Privacy

Privacy Policy

Last updated: February 26, 2026

The short version: Claspt is a local-first, zero-knowledge application. Your vault data never leaves your device unencrypted. We do not have access to your passwords, notes, or encryption keys. The desktop app collects no personal information. This website uses privacy-respecting analytics with no cookies.

1. Who We Are

Claspt is developed by Indivar Software Solutions Limited, a software company registered in Auckland, New Zealand. For privacy enquiries, contact us at [email protected].

2. The Claspt Desktop Application

2.1 What Data the App Stores

Your Claspt vault — including pages, folders, encrypted secret blocks, tags, and settings — is stored entirely on your local filesystem. Claspt does not transmit vault data to any server unless you explicitly configure sync (see Section 4).

2.2 Encryption

All secret blocks are encrypted using AES-256-GCM with unique nonces per block. Your master password is processed through Argon2id (64MB memory, 3 iterations, 4 lanes) to derive the encryption key. We have no mechanism to recover your master password or decrypt your vault. If you lose your master password, your encrypted data is permanently inaccessible.

2.3 Biometric Unlock

When you enable biometric unlock (Touch ID, Face ID, or Windows Hello), a wrapped copy of your vault key is stored in the operating system's secure keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service). The biometric data itself is never accessed by Claspt — authentication is handled entirely by the operating system.

2.4 Telemetry and Crash Reports

The Claspt desktop application does not collect telemetry, usage analytics, or crash reports. No data is sent to our servers or any third-party service from the desktop app. We may introduce opt-in crash reporting in the future — it will always be opt-in, never opt-out.

3. The Claspt Website (claspt.app)

3.1 Analytics

This website uses privacy-respecting analytics to understand aggregate traffic patterns (page views, referral sources, device types). Our analytics:

  • Do not use cookies
  • Do not track individual users across sessions
  • Do not collect personal information (no IP addresses stored)
  • Do not share data with advertising networks
  • Are compliant with GDPR, CCPA, and PECR without requiring a cookie banner

3.2 Contact Forms and Email

If you contact us via email at [email protected], we store your message and email address for the purpose of responding to your enquiry. We do not add your address to marketing lists or share it with third parties.

4. Sync and Cloud Features (Pro)

4.1 Self-Managed Sync (Git, WebDAV, SFTP)

If you use self-managed sync, your encrypted vault files are transmitted to a server you control. Claspt does not have access to your sync server, credentials, or transferred data. The files transferred are already encrypted — even if intercepted, they cannot be read without your master password.

4.2 Claspt Relay Sync

If you use the optional Claspt relay for sync, your vault files pass through our relay server in encrypted form only. The relay:

  • Never receives your master password or encryption keys
  • Cannot decrypt your vault data (zero-knowledge architecture)
  • Stores encrypted blobs only for the duration needed to sync between your devices
  • Does not log or inspect file contents

4.3 Secure Sharing

Shared links are end-to-end encrypted. The decryption key is included in the URL fragment (after the #), which is never sent to our server. We cannot read shared content. Shared links respect the expiry and burn-after-reading settings you configure.

5. Payment Processing

Payments for Claspt Pro are processed through a third-party payment provider. We do not store credit card numbers or payment details on our servers. The payment provider's privacy policy applies to payment data.

6. Third-Party Services

Claspt does not integrate with or transmit data to any third-party advertising, tracking, or data brokerage services. The only third-party interactions are:

  • Payment provider — for Pro subscription billing
  • Update server — to check for new application versions (no personal data transmitted)

7. Data Retention

Your vault data lives on your device and is under your control. We do not retain copies. If you cancel Pro sync, encrypted data on the relay is deleted within 30 days. Website analytics data is retained in aggregate form (no individual records) indefinitely.

8. Your Rights

Regardless of your jurisdiction, you have the right to:

  • Access — Request a copy of any data we hold about you
  • Deletion — Request deletion of your account and associated data
  • Portability — Export your vault at any time (it's already your local files)
  • Object — Object to any processing of your data

For EU/EEA residents, these rights are guaranteed under GDPR. For California residents, these rights are guaranteed under CCPA. Contact [email protected] to exercise any of these rights.

9. Children's Privacy

Claspt is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable law. We will note the date of the last update at the top of this page. For material changes, we will provide prominent notice on the website.

11. Contact

For privacy-related questions or requests:

  • Email: [email protected]
  • Company: Indivar Software Solutions Limited
  • Location: Auckland, New Zealand