Privacy Policy
Effective date: May 20, 2026 Last updated: June 4, 2026
This Privacy Policy describes how Pepperword Inc. ("Pepperword", "we", "us") handles information in connection with the Pepperword mobile application and its AutoFill extension (together, the "App").
Summary
- We do not operate servers that store your passwords, password material, or account.
- Your passwords are derived on your device from your image-based entropy and never leave your device in plaintext.
- If you turn on iCloud Sync, an encrypted file is stored in your personal iCloud account using Apple's CloudKit. We cannot read it.
- We do not track you, do not use analytics, and do not share data with advertisers.
- The App makes a small number of outbound network requests to fetch website icons and public domain lists. These requests do not include your passwords.
1. Who we are
Pepperword Inc. is a Delaware corporation. You can reach us at
support@pepperword.app.
For the purposes of the EU General Data Protection Regulation (GDPR), where the Regulation applies to you, Pepperword Inc. is the data controller for the limited processing described below.
2. Information we do not collect
We do not collect, receive, or store on our infrastructure:
- The master image you use to derive your entropy.
- Your derived entropy or any value derived from it.
- The passwords the App generates.
- The list of websites, applications, or accounts you store in the App.
- Your name, email address, phone number, IP address, advertising identifiers, or device identifiers.
- Analytics, telemetry, crash reports, or usage events.
We do not operate a Pepperword user account system. There is nothing to "sign up" for, and there is no Pepperword-side profile of you.
3. Information stored on your device
The App stores the following on your device:
- An encrypted password container file (
pcs-{id}.pcs) inside the App Group container shared between the main App and the AutoFill extension. The file is encrypted with a key derived from your image-based entropy; without the entropy, the file cannot be decrypted, by us or by anyone else. - Derived key material in the iOS Keychain, scoped to the App Group, used to open the encrypted container during a session.
- Cached icons for the websites and apps you have added, stored as image files inside the App Group container.
- App settings, including whether iCloud Sync is enabled, in standard iOS
UserDefaultsscoped to the App Group. - Cached public lookup data (suggested-domain catalog) in
UserDefaults, refreshed periodically. This data does not describe you. A suggested-domain baseline is also bundled with the App for offline first use.
None of the above is transmitted to Pepperword.
4. iCloud Sync
iCloud Sync is an optional, paid feature. When enabled:
- The same encrypted container file from Section 3 is uploaded to your personal iCloud account using Apple's CloudKit service.
- The file is encrypted before it leaves your device. Apple receives ciphertext; Apple cannot read its contents, and neither can Pepperword.
- Synchronization happens directly between your devices and Apple's iCloud infrastructure. Pepperword's servers are not involved.
- Disabling iCloud Sync stops further uploads. Removing the App from your devices or signing out of iCloud removes the local copy. To delete the iCloud copy you can sign in to iCloud.com or use Settings → Apple ID → iCloud on any of your devices.
Apple's handling of CloudKit data is governed by the Apple Privacy Policy available at apple.com/legal/privacy.
5. AutoFill extension
The AutoFill extension reads the same on-device encrypted container described in Section 3 in order to fill credentials into other apps and websites at your request. The extension does not transmit your credentials anywhere; iOS routes the filled value directly to the receiving app or web view under your control.
6. Network requests the App makes
The App makes a small number of outbound HTTPS requests, none of which contain your passwords or your stored credentials:
- Website icons. When you add a site, the App fetches a favicon for it. It
may request the favicon from Google's public favicon service
(
https://www.google.com/s2/favicons) and/or directly from the website itself using the URL you entered. The request reveals the domain you added to the destination server, as is standard for any HTTP request. We do not log these requests. - Suggested-domain catalog. When you type a site that few of the App's built-in suggestions match, the App may fetch a public list of popular domains from the Tranco project (tranco-list.eu) to offer more options. It fetches at most once per app session and keeps the result only in memory. This request does not identify you.
These requests are made by your device directly to the third-party services listed; Pepperword does not proxy or log them.
7. Subscriptions and payments
Premium features, including iCloud Sync, are sold as auto-renewable subscriptions through the Apple App Store. Apple processes the purchase, holds your payment information, and manages the subscription lifecycle.
- We do not receive your payment card details. We receive only the subscription status returned by Apple's StoreKit framework on your device, which we use to unlock premium features locally.
- Your subscription will automatically renew at the end of each period unless you cancel through your Apple ID subscription settings at least 24 hours before the end of the period.
- Apple's handling of payment data is governed by the Apple Privacy Policy and the Apple Media Services Terms.
8. Children
The App is not directed to children under 13, and we do not knowingly process information about children under 13.
9. Security
The encryption that protects your data is performed locally on your device using keys derived from your image-based entropy. We do not hold those keys. As a consequence:
- If you lose access to the image used to derive your entropy and you have not set up recovery on another device, your stored data cannot be recovered. We cannot recover it for you.
- We strongly recommend keeping a secure backup of the image used as your entropy source.
No security system is perfect. While we design the App to minimize the data exposed to any party (including us), you use the App at your own risk.
10. Your rights
Depending on where you live, you may have rights under laws such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), including the right to access, correct, or delete personal information we hold about you.
Because Pepperword does not maintain server-side records identifying individual users, in most cases we hold no personal information about you to access, correct, or delete. If you have questions about data Apple holds in connection with App Store purchases or iCloud Sync, please contact Apple.
To make a request or ask a question, email support@pepperword.app.
11. Third-party services
The App relies on the following third-party services. Each is governed by its own privacy policy:
- Apple Inc. — App distribution, StoreKit (subscriptions), iCloud / CloudKit (optional sync). apple.com/legal/privacy
- Google LLC — Google's public favicon endpoint, used to fetch website icons. policies.google.com/privacy
- Tranco — Public suggested-domain source. tranco-list.eu
Pepperword has no contractual relationship with these providers beyond ordinary use of their public services, and we receive no data about you from them.
12. International users
The App is operated from the United States. If you use the App from outside the United States, please note that data processed locally on your device stays on your device, and any data routed through Apple's iCloud or StoreKit is handled under Apple's own privacy policy and infrastructure.
13. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date above. Material changes will be announced in the App.
14. Contact
Questions about this Policy? Email support@pepperword.app.