Privacy Policy

Last updated: May 17, 2026

The TL;DR

The Password Generator (“we”, “our”, the “Service”) runs entirely in your browser. We do not see, store, log, or transmit any password or passphrase you generate. The only data we collect is anonymous usage analytics about how the site itself is used. This page explains that in detail and describes your rights under GDPR, CCPA, and similar laws.

1. Information We Do Not Collect

We do not collect any of the following:

  • Generated passwords, passphrases, or any output of the tool.
  • Inputs you give to the tool (length sliders, mode selections at the password level, character toggles).
  • Names, email addresses, phone numbers, or any contact information unless you voluntarily submit them through our contact form.
  • Payment information of any kind. We have no paid features.
  • Account credentials. We have no accounts.

Password and passphrase generation happens in your browser using JavaScript and the browser's built-in random source. You can verify this by opening your browser's developer tools network tab while generating a password — you will see no outbound requests carrying that data.

2. Information We Do Collect

2.1 Anonymous Usage Analytics

We use Google Analytics 4 (GA4) to understand how visitors find and use the site, so we can prioritize features and fix bugs. GA4 stores:

  • Anonymous interaction events such as “changed mode to passphrase” or “clicked generate” — never the password itself.
  • Pages visited and approximate time on page.
  • Country and approximate region derived from IP address (IP is anonymized by GA4 before storage).
  • Device type, browser, and operating system.
  • Referring page (e.g., a search engine or another site that linked to us).

We do not enable Google Signals, advertising features, or any cross-site identity linking inside GA4. You can opt out at any time by installing the official Google Analytics Opt-out Browser Add-on, by using a privacy-focused browser, or by enabling browser tracking protection.

2.2 Approximate Geographic Location

Our hosting platform (Vercel) detects the country your request originates from at the edge and stores it in a short-lived cookie (24 hours) so we can show region-appropriate content (such as legal notices required by your jurisdiction). The country code never identifies you personally and is derived from your IP address without ever exposing the IP to our application code.

2.3 Contact Form Submissions

If you choose to use the contact form, we will receive the email address and message you provide. This information is used only to reply to your inquiry. We do not add contact form submissions to a mailing list.

3. Cookies and Local Storage

We use the following client-side storage:

  • Analytics cookies set by Google Analytics. These contain a random identifier that lets GA4 distinguish unique visitors. They contain no personal information and you can block them at the browser level.
  • A geo cookie containing a two-letter country code, set on first visit and expiring after 24 hours.
  • No local storage of passwords. The tool does not write generated passwords to localStorage, sessionStorage, IndexedDB, or any other client-side store.

4. Third Parties

The Service uses a small number of third-party services. Each has its own privacy policy.

  • Google Analytics — anonymous usage analytics. See Google's privacy policy.
  • Google AdSense (if/when displayed) — contextual advertising. See Google's privacy policy.
  • Vercel — our hosting provider. Vercel processes requests on our behalf and may log standard request metadata (IP, user agent, URL, timestamp) for security and reliability purposes. See Vercel's privacy policy.
  • Google Fonts — we self-host fonts through Next.js where possible to avoid sending requests to Google's font CDN.

5. Your Rights Under GDPR (EU/UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate personal data.
  • Right to erasure (“right to be forgotten”) — request deletion of your personal data.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — where processing is based on consent, withdraw that consent at any time.
  • Right to lodge a complaint — with your local data protection supervisory authority.

Because we do not collect personal information beyond what is described above, most rights requests will return little or no data. To exercise any of these rights, contact us through the contact form.

6. Your Rights Under CCPA (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) and CPRA give you the following rights:

  • Right to know what categories of personal information we collect, why, and with whom we share it (described above).
  • Right to delete personal information we collect about you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell personal information.
  • Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CCPA.
  • Right to non-discrimination for exercising any of these rights.

7. Data Retention

We retain anonymous analytics data for the default Google Analytics retention period (currently 14 months). Contact form messages are retained only as long as needed to handle the inquiry, typically less than 90 days. The geo cookie expires after 24 hours.

8. Security

The Service is delivered over HTTPS. Because all sensitive processing happens client-side, our attack surface is small — we have no database of passwords to leak. However, no service can guarantee absolute security against all attacks on the underlying browser, operating system, or network.

9. Children's Privacy

The Service is intended for general audiences and is safe for children to use, but we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information through the contact form, please contact us and we will delete it.

10. International Data Transfers

Our hosting and analytics providers may process data in the United States and other jurisdictions. By using the Service, you understand that your data may be transferred to and processed in countries other than your own. We rely on the providers' standard contractual clauses and other transfer mechanisms required by GDPR and similar laws.

11. Do Not Track

We honor the browser-level Global Privacy Control (GPC) signal where supported. The site does not implement personalized advertising or cross-site tracking.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page will reflect the most recent revision. Material changes will also be noted on the homepage.

13. Contact

If you have questions about this Privacy Policy or want to exercise any of the rights described above, please see the about page or reach out at abevalle.com.