Privacy Policy

Last updated: June 7, 2026

Our Commitment to Privacy

At Authium, we believe your security data should remain private. Our zero-knowledge architecture means we never have access to your decrypted TOTP secrets or master password. This policy explains what limited data we collect across the Authium website, cloud account (optional Premium), and browser extension.

Browser Extension (Chrome, Edge, Opera, Firefox)

The Authium extension stores your TOTP vault locally on your device. Premium features may connect to Authium servers; core code generation works offline after setup.

Data stored locally

  • Encrypted TOTP secrets, account labels, tags, and optional issuer names
  • Vault lock settings, theme preference, and inactivity timeout
  • Optional Premium session tokens (if you sign in)
  • A random device identifier used only for license activation and device limits

Optional features that access the browser

  • Smart tab suggestions:When the popup is open, we read the active tab's URL hostname and page title to rank matching accounts. We do not send this to our servers.
  • OTP autofill: Only after you grant optional permissions and click autofill, we inject the current one-time code into OTP fields on the active tab. No page content is uploaded.
  • QR scan from tab: Only after you grant optional permissions, we capture a screenshot of the visible tab and decode a QR region locally to import a TOTP secret. Images are processed on-device and not uploaded.
  • Time calibration:If enabled, the extension may request optional access to Google's time endpoint to reduce clock drift. No personal data is sent.

Network requests from the extension

  • Supabase authentication (email/password or Google sign-in) — only if you use Premium sign-in
  • Encrypted vault sync — only if you enable cloud sync; payload excludes decrypted secrets and account names
  • License validation — device ID, browser/OS label, and license key or account session — only for Premium

The extension does not include analytics SDKs, sell data, or track browsing history. Optional permissions can be revoked anytime in extension settings.

Website & Cloud Account Data

  • Account information: email address and display name
  • Encrypted vault blobs for Premium sync (we cannot decrypt these)
  • Billing and subscription status (processed by our payment provider)
  • Aggregate website analytics on authium.app (via Vercel Analytics) — not collected inside the extension
  • Device and browser information when you contact support or validate a license

Zero-Knowledge Architecture

Your vault is encrypted using AES-256-GCM with keys derived from your master password (PBKDF2). Encryption happens locally on your device before any optional cloud sync. We never receive your master password or decryption keys.

How We Use Your Data

  • Provide and maintain the Authium service and browser extension
  • Sync your encrypted vault across devices (Premium, opt-in)
  • Validate subscriptions and license keys
  • Send important account and security notifications
  • Improve the website based on aggregate analytics (website only)
  • Provide customer support

Data Retention

We retain your account data and encrypted vault for as long as your account is active. When you delete your account, we remove associated cloud data within 30 days. Local extension data remains on your device until you uninstall the extension or clear extension storage. Anonymized website analytics may be retained per our analytics provider's policy.

Your Rights

You have the right to:

  • Access your personal data
  • Export your vault data from the extension
  • Delete your account and associated cloud data
  • Revoke optional extension permissions (autofill, tab scan, time sync)
  • Opt out of non-essential communications

Contact Us

If you have questions about this privacy policy or your data, please contact us at support@authium.app.