LockBox — Privacy Policy

LockBox is a password manager built by RakulAgn (the “Developer”, “we”, “us”). This Privacy Policy explains what data LockBox handles, where that data lives, and your rights as a user.

Last updated · April 14, 2026

01

In short

LockBox does not collect any personal data about you. Your vault lives on your device, encrypted with AES-256. If you enable cloud backup, an encrypted copy is stored in the hidden app-data area of your own Google Drive — we never receive it. We do not run any servers. We do not run analytics. We do not track you. We do not sell or share anything, because there is nothing to sell or share.

02

Data Controller

RakulAgn. Contact: rakul0agn@gmail.com

03

What LockBox Stores on Your Device

The following data is created by you and stored only on your device inside an encrypted local database (Hive) using AES-256-CBC with per-entry random initialization vectors:

  • Passwords, usernames, URLs, notes, and category labels you enter
  • Credit card details you choose to save
  • Secure notes you create
  • TOTP (2FA) secrets you add
  • Emergency-access contacts you configure
  • Your 4-digit PIN (stored as a salted SHA-256 hash — never in plaintext)
  • App settings and preferences

The AES encryption key is generated on first launch and stored in the operating system’s secure keystore (Android Keystore / iOS Keychain). It never leaves the device.

04

What LockBox Does Not Collect

  • No account registration, no email, no phone number
  • No analytics, telemetry, or usage metrics
  • No crash reporting sent to any third party
  • No advertising identifiers
  • No location data
  • No contact list, SMS, call log, or photos
  • No device fingerprinting
  • No server-side copy of your vault

LockBox does not make any network request that sends your personal vault contents anywhere, except the optional encrypted cloud-backup to your own Google Drive described below.

05

Optional Cloud Backup (Google Drive)

If you choose to sign in with Google and enable cloud backup, LockBox will:

  • Encrypt your entire vault locally before upload
  • Wrap the encryption key with a key derived from your PIN (PBKDF2-HMAC-SHA256, 150,000 iterations)
  • Upload the encrypted blob to the hidden appDataFolder of your Google Drive

The appDataFolder is a private, per-app folder that is not visible to you in drive.google.com and cannot be accessed by any other app. Only LockBox, signed in with your Google account, can read or write it.

LockBox requests the drive.appdata OAuth scope only. It does not request access to any other file in your Google Drive.

Important: we never see your backup. It lives entirely within your Google account, end-to-end encrypted with a key only you can derive (from your PIN). If you lose your PIN, nobody — including us — can recover your data.

06

Breach Monitoring (HaveIBeenPwned)

LockBox offers an optional breach-check feature powered by HaveIBeenPwned. This uses the HIBP k-anonymity API, which works as follows:

  • Your password is SHA-1 hashed on your device
  • Only the first 5 characters of the hash are sent to HIBP
  • HIBP returns a list of hash suffixes that match that prefix
  • Your device locally checks if your full hash appears in the list

Your actual password — and the full hash — never leave your device. This check is opt-in and only runs when you tap the breach-check action.
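
The k-anonymity lookup described above, sketched in Python as an added example; it is not LockBox's own code. The function names and the range response are constructed for illustration, and no network request is made.

```python
import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Look for our suffix in the 'SUFFIX:COUNT' lines returned for the prefix.

    The comparison happens on the device. Padding entries (the service can
    pad responses with count 0) are treated as "not breached".
    """
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper() and count.isdigit():
            return int(count)
    return 0


def constructed_range_body(suffix: str) -> str:
    """Constructed sample response: one padding row, one hit, one unrelated row."""
    rows = [f"{'0' * 35}:0", f"{suffix}:42", f"{'F' * 35}:3"]
    return "\r\n".join(rows)  # the real API separates rows with CRLF


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    # Only `prefix` would be sent, e.g. GET https://api.pwnedpasswords.com/range/<prefix>
    body = constructed_range_body(suffix)
    print("sent to service:", prefix)
    print("kept on device :", suffix)
    print("times seen     :", breach_count(suffix, body))
```
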

07

In-App Purchases (Google Play Billing)

LockBox offers optional premium features via Google Play Billing. Payment processing is handled entirely by Google Play — we never see your payment method, card number, or billing address. Google provides us only with an anonymous purchase token confirming that your account is a paying subscriber.

Google’s handling of payment data is governed by Google’s Privacy Policy (policies.google.com/privacy).

08

Permissions We Request

Each permission is used only for the feature it enables, and is optional:

  • Biometric (fingerprint / face) — unlocking the app as an alternative to PIN. Handled entirely by the operating system; LockBox never sees your biometric data.
  • Camera — scanning QR codes when adding TOTP (2FA) entries. No images are saved or transmitted.
  • Notifications — local password-expiry reminders. Scheduled on-device only, no push server involved.
  • Autofill (Android Autofill Service) — auto-filling saved credentials into other apps. Runs only when you tap an autofill suggestion while the vault is unlocked.
  • Internet — only for: Google Sign-In, Drive backup, HIBP breach check, and Play Store billing.

09

Children’s Privacy

LockBox is not directed at children under 13. We do not knowingly collect any data about children. If a parent or guardian believes their child has installed LockBox and has concerns, please contact us — though since we do not collect any user data in the first place, there is nothing for us to delete server-side.

10

Your Rights (GDPR, CCPA, and Similar Laws)

Users in the European Economic Area, United Kingdom, California, and other jurisdictions with comparable data-protection laws have the right to:

  • Access the personal data a controller holds about them
  • Request correction or deletion of that data
  • Object to processing
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

Because LockBox does not collect or retain any personal data on our servers, there is nothing for us to access, correct, or delete on your behalf. All of your data lives on your device and in your own Google Drive. You can:

  • Delete all data by uninstalling the app — local data is wiped
  • Revoke LockBox’s access to your Google Drive at myaccount.google.com/permissions
  • Delete the encrypted backup from your Google Drive via the same page

If you still have questions about your rights, contact us at rakul0agn@gmail.com.

11

International Users

LockBox is distributed globally through the Google Play Store. Because we do not collect or store any user data, there are no cross-border data transfers to disclose. Your vault data never leaves your device except when you explicitly enable cloud backup, in which case it is stored in your own Google account’s infrastructure (governed by Google).

12

Data Retention

We retain no user data. There is no server to hold anything. If you uninstall the app, your local vault is wiped. If you also delete the backup from your Google Drive, nothing about you remains anywhere.

13

Third Parties

LockBox interacts with the following third parties, each only for the feature described:

  • Google — Google Sign-In, Google Drive (appDataFolder only), Google Play Billing
  • HaveIBeenPwned — optional breach-check via k-anonymity API (only a 5-character hash prefix is sent)

No other third parties receive any data from LockBox.

14

Changes to This Policy

We may update this Privacy Policy when the app changes. Material changes will be announced in the app’s release notes on the Play Store. Continued use of LockBox after an update constitutes acceptance of the revised policy.

15

Contact

Questions, complaints, or data requests: rakul0agn@gmail.com

© 2026 RakulAgn. LockBox is an independent project and is not affiliated with Google, Apple, HaveIBeenPwned, or any other third party mentioned in this policy.