Privacy Policy
Last updated: June 28, 2026
Blackbox is a zero-knowledge password, secret, and autofill manager. Your master password and the encryption keys derived from it never leave your device. We cannot read, recover, or reset the contents of your vault.
What we store
- Encrypted vault data — your logins, keys, notes, cards, etc. are encrypted on your device with AES-256-GCM (keys derived from your master password via Argon2id). Only ciphertext is ever sent to or stored on our sync server (blackbox.ght.network).
- Your account email and a one-way authentication proof (a salted hash), used only to sign you in. The proof cannot be reversed into your encryption key.
We cannot decrypt your vault. We do not have your master password.
What the extension accesses (and why)
- Page fields on sites you use — only to fill credentials you ask to fill, and to offer to save a credential after you submit a login form. This happens locally in your browser.
- Storage — to cache your encrypted vault and settings on your device.
- Clipboard — to copy a secret when you click “copy”; the clipboard is auto-cleared about 25 seconds later.
Nothing you type or view is transmitted anywhere except your own encrypted vault, synced to your account.
What we do NOT do
- No analytics, tracking, ads, or fingerprinting.
- No selling or sharing of any data with third parties.
- No reading of page content beyond credential autofill/capture as described above.
Data retention & deletion
Your encrypted vault is retained on the sync server while your account exists. You may delete your local vault at any time from the app, and request account/data deletion by emailing us. Because the data is encrypted with a key only you hold, deletion of your master password renders any stored copy permanently unreadable.
Contact
Glass House Technologies — admin@ght.network
Blackbox is a product of Glass House Technologies. This policy applies to the Blackbox browser extension, web app, and desktop app.