FORTIKEY
Access Protected
|

Privacy Policy

Your trust is our greatest asset. This Privacy Policy explains how FortiKey handles data under a core principle: Privacy by technology, not just by promise.

1. Zero-Knowledge Architecture: We are "blind" to your data

FortiKey is designed so that we can never access your sensitive information.

  • End-to-End Encryption (E2EE): The entire encryption and decryption process occurs locally on your device using the AES-256-GCM algorithm.
  • The "Blind" Server Principle: Your Master Password and decryption keys never leave your device. The only thing FortiKey servers receive and store are completely meaningless encrypted strings (Ciphertext).
  • Incapable of Interference: We cannot read, recover, or sell data that we do not have the keys to unlock.

2. Information We Collect and Its Purpose

We only collect the absolute minimum information necessary to operate the service:

  • Identifying Information: Email address collected via Google OAuth. The sole purpose is to identify the user and link them to their respective data segment (Vault) in our database.
  • Encrypted Vault Data: We store blocks of encrypted data to facilitate synchronization (Sync) across your devices.
  • Operational Data (Metadata): Minimal logs regarding login times and connection status for system maintenance, preventing DDoS attacks, and stopping resource abuse (Spam).

3. What We ABSOLUTELY DO NOT Collect

  • No Tracking: We do not use behavioral trackers (Tracking pixels) or third-party advertising cookies.
  • No Sensitive Information Collection: We do not store detailed IP addresses, precise geolocation, or user browsing history.
  • No Data Selling: FortiKey is a community project; your data is not merchandise.

4. Infrastructure Security and Hosting Partners

We utilize infrastructure from top-tier global providers, namely Vercel and NeonDB/Supabase:

  • Your data is protected by multiple layers of firewalls and the physical security standards of our partners.
  • Technical Note: Even if these infrastructure providers were to be compromised, your data remains mathematically secure because it is encrypted before it ever leaves your browser.

5. Legal Requests and Subpoenas

In the event we receive a lawful request from law enforcement agencies:

  • We will only provide the information we actually possess (such as the registered Email and minimal login logs).
  • Regarding Vault contents: We can only provide encrypted files. We cannot comply with any data decryption requests because we do not possess the decryption key (Master Password).

6. Your Rights

You have full rights to access, export your decrypted data, or permanently delete your account and all associated data from our servers at any time securely through the application dashboard. This deletion process is instantaneous, permanent, and strictly enforces the "Right to be Forgotten".

Using FortiKey means you trust in the power of mathematics and cryptography.