Privacy Policy
Overview
API Locker is a Chrome extension for securely storing and managing API keys. We are committed to transparency about what data we collect, how we use it, and who we share it with. This policy covers both the extension and the apilocker.dev website.
Data We Collect
1. Local-Only Users ("Continue without account")
When you choose to use API Locker without creating an account, we ask for your email address. This email is:
- Stored in our Supabase database solely to help you recover access to your keys if needed
- Used only to contact you about critical updates or key recovery options
- Never sold or shared with third parties for marketing purposes
Your API keys remain encrypted on your device only and are never transmitted to our servers.
2. Account Users (Sign Up / Sign In)
When you create an account, we collect and store:
- Email address — used for authentication and account management
- Encrypted vault data — your API keys, encrypted with AES-256-GCM using your master password before leaving your device. We receive only the encrypted blob; we cannot read your API keys.
- Encryption salt — a cryptographic value used with your master password to derive your encryption key. This is stored alongside your encrypted vault to enable cross-device restore.
- Pro status — whether your account has an active Pro subscription
- Last sync timestamp — the time your vault was last backed up
What We Never Collect
- Your API keys in plaintext — they are always encrypted before leaving your device
- Your master password — it never leaves your device
- Browsing history, visited URLs, or any tab content
- Analytics or telemetry data from within the extension
How We Use Your Data
- Email: Account authentication, password recovery, and critical service notifications
- Encrypted vault: Cloud backup and cross-device synchronization (account users only)
- Pro status: Determining which features are available to your account
We do not use your data for advertising, profiling, or any purpose unrelated to providing the API Locker service.
Third-Party Services
The extension uses the following third-party service:
- Supabase (supabase.com) — used for user authentication and encrypted vault storage. Supabase processes data on our behalf under our instructions. See Supabase's Privacy Policy.
The apilocker.dev website is hosted on Vercel, which may collect standard server logs (IP address, browser type). See Vercel's Privacy Policy.
No other third-party services, analytics tools, or advertising networks are used.
Data Storage & Security
- API keys are encrypted with AES-256-GCM entirely within your browser before any data leaves your device
- The encryption key is derived from your master password and your per-account encryption salt using PBKDF2 with 100,000 iterations
- Your master password is never transmitted — not even to us
- Local data is stored in chrome.storage.local on your device
- Cloud data (account users) is stored in Supabase, protected by row-level security so only your account can access your vault
- Uninstalling the extension deletes all locally stored data. Cloud data can be deleted by deleting your account.
Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Supabase, as our infrastructure provider (described above)
- If required by law or to protect our legal rights
Data Retention
We retain your data for as long as your account is active. You may request deletion of your account and all associated data by emailing hello@apilocker.dev.
Children's Privacy
API Locker is not intended for use by children under 13. We do not knowingly collect any information from children under 13.
Changes to This Policy
If we make material changes to this policy, we will update the "Last updated" date at the top of this page. Continued use of the extension after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy? Email us at hello@apilocker.dev