Privacy Policy

AccSec — Offline Password Manager · Last updated: May 8, 2026

Summary: AccSec stores all of your data locally on your device using strong encryption. We do not run servers that hold your passwords, we do not have accounts, and we do not collect personal information. The only network traffic the app may produce is for advertisements and for biometric/system services provided by your device's operating system.

1. Who we are

This Privacy Policy describes how the AccSec mobile application (“AccSec”, “the app”, “we”, “us”) handles information in connection with your use of the app. AccSec is distributed under the application identifier com.accsec.app.

2. The data you store in the app

AccSec is an offline-first password manager. The credentials and notes you enter (titles, usernames, passwords, websites, notes, two-factor secrets, categories) are:

Encrypted on your device with AES-256-CBC, using a key derived from your master password via PBKDF2-SHA256 with 100,000 iterations and a random per-installation salt.
Stored exclusively in encrypted form within your device's local storage (Android SharedPreferences for the encrypted blob; the master-password salt and verification hash live in the platform secure keystore — Android Keystore or iOS Keychain).
Never transmitted off your device by us. AccSec does not operate servers that receive, sync, back up, or process your vault contents.

Because we never receive your data, we cannot read it, recover it, share it, or sell it. The flip side is that if you forget your master password, your vault cannot be recovered. There is no backdoor and no “forgot password” flow.

3. Information we do not collect

AccSec does not collect, transmit, or store on any remote server:

Your name, email address, phone number, or any account identifiers.
The contents of your vault (titles, usernames, passwords, notes, TOTP secrets, etc.).
Your master password, or any value derived from it that could be used to authenticate as you.
Behavioural analytics, click-tracking, screen recordings, crash reports tied to your identity, or first-party telemetry.

4. Permissions used by the app

Permission	Purpose
`USE_BIOMETRIC` / `USE_FINGERPRINT`	Optional. Lets you unlock the app with a fingerprint or face scan instead of typing your master password every time. Biometric matching is performed by your device's operating system; AccSec never receives your biometric data.
`INTERNET` / `ACCESS_NETWORK_STATE`	Used only when in-app advertisements are enabled, so the AdMob SDK can request and display ads.

5. Advertising (Google AdMob)

AccSec includes banner advertisements served by Google AdMob. When ads are enabled:

The Google Mobile Ads SDK may collect a limited set of device-level signals (such as your device's advertising identifier, coarse location derived from IP, device model, and language) to deliver and measure ads. This data is processed by Google under Google's own privacy terms.
The first time the SDK loads, Android may show you a User Messaging Platform (UMP) consent prompt where required by law (for example, in the European Economic Area and the United Kingdom). You can change your consent at any time through your device's ad settings.

Google's privacy policy is available at https://policies.google.com/privacy. Information specific to AdMob is available at https://support.google.com/admob/answer/6128543.

6. Security

We have designed AccSec to minimise the trust you have to place in us:

No server-side storage means there is no database for an attacker to breach.
Master password is never stored. We persist only a salted hash, derived through PBKDF2 with a high iteration count, used solely to verify that you typed the correct password locally.
Encryption keys live only in memory for the duration of an unlocked session. They are zeroed out and released when you lock the app, when the configured auto-lock timer fires, or when the operating system terminates the process.
Biometric unlock is gated by the operating system's biometric stack; the app simply asks the OS “is this the rightful user?” and unlocks if the OS confirms.

No method of electronic storage is 100% secure. If you suspect your device is compromised (for example, lost, stolen, or rooted), we recommend that you change the master passwords stored in your vault and rotate any credentials you consider sensitive.

7. Children's privacy

AccSec is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. Because we collect no personal information from any user, this restriction is technical as well as legal.

8. International users

Because AccSec is offline and we do not collect personal data, no international transfer of personal data takes place under our control. Where ads are enabled, Google may transfer ad-related data internationally as described in Google's own privacy policy.

9. Your choices and rights

Disable ads: Settings → Advertisements inside the app.
Delete your data: uninstalling the app will remove all locally stored vault data, settings, and keystore entries written by the app on Android. On iOS, locally stored data is removed on uninstall; some keychain entries may persist depending on your operating system version — you can delete them from the iOS keychain settings if needed.
Export your data: a future release may add an encrypted export feature. Until then, treat the data inside AccSec as device-local only.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If a change is material, we will surface a notice inside the app. Continued use of AccSec after a change constitutes acceptance of the revised policy.

11. Contact

Questions about this policy or how AccSec handles your data? Reach the developer through the support channel listed on the app's Google Play store page.