Nothing in. Nothing out. Nothing stored.

Nothing. Keptex runs locally and derives every credential on your device using Web Crypto. It makes no outbound request on its own, with two exceptions you control: a WalletConnect session you explicitly start with a wallet of your choice, and, in the default mode, fetching site icons (favicons) to make your saved services easier to scan. Switch to fully local mode and even the icon fetch stops; nothing leaves your device.

• • Your encrypted vault blob, in your browser’s extension storage (AES-256-GCM, passphrase-derived).
• • Your last-used preferences (auto-lock timeout, default wallet), local only.
• • Cached cryptographic material in RAM while the vault is unlocked, wiped on lock or browser close.

This website uses no cookies. No analytics scripts. No third-party trackers. No advertising network. No fingerprinting. You can verify by inspecting the network tab on any page, there are no outbound requests at all (the fonts are self-hosted, not loaded from any CDN). The CSP header (also published, see /_headers) enforces this at the browser level.

None on this website. Inside Keptex, you choose which wallet to connect (Freighter, MetaMask, Phantom, WalletConnect). The connection happens client-side, on your device; Keptex is not a relay.

If we ever add analytics, telemetry, or any data collection in the future, this page changes first, the privacy section inside the extension changes with it, and the change lands in the public commit history. There is no silent change.

Open an issue at github.com/keptex if you find anything on this page that does not match reality. Privacy is a contract, not a tagline.