Privacy Policy

Last updated: June 7, 2026

Auteeth (“the extension”, “we”) is a two-factor authentication (2FA) and password-manager browser extension. This policy explains exactly what data Auteeth handles and how. Auteeth is built to be zero-knowledge: your 2FA secrets and saved passwords are encrypted on your device and are never readable by us.

Who we are

Auteeth is published by an individual developer. Contact: imyawin1@gmail.com.

The short version

  • Your 2FA secrets and saved website passwords are encrypted on your device with a master password before anything is stored or synced.
  • We cannot read your 2FA secrets, your saved passwords, your master password, or your recovery code — by design.
  • We store only encrypted data and one-way hashes needed to log you in and sync.
  • We do not use ads, trackers, or analytics, and we do not sell or share your data.

What data we handle

1. Account email address
When you create an account for sync, your email is used to sign you in and to send recovery codes. It is stored by our authentication provider (Supabase).

2. Encrypted vault data (ciphertext only)
Your list of 2FA accounts (issuer, label, and TOTP secret) and your saved website logins (site, username, and password) are encrypted on your device using a key derived from your master password (Argon2id + AES-256-GCM). Only the resulting ciphertext is synced and stored. We never receive the plaintext secrets, passwords, or your master password.

3. Authentication and recovery hashes
To log you in without sending your master password, your device sends a one-way derived value (an HKDF “auth hash”). To support recovery, a one-way hash of your recovery code (a “verifier”) is stored. Neither value can be used to decrypt your data.

4. Local device storage
Your encrypted vault is also cached in your browser’s local storage so the extension works offline. If you enable biometric unlock, a device-bound encrypted key is stored locally and never leaves your device.

What we do NOT collect

  • We do not collect your 2FA secrets, passwords, master password, recovery code, or biometric data (we store them only as ciphertext we cannot decrypt).
  • We do not use analytics, advertising, fingerprinting, or third-party trackers.
  • We do not collect browsing history or the contents of web pages. To offer save and autofill, the extension detects login fields on your device; the only page data it reads is the username/password you typed into a login form, used solely to offer “Save password?” — saved only with your explicit confirmation, and never transmitted unencrypted. The screen-capture feature reads the visible tab only when you explicitly click “Scan QR on current page”, and the captured image is processed on your device solely to read a QR code — it is never uploaded.

How your data is used

  • Email: to authenticate you and deliver one-time recovery codes.
  • Encrypted vault + hashes: to sync your accounts across your browsers and let you restore them on a new device.

That is the entirety of how your data is used. We do not use it for any other purpose.

Third parties

We use Supabase (supabase.com) as our hosting and authentication provider. Supabase stores the encrypted data and email on our behalf as a data processor. Because the data we store is encrypted on your device, Supabase cannot read your 2FA secrets either. We share data with no other third parties.

Permissions the extension requests

  • storage — to save your encrypted vault and settings in your browser.
  • alarms — to automatically lock the vault after a period of inactivity.
  • activeTab — only when you click “Scan QR on current page”, to read a QR code from the current tab.
  • Access to websites (content script) — to detect login forms, show the in-page Auteeth icon, offer to save credentials you submit, and fill saved credentials when you select them. All of this happens on your device; page content is never collected or transmitted. Saved credentials are only offered on the domain they were saved for.

Data retention and deletion

  • Local data: uninstalling the extension or clearing the extension’s storage removes the local encrypted vault.
  • Synced data: to delete your account and its encrypted data from our servers, email imyawin1@gmail.com from your account’s email address and we will delete it.
  • Forgotten password: because we cannot read your data, if you lose both your master password and your recovery code, your synced data is permanently unrecoverable.

Children

Auteeth is not directed to children under 13 and does not knowingly collect data from them.

Changes to this policy

We may update this policy; the “Last updated” date will reflect changes. Material changes will be noted in the extension’s listing.

Contact

Questions about this policy or your data: imyawin1@gmail.com.