Legal

Privacy policy

Arlopass is built on a simple principle: your data belongs to you. We don't collect it, we don't track you, and we don't sell anything to anyone.

Effective date: March 29, 2026

Scope

What this policy covers

This privacy policy applies to the Arlopass website (arlopass.com), the Arlopass browser extension, the native bridge application, the developer SDKs (@arlopass/web-sdk, @arlopass/react), and all related open-source packages published under the Arlopass organization.

Data collection

We do not collect your personal data

Arlopass does not collect, store, or process personal information about you. There are no user accounts, no sign-up forms, no email collection, no newsletters, and no contact forms that transmit data to our servers. The contact page uses mailto: links that open your own email client — we receive your message only if you choose to send it.

We do not use analytics services (such as Google Analytics, Plausible, or PostHog), tracking pixels, fingerprinting, or any other mechanism to monitor how you use the website or extension.

Cookies & storage

Cookies and local storage

The Arlopass website does not set any cookies. A single localStorage value (arlopass-theme) stores your color scheme preference (light or dark) so the site respects your choice on return visits. This value never leaves your browser and is not transmitted to any server.

The browser extension uses chrome.storage.local and chrome.storage.session to store your provider configuration, connection grants, and UI state. This data is stored locally in your browser profile and is never sent to Arlopass or any third party.

Browser extension

Browser extension and native bridge

The Arlopass browser extension and native bridge operate entirely on your device. API credentials you add are encrypted using AES-256-GCM and stored in a vault file on your local file system, secured by a master password or your OS keychain (Windows Credential Manager, macOS Keychain, or Linux Secret Service). Your credentials are never transmitted to Arlopass servers.

When you approve a web app's request to use AI, the native bridge routes that request directly to the AI provider you selected (such as Ollama, Claude, GPT, Gemini, or Bedrock). Arlopass does not proxy, intercept, log, or inspect the content of these requests. The messages you send to AI providers are governed by those providers' own privacy policies.

The extension communicates with the native bridge via Chrome Native Messaging (a local IPC channel). No network requests are made to Arlopass infrastructure during normal operation.

AI providers

Your AI providers

When you use Arlopass to connect to a cloud AI provider (such as Anthropic Claude, OpenAI, Google Gemini, Amazon Bedrock, Google Vertex AI, Perplexity, or Microsoft Foundry), your prompts and messages are sent directly from the native bridge on your device to that provider. Arlopass has no visibility into this traffic.

When you use a local AI provider (such as Ollama or LM Studio), your prompts and responses never leave your machine.

Each AI provider has its own privacy policy and data retention practices. We recommend reviewing the privacy policy of any provider you connect.

Website hosting

Website hosting and infrastructure

The Arlopass website is hosted on Cloudflare Pages. When you visit arlopass.com, Cloudflare processes your IP address and standard HTTP metadata (such as browser user-agent and referrer) as part of serving the page. This processing is governed by Cloudflare's privacy policy (https://www.cloudflare.com/privacypolicy/). Arlopass does not have access to individual visitor IP addresses or request logs from Cloudflare.

The website loads AI provider icon images from unpkg.com, a public CDN for npm packages. Requests to unpkg.com are subject to unpkg's infrastructure provider and may expose your IP address to that service.

No other third-party services are loaded on the website. Fonts are self-hosted. There are no advertising networks, social media widgets, or embedded third-party content.

Trust center

Trust center data

The Trust Center page displays compliance framework data (ISO 27001, ISO 42001, SOC 2, GDPR) fetched at build time from Probo, our compliance management platform. This data is fetched during the site build process using an API token — no user data is shared with Probo, and no requests are made to Probo when you visit the Trust Center page.

Developer SDK

Developer SDK

The Arlopass SDKs (@arlopass/web-sdk and @arlopass/react) do not collect telemetry, usage data, or crash reports. The SDKs communicate exclusively with the user's locally installed browser extension via injected transport — no data is sent to Arlopass servers.

Audit logging

Optional audit logging

Arlopass supports optional, self-hosted audit logging for organizations that enable policy bundles. When enabled, audit logs are written locally in JSONL format or exported via OTLP to the organization's own observability platform (such as Splunk, Elastic, or Datadog). Arlopass does not receive or store these logs. Audit logs omit personally identifiable information by default.

Children

Children's privacy

Arlopass is not directed at children under 16. We do not knowingly collect any personal data from children. Since we do not collect personal data from any users, no special provisions are necessary.

Your rights

Your data rights

Under the EU General Data Protection Regulation (GDPR) and similar laws, you have rights including access, rectification, erasure, restriction, portability, and objection. Because Arlopass does not collect or store personal data about you, there is no personal data for us to provide, correct, or delete.

All data generated by the browser extension and native bridge (provider configuration, connection grants, vault contents) is stored exclusively on your device. You can delete this data at any time by removing the extension, uninstalling the native bridge, or deleting the vault file from your file system.

If you contact us by email, we process your email address and message content to respond to your inquiry. This processing is based on legitimate interest (GDPR Art. 6(1)(f)). We retain email correspondence only as long as necessary to resolve your inquiry and do not use it for marketing.

International transfers

International data transfers

Arlopass does not transfer personal data internationally because we do not collect personal data. Cloudflare, as our hosting provider, may serve the website from edge locations worldwide. Any processing by Cloudflare is governed by their Data Processing Addendum and Standard Contractual Clauses. As Arlopass is based in Romania (an EU member state), EU GDPR applies directly.

Changes

Changes to this policy

We may update this privacy policy to reflect changes in our practices or for legal, regulatory, or operational reasons. Material changes will be noted on this page with an updated effective date. Since we do not collect email addresses, we cannot notify you directly — we recommend checking this page periodically.

Contact

Contact us

If you have questions about this privacy policy or our data practices, contact us at privacy@arlopass.com. For security concerns, contact security@arlopass.com.
