Oak Keyring Privacy Policy

Local-first vault data

Oak Keyring stores vault data locally on your device by default. Your saved credentials, passwords, recovery words, master password, vault key, and local vault database are not sent to OpenKeyring servers as part of normal use.

Oak Keyring does not provide a hosted account, hosted vault, or hosted account recovery service. If you lose both your master password and your recovery words, OpenKeyring cannot recover your vault.

Google Drive OAuth and sync

Google Drive sync is optional. If you authorize it, Oak Keyring uses Google OAuth2 to access Google Drive with this scope: https://www.googleapis.com/auth/drive.file.

This scope is used to create, read, update, and delete Oak Keyring sync files in Google Drive that the app creates or that you explicitly make available to the app. Oak Keyring uses that access only to synchronize encrypted vault records, sync metadata, conflict data, and sync lock files needed for backup and multi-device movement.

Google Drive receives encrypted sync data, not your vault key, master password, or plaintext saved passwords. Oak Keyring does not use Google user data for advertising, profiling, model training, or sale to third parties.

Google API Limited Use

Oak Keyring's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Google user data is used only to provide or improve the user-facing Google Drive sync feature, maintain security, comply with applicable law, or act with your consent. OpenKeyring does not transfer Google user data to advertising platforms, data brokers, or information resellers.

Human access to Google user data is limited to cases where you ask for support, where access is necessary for security or abuse investigation, where required by law, or where you explicitly consent.

OAuth tokens

OAuth access and refresh tokens are stored on your device in Oak Keyring's local configuration token directory. On Unix-like systems, the token file is restricted to owner-only permissions when the operating system allows it.

You can revoke Google Drive authorization from your Google Account, delete locally stored Oak Keyring tokens, and delete Oak Keyring sync files from Google Drive. Removing authorization or deleting sync files may stop cloud sync until you authorize Google Drive again or recreate the sync data.

Website data

The public website does not require an account. Some public website pages may use Cloudflare Web Analytics in production to understand aggregate page traffic and basic site health. Website analytics are not connected to a hosted Oak Keyring vault account, because Oak Keyring does not provide one.

Oak Keyring's browser-local password generator does not submit generated passwords to OpenKeyring.

Children

Oak Keyring is not directed to children under 13, and OpenKeyring does not knowingly collect personal information from children under 13. If you believe a child has provided personal information to the project, contact OpenKeyring so it can be reviewed and removed where appropriate.

Support and security reports

If you contact OpenKeyring by email, GitHub Issues, GitHub Discussions, or another public channel, the project may receive the information you choose to include. Do not post passwords, vault files, recovery words, OAuth secrets, tokens, or private logs in public issues or discussions.

Sharing and retention

OpenKeyring does not operate a hosted vault service and does not sell personal information. Data stored in your local vault remains under your control. Data synchronized to Google Drive remains subject to your Google Account settings and Google's terms and privacy policy.

Locally stored vault data, OAuth tokens, backups, and sync files remain until you delete them, revoke access, or remove the relevant files from your device or Google Drive. Public GitHub issues, discussions, pull requests, and email messages may remain in those systems unless removed under the rules of the relevant service.

Changes and contact

This policy may change as Oak Keyring evolves from preview software toward a stable release. Material changes will be reflected on this page.

For privacy or security questions, contact alphaqiu@gmail.com.