Privacy Policy
Last updated: July 7, 2026
AuthPeak is a Chrome extension that manages your two-factor authentication (TOTP) codes entirely on your own device. Our privacy model is simple: everything stays on your device, and nothing is ever sent anywhere.
AuthPeak collects no personal data and transmits nothing. There are no servers and no network requests. The developer has no access to your vault or your codes.
What we collect
Nothing. AuthPeak has no user accounts, no analytics, no telemetry, and no crash reporting. We do not collect, receive, or have any way to access your data.
What leaves your device
Nothing. AuthPeak makes no network requests and works fully offline. There is no cloud sync and no backend. Everything — including decoding imported QR codes — runs locally on your machine. The QR-decoder component (WebAssembly) is bundled inside the extension and is never fetched from the internet.
What is stored, and how
Your two-factor secrets are stored only on your device, in the browser’s local storage, encrypted with AES-GCM. The encryption key is protected by envelope encryption and unlocked with your Touch ID credential (WebAuthn PRF), your passphrase, or a one-time recovery code. Secrets are never written in plaintext. Your non-secret settings (such as the auto-lock timeout) are also stored locally; they contain no personal data.
No tracking, no sharing, no ads
AuthPeak contains no analytics or tracking of any kind, shares no data with third parties, and shows no advertising. We do not sell or rent data, because we never receive any.
Permissions
AuthPeak requests only the minimum Chrome permissions needed to work on your device, and no host permissions:
- activeTab and scripting — to read the current tab’s domain so the right code can be recommended, and to fill a code into the page’s field only when you explicitly ask (by clicking Fill or dragging a code onto it). The injected helper receives only the numeric code, never your secret or key.
- storage — to keep the local, encrypted vault and your settings on your device.
- clipboardWrite — to copy a code to your clipboard when you choose to.
- alarms — to run the auto-lock timer that re-locks the vault after a period you set.
None of these permissions send data off your device.
Data deletion
You are always in control of your data. Using the in-app Reset removes your stored vault, and uninstalling the extension removes all of AuthPeak’s stored data from your browser. Because nothing was ever uploaded, nothing persists anywhere else after removal.
Children’s privacy
AuthPeak is a general-purpose utility and is not directed at children. Since it collects no data at all, it collects no data from anyone, including children.
Changes to this policy
If this policy ever changes, the updated version will be published at this URL with a new “last updated” date.
Contact
Questions about privacy? Email support@peakuse.com.