Privacy Policy
Effective date: April 28, 2026 · Last updated: April 28, 2026
This Privacy Policy explains how Appnimi ("we," "us," or "our") collects, uses, stores, and discloses information when you use the Password Monk website at passwordmonk.com (the "Website") and the Password Monk desktop application (the "App"). Together these are referred to as the "Services."
Please read this policy carefully. By using the Services you acknowledge that you have read, understood, and agree to the practices described here.
1. Data Controller
The data controller responsible for your personal information is:
Appnimi
Email: [email protected]
Website: passwordmonk.com
2. Information We Collect
2a. Website
Information you provide directly
- Contact form submissions — When you use the contact form, we collect your name and email address, together with the message you send. This information is used solely to respond to your enquiry.
Information collected automatically
When you visit the Website, certain technical information is collected automatically by our servers and by third-party analytics services:
- IP address — collected by our web server and, in anonymised form, by Google Analytics.
- Browser type and version
- Operating system
- Referring URL — the page you visited before arriving at our Website.
- Pages visited, time on page, and navigation paths
- Date and time of each request
- Screen resolution and device type
- General geographic location derived from your IP address (country / city level; not precise location).
This data is collected through Google Analytics 4 (see Section 6 for full details) and standard server access logs.
Cookies and similar technologies
The Website uses the following categories of cookies:
| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Required for the Website to function (e.g., CSRF protection, session state). Cannot be disabled. | csrftoken, sessionid |
| Analytics | Track aggregate usage patterns to help us improve the Website. Set by Google Analytics. | _ga, _ga_* |
We do not use advertising or targeting cookies. You can control analytics cookies by opting out via Google Analytics Opt-out or by configuring your browser to block third-party cookies.
2b. Desktop App (Password Monk)
Information you provide
- Email address — Required to activate the App. Your email is sent to our licensing server at passwordmonk.com to generate and verify a one-time passcode (OTP) and to confirm your entitlement. Your email is stored locally on your device in the App's data directory.
Information collected automatically by the App
- License verification requests — The App periodically contacts our licensing server to verify that your activation is still valid. These requests include your email address and a device token. They contain no file content, no passwords, and no recovery results.
- OTP delivery metadata — When you request activation, our server records the email address and the timestamp of the OTP request for security and anti-abuse purposes.
What the App does NOT collect or transmit
- Files you load for password recovery
- Encryption hashes or signatures extracted from your files
- Recovered passwords or recovery results
- Wordlists or their contents
- Contents of your Secure Vault
- Keystroke data or clipboard contents
All password recovery operations run entirely on your local device. No file data or recovery data is ever sent to our servers.
Data stored locally on your device
The App stores the following data locally in your operating system's application data directory:
- Your activation email and a license token (license.monk)
- Application settings (settings.json)
- Secure Vault (AES-256-CBC encrypted; key derived from your vault password, which we never receive)
- Wordlist files you download or import
- Recovery session files created by the Recovery Engine
We have no access to any of this locally stored data.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Responding to contact form enquiries | Legitimate interest (Art. 6(1)(f) GDPR) — responding to a user-initiated request |
| App activation and license verification | Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR) — necessary to provide access to the App |
| Google Analytics (website analytics) | Consent (Art. 6(1)(a) GDPR) where legally required; Legitimate interest (Art. 6(1)(f) GDPR) for aggregate statistical analysis where consent is not required |
| Server access logs / security | Legitimate interest (Art. 6(1)(f) GDPR) — maintaining security and preventing abuse |
4. How We Use Your Information
- To operate and deliver the Services — processing activation, verifying licenses, and responding to support requests.
- To communicate with you — sending OTP codes for activation and responding to contact form messages.
- To improve the Website — analysing aggregate, anonymised usage patterns via Google Analytics to understand which features are most useful.
- For security and fraud prevention — detecting and blocking abuse of the activation system.
- For legal compliance — retaining records as required by applicable law.
We do not sell, rent, or trade your personal information. We do not use your data for targeted advertising.
5. How We Share Your Information
We share personal information only in the following circumstances:
- Google LLC — Website analytics data is processed by Google Analytics 4. See Section 6 for details.
- Email delivery providers — OTP emails are sent via a transactional email service. Only your email address is shared for the purpose of delivering the OTP message.
- Legal requirements — We may disclose your information if required by law, court order, or to protect the rights, property, or safety of Appnimi, our users, or the public.
- Business transfers — If Appnimi is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via prominent notice on the Website.
6. Google Analytics
The Website uses Google Analytics 4, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies to collect information about how visitors use the Website.
What Google Analytics collects
- Pages visited and navigation paths
- Time spent on each page
- Referring source (how you arrived at the Website)
- Browser, operating system, and device type
- Screen resolution
- Approximate geographic location (country / city, derived from IP address)
- Events such as button clicks and file downloads
IP anonymisation
Google Analytics 4 anonymises IP addresses by default before they are stored. Your full IP address is not retained by Google in connection with Analytics data.
Google's use of the data
Google may use the collected data in accordance with its own Privacy Policy. The data is used to provide us with aggregated reports about Website activity. We have enabled data sharing restrictions that prevent Google from using our Analytics data for its own advertising products.
Data transfers
Google Analytics data may be transferred to and processed in the United States. Google relies on Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework for such transfers where applicable.
Opting out of Google Analytics
- Install the Google Analytics Opt-out Browser Add-on
- Use your browser's privacy or "do not track" settings to block third-party cookies
- Use a browser extension or content blocker that prevents analytics scripts from loading
For more information about Google's data practices, see Safeguarding your data — Google Analytics Help.
7. Data Retention
| Data type | Retention period |
|---|---|
| Contact form messages (name + email) | Until the enquiry is resolved, then deleted within 12 months |
| App activation records (email, entitlement) | Duration of the entitlement plus 90 days after deactivation or expiry |
| OTP request logs (email + timestamp) | 30 days |
| Server access logs | 90 days |
| Google Analytics data | 14 months (Google Analytics default retention setting) |
8. Your Rights
EEA, UK, and Switzerland (GDPR / UK GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing — Request that we limit how we use your data.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — You have the right to complain to your local data protection authority (e.g., ICO in the UK, or your national supervisory authority in the EEA).
California residents (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know — The categories and specific pieces of personal information we collect about you.
- Right to delete — Request deletion of personal information we have collected.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell or share personal information for cross-context behavioural advertising.
- Right to non-discrimination — We will not discriminate against you for exercising any CCPA right.
How to exercise your rights
To exercise any of these rights, please contact us at [email protected] with the subject line "Privacy Request." We will respond within 30 days (or within the timeframe required by applicable law).
9. Children's Privacy
The Services are not directed to children under the age of 13 (or 16 where required by local law). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will promptly delete it.
10. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, or destruction. These include:
- HTTPS/TLS encryption for all data in transit between the App, Website, and our servers
- Hashed and salted storage of activation tokens
- Access controls limiting who can access personal data
- Regular security reviews
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
11. International Data Transfers
Our servers are located in the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries whose data protection laws may differ from those in your country. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) to protect your information.
12. Third-Party Links
The Website may contain links to third-party websites. This Privacy Policy does not apply to those websites, and we are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party sites you visit.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective date" at the top of this page and, where appropriate, provide additional notice (such as a notice on our Website). Your continued use of the Services after the effective date of any update constitutes acceptance of the revised policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Web: passwordmonk.com/contact
We aim to respond to all privacy-related enquiries within 30 days.