisory authority.

Before responding to a privacy request, we may require information reasonably necessary to verify your identity and protect against unauthorized access or deletion requests.

You may request deletion of account information that we process directly by emailing us at support@passwordbunny.ai or through any other request method we make available.

Deleting or changing information stored locally on your own device or in your chosen sync target may need to be handled by you directly in the app, on your device, or with the sync provider you selected.

Because Password Bunny is designed to keep vault data under your own control, some requests relating to vault content may need to be handled by you directly on your own device or in your chosen sync provider rather than by us.

16. Children

The Services are not intended for children under 16. We do not knowingly collect personal information directly from children under 16. If you believe a child has provided us personal information, contact us and we will review the request.

17. Third-Party Services

The Services may link to or integrate with third-party websites, cloud providers, platforms, app stores, operating systems, and browser environments. Those third parties have their own privacy practices, and this Privacy Policy does not cover them.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and change the effective date above. The updated Privacy Policy applies after it becomes effective.

19. Contact

Questions or privacy requests can be sent to support@passwordbunny.ai.