Privacy Policy
Last updated: May 2026
The short version: MSafe makes no network connections - on Android it isn't even granted permission to, and on iOS it ships with no networking code at all. There are no servers to breach, no accounts, no analytics, and no tracking. Your vault never leaves your phone unless you explicitly export it.
Data Collection
MSafe collects no data. Specifically, there is:
- No personal information collection
- No analytics, telemetry, or usage tracking
- No crash reports or diagnostics sent to the developer
- No advertising identifiers or ad SDKs
- No cookies, fingerprinting, or any other tracking mechanism
- No account creation, email collection, or phone verification
Network Access
On Android, MSafe is built without the internet permission, so the operating system refuses to let the app make any network connection at all. On iOS, MSafe contains no networking code whatsoever and links no analytics, advertising, or sync SDKs - it never opens a connection. On neither platform can it phone home, sync to a cloud, fetch updates, or contact any server.
How Your Vault Is Stored
Your credentials are stored on your device, encrypted with AES-256 using a key derived from your master password. The master password itself is never saved in plain text.
If someone gets hold of your phone's storage without your master password, the vault contents are unreadable.
Authentication and Wipe
MSafe authenticates you with your master password. By default, after ten consecutive incorrect attempts the entire vault is wiped from the device; you can turn this off in Settings if you prefer. There is no recovery email, no "forgot password" link, no back door. This is a deliberate trade-off: the strongest guarantee that nobody else gets in is the same guarantee that you are responsible for remembering your master password.
Optional biometric unlock - fingerprint on Android, Face ID or Touch ID on iOS - is gated by the platform's secure hardware (the Android Keystore, or the iOS Secure Enclave / Keychain) and requires your biometric every time. The stored payload is bound to your current enrolled biometrics, so re-enrolling a fingerprint or face invalidates it. Your master password is never saved to the device in readable form when biometric unlock is on - it stays in secure storage gated behind your biometric, or in memory only while the app is open.
Backups and Exports
MSafe never backs up your vault automatically. You decide when and where a backup lives. The app supports three explicit, user-initiated export formats:
- QR-code PDF - a single credential or your full vault as scannable encrypted QR codes you can print
- NFC tag - write a credential to an NFC tag and tap your phone against it later to import
- Encrypted .msafe file - the vault as an encrypted file you can move between devices
All exports are encrypted the same way as your live vault, and the encrypted format is identical across platforms - an export made on Android imports on iPhone and vice versa, as long as you use the same master password. Anyone who picks up an exported QR or file still needs your master password to read it. MSafe is also kept out of automatic cloud backup - excluded from Android's auto backup to Google, and stored in an iOS location not copied to iCloud - so nothing is uploaded in the background.
Permissions
MSafe declares only the permissions it needs to do its job, and each one is scoped to an explicit user action:
- Camera - only when you scan a QR code to import a credential
- NFC - only when you read or write an NFC tag (more limited on iPhone, where tag reads are always tap-initiated)
- Biometric - only if you turn on biometric unlock; fingerprint via Android, Face ID / Touch ID via iOS, managed entirely by the operating system
- Autofill - only if you enable MSafe as your provider in Android autofill settings, or as a Password AutoFill provider in iOS Settings
On Android, MSafe does not declare the Internet permission, so the app cannot make any network connection even if it wanted to. On iOS there is no internet-permission concept, but MSafe ships with no networking code, so it never connects either way.
These permissions are managed by the operating system. You can revoke them at any time in System Settings (Android: Apps > MSafe > Permissions; iOS: Settings > MSafe).
Third-Party Services
MSafe does not connect to any third-party services. There is no analytics, no crash reporting, no advertising, and no tracking. QR scanning is fully on-device (the open-source ZXing decoder with CameraX on Android, AVFoundation on iOS); no camera frames or decoded barcode data ever leave your phone, and nothing is sent to Google, Apple, or any other server.
Editions and Pricing
Android comes in a free edition and a Pro edition; they have identical privacy guarantees and differ only in the credential cap. Pro is a one-time Google Play purchase processed by Google.
iOS is a single paid app with no free tier and no credential cap, purchased once on the App Store and processed by Apple. There is no subscription and no in-app purchase.
codfishworks does not see your payment information on either platform.
Children's Privacy
MSafe does not knowingly collect any data from anyone, including children under 13. Since no data is collected or transmitted, there are no COPPA concerns.
Changes to This Policy
If this privacy policy changes, the updated version will be published on this page with a new "Last updated" date. Since MSafe collects no data and cannot connect to the internet, significant policy changes are unlikely.
Contact
If you have questions about this privacy policy, reach out via email at msafeworks@gmail.com.