Privacy Policy

Last updated: March 21, 2026

Overview

API Locker is built on a simple principle: your data never leaves your device. We have no servers, no databases, and no ability to access your API keys — because we never receive them in the first place.

What We Collect

The API Locker Chrome Extension collects nothing. Specifically:

• All API keys are stored locally on your device using chrome.storage.local
• Encryption happens entirely in your browser using the WebCrypto API (AES-256-GCM)
• Your master password never leaves your device — it is used only to derive an encryption key locally
• No analytics, no crash reports, no telemetry of any kind
• No network requests are made by the extension

Landing Page (apilocker.dev)

This website (apilocker.dev) is a static page hosted on Vercel. When you visit:

• Vercel may collect standard server access logs (IP address, browser type, pages visited) as part of their infrastructure. See Vercel's Privacy Policy.
• If you submit your email via the waitlist form, it is stored only for the purpose of notifying you about the launch. It is not shared with third parties.

Data Storage & Security

• All vault data is encrypted with AES-256-GCM before being stored
• The encryption key is derived from your master password using PBKDF2 (100,000 iterations)
• Data is stored exclusively in your browser's local storage
• Uninstalling the extension permanently deletes all stored data

Third-Party Services

The extension does not integrate with any third-party services. The landing page uses Vercel for hosting.

Children's Privacy

API Locker is not intended for use by children under 13. We do not knowingly collect any information from children.

Changes to This Policy

If we make material changes to this policy, we will update the "Last updated" date at the top of this page.

Contact

Questions about this policy? Email us at hello@apilocker.dev