Legal

Privacy Policy

Effective date: 1 January 2026 · Last updated: 1 January 2026

๐Ÿ›ก๏ธ Summary: ZeroPanic is built on a zero-logging, privacy-first principle. We do not sell your data. We do not read your passwords. We cannot read your passwords โ€” by design. The sections below explain exactly what we collect, why, and how we protect it. We have tried to write this in plain language rather than legalese, while still being legally complete.
Section 01

Who We Are

ZeroPanic ("we", "us", "our") is a privacy-first cybersecurity platform providing three core tools: a Password Vault with breach monitoring, an AI Cybersecurity Assistant, and a client-side Encryption Playground. Our platform is accessible at zeropanic.org and any subdomains thereof.

When this policy refers to "the Service", it means the ZeroPanic website, web application, and all associated features. When it refers to "you" or "the user", it means any person who accesses or registers an account on the Service.

For any privacy-related enquiries, you can reach us at info@zeropanic.org.

Section 02

Information We Collect

We collect only what is necessary to provide the Service. Here is a precise breakdown:

Information you give us directly:

  • Account registration: your email address and a hashed password. We never store your password in plaintext — it is hashed using Argon2, a memory-hard hashing algorithm.
  • Password Vault entries: labels, URLs, and encrypted password blobs. The password values themselves are encrypted client-side using a key derived from your master key. We hold only the encrypted ciphertext — we cannot decrypt it.
  • AI Assistant conversations: the text and files you send to the assistant during a session. Unsaved chats are discarded at the end of the session. Saved chats are retained until you delete them.
  • Billing information: when you subscribe to Pro, payment is processed by Paystack. We do not handle or store your card details. We receive only a subscription status confirmation and a customer reference from Paystack.
  • Support communications: if you email us, we retain that correspondence to assist you.

Information collected automatically:

  • Session data: a session cookie is set on login to keep you authenticated. It contains no personal information beyond a session identifier.
  • Security logs: we log failed login attempts and rate-limit events for abuse prevention. These are not retained beyond 30 days.
  • Two-factor authentication (2FA) data: if you enable 2FA, we store a TOTP secret tied to your account. It is not shared with anyone.

What we do NOT collect:

  • We do not run analytics tracking scripts (no Google Analytics, no Meta Pixel, no fingerprinting).
  • We do not log your IP address in association with your activity beyond short-term abuse prevention.
  • We do not collect behavioural data, advertising identifiers, or device fingerprints.
  • We do not read or log the content of your AI conversations for training purposes.

Section 03

How We Use Your Information

We use the information we collect for the following purposes only:

  • Providing the Service: authenticating your account, delivering the tools you pay for, and maintaining your data.
  • Security and abuse prevention: rate limiting, brute-force protection, session management, and fraud detection.
  • Breach monitoring alerts: sending you email notifications when your passwords are detected in a known data breach (Pro tier).
  • Transactional emails: account creation confirmation, password reset links, 2FA setup, subscription receipts, and breach alerts. These are functional emails, not marketing.
  • Customer support: responding to questions or issues you raise with us.

We do not use your data for advertising. We do not sell, rent, or trade your personal information to any third party. We do not build profiles on you for commercial purposes.

Section 04

Password Vault & Zero-Knowledge Design

This section is important. The Password Vault is built on a zero-knowledge architecture, which means we are technically incapable of reading your stored passwords.

When you set your master key, it is used to derive an encryption key (via PBKDF2 or Argon2). Your passwords are encrypted using AES-256 before being sent to our servers. The master key itself is never transmitted to or stored on our servers. What we store is an encrypted blob — a string of characters that is mathematically useless without your master key.

๐Ÿ” In plain terms: even if someone broke into our database, they would find encrypted data they cannot read. Even our own engineers cannot read your passwords. This is a deliberate design decision, not a marketing claim.

Master key loss: because the master key is never stored anywhere on our systems, we cannot recover it for you. If you lose your master key, we can reset your vault (which clears all stored passwords) so you can start fresh. We strongly recommend exporting a backup of your vault periodically while you are logged in.

Master key changes: changing your master key requires email verification. When changed, all stored passwords are re-encrypted with a key derived from the new master key.

Section 05

Encryption Tool

The Encryption Playground operates entirely within your browser. No data you encrypt, decrypt, or generate (including key pairs) is ever transmitted to our servers. All cryptographic operations — AES-256, RSA, PGP — happen locally in your browser's JavaScript environment.

💻 You can verify this yourself by opening your browser's Developer Tools → Network tab while using the Encryption Tool. You will not see any outbound requests carrying your data. The tool even works offline once the page has loaded.

We do not log, store, or have access to any plaintext content, encrypted content, private keys, or public keys generated or used in the Encryption Tool.

Section 06

AI Assistant

The AI Cybersecurity Assistant is powered by large language models accessed via OpenRouter. When you send a message to the assistant, the content of that message — including any files you upload — is transmitted to the model provider to generate a response.

What this means for you:

  • Do not share highly sensitive personal information (e.g., actual passwords, financial credentials, government ID numbers) with the AI assistant.
  • Uploaded files are processed for the purpose of answering your query and are not permanently stored beyond your session, unless you explicitly save the chat.
  • We do not use your AI conversations to train models. Our model provider's data handling is governed by their own terms — we select providers with strong privacy commitments.
  • Saved chats are stored securely and are accessible only to you. You can delete them at any time from the Saved Chats section.

The assistant includes ethical guardrails and will refuse requests that could facilitate harm — including requests for malware, attack instructions, or other harmful content.

Section 07

Breach Monitoring

Breach monitoring is a Pro-tier feature that checks your stored passwords against the Have I Been Pwned (HIBP) database daily.

We use a privacy technique called k-anonymity to perform these checks without exposing your passwords:

  • Your password is hashed using SHA-1 (a one-way process — it cannot be reversed).
  • Only the first 5 characters of that 40-character hash are sent to the HIBP API.
  • The API returns a list of possible suffix matches, and the final check happens locally on our servers — your actual password or its full hash is never transmitted.

If a match is found, you receive an immediate email notification identifying the affected entry by its label only (e.g., "Your entry labelled 'Facebook' was found in a data breach"). The actual password value is never included in any notification email.

You will continue to receive repeat notifications on each daily check cycle for any breached password that has not yet been changed, to ensure you take action.

A monthly summary email is sent 30 days from your signup date — regardless of whether any breaches were detected — giving you a clear overview of your current exposure.

Section 08

Data Retention

We retain your data for as long as your account exists or as needed to provide the Service. Specifically:

  • Account data (email, hashed password, 2FA secret): retained until you delete your account.
  • Vault data (encrypted password entries): retained indefinitely while your account exists, regardless of your subscription status. See Section 9 for what happens when Pro expires.
  • Saved AI chats: retained until you delete them or delete your account.
  • Unsaved AI chats: discarded at the end of the browser session.
  • Uploaded files (in AI Assistant): not permanently stored. They exist in memory only for the duration of your session unless part of a saved chat.
  • Security logs (failed login attempts, rate limit events): retained for a maximum of 30 days, then purged.
  • Billing records: retained as required by applicable financial regulations (typically 7 years), but only the transaction reference and subscription status — never payment card data.

When you delete your account, all personal data associated with it — vault entries, saved chats, account details — is permanently deleted within 30 days. Anonymised or aggregated data not linked to your identity may be retained for operational purposes.

Section 09

Subscription, Billing & Pro Access

ZeroPanic offers a Free tier and a Pro tier. Payment is processed by Paystack. We do not handle or store your card details — all payment data is held by Paystack and governed by their privacy policy.

What happens when your Pro subscription expires or is cancelled:

โš ๏ธ Important โ€” vault access after Pro expires: If your Pro subscription lapses for any reason (cancellation, failed payment, or non-renewal), your Password Vault and its contents become inaccessible. You will not be able to view, add, edit, or delete vault entries while on the Free tier.

However — and this is important — your data is not deleted. Your encrypted vault entries remain stored securely on our servers. The moment you resubscribe to Pro, full access is restored and everything will be exactly as you left it. Think of it as a locked storage unit: your belongings are safe inside; you simply need an active Pro subscription to open the door.

Breach monitoring and saved chat history also become inaccessible on the Free tier but are similarly preserved and restored upon resubscription.

Cancellation: you may cancel your Pro subscription at any time from your Billing page. You retain full Pro access until the end of your current billing period. There is no early termination fee and no penalty for cancelling.

Refunds: given the nature of digital access, we do not offer refunds on subscription payments already processed, except where required by applicable consumer protection law. If you believe you have been charged in error, contact us at info@zeropanic.org and we will investigate promptly.

Account deletion and billing: deleting your account does not automatically cancel a Paystack subscription. Please cancel your subscription from the Billing page before deleting your account to avoid further charges.

Section 10

Third-Party Services

We use a small number of third-party services to operate the platform. These are disclosed in full:

  • Paystack — payment processing for Pro subscriptions. Paystack handles all card data. Their privacy policy governs how they handle that data.
  • OpenRouter / AI model providers — the AI assistant routes queries through OpenRouter to large language models. Query content is transmitted to the model for inference. We do not permit providers to use your conversations for model training.
  • Have I Been Pwned (HIBP) — used for breach checking via k-anonymity. Only a 5-character hash prefix is ever transmitted. No personally identifiable information is shared with HIBP.
  • Brevo (formerly Sendinblue) — used to deliver transactional emails (breach alerts, password resets, monthly summaries). We transmit your email address to Brevo for the purpose of sending these emails. Brevo is GDPR-compliant.
  • hCaptcha — used on the signup form to prevent automated bot registrations. hCaptcha may collect behavioural data as part of its challenge mechanism. Their privacy policy applies.

We do not embed social media widgets, advertising networks, or any other third-party tracking code on the Service.

Section 11

Cookies & Sessions

We use a minimal, functional-only cookie approach:

  • Session cookie: set on login to maintain your authenticated session. It is HttpOnly (cannot be accessed by JavaScript), SameSite=Lax (protects against CSRF), and is cleared when you log out or when the session expires. This cookie is strictly necessary for the Service to function.
  • CSRF token cookie: set to protect state-changing requests from cross-site request forgery attacks. This is a security necessity, not a tracking mechanism.

We do not use advertising cookies, tracking cookies, analytics cookies, or any persistent cookies beyond what is functionally necessary. You will not see a cookie consent banner for marketing purposes because we do not use marketing cookies.

Section 12

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. We respect these rights regardless of where you are located:

  • Right to access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can correct inaccurate data via your account settings or by contacting us.
  • Right to erasure ("right to be forgotten"): you can delete your account at any time, which triggers permanent deletion of your personal data within 30 days.
  • Right to data portability: you can export your vault entries at any time while logged in. We will provide your data in a machine-readable format on request.
  • Right to restriction of processing: you can ask us to limit how we use your data while a dispute is being resolved.
  • Right to object: you can object to any processing of your personal data that you believe is not justified.
  • Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at info@zeropanic.org. We will respond within 30 days. We will never charge you for a data access request.

Section 13

Security Measures

We take security seriously. The measures we have implemented include:

  • Password hashing: all account passwords are hashed using Argon2, a memory-hard algorithm that is highly resistant to brute-force attacks.
  • AES-256 encryption: vault password data is encrypted at rest using AES-256.
  • Two-factor authentication (2FA): TOTP-based 2FA is available and strongly recommended for all accounts.
  • CSRF protection: all state-changing requests are protected by Django's CSRF middleware.
  • Rate limiting and brute-force protection: login attempts are rate-limited and locked out after repeated failures using the Django Axes library.
  • Secure cookies: session and CSRF cookies are set as HttpOnly and SameSite=Lax. In production, the Secure flag is enforced, meaning cookies are only transmitted over HTTPS.
  • Session rotation: sessions are rotated on login to prevent session fixation attacks.
  • Input validation and output sanitisation: all user inputs are validated and all rendered outputs are sanitised to prevent XSS.
  • Parameterised queries: all database interactions use Django's ORM, which uses parameterised queries by default, preventing SQL injection.
  • File upload security: uploaded files are validated by MIME type and extension. Files are never executed on the server.
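The cookie attributes described in Section 11 and repeated in the "Secure cookies" item above (HttpOnly, SameSite=Lax, Secure in production) are something a user or reviewer can check for themselves on the `Set-Cookie` headers a login response returns. The following is an added example written for this page, not ZeroPanic's code: a small parser plus an audit function that lists which of those attributes a header is missing. The `production` option, the function names and the two sample headers are this example's own constructions.

```javascript
// Added example, not ZeroPanic's code: audit Set-Cookie header values for the
// attributes the policy describes. Sample headers below are constructed.

// Parse one Set-Cookie header value into the cookie name and a lowercase-keyed
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : part.slice(eq + 1).trim();
    attrs.set(key, value);
  }
  return { name, attrs };
}

// Return the list of problems with a session or CSRF cookie; empty means it
// carries every attribute the policy promises. `production` toggles the
// Secure requirement, mirroring "in production, the Secure flag is enforced".
function auditCookie(header, { production = true } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.has('httponly')) problems.push(`${name}: missing HttpOnly`);
  const sameSite = String(attrs.get('samesite') || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    problems.push(`${name}: SameSite should be Lax or Strict`);
  }
  if (production && !attrs.has('secure')) problems.push(`${name}: missing Secure`);
  return problems;
}

// Audit every Set-Cookie header of a response at once.
function auditCookies(headers, options) {
  return headers.flatMap((h) => auditCookie(h, options));
}

// Constructed sample headers: one weak, one matching the policy's description.
const WEAK_COOKIE = 'sessionid=abc123; Path=/';
const HARDENED_COOKIE = 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
```

To use it against a live site, copy the `Set-Cookie` lines from the login response in the browser's Developer Tools → Network tab and pass them to `auditCookies`; an empty result means the session and CSRF cookies carry the attributes this policy describes.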

Despite these measures, no system is perfectly secure. If you discover a security vulnerability, please report it responsibly to info@zeropanic.org. We take all reports seriously and respond promptly.

Section 14

Age & Accessibility

ZeroPanic is open to users of all ages. The Service contains no adult content, no advertising, and no data monetisation. We believe good security habits — strong passwords, breach awareness, and understanding encryption — are valuable at any age, and we have no reason to restrict access based on it.

That said, entering into a paid subscription constitutes a contract. If you are under the age of legal contractual capacity in your jurisdiction, you should have a parent or guardian's consent before subscribing to Pro. The Free tier is available without any such restriction.

If you have any concerns about a minor's use of the Service, feel free to reach out at info@zeropanic.org.

Section 15

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes — changes that meaningfully affect how we handle your personal data — we will notify you by email at least 14 days before the change takes effect.

Your continued use of the Service after a change takes effect constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you should stop using the Service and delete your account.

We will never retroactively reduce your privacy rights without explicit consent. Any changes we make will be in the direction of greater transparency and stronger protections.

Section 16

Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your data, please get in touch. We are a small team and we read every message personally.

Have a privacy question or a data request? We'll get back to you as soon as possible — usually within 24 hours.

✉️ info@zeropanic.org